In this video, Kip Boyle discusses laws related to cybersecurity. Learn why being compliant with laws and regulations is a major goal of an information security program.
- [Instructor] Being compliant with applicable laws and regulations is one of the four major goals of an information security program. Because of the growing importance of information security, there are many laws and regulations, and we can expect more to emerge in the coming years. You'll find applicable laws and regulations at many levels of governance, everything from multinational requirements all the way down to national, state, and local levels. You'll even find that some industries are self-regulating. Let's review a few of the more common laws and regulations you're likely to see.
We'll start with some broadly applicable laws and regulations. Enacted by the United States in 2002, the Sarbanes-Oxley Act applies to publicly traded US companies. It's designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures, particularly financial ones. That means information security programs need to make sure their organization's financial data is safeguarded, whether they are publicly traded or not.
The Payment Card Industry Data Security Standard is a set of requirements for securing payment card customer data. It was developed by the founders of the PCI Security Standards Council, which includes American Express, Mastercard, and VISA. PCI DSS applies to anyone handling credit card data, including retailers, banks, and the credit card companies.
Data breach notification laws have been enacted in most U.S. states since 2002. California was one of the first in the U.S. The European Union enacted such a law in 2009. They all require organizations to notify their affected customers about data breaches. These laws also require organizations to take other steps to protect consumers involved in the breach.
Let's turn now to some industry-specific regulations and guidelines. Enacted in 2002, the Federal Information Security Management Act requires U.S. federal agencies to implement a program to provide security for their information and information systems. The North American Electric Reliability Corporation has published standards for the bulk power system of North America. These protect the industry's critical infrastructure from physical and cyber threats.
The Health Insurance Portability and Accountability Act requires the adoption of standards nationwide to protect electronic health care transactions. The law also requires guarding the security and privacy of personal health information. It applies to health care providers, health plans, and health care clearinghouses, which are also known as covered entities. HIPAA also applies to business associates, which are non-health care companies that serve covered entities. An outside company that prints and mails explanation of benefits statements is an example of a business associate. The Health Information Technology for Economic and Clinical Health Act significantly modified HIPAA in 2009. It added new requirements concerning privacy and security for patient health information, and it applies to both covered entities and business associates.
On the international front, one of the most important laws is the European Union Data Protection Directive. It was adopted in 1995 and regulates the processing of personal data within the European Union. If you don't already know, it's important to realize that people in the EU have higher expectations when it comes to personal privacy as compared to the United States; thus the directive prohibits European firms from transferring personal data to overseas jurisdictions with weaker privacy laws, unless there is a separate agreement for data protection. Note that the General Data Protection Regulation will supersede the Data Protection Directive and will be enforceable starting on May 25th, 2018.
Critically for international commerce, the European Commission and the United States agreed in February 2016 to establish a new framework for meeting the requirements for transatlantic data flows. This is known as the EU-US Privacy Shield. Figuring out which laws and regulations apply to your organization takes time to research and usually requires legal counsel in order to be highly confident in your conclusions, which you'll want to be before you spend significant time and money trying to comply with them.