Privacy issues are sweeping the information security landscape as individuals demand accountability from corporations,
organizations and others that handle their data. As an information security professional, it's important that you have a basic understanding of data privacy laws and know the legal requirements your organization faces if it enters a line of business regulated by these laws.
You may have already dismissed these concerns as irrelevant because someone advised you that there's no legal requirement that you protect data. The Federal Trade Commission (the government agency charged with protecting the privacy of individuals in the United States) can only take action against you if you voluntarily post a privacy statement and then deliberately violate it. Therefore, many organizations have taken the advice of their attorneys and refuse to post a privacy statement.
This legal protection may work in some cases, but it's simply not true that there aren't privacy laws on the books in the U.S. Granted, these laws only apply if your organization fits into certain categories, but the categories are quite broad.
The first category involves the privacy of children. The Children's Online Privacy Protection Act of 1998 (COPPA) provides specific guidelines for organizations that fit into one of the following three categories:
- Operate a Web site directed to children under age 13 that collects personal information.
- Operate a general audience Web site that knowingly collects personal information from children under 13.
- Operate a general audience Web site with a special section for children and collect personal information from children under age 13.
MORE INFORMATION ON PRIVACY LAWS & REGULATIONS:
- Guest Commentary contributor Ira Winkler describes the impact of privacy laws on CISOs.
- How much do you know about IT laws and regulations? Find out with our compliance quiz.
- Learn some best practices for managing compliance with security standards.
The Health Insurance Portability and Accountability Act (HIPAA) also contains a substantial Privacy Rule that affects organizations that process medical records on individual citizens. HIPAA's "covered entities" include:
- Health care providers
- Health care clearinghouses
- Health care plans
The HIPAA Privacy Rule requires covered entities to inform patients about their privacy rights, train employees on the handling of private information, adopt and implement appropriate privacy practices and provide appropriate security for patient records. For more information on HIPAA, see the Department of Health and Human Services' HIPAA Web site.
The most recent addition to privacy law in the United States is the Gramm-Leach-Bliley Act of 1999 (GLBA). Aimed at financial institutions, this law contains a number of specific actions that regulate how covered organizations may handle private financial information, the safeguards they must put in place to protect that information and prohibitions against their gaining such information under false pretenses.
If you're thinking to yourself, "That's fine, I don't work for a bank, hospital or children's Web site, so these laws don't apply to me," stop and think again. The FTC has interpreted GLBA with an incredibly wide definition of the term "financial institution." Some examples of industries covered by GLBA include:
- Securities trading
- Insurance companies
- Tax preparers
- Credit counselors and financial advisors
- Real estate settlement services
- Debt collection services
Of course, this isn't a comprehensive list. For more information GLBA that can help you determine if you're covered, visit the FTC's GLBA site.
Data privacy is a complex and rapidly changing field. The legal landscape surrounding these issues is fluid and subject to new legislation and interpretation by government agencies and the courts. It's imperative that you keep current on the laws as they apply to your firm.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.