Laws Applicable to UC
A number of federal and state laws include information security requirements that apply to UC. A summary of each is given below; more information about each law can be found by following the links provided.
- Health Insurance Portability and Accountability Act (HIPAA)
Passed: August 1996
Purpose: To improve the portability while maintaining the privacy and security of patient information.
Types of companies or entities affected: Medical providers, insurance companies, claims clearinghouses, employers that self-insure workers' health benefits.
Gist: The law's "administrative simplification" section establishes a privacy rule, a security rule, transaction and code-set standards and identifier standards. These regulations specify what patient information must be kept private, how covered entities must secure that information, and the standards for electronic communication between medical providers and insurance companies. The deadline for implementing privacy controls was April 15, 2003; for security controls, April 21, 2005; for transaction and code-set standards, Oct. 15, 2003; and for an identifier standard, July 30, 2004.
Effects on IT: Unlike some other laws, HIPAA spells out in detail the safeguards and policies that must be implemented to comply, but it is vendor neutral and does not mandate particular products.
Additional Information: HIPAA, HIPAA Requirements Checklist (from NACUA), HIPAA Standards and Procedures Checklist
- Gramm-Leach-Bliley Act (GLBA)
Passed: November 1999
Purpose: To protect the information financial institutions collect about customers.
Types of companies affected: Mainly financial institutions, but also any company that collects name, Social Security number and bank account number from customers or employees.
Gist: On May 23, 2003 the act's Safeguards Rule came into effect, requiring financial institutions to design, implement and maintain safeguards to protect customer information.
Effects on IT departments: All companies that collect financial information must take security measures, such as maintaining firewalls, installing and updating virus protection, and scheduling routine security audits, as well as developing and implementing privacy policies.
Opinion: "Most IT departments are aware that they must protect information, but they aren't specifically aware that there are federal regulations enforcing this." Stan Gatewood, CISO of UGA InfoSec.
- The Family Educational Rights and Privacy Act (FERPA)
Passed: 1974
Purpose: To protect the privacy of student education records.
Types of institutions affected: All educational agencies or institutions that receive funds under any program administered by the Secretary of Education.
Gist: Students have specific, protected rights regarding the release of education records, and FERPA requires that institutions adhere strictly to these rules. FERPA gives students the following rights regarding education records: the right to access education records kept by the school; the right to request amendment of education records; the right to have education records disclosed only with student consent (subject to the act's stated exceptions); and the right to file a complaint against the school for disclosing education records in violation of FERPA.
Additional Information: UC Office of the Registrar
- USA Patriot Act
AKA: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
Passed: October 2001
Purpose: To boost the government's ability to track and prosecute terrorist activity through increased use of surveillance, information sharing and other means.
Types of companies affected: Financial institutions, ISPs and other companies that handle and store online communications.
Gist: The act obliges financial institutions to report any suspicious activity involving large money transactions. ISPs are also encouraged to hand over information about user activity they consider suspicious, and can do so without liability. The law further expands the types of information that government agencies can collect from ISPs about their users, including records of session times and durations, temporarily assigned IP addresses, and credit card or bank account information.
Effects on IT departments: Many aspects of the act encourage cooperative efforts from the private sector, instead of imposing regulations. Companies might wait until a government agency subpoenas information from them before considering compliance, although the time and cost to produce information on the fly could be prohibitive. Legal experts recommend companies ask the inquiring agency to reimburse the cost - some will, some won't.
Estimated spending to comply: Too soon to tell, because many of the act's provisions are suggestions rather than mandates. If the government repeatedly asks a company to produce records, its officials might realize that upgrading IT systems to automate reporting is less expensive than hiring temporary staff to do it by hand.
Additional Information: http://www.epic.org/privacy/terrorism/hr3162.html
- California Senate Bill 1386
Passed: September 2002
Purpose: To give California consumers immediate notice of security compromises in businesses' computer systems so they can take action before identity theft occurs.
Types of companies affected: Any company that stores a California resident's personal information on their computer system.
Gist: The law, which went into effect July 1, 2003, says companies must notify their customers when they know or reasonably believe that unencrypted personal information was acquired by an unauthorized person. Notification must happen "in the most expedient time possible and without unreasonable delay," and can be written or, in some cases, sent by e-mail or posted on the company's Web site. Personal information is defined as an individual's name in combination with one or more of the following: Social Security number; California driver's license or state ID number; or bank account, credit card or debit card number together with any required personal identification number or password that would permit access to the account.
Effects on IT departments: Mandatory reporting of security breaches means departments must be able to detect them, determine which customers' information might have been compromised, and automate notification of all potentially affected individuals. Because the notification duty attaches only to unencrypted data, encrypting stored personal information is a practical way to reduce exposure under the law.
Opinion: "While privacy has never been a huge [business] driver, lack of privacy is." Stan Gatewood, CISO of UGA InfoSec.
Estimated spending to comply: Depends on whether the bills brewing in Congress to make this a federal law pass. For now, it means every company doing business in California must implement breach detection and notification systems.
- CDA - Communications Decency Act of 1996
The Communications Decency Act of 1996 was a highly controversial statute prohibiting anyone using interstate or foreign communications from transmitting obscene or indecent materials when they know that the recipient is under 18 years of age, regardless of who initiated the communication. The Supreme Court struck down the act's indecency provisions as unconstitutional in Reno v. ACLU (1997).
http://en.wikipedia.org/wiki/Communications_Decency_Act
- CFAA - The Computer Fraud and Abuse Act of 1986
The Computer Fraud and Abuse Act of 1986 focuses primarily on protecting "government-interest" computers, including federal, state, county and municipal systems; financial and medical institutions; and computers used by contractors supplying such institutions. Specifically, the law prohibits the transmission of "a program, information, code or command" with intent to damage, cause damage to, or deny access to a computer system or network. In addition, the act prohibits even unintentional damage if the perpetrator shows reckless disregard of the risk of causing such damage.
http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
- Copyright Law of the United States of America
http://www.loc.gov/copyright/title17/
- DMCA - The Digital Millennium Copyright Act of 1998
Purpose: To protect intellectual property.
http://www.loc.gov/copyright/legislation/dmca.pdf
- ECPA - The Electronic Communications Privacy Act of 1986
The Electronic Communications Privacy Act of 1986, generally known as the ECPA, provides for fines and prison sentences for anyone convicted of unauthorized interception and disclosure of electronic communications, such as phone calls over land lines or mobile systems and e-mail. In addition, the ECPA specifically prohibits making use of an unlawfully intercepted electronic communication if the interceptor knows that the message was unlawfully obtained. On the other hand, providers of electronic messaging systems, including employers, are permitted to intercept messages on their own systems in the course of their normal operations; naturally, they are authorized to transmit messages to other communications providers as part of the normal course of delivery to the ultimate recipient. The ECPA also prohibits unauthorized access to stored messages, not just those in transit.
http://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act
- Wiretap Act, U.S. Code Title 18, Pt. I, Ch. 119, Sec. 2511
Case Law Discussion
http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002511----000-.html
- U.S. Code Title 18, Pt. I, Ch. 121:
Stored Wire And Electronic Communications And Transactional Records Access
http://www4.law.cornell.edu/uscode/18/pIch121.html
- U.S. Code Title 18, Pt. I, Ch. 121, Sec. 2703:
Required disclosure of customer communications or records
http://www4.law.cornell.edu/uscode/18/2703.html
- State Laws regarding disclosure of breach of customer communications or records
http://www.pirg.org/consumer/credit/statelaws.htm