Security legislation and industry standards might define how data has to be handled, how to make sure that private information is protected, and what kind of information can be public. Based on legislative mandates and industry directives, organizations might have to protect customer records and privacy and even encrypt data to help ensure that the network is secure. Some examples of laws and directives influencing network security include the following:
■ The U.S. Gramm-Leach-Bliley Act of 1999 (GLBA): Information that many individuals would consider private—including bank balances and account numbers—is regularly bought and sold by banks, credit card companies, and other financial institutions. The GLBA, which is also known as the Financial Services Modernization Act of 1999, provides limited privacy protections against the sale of private financial information and codifies protections against pretexting, the practice of obtaining personal information through false pretenses.
■ The U.S. Health Insurance Portability and Accountability Act (HIPAA): HIPAA is U.S. federal legislation that was passed into law in August 1996. The overall purpose of the act is to enable better access to health insurance, reduce fraud and abuse, and lower the overall cost of health care in the United States. The HIPAA security regulations apply to protected health information that is electronically maintained or used in an electronic transmission. Thousands of U.S. organizations must comply with the HIPAA security rule.
■ European Union data protection Directive 95/46/EC: This directive requires that European Union member states protect people's privacy rights when processing personal data, and that the flow of personal data between member states must not be restricted or prohibited because of these privacy rights.
■ The U.S. Sarbanes-Oxley Act of 2002 (SOX): This U.S. federal law, passed in response to a number of major corporate scandals, is also known as the Public Company Accounting Reform and Investor Protection Act. SOX establishes new or enhanced auditing and financial standards for all U.S. public company boards, management, and public accounting firms. The act contains 11 sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the U.S. Securities and Exchange Commission to implement rulings on the requirements for complying with the new law.
■ Payment Card Industry (PCI) Data Security Standard (DSS): The PCI DSS was developed to ensure safe handling of sensitive payment information, such as the storage and transfer of credit card information. The PCI DSS is the umbrella program for other programs, such as the Visa Cardholder Information Security program and MasterCard Site Data Protection program.
■ The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA): This act establishes rules for managing personal information by organizations involved in commercial activities. It aims to strike a balance between an individual's right to the protection of personal information and the need of organizations to obtain and handle such information for legitimate business purposes.