United States Federal Laws Regarding Data Security
The United States Check Clearing for the 21st Century Act (Check
21), effective October 2004, enables banks to improve check
processing by allowing them to handle more checks
electronically, making check processing faster and more
efficient. The Act allows banks to issue substitute checks in
place of original checks. For example, customers who receive
cancelled checks with their monthly account statement may begin
to receive substitute checks. Substitute checks are considered
proof of payment.
The Economic Espionage Act of 1996 (EEA) made it a federal criminal
offense to steal trade secrets, defined as "all forms and types
of financial, business, scientific, technical, economic or
engineering information" that the owner has taken reasonable
measures to keep secret and that is not generally known to the public.
The legislation applies to such information in any form, whether
tangible or intangible, including electronic records.
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) was
enacted in December 2003; its more specific document destruction
rules (the Disposal Rule) came into effect on June 1, 2005. FACTA
amended the existing Fair Credit Reporting Act, providing consumers,
companies, consumer reporting agencies and regulators with new
tools to expand consumer access to credit, enhance the accuracy
of consumer financial information, and help fight identity
theft. FACTA is administered by the Federal Trade Commission
(FTC).
The Family Educational Rights and Privacy Act (FERPA) (20 USC
§1232g, 34 CFR Part 99) is a federal U.S. law that protects the
privacy of student education records.
The Financial Modernization Act of 1999, also known as the
Gramm-Leach-Bliley Act (GLB Act), protects the privacy of
consumer information held by financial institutions and requires
companies to give consumers privacy notices that explain the
institutions’ information sharing practices. The Act also
provides consumers with the right to limit some sharing of their
information.
The Health Insurance Portability and Accountability Act of 1996
(HIPAA) is a United States federal law that requires health care
organizations to "maintain reasonable and appropriate administrative,
technical, and physical safeguards" to prevent intentional or
unintentional use or disclosure of protected health information.
Protected health information (PHI) includes patient medical records,
patient logs, insurance, billing and other individually identifiable
health information.
The Identity Theft Penalty Enhancement Act of 2004 established a new
federal crime, aggravated identity theft, defined under "Offenses" in
the Act:
(1) In general - Whoever, during and in relation to any felony
violation enumerated in subsection (c), knowingly transfers,
possesses, or uses, without lawful authority, a means of
identification of another person shall, in addition to the punishment
provided for such felony, be sentenced to a term of imprisonment of
2 years.
(2) Terrorism offense - Whoever, during and in relation to any felony
violation enumerated in section 2332b(g)(5)(B), knowingly transfers,
possesses, or uses, without lawful authority, a means of
identification of another person or a false identification document
shall, in addition to the punishment provided for such felony, be
sentenced to a term of imprisonment of 5 years.
Enacted following a series of high-profile accounting scandals
in the United States, most notably Enron and WorldCom, the
Sarbanes-Oxley Act of 2002 (SOX) is intended to enhance
corporate responsibility and financial reporting and to
combat corporate and accounting fraud. It is one of the most
complex pieces of legislation passed in the United States in
recent years and includes some of the most far-reaching reforms
of American business practices since the 1930s.
The Uniting and Strengthening America by Providing Appropriate
Tools Required to Intercept and Obstruct Terrorism Act (USA
Patriot Act) was enacted in October 2001 in an effort to "deter
and punish terrorist acts in the United States and around the
world, to enhance law enforcement investigatory tools, and for
other purposes."
The European Union's Directive on Data Protection prohibits the
transfer of personal data to countries outside the EU, including
the United States, that do not meet the European Commission's
standards for adequate privacy protection. The US-EU Safe Harbor
framework allows US companies that self-certify their adherence to
the Safe Harbor privacy principles to receive personal data from
the EU.
United States State and Local Laws Regarding Data Security
Effective January 1, 2007, it is illegal in Arkansas
to publicly post or display an individual's social security
number, or to require an individual to transmit their social
security number over the internet, unless the information is
encrypted.
California was the first U.S. state to have an agency, the
Office of Privacy Protection, dedicated to promoting and
protecting the privacy rights of consumers. The State has a
number of laws related to privacy and identity theft including
Senate Bill 1386 (SB 1386). Since July 2003, businesses and
individuals that maintain computerized data that includes
specified personal information must disclose any breach of the
security of that data. The legislation is designed to give
companies the incentive to take proactive steps to ensure that
their customers do not become victims of identity theft.
The Florida Unlawful Use of Personal Identification Information
Act (HB 481) requires businesses to notify individuals when a
security breach results in their personal information being
released to unauthorized parties if the breach has or will
likely result in harm to the affected individuals. The Act
specifies the notification steps businesses must follow in the
event of a security breach.
Hawaii Laws Regarding Personal Privacy
- NOTIFICATION OF SECURITY BREACHES (Act 135): Act 135 imposes new
obligations on Hawaii businesses to notify an individual whenever the
individual's personal information maintained by the business has been
compromised by unauthorized disclosure. The underlying policy behind
the Act is that prompt notification helps potential victims act
against identity theft by initiating steps to monitor their credit
reputation. Any business subject to the Act's provisions should
therefore undertake measures to fully comply with the law when it
becomes effective on January 1, 2007.
- DESTRUCTION OF PERSONAL INFORMATION RECORDS (Act 136): Act 136
imposes new obligations on Hawaii businesses to properly dispose of
"personal information" contained in their records. In short, it
requires businesses that hold "personal information" about
individuals to destroy or shred that information when discarding it,
in order to preserve the confidentiality of citizens' data. The law
takes effect on January 1, 2007. Pursuant to Act 136, businesses must
establish "reasonable measures" to protect against unauthorized
access to that information in connection with or after its disposal.
These "reasonable measures" include:
  - Implementing and monitoring compliance with policies and
  procedures that require the burning, pulverizing, recycling, or
  shredding of papers containing personal information so that the
  information cannot practicably be read or reconstructed;
  - Implementing and monitoring compliance with policies and
  procedures that require the destruction or erasure of electronic
  media and other non-paper media containing "personal information"
  so that the information cannot practicably be read or
  reconstructed; and
  - Describing procedures relating to the adequate destruction or
  proper disposal of personal records as official policy in the
  writings of the business.
- SOCIAL SECURITY NUMBER PROTECTION (Act 137): The purpose of Act 137
is to minimize the abuses associated with the fraudulent use of a
social security number (SSN) by restricting its use as an identifier.
To give businesses and government agencies time to comply with the
law, the Act is scheduled to take effect on July 1, 2007.
Prohibited uses of social security numbers: pursuant to the Act's
provisions, unless otherwise authorized by law, a business cannot:
  - Intentionally communicate or otherwise make available to the
  general public an individual's entire social security number;
  - Intentionally print or embed an individual's entire social
  security number on any card required for the individual to access
  products or services provided by the person or entity;
  - Require an individual to transmit the individual's entire social
  security number over the Internet, unless the connection is secure
  or the social security number is encrypted;
  - Require an individual to use the individual's entire social
  security number to access an Internet website, unless a password or
  unique personal identification number or other authentication
  device is also required to access the website; and
  - Print an individual's entire social security number on any
  materials that are mailed to the individual, unless the materials
  are employer-to-employee communications or the individual has
  specifically requested them.
- PENALTIES: Any business that violates any provision of Acts 135,
136, or 137 is subject to penalties payable to the State of Hawaii of
not more than $2,500 for each violation. In addition, any business
that violates any provision is liable to an injured party in an
amount equal to the sum of any actual damages sustained.
Georgia is one of the most aggressive states in the United
States in fighting identity theft, introducing its first
identity theft legislation in 1998 making identity theft a
felony. The 1998 law was updated in 2002 by Senate Bill 475
to recognize that people whose identities are stolen are victims
even if they do not suffer financial loss. Also, the law
requires companies to securely dispose of all consumer identity
information.
The Illinois Personal Information Protection Act (HB 1633)
requires businesses to notify individuals when a security breach
results in their personal information being released to
unauthorized parties. The Act specifies the notification steps
businesses must follow in the event of a security breach.
Kansas Comprehensive Privacy Act
Unless required by federal law, no document available for public
inspection or copying shall contain an individual's social
security number if such document contains such individual's
personal information. "Personal information" shall include, but
not be limited to, name, address, phone number or e-mail
address.
The Louisiana Database Security Breach Notification Law (SB 205)
requires businesses to notify Louisiana residents when a
security breach results in their unencrypted personal
information being released to unauthorized parties and there is
reasonable likelihood of harm to customers. The Act specifies
the notification steps businesses must follow in the event of a
security breach.
The Maine Notice of Risk to Personal Data Act (LD 1671) requires
information brokers to notify individuals when a security breach
results in their personal information being released to
unauthorized parties. The Act specifies the notification steps
information brokers must follow in the event of a security
breach.
Maryland HB388
Employers in Maryland are no longer allowed to print an
employee’s social security number on their paycheck or any part
of the pay stub.
Minnesota Bill H.F. No. 2121 requires businesses to notify
individuals when a security breach causes their personal
information to be released to unauthorized parties. The Bill
specifies the notification steps businesses must follow in the
event of a security breach.
Montana’s Identity Theft Act (HB 732) requires businesses to
notify individuals when a security breach results in their
personal information being released to unauthorized parties if
that breach causes or is reasonably believed to cause loss or
injury to a Montana resident. The Act specifies the notification
steps that businesses must follow in the event of a security
breach. Additionally, the Act specifies that Montana businesses
must take reasonable steps to destroy customer records that are
no longer needed, if they contain personal information by
“shredding, erasing, or otherwise modifying the personal
information”.
Nevada Senate Bill 347 requires businesses to notify individuals
when a security breach results in their personal information
being released to unauthorized parties. The Bill specifies
the notification steps businesses must follow in the event of a
security breach.
New Hampshire Chapter 208 (SB334)
A consumer who has been the victim of identity theft may place a
security freeze on his or her consumer report by making a
request in writing, by certified mail to a consumer reporting
agency with a valid copy of the police report, investigative
report, or complaint the consumer has filed with a law
enforcement agency about unlawful use of personal information by
another person. In the case of a victim of identity theft, a
consumer reporting agency shall not charge a fee for placing,
removing, or temporarily lifting for a specific party or period
of time a security freeze on a consumer report.
New Jersey's Identity Theft Prevention Act (ITPA) protects
individuals from identity theft in various ways, including:
- requiring consumer credit reporting agencies to place security
freezes on consumer reports upon request;
- requiring businesses that collect digital records containing
personal information to notify individuals whose personal data is
compromised;
- limiting the use of social security numbers as general
identifiers; and
- requiring businesses to destroy personal information that is no
longer needed.
The New York Information Security Breach and Notification Act
(A04254) requires businesses to notify affected individuals when
a security breach results in their private information being
released to unauthorized parties. The Act specifies the
notification steps businesses must follow in the event of a
security breach.
The North Carolina Identity Theft Protection Act, (Senate Bill
1048) guards against the misuse of North Carolina residents’
personal information. The Act mandates the proper disposal of
records containing sensitive information, limits the legal uses
of social security numbers, and grants consumers the right to
put a credit freeze in place to prevent identity thieves from
obtaining false credit.
NC Identity Theft Act: Short Summary
North Carolina passed the Identity Theft Protection Act of 2005 in
December 2005. Although the act is focused on protecting financial
information, it also addresses the protection of personal
information that can be used to gain access to that information.
Because of this, universities that hold such information fall under
this legislation as well. Below is a summary of the major impact:
1. Social Security Numbers (SSNs) (6 digits or more) may not be
transmitted over the Internet in unencrypted form.
2. SSNs (6 digits or more) may not be used for authentication
without other identifying information.
3. SSNs (6 digits or more) may not be printed on any card, nor on
any material mailed to an individual, unless specifically required
by federal law.
4. Individuals must be notified of security breaches when there is
a reasonable likelihood that their "identifying information" was
compromised.
5. Identifying information covers a wide range of data, including
SSNs, bank account numbers, driver's license numbers, biometric
data (fingerprints), passwords, and a parent's legal surname prior
to marriage (often used by financial institutions as a form of
authentication).
6. A violation of this act can expose the offender to significant
monetary damages and to civil and criminal penalties, in addition
to the harm to individuals whose personal information is exposed.
Pennsylvania Senate Bill 713 the Breach of Personal Information
Notification Act, requires businesses to notify individuals when
a security breach results in their personal information being
released to unauthorized parties and the security breach causes
or will cause loss or injury to a Pennsylvania resident. The Act
specifies the notification steps businesses must follow in the
event of a security breach.
Pennsylvania Protection from Identity Theft Act - 2007
The Rhode Island Identity Theft Protection Act of 2005 (H6191
Substitute A) requires businesses to notify individuals when a
security breach results in their personal information being
released to unauthorized parties, unless an appropriate
investigation determines that the breach has not and will not
likely result in a significant risk of identity theft. The Act
specifies the notification steps businesses must follow in the
event of a security breach.
The Consumer Empowerment and Identity Theft Prevention Act of 2006
The Texas Information Disposal Act, House Bill 698 (HB 698),
amends the Texas Business and Commerce Code adding document
retention and disposal requirements. Specifically, it requires
that business records containing personal identifying
information be shredded, erased or destroyed by other means
prior to disposal.