Rules, Regulations and Laws you should know for the exam (US):
- HIPAA (Not HIPPA) – Health Insurance Portability and Accountability Act.
- Puts strict privacy and security rules on how PHI (Protected Health Information) is handled by the covered entities: health plans/insurers, health care providers and health care clearinghouses (which process claims), plus the business associates that handle PHI on their behalf.
- The three HIPAA rules to know are the Privacy Rule, the Security Rule and the Breach Notification Rule.
- The Security Rule mandates administrative, physical and technical safeguards for electronic PHI (ePHI).
- A documented risk analysis is a required part of the Security Rule.
- Security Breach Notification Laws.
- NOT federal: there is no single national statute, each state has its own, so know the one for your state. (Older notes list 48 states with none in Alabama and South Dakota; both enacted laws in 2018, so all 50 states now have one.)
- They normally require organizations to notify the affected individuals whose PII was compromised, and often the state attorney general as well.
- Many include an encryption safe harbor: lost or stolen data that was encrypted may not require notification, typically only if the encryption key was not also compromised.
- Electronic Communications Privacy Act (ECPA):
- Extends wiretap protections to electronic communications and stored data, prohibiting interception of or access to them without a warrant or court order.
- The Act was weakened by the PATRIOT Act.
- PATRIOT Act of 2001:
- Expands law enforcement's electronic surveillance and monitoring powers (wiretaps, pen registers, access to stored records).
- Allows delayed-notice search warrants: search and seizure without immediate disclosure to the target.
- Computer Fraud and Abuse Act (CFAA) – Title 18, Section 1030 (18 U.S.C. § 1030):
- The most commonly used federal law to prosecute computer crimes; criminalizes accessing a protected computer without authorization or in excess of authorized access.
- Enacted in 1986 and amended in 1989, 1994, 1996, 2001 (USA PATRIOT Act), 2002, and 2008 (Identity Theft Enforcement and Restitution Act).
- Payment Card Industry Data Security Standard (PCI DSS) – Technically not a law but a contractual standard, created by the major card brands and maintained by the PCI Security Standards Council; compliance is enforced through the card brands and acquiring banks.
- The standard applies to cardholder data for both credit and debit cards, wherever it is stored, processed or transmitted.
- Requires merchants, service providers and others that handle cardholder data to meet a minimum set of security requirements.
- Mandates security policy, network and system controls, access control techniques, and logging and monitoring.
- Gramm-Leach-Bliley Act (GLBA):
- Applies to financial institutions. Examination guidance comes from the Federal Financial Institutions Examination Council (FFIEC); its member agencies (OCC, FDIC, FRB, NCUA and CFPB) enforce it for the institutions they supervise, and the FTC enforces it for other financial institutions.
- Enacted in 1999; its Privacy Rule and Safeguards Rule require protection of the confidentiality and integrity of consumer financial information.
- Sarbanes-Oxley Act of 2002 (SOX):
- A direct response to the corporate accounting scandals of the early 2000s (Enron, WorldCom).
- Mandates standards for the financial reporting of publicly traded companies; Section 404 requires management to assess internal controls over financial reporting, which is why IT general controls (access, change management, logging) fall in scope.
- Intentional violations can result in criminal penalties, including fines and imprisonment for executives who certify false reports.