
SUMMARY OF POTENTIALLY APPLICABLE LAWS, REGULATIONS, AND/OR STANDARDS

California Online Privacy Protection Act (OPPA)
    Legislative Summary
    Online Applicability
    Further Information

Children's Online Privacy Protection Act (COPPA)
    Legislative Summary
    Online Applicability
    Further Information

Data Protection Act of 1998
    Legislative Summary
    Online Applicability
    Further Information

DCID -- Director of Central Intelligence Directive 6/3
    Directive Summary
    Online Applicability

EU Safe Harbor Principles
    Legislative Summary
    Online Applicability
    Further Information

Federal Information Security Management Act of 2002 (FISMA)
    Legislative Summary
    Online Applicability
    Further Information

Gramm-Leach-Bliley Act (GLBA)
    Legislative Summary
    Online Applicability
    Further Information

Health Insurance Portability and Accountability Act (HIPAA)
    Legislative Summary
    Online Applicability
    Further Information

North American Electric Reliability Council (NERC) – Security Guidelines for the Electricity Sector
    Legislative Summary
    Online Applicability
    Further Information

Office of the Comptroller of the Currency (OCC) Web-Linking Guidelines
    Legislative Summary
    Compliance Risks
    Online Applicability

Payment Card Industry (PCI) Data Security Standards (DSS)
    Standards Summary
    Application Security Applicability

    Legislative Summary
    Online Applicability
    Further Information

The Security Breach Information Act (California SB 1386)
    Legislative Summary
    Online Applicability
    Further Information

New York Information Security Breach & Notification Act (A.B. 4254)
    Legislative Summary
    Further Information

Section 207: Quality Web Compliance for Federal Agencies
    Legislation Summary

Section 208: Privacy Compliance (EGOV) for Federal Agencies
    Legislation Summary
    Further Information

Section 508: Accessibility Compliance for Federal Agencies
    Legislative Summary
    Further Information

Visa CISP (Cardholder Information Security Program)
    Legislative Summary
    Online Applicability
    Further Information

Summary


California Online Privacy Protection Act (OPPA)

Legislative Summary

The California Online Privacy Protection Act of 2003 (OPPA) is a privacy policy requirement law that came into effect on July 1, 2004. It requires that a privacy policy be "conspicuously" posted on all commercial websites that collect personally identifiable information (PII) on California consumers. The law also requires companies to follow promises made in a posted privacy policy. Although the new law is a California statute, it may affect any website that can be viewed by California consumers; in other words, every company with a commercial website or online service. If your company already has a privacy policy posted on your website, you should evaluate whether the policy is sufficiently accessible and contains the required information.

The law provides a 30-day grace period for companies to comply if they're notified of failure to post a policy that complies with the law. Failure to comply could lead to civil fines or injunctions. While many companies already have privacy policies on their websites, the new California law imposes specific requirements concerning both the form and the content of a website privacy policy.

Online Applicability

The actual text of the privacy policy must appear on the homepage or the first major page after entering the site, or must be accessible through a hyperlink, text link or other functional link:

*       Icons used as hyperlinks on the homepage must include the word "privacy," and must also use a color that contrasts with the background color of the page.

*       Text links must either include the word "privacy", be written in capital letters equal to or greater in size than the surrounding text, or be "written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language."

The privacy policy must:

  1. Identify the categories of PII that will be collected through the site (including first and last name, street address, email address, telephone number, social security number, or any other identifier by which a person can be contacted physically or online) and the categories of third parties with whom this personal information may be shared
  2. Describe the process by which consumers can review or request changes to their personal information, if any such process exists
  3. Describe the process used to notify consumers of any changes to the privacy policy
  4. State the effective date of the policy
  5. Be conspicuously posted on the site

Further Information

*       http://www.privacy.ca.gov/


Children's Online Privacy Protection Act (COPPA)

Legislative Summary

The Children's Online Privacy Protection Act requires the Federal Trade Commission (FTC) to issue and enforce rules to protect the online collection and use of personal information from children under the age of 13. The primary goal is to place parents in control over what information is collected from their children online. This legislation applies to operators of:

  1. Commercial websites or online services directed to children under 13 that collect personal information from children
  2. General audience sites that knowingly collect personal information from children under 13
  3. General audience sites that have a separate children's area and that collect personal information from children. If your financial institution has a website or an area for children, this legislation applies to you.
  4. Foreign-run websites, which must comply with COPPA if they are directed to children in the U.S. or knowingly collect information from children in the U.S.

Online Applicability

Websites targeted specifically at children must:

*       Provide a privacy statement at all data collection points

*       Obtain parental consent before obtaining personal information from children

General audience websites must:

*       Avoid collecting personal information from children under the age of 13 and therefore avoid triggering the provisions of the act.

*       Implement a verifiable parental consent mechanism if such information is required.

Further Information

*       http://www.ftc.gov/coppa

*       http://www.ftc.gov/kidzprivacy


Data Protection Act of 1998

Legislative Summary

The Data Protection Act of 1998 governs the processing of personal data in the UK. The United Kingdom's Data Protection Act of 1984 was revised in 1998, and brought into effect on March 1, 2000. The new Act changes the original definitions and meanings of personal data, and broadens the scope of the original act by differentiating between personal data and sensitive personal data. The Act now incorporates the concepts of 'obtaining', 'holding' and 'disclosing'.

The Data Protection Act of 1998 contains eight Data Protection Principles:

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

By law, businesses have to adhere to these principles, and must notify the Information Commissioner if they collect personal data. Under the Act, the UK's Information Commissioner can serve an enforcement notice to any business that contravenes any of the Data Protection principles while processing personal information. When asked to do so by a member of the public, businesses must stop processing personal information about the individual.

Online Applicability

Website operators who collect personal information from individuals must:

*       Ensure web collection forms comply with 'fair processing' principles, i.e. identify the organization to users, explain why the site is collecting the data, and name the third parties the data will be passed to (both internally and externally).

*       Inform users when they intend to use "cookies" or web bugs (beacons) and provide the opportunity to refuse the cookie. Ensure the security of the data collection process.

*       Post a privacy policy and provide links to it at every point of information collection.

*       Provide an "opt-out" mechanism for receiving direct marketing email.

*       Ensure a valid email address is used for direct marketing purposes.

*       Ensure that, if information is collected from children under 12, they understand how their information is being collected and used. Parental consent must be obtained for those under the age of 12, and there must be a way to verify that the consent has been given.

Website operators established outside the UK that use a computer hosted inside the UK to collect personal information, or where the operator places a cookie on the computer of a UK Internet user, are also subject to the Act.

Further Information

*       http://www.hmso.gov.uk/acts/acts1998/19980029.htm#aofs

*       http://www.jisclegal.ac.uk/dataprotection/DPPrinciples.htm


DCID -- Director of Central Intelligence Directive 6/3

Directive Summary

This US federal directive establishes the security policy and procedures for storing, processing, and communicating classified intelligence information in information systems. Because intelligence information is a vital asset to the effective performance of US national security roles, it is essential that this information be properly managed, and that its confidentiality, integrity, and availability be ensured. Directive 6/3:

*       Provides policy and procedures for the security and protection of systems that create, process, store, and transmit intelligence information.

*       Provides administrative and system security requirements, including those for interconnected systems.

*       Defines and mandates the use of a risk management process.

*       Defines and mandates the use of a certification and accreditation process.

*       Promotes the use of efficient procedures and cost-effective, computer-based security features and assurances.

*       Describes the roles and responsibilities of the individuals who constitute the decision-making segment of the IS security community and its system users.

*       Requires a life-cycle management approach to implementing system security requirements.

*       Introduces the concepts of Level-of-Concern and Protection Level for information.

This policy and its associated implementation manual apply to the information systems (ISs) of all United States government organizations, their commercial contractors, and Allied governments that process, store, or communicate intelligence information.

Online Applicability

The "Protecting Sensitive Compartmented Information Within Information Systems" manual sets out the 11 steps required for accreditation of an information system; these steps are:

  1. Determine Level of Concern
  2. Determine Protection Level
  3. Determine Interconnected System Requirements
  4. Identify Technical Security and Assurance Requirements
  5. Determine Required Documentation and Testing Activities
  6. Write the System Security Plan
  7. Validate Security in Place
  8. Testing against Security Requirements
  9. Prepare Certification Package
  10. Forward Certification Package
  11. Accreditation Decision by the DAA (Designated Accrediting Authority)

EU Safe Harbor Principles

Legislative Summary

The European Union's comprehensive privacy legislation, the Directive on Data Protection, requires that transfers of personal data take place only to non-EU countries that provide an adequate level of privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Community. As such, the U.S. Department of Commerce developed a "safe harbor" framework to streamline the process for US companies to comply with the EU Directive, requiring that they:

  1. Provide notice to individuals about the specific purposes of the data collection
  2. Provide choice to opt-out of disclosure to third-parties or additional uses (opt-in for sensitive information)
  3. Require third-party agents who receive personal information to provide the same level of privacy protection
  4. Allow means for an individual to access personal information held
  5. Take reasonable precautions against loss, misuse or unauthorized access
  6. Keep data reliable for its intended use
  7. Provide a readily available recourse mechanism
  8. Provide procedures verifying implementation of principles

The Safe Harbor legislation applies to US headquartered organizations, US subsidiaries of foreign companies and business partners of European businesses.

Online Applicability

Organizations seeking to certify to the Safe Harbor must:

*       Provide a comprehensive privacy notice detailing all data collection & purposes

*       Provide opt-in / opt-out mechanisms on data collection forms as appropriate

*       Review third-party websites for compliance with key privacy principles

*       Implement security safeguards over the collection of personal information online, particularly sensitive information

*       Implement ongoing monitoring procedures to verify continued compliance with the EU Safe Harbor principles online

Further Information

*      www.export.gov/safeharbor


Federal Information Security Management Act of 2002 (FISMA)

Legislative Summary

The Federal Information Security Management Act (FISMA) was passed by Congress and signed into law by the President as part of the Electronic Government Act of 2002. It provides a framework to ensure comprehensive measures are taken to secure federal information and assets. FISMA compliance is a matter of national security, and is therefore scrutinized at the highest level of government. Because the Act applies to the information and information systems used by the agency, contractors, and other organizations, it has a wider applicability than previous security laws. Agency IT security programs apply to all organizations which possess or use Federal information -- or which operate, use, or have access to Federal information systems -- on behalf of a Federal agency, including contractors, grantees, State and local governments, and industry partners. Therefore, Federal security requirements continue to apply, making the agency responsible for ensuring appropriate security controls.

REPORTING ON FEDERAL GOVERNMENT INFORMATION SECURITY MANAGEMENT

Federal agencies must transmit their FY reports to the Office of Management and Budget (OMB) by October of each year. OMB uses the reports to help evaluate government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and inform development of the E-Government Scorecard under the President's Management Agenda. The report must summarize the results of annual IT security reviews of systems and programs, and any progress the agency has made towards fulfilling their FISMA goals and milestones.

Online Applicability

*       FISMA Sec. 3505(c)(1): The head of each agency shall develop and maintain an inventory of major information systems (including major national security systems) operated by or under the control of such agency.

*       FISMA Sec. 3505(c)(2): The identification of information systems in an inventory under this subsection shall include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.

*       FISMA Sec. 3544(a)(1)(A)(i) & Sec. 3547: The application should be protected against unauthorized access, use, disclosure, disruption, modification or destruction of information collected or maintained by the agency.

*       FISMA Sec. 3544(a)(1)(A)(ii): The application should be protected against unauthorized access, use, disclosure, disruption, modification or destruction of information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of the agency.

*       FISMA Sec. 3544(a)(1)(A)(ii): The head of each agency shall be responsible for the information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

*       FISMA Sec. 3544(b): The application must be able to ensure the integrity, confidentiality, authenticity, availability, and non-repudiation of information and information systems supporting agency operations and assets.

*       FISMA Sec. 3544(b)(2)(C): Each agency shall develop, document, and implement an agency-wide information security program, ensuring that information security is addressed throughout the life cycle of each agency information system.

*       FISMA Sec. 3544(b)(2)(D): Each agency shall develop, document, and implement an agency-wide information security program that includes periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented.

FISMA compliance requires detailed reporting and measurements on cyber security for the agency, both on the existing risks as well as the remediation plans. Verifying compliance for every IT system within the organization requires comprehensive validation testing and remediation planning with coordinated reporting and information flow to allow the Agency head to accurately report on their current FISMA compliance status.

Organizations lacking a centralized IT function and the foundational processes and procedures required for testing and reporting on the various IT systems have to build this infrastructure from scratch and are under significant time pressure, which in turn leaves little room for error. Most government agencies have hundreds, if not thousands, of systems that comprise the IT/IS infrastructure. These numbers exacerbate the compliance reporting requirements and ultimately lead to FISMA compliance failure. Coupled with limited funding and potential misinterpretations of the requirements, many agencies are in dire compliance shape.

Further Information

xxx


Gramm-Leach-Bliley Act (GLBA)

Legislative Summary

The Financial Services Modernization Act of 1999, more commonly known by the names of its authors as the Gramm-Leach-Bliley Act, includes provisions to protect consumers' personal financial information held by financial institutions. Repealing the Depression-era barriers that separated banking, insurance and securities, the Act allows US financial services providers (including banks, securities firms, and insurance companies) to affiliate with each other and enter each other's markets. The legislation is intended to ensure financial institutions protect sensitive customer information that may be accessible to hackers through web-enabled environments, including Internet connectivity and hosting arrangements. The Safeguards Rule went into effect in 2003, requiring proactive steps to ensure the security of customer information.

While this legislation modernizes the US financial landscape, it also contains significant privacy and security elements for individuals, including the:

*       Provision of a comprehensive privacy notice upon application and on an annual basis. The privacy notice should include what information the institution collects about its customers, with whom it shares the information, and how it protects or safeguards the information.

*       Provision of a detailed security policy that identifies and assesses the risks that may threaten customer information. The policy must outline specific security measures that the institution will take in implementing a security program.

*       Provision of opt-out rights for any sharing of personal information with non-affiliated 3rd party companies. The privacy notice must explain how consumers can opt out. The privacy notice also must explain that consumers have a right to say no to the sharing of certain information, such as credit report or application information, with their financial institution's affiliates.

*       Implementation of significant security safeguards.

Online Applicability

Online, the onus is on financial institutions to:

  1. Provide a privacy notice at all online application points
  2. Ensure that appropriate opt-out notices and mechanisms are available at certain online information collection points
  3. Implement security safeguards over the collection of financial information online
  4. Ensure that personal financial information is not being passed to 3rd parties in contravention of sharing rules
  5. Protect against any anticipated threats or hazards to the security or integrity of customer records
  6. Protect against unauthorized access to or use of these records or information that could result in substantial harm or inconvenience to a customer.

Further Information

*       www.senate.gov/~banking/conf/

*       www.ftc.gov/bcp/conline/pubs/buspubs/glblong.htm

*       www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm


Health Insurance Portability and Accountability Act (HIPAA)

Legislative Summary

The goal of this legislation is to enable the movement of health information among health-related organizations in a protected manner. It includes various stringent privacy and security protections including limits on sharing and use of encryption. HIPAA applies to US healthcare providers / health insurers and their business associates. If your financial institution has an employer-sponsored health care plan, this legislation also applies to you.

The Administrative Simplification section of HIPAA mandates a new security policy to protect an individual's health information, while permitting the appropriate access and use of that information by healthcare providers, clearinghouses and health plans.

Online Applicability

Entities covered by the act must:

  1. Provide a comprehensive privacy notice on websites collecting personal health information (PHI)
  2. Ensure that all collection of personal health information online is appropriate and secure
  3. Ensure that personal health information is not being passed to 3rd parties in contravention of sharing rules
  4. Protect against any reasonably anticipated:

*       threats or hazards to the security or integrity of the information

*       unauthorized uses or disclosures of the information

  5. Provide technical security services to guard data integrity, confidentiality and availability
  6. Establish audit control mechanisms to record and examine system activity

Further Information

*       www.hhs.gov/ocr/hipaa/


North American Electric Reliability Council (NERC) – Security Guidelines for the Electricity Sector

Legislative Summary

Presidential Decision Directive 63 (PDD-63), "Protecting America's Critical Infrastructures," officially identifies electricity as a critical infrastructure. PDD-63 calls for a framework for cooperation within individual infrastructure sectors and with government for the vital mission of protecting critical infrastructures. The U.S. Department of Energy (DOE) is the lead agency for the energy sectors, and has designated the North American Electric Reliability Council (NERC) as the Sector Coordinator for the Electricity Sector (ES).

As the Sector Coordinator, NERC is responsible for:

*       assessing sector vulnerabilities

*       developing a plan to reduce electric system vulnerabilities

*       proposing a system for identifying and averting attacks

*       developing a plan to alert electricity sector participants and appropriate government agencies that an attack is imminent or in progress

*       assisting in reconstituting minimum essential electric system capabilities in the aftermath of an attack

NERC has issued security guidelines to help industry companies evaluate their own risks and exposures to vulnerabilities and perceived threats. Perpetrators include insiders and outsiders whose actions may be cyber or physical in nature.

Online Applicability

Cyber -- Access Control: Effective access controls are critical to protecting electronic information systems and services that support and maintain the electric infrastructure. Anyone who owns and/or manages information systems and/or services that support the Electric Infrastructure should have documented policies and procedures in place to manage authorization, authentication, and monitoring of logical and physical access to such information systems and services. Such documentation should clearly define roles and responsibilities, procedures for establishing authorization, and the methods you select for authentication and monitoring.

This guideline is applicable to anyone who owns and/or manages information systems and/or services that support the electric infrastructure. A computer system environment is as critical as its most critical component and as vulnerable as its most vulnerable component. Therefore this guideline would be applicable across the enterprise.

Cyber -- Intrusion Detection: To implement and maintain a successful cyber intrusion detection program requires a proactive, ongoing effort. As technology changes, so do the tools used for network attacks. It is imperative that IT organizations remain current with changes in technology to understand new attack methods and tools, and to respond to those attacks when they occur. Early detection is essential and staffing at the 24x7 level should be considered. Automated monitoring alarms that initiate alerts tied to pager, email, and/or voice messaging systems also should be considered.

This guideline is applicable to anyone who owns and/or manages information systems and/or services that support the electric infrastructure. A computer system environment is as critical as its most critical component and as vulnerable as its most vulnerable component. Therefore this guideline would be applicable across the enterprise.

Cyber -- Securing Remote Access: Electronic Control and Protection Systems (ECPS) control the systems that generate, transmit, and distribute electricity. For business reasons, it is necessary to provide a means for users to remotely access ECPS. Remote Access to these systems may require special considerations for security. Unauthorized Remote Access to an ECPS may result in interruption of electric service, damage to the elements of the electric grid, or a danger to life and property. ECPS vendors and other support personnel increasingly use Remote Access tools such as pcAnywhere™, telnet, and FTP for support purposes directly over the Internet to the internal controls networks. As a result, it is critical to preserve the security of the Remote Access to the ECPS. Authentication of the user is a critical element of the security policy.

This guideline is applicable to anyone who owns, manages, or maintains ECPS and/or services that support the Critical Electric Infrastructure. A computer system environment is as critical as its most critical component and as vulnerable as its most vulnerable component.

Further Information

*       http://www.nerc.com/~filez/cipfiles.html


Office of the Comptroller of the Currency (OCC) Web-Linking Guidelines

Legislative Summary

The Office of the Comptroller of the Currency (OCC) Web-Linking Guidelines define a set of steps banks must take to distinguish between products and services offered by the bank itself and those offered through a third party. These guidelines also highlight the risks associated with third-party linking relationships, and require banks to:

*       Effectively plan, implement and supervise the monitoring of the bank's Web-linking arrangements

*       Conduct due diligence on third-parties and negotiate formal contracts in order to minimize transaction and reputation risk

This legislation applies to interstate banks in the United States regulated by the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), or Office of Thrift Supervision (OTS).

Compliance Risks

Financial institutions face compliance risks if a third party they link to offers less security and privacy protection than they do. If the third party's policies and procedures create security weaknesses or apply privacy standards that enable the third party to release confidential customer information, customers may blame the financial institution.(1)

As well, some web-linking agreements between a financial institution and a third party may involve additional information-sharing arrangements that require compliance with the Privacy Regulations of the Gramm-Leach-Bliley Act (GLBA).(2) Joint marketing agreements are an example of this type of web-linking arrangement.

Online Applicability

Financial institutions must:

  1. Maintain an ongoing inventory of all third-party linking relationships
  2. Conduct ongoing due diligence on linked websites to ensure appropriateness of the linked content
  3. Ensure the security and privacy policies and procedures of third-party linking relationships are in accordance with the financial institution's policies. If the third party does not maintain a level of transaction security appropriate for online banking, customers should be made aware of these differences in security through various types of warnings and disclosures before entering into a third party transaction -- or even before going to the third party's website
  4. Implement web-linking disclosures to distinguish between the bank's website and those of third parties

(1): Title V of the Gramm-Leach-Bliley Act (Pub. L. 106-102) and the agencies' implementing regulations (12 CFR Parts 40, 332, 573, and 716, hereinafter referred to as the "Privacy Regulations") govern the disclosure of nonpublic personal information by financial institutions to nonaffiliated third parties. The Agencies have also adopted the Guidelines Establishing Standards for Safeguarding Customer Information (12 CFR Parts 30, app. B; 364, app. B; 570, app. B; and 748, app. A).

(2): Under the Privacy Regulations, generally, financial institutions may not disclose non-public personal information about a customer to non-affiliated third parties without notifying the affected consumer about the disclosure and must provide him or her with an opportunity to exercise his or her opt-out right. However, there are certain exceptions to the notice and opt-out requirements, such as circumstances in which a financial institution discloses information in connection with the servicing or processing of a financial product that a consumer has requested (12 CFR §§ 40.14, 332.14, 573.14 and 716.14) and the disclosing of information to an unrelated financial institution under a "joint marketing agreement" (12 CFR §§ 40.13, 332.13, 573.13 and 716.13).


Payment Card Industry (PCI) Data Security Standards (DSS)

Standards Summary

The PCI DSS were formed by merging Visa's Cardholder Information Security Program (CISP) with MasterCard's Site Data Protection (SDP) program. These combined Data Security Standards, which have now been endorsed by all the major credit card companies, were developed as a guideline to help organizations that process card payments prevent the loss of sensitive cardholder information through fraud, hacking or other security issues.

Does PCI Apply to me?

Any company that processes, stores or transmits credit card data must be PCI DSS compliant or risk losing the ability to continue processing payments. These merchants or service providers must validate their PCI DSS compliance by undergoing regular compliance audits performed by Qualified Security Assessors (QSAs).

What is involved in PCI Compliance?

  1. Annual On-site Security Audit or Self-Assessment
  2. Quarterly Network Scans

PCI DSS 1.1: 12 requirements organized in 6 logically related groups

Build and Maintain a Secure Network

    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

    5. Use and regularly update anti-virus software
    6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

    7. Restrict access to cardholder data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

Maintain an Information Security Policy

    12. Maintain a policy that addresses information security

These 12 requirements apply to all “system components” which are defined as any network component, server or application that is included in or connected to the cardholder data environment.

Application Security Applicability

Referring back to the 12 PCI DSS Compliance requirements, the following apply specifically to an organization's online channel and the web applications used to conduct transactions:

*       #6: Develop and maintain secure systems and applications

*       #11: Regularly test security systems and processes


Privacy and Electronic Communications Regulations (EC Directive) 2003

Legislative Summary

The Privacy and Electronic Communications (EC Directive) Regulations, which came into effect in the UK in December 2003, impose strict restrictions on the use of cookies and direct marketing practices (who may be contacted, for what purpose and in what way). The UK Regulations are necessary for the implementation of the EC Directive on Privacy and Electronic Communications (Directive 2002/58/ECDPEC), which forms part of the new European regulatory framework for electronic communications networks and services.

The implementation of the Directive into UK law impacts direct marketers, website and online content businesses, providers of subscriber directories, Internet users and anyone who sends or receives commercial communications by email or SMS. The UK's Information Commissioner has issued guidance to help website owners understand and implement the Regulations.

Online Applicability

Use of Cookies
Under the Directive, organizations must disclose their information collection practices in their privacy policy, including the information they collect, how they will use or share the information, and the use of cookies or other tracking devices. At points where personal data is being collected, a link to the privacy policy must be provided. Website owners can only use cookies and other tracking devices if EU users:

*       are given clear and comprehensive information about the purpose of website cookies

*       give consent to the use of cookies

*       are offered the chance to refuse these cookies

It is important to note that the Regulations do not distinguish between persistent and session cookies, so websites are required to provide information and the chance to refuse cookies in both cases. Also important to note is that if cookies do contain personal data, website owners must also comply with the UK Data Protection Act of 1998.

Many web application vulnerabilities may lead to security breaches of personal information, directly or indirectly, and could be considered as violations of the Regulations.

Direct Online Marketing
The Regulations require that all direct marketing campaigns be driven by an opt-in mechanism, unless you are marketing under an existing vendor-customer relationship; then an opt-out only mechanism is acceptable. As well, individuals or organizations must not disguise or conceal their identities in any marketing emails, and valid email addresses must be supplied in the email.

Further Information

*       http://www.opsi.gov.uk/si/si2003/20032426.htm


The Security Breach Information Act (California SB 1386)

Legislative Summary

Effective July 1, 2003, California Senate Bill 1386, the Security Breach Information Act, attempts to stem the growth of identity theft by mandating the public disclosure of computer security breaches in which confidential information of any California resident may have been compromised. The California law defines personal information as a last name paired with a first name or first initial and one of the following: a social security number, a driver's license or California Identification Card number, or a number from a bank account, credit card or debit card, along with a password or security code that would give access to the account. (SB 1386 exempts personal information that a company has stored in an encrypted format.)

This law applies to:

*       state agencies, individuals or businesses that conduct business with California residents, regardless of their location, even if they only handle the data of one resident of California

*       organizations that have employees based in California or that provide outsourcing services for those employees in California

If a business maintains computerized data that it does not own, it must notify the owner or licensee of the information of the breach; responsibility for the breach then rests with the data owner, regardless of the state in which it resides.

Notification Requirements

Organizations that suffer a computer security breach must notify the affected customers without delay through one of the following methods:

  1. Written notification
  2. Electronic notice on the company's website
  3. Email notice when the agency has a provided customer address

Organizations that can demonstrate that notification will cost over $250,000, or that must provide notification to over 500,000 customers, can use an alternate program of notification. This alternate program must include the following mechanisms:

  1. Email notification to customers
  2. Notification to major statewide media outlets
  3. Posting of the notice on the organization's website

Any agency or business failing to provide these notices is subject to civil actions from the injured party.

Online Applicability

SB 1386 defines a breach as "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information." Organizations must ensure they guard against theft and the tampering or disclosure of personal data:

*       Applications should ensure the security and confidentiality of customer records and information

*       The applications must not disclose to a nonaffiliated party any nonpublic personal information

Further Information

*       http://news.com.com/2100-1017-1022341.html


Information Security Breach & Notification Act (New York A.B. 4254)

Legislative Summary

The law requires entities that conduct business in New York state and own or license “private” data to notify state residents affected by any security breach that results in unauthorized acquisition of that data.

“Private” data is defined as unencrypted computerized information that can identify the individual, combined with one of the following data elements:

  1. social security number,
  2. driver’s license or non-driver identification card number, or
  3. financial account information such as credit or debit card numbers in combination with access codes or PIN numbers.

Private data is considered to be unencrypted when either the identifying information or the data element is not encrypted or is encrypted with a key that has also been acquired.

Notification Requirements

Notification must be made to affected persons by:

  1. written notice,
  2. electronic notice if express consent is provided to receive information in that format,
  3. telephone notice, or
  4. under certain circumstances, email notice by conspicuous posting of the notice on the website of the affected business and notification to major statewide media.

If a person or business maintains, but does not own, the data that is unlawfully acquired, then the person or business must contact the entity that owns or licenses the use of the data.

Further Information

Section 207: Quality Web Compliance for Federal Agencies

Legislation Summary

A significant challenge facing agencies is the ability to meet Office of Management and Budget reporting requirements. The OMB expects prompt and orderly implementation of the policies in Memorandum (M-05-04) and the requirements of Section 207(f) of the E-Government Act of 2002 (Pub. L. No. 107-347). The OMB will monitor agency compliance with these policies as part of its oversight of agency information resource management programs.


Section 208: Privacy Compliance (EGOV) for Federal Agencies

Legislation Summary

On September 26, 2003, the OMB issued Guidance for implementing Section 208, the Privacy Provisions of the E-Government Act of 2002. This updates previous guidance in relation to privacy responsibilities, the posting of privacy policies, use of tracking technologies (agencies are forbidden to use persistent cookies and web beacons), and the requirement for parental consent for the collection of personal information from children consistent with the Children's Online Privacy Protection Act (COPPA). Agencies were to submit a report of their compliance plans to the Office of Management and Budget (OMB) by December of each year.

Further Information

*       http://www.whitehouse.gov/omb/memoranda/m03-22.html


Section 508: Accessibility Compliance for Federal Agencies

Legislative Summary

Accessibility to government information continues to be an area of concern for many US citizens. Section 508 of the Rehabilitation Act Amendments of 1998 requires all US federal agencies to make their information technology accessible to their employees and customers with disabilities. Customers must be able to access information available to the public. According to the US Census, there are 54 million Americans with some form of disability including 14 million with visual impairments. This group makes up approximately 10% of the online population.

In reality, many government organizations continue to fail these standards. The 4th annual 'E-government' survey released by Brown University in August 2007 showed that only 54 percent of federal sites and 46 percent of state sites met the guidelines for Section 508.

Further Information

*       www.section508.gov/


Visa CISP (Cardholder Information Security Program)

Legislative Summary

In April 2000, Visa launched its Cardholder Information Security Program (CISP) as a standard for securing Visa cardholder data. Effective since June 2001, CISP compliance has been required of all entities that store, process, or transmit Visa cardholder data. Financial institutions offering VISA cards must comply with CISP and are responsible for ensuring the compliance of their merchants and service providers for all payment channels, including retail, mail/telephone-order and ecommerce. Specifically, Level 1 Merchants, Level 1 Service Providers, and Level 2 Service Providers must be in compliance with the Visa U.S.A. Cardholder Information Security Program (CISP) and create reports on Compliance.

CISP has 12 compliance requirements:

  1. Install and maintain a working firewall to protect data
  2. Keep security patches up-to-date
  3. Protect stored data
  4. Encrypt data sent across public networks
  5. Use and regularly update anti-virus software
  6. Restrict access by "need to know"
  7. Assign unique ID to each person with computer access
  8. Don't use vendor-supplied defaults for passwords and security parameters
  9. Track all access to data by unique ID
  10. Regularly test security systems and processes
  11. Implement and maintain an information security policy
  12. Restrict physical access to data

Participating merchants and service providers must pay for their own CISP compliance assessment, and the cost of compliance depends on the extent to which they are already in compliance. If a merchant or service provider refuses to participate in CISP, Visa may impose a fine on the financial institution responsible for them. The bottom line is, merchants and their service providers must meet the CISP requirements to continue to accept Visa Payment products.

Compliance Penalties

Failure to comply with CISP standards or to rectify a security issue can result in:

*       fines ($50,000 for the 1st violation; $100,000 for the 2nd violation)

*       restrictions on the merchant

*       permanent prohibition of the merchant or service provider's participation in Visa programs.

In the event of a security breach, financial institutions must immediately investigate the incident and limit the exposure of cardholder data, and must immediately notify Visa and report on their investigation of the incident. Financial institutions will not be fined for merchants or service providers that have been compromised but were found to be CISP-compliant at the time of the security breach. However, if a merchant or service provider is compromised and was not CISP-compliant at the time of the breach, the financial institution is subject to fines of up to $500,000 per incident.

Compliance Requirements and Deadlines

*       Merchants that process more than 6 million Visa transactions annually must submit compliance documentation by September 30, 2004. These merchants must undergo an annual onsite review performed according to the CISP Security Audit Procedures and Reporting document. Compliance must be documented in a Report On Compliance as specified by these procedures.

*       Merchants that process between 500,000 and 6 million Visa transactions annually must submit compliance documentation by March 31, 2005. Compliance documentation must be made immediately available to Visa upon request. Compliance validation documentation includes:

    1. Annual Compliance Questionnaire that addresses any system(s) or system component(s) involved in processing, storing, or transmitting Visa cardholder data.
    2. Quarterly System Perimeter Scan performed by a security assessor approved by Visa. The system perimeter scan must be performed on the merchant's external-facing IP addresses.

Online Applicability

Referring back to the 12 CISP Compliance requirements, the following apply to an organization's online business:

*       Install and maintain a working firewall to protect data

*       Protect stored data

*       Implement and maintain an information security policy

*       Regularly test security systems and processes

Further Information

http://usa.visa.com/merchants/risk_management/cisp_overview.html?it=c|/merchants/risk_management/cisp.html|Compliance%20Validation#anchor_3


ISO 17799

Summary

ISO 17799 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). The Standard contains twelve main sections:

*       Risk assessment and treatment

*       Security policy

*       Organization of information security

*       Asset management

*       Human resources security

*       Physical and environmental security

*       Communications and operations management

*       Access control

*       Information systems acquisition, development and maintenance

*       Information security incident management

*       Business continuity management

*       Compliance



CobiT

COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.



Personal Information Protection and Electronic Documents Act (PIPEDA)

This Canadian law establishes a right to the protection of personal information collected, used or disclosed in the course of commercial activities, or in connection with the operation of a governmental work, undertaking or business, whether within Canada or internationally.

PIPEDA establishes the following principles to govern the collection, use and disclosure of personal information:

  1. accountability,
  2. identifying the purposes for the collection of personal information,
  3. obtaining consent,
  4. limiting collection,
  5. limiting use,
  6. disclosure and retention,
  7. ensuring accuracy,
  8. providing adequate security,
  9. making information management policies readily available,
  10. providing individuals with access to information about themselves, and
  11. giving individuals a right to challenge an organization's compliance with these principles.

A Privacy Commissioner has been created to receive complaints concerning violations of the principles, conduct investigations and attempt to resolve such complaints. Unresolved disputes relating to certain matters can be taken to the Canadian courts for resolution.

PIPEDA establishes a legislative scheme by which requirements in Canadian laws and regulations that contemplate the use of paper or do not expressly permit the use of electronic technology may be administered or complied with in the electronic environment. Appropriate authorities are authorized to make regulations about how those requirements may be satisfied using electronic means. In addition, the characteristics of secure electronic signatures are defined and described, and the Act grants authority to make regulations prescribing technologies or processes for the purpose of the definition "secure electronic signature".