
Cyber Security Laws
Introduction
Laws around cyber security and data protection have recently become much more prevalent with the emerging concern around data security; however, data security laws have been around since before the tech industry.
Today, the main laws in the US and EU around data security are as follows:
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI-DSS)
- Gramm-Leach-Bliley (GLBA) and Sarbanes-Oxley (SOX)
- General Data Protection Regulation (GDPR) (European Union that has gone global)
For each law, we will cover a brief history, a general description, who must comply, what it controls, the enforcement mechanisms and penalties, the difficulty of complying, and its benefits and drawbacks.
Health Insurance Portability and Accountability Act (HIPAA)
History and Description
HIPAA was signed into law on August 21st 1996, to “improve the portability and accountability of health insurance coverage” in the US. In addition, it was intended to combat waste, fraud and abuse in the health insurance industry.
In 2003 the Privacy Rule was introduced, with a compliance date of April 14th 2003. This rule establishes national standards to protect individuals’ medical records and personal health information, and requires appropriate safeguards to be established for these protections. In addition, it gives patients rights over their own health information, including the right to examine and obtain a copy of their health records and to request corrections.
The Security Rule followed, with a compliance date of April 21st 2005. This rule established national standards to protect electronic personal health information. It requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of this electronic data.
The Breach Notification Rule came into effect on September 23rd 2009. This rule requires organisations to notify affected individuals and the media following a security breach.
Finally, the Omnibus Final Rule came into effect on March 26th 2013. This rule implements several provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act to strengthen privacy and security protections.
Who must comply?
Healthcare providers of any kind must comply with HIPAA, including doctors, clinics, dentists and hospitals. Health plans must also comply, including government or private health insurance plans and insurance companies. Healthcare clearinghouses, meaning public and private entities that process health care information on behalf of others, such as billing services and repricing companies, are also covered. Finally, business associates, meaning any person or organisation that processes health information on behalf of a healthcare provider, must comply.
Specific Controls
Privacy Rule
These controls form the national standard to protect individuals’ medical records. The rule requires safeguards to protect the privacy of personal health information, sets limits and conditions on the use and disclosure of health information and on patient consent, and gives patients rights over their own health information.
Security Rule
This rule deals specifically with electronically stored personal health information; the three main categories of safeguards are:
- Administrative, creating policies and procedures to show how the organisation will comply with the act
- Physical, to control physical access to data storage areas
- Technical, protecting communication over open networks (such as the internet)
Breach Notification Rule
This rule requires entities to provide notification following a breach of personal health information. Breaches must be reported without delay, or the failure to report may itself be a HIPAA violation. If the breach involves fewer than 500 people, only the HHS Secretary must be notified; however, the media must also be informed if the breach involves more than 500 people.
Final Omnibus Rule
This rule made few changes to the HIPAA Act itself; however, it fills the gaps between the HIPAA and HITECH regulations, introduced specific encryption standards for electronic communication of health information, and allowed the Privacy and Security Rules to hold patient information indefinitely.
Penalties
Categories of HIPAA Violations
There are four categories of HIPAA Violations:
- Entity was unaware, could not have realistically known
- Should have been aware but could not have reasonably prevented
- Willful neglect of HIPAA Rules where violation has been addressed within 30 days
- Willful neglect of HIPAA Rules without being timely addressed
Penalties are based on the number of violations, and the maximum fine may be applied to any violation. The fine range for each category, per violation, is:
- $100 minimum, max $50,000
- $1,000 minimum, max $50,000
- $10,000 minimum, max $50,000
- $50,000 minimum, no max fine
Individuals may also face criminal charges personally with up to 10 years in prison.
Ease of Implementation
An organisation is required to do a great deal to comply with the law. Compliance is time-sensitive and costly to implement, ranging from $10,000 to $14,000,000 for large organisations, with an average implementation cost of $3,100,000.
Any small violation could result in a heavy fine, so compliance is required at all times to reduce this risk. However, this also requires coordination across departments and organisations to ensure compliance, which can prove difficult in bureaucratic organisations.
Benefits and Drawbacks
The benefits of this law are the improvement of security and trust within the US healthcare industry. However, the effort to become and stay compliant takes away from the budget for care-related activities, increasing the price of care in the US, which is already very costly. In addition, requiring patient consent for record disclosure can delay care, and the expense of implementing these controls increases overhead and complexity.
Payment Card Industry Data Security Standard (PCI-DSS)
History and Description
The first iteration of PCI-DSS was implemented in December of 2004, and the latest revision was released in May 2018. It was founded by a collection of financial authorities, including American Express, Discover Financial Services, JCB International, Mastercard and Visa, to create a common standard and counter the rise of payment fraud.
PCI-DSS is a guideline that clearly defines the technical and operational requirements for protecting cardholder information.
Who must comply?
Industry stakeholders are anyone who processes, uses, or stores credit or debit card information, online or offline, for any reason. All businesses that deal with card information are required to comply with PCI-DSS.
Controls
PCI-DSS sets out a series of goals, each with clear requirements.
Build and maintain a secure network. This is the first goal and is achieved by installing and maintaining firewalls and firewall configurations to protect cardholder data, and by not using vendor-supplied defaults for system passwords and other security parameters (Blue team remember, defaults are BAD! change them!).
Protect cardholder data. This is achieved by protecting stored cardholder data with encryption and by encrypting this data in transit over open or public networks such as the internet.
Maintain a vulnerability management program. This is achieved by using and regularly updating anti-virus software, and by developing and maintaining secure systems and applications.
Implement strong access control measures. This is achieved by restricting access to cardholder data by business need-to-know, assigning a unique ID to each person with computer access (user accounts per employee), and restricting physical access to cardholder data.
Regularly monitor and test networks. This is achieved by tracking and monitoring all access to network resources and cardholder data, and by regularly testing security systems and processes.
Maintain an information security policy. This is achieved by creating and adhering to a security policy that addresses information security for employees and contractors.
Enforcement Methods
A DSI certificate is not required; however, not holding one may cause additional fees during payment processing and validation. Failure to comply with the standard will result in revocation of the compliance certification.
Enforcement is carried out by the merchant bank responsible for the company, such as one of the founding members. PCI compliance fines vary in amount depending on the company size, the duration of non-compliance and the scope of non-compliance, but range between $5,000 and $100,000 per month.
Benefits and Drawbacks
The benefits of PCI-DSS are that it creates a uniform standard for data security in the payment card industry, which is now the most popular payment method. In addition, the standard is updated every couple of years to address new issues, and implementing security now means that the cost of a data loss would be lower than if no security were in place.
However, some drawbacks of the standard are that it can be unrealistic to cover all controls exactly as they are defined, and some controls will overlap per organisation; additionally, new forms of business such as Apple Pay and Venmo caused issues with PCI-DSS, resulting in vague instructions regarding third-party certification.
General Data Protection Regulation (GDPR)
History and Background
In the wake of World War Two, the European Convention on Human Rights was drafted in 1950, which states that “Everyone has the right to respect for his private and family life, his home and his correspondence”. In addition, the European right to privacy and multiple other human rights were drafted and implemented into each European country’s own legal system.
This led to more modern protections as the tech industry emerged in the 1980s and 1990s. The 1995 European Data Protection Directive established minimum data privacy and security standards across Europe; soon a more “comprehensive approach on personal data protection” was required, and GDPR was put into effect on May 25th 2018.
GDPR is targeted at “organisations anywhere so long as they target or collect data related to people in the EU”, and is designed to streamline data protection laws across Europe and provide consistency across the European Union.
Who must Comply?
Organisations with at least 250 employees, or that conduct high-risk data processing such as collecting and processing personal information of EU residents, must comply, as must organisations within the EU or with customers within the EU.
Controls and Requirements
Organisations must create a comprehensive privacy policy and let users know about the tracking technologies they may be using, including cookies. They must explain what these are doing and why they are required, and obtain valid consent before storing any tracking software on a user’s device.
They must also give users access to services even if the users do not consent to tracking and data collection. Organisations must document and store valid consent from users and offer a simple opt-in and opt-out system for tracking.
GDPR distinguishes between the two operators in data processing: data controllers and data processors. Data controllers are responsible for the secure handling and processing of data within an organisation, whereas data processors carry out these actions on the controller’s behalf.
GDPR gives particular rights to individuals over their data, including the following:
- The Right to be Informed – people should know what information is being collected, why, and how it is being used
- The Right of Access – people have the right to see what information an organisation may hold on them
- The Right to Rectification – people have the right to have data they provided changed or corrected without delay when they believe it is inaccurate
- The Right to be Forgotten – people have the right to have an organisation erase all information it may hold on them
- The Right to Restriction of Processing – individuals have the right to temporarily stop the processing of their data within an organisation
- The Right to Object – a data subject may object to their data being processed
- The Right to Avoid Automated Decision Making – individuals may request human review of automated decisions
Penalties
Penalties for non-compliance include hefty fines, which are administered by national authorities. These fines can be up to €20,000,000 or up to 4% of the organisation’s annual global turnover.
At the time of writing, this 4% of the annual global turnover at Amazon is $17 billion.
Benefits and Drawbacks
The requirements of GDPR are easy to understand and digest for an organisation, with a simple checklist and people available to help explain the process. It strongly values customers’ right to privacy and control over their information, and it will improve organisations’ data security.
The requirements of GDPR are easy to understand but difficult to implement. Complying with GDPR can be expensive for organisations due to the infrastructure required, and the controls are difficult if an organisation uses an automated service for decision making. Handling requests to stop collection, delete data, or provide human review of automated decisions about people and their data will require human resources and further infrastructure to implement. This makes the cost of GDPR compliance very high and difficult, but the alternative is equally high and damaging fines if compliance is not met.
Gramm-Leach-Bliley (GLBA) and Sarbanes-Oxley (SOX)
History and General Description
GLBA was enacted on November 12th 1999, in an attempt to update the financial industry, and was meant to repeal the Glass-Steagall Act of 1933. The Glass-Steagall Act said that commercial banks were not allowed to provide financial services such as insurance and investment services as part of their business operation; it was created to protect bank depositors from risk, especially stock market volatility, after the Great Depression.
In 1997 the Charter Pacific Bank of Agoura Hills in California sold millions of credit card numbers to an adult website company. As a result, customers were billed for accessing these adult websites and other services they did not use.
In 1998 NationsBank shared customer information with third-party marketers (which violated its own policies) without the customers’ knowledge, and the telemarketers charged those customers using the data provided.
Due to those events and more, Congress added Title V in the GLBA provisions, giving privacy protections for financial information.
GLBA requires companies that provide consumers with financial products or services, such as loans, financial or investment advice, or insurance, to explain their information-sharing practices to customers while safeguarding sensitive data.
SOX was passed by Congress in July of 2002 in response to the financial scandals at the beginning of the 21st century. Companies such as Tyco International PLC, WorldCom, and Enron Corporation are examples of high-profile frauds that damaged investors’ confidence and trust in corporate financial statements. This led to many people calling for regulatory standards.
The act created rules that impose stricter recordkeeping requirements on accountants, auditors and corporate officers; those who do not follow these rules face criminal charges.
SOX mandates certain practices in financial recordkeeping. The act improved auditing and public disclosure of accounting information to prevent fraudulent financial practices while protecting shareholders and employees.
Controls
GLBA
GLBA compliance requires financial organisations to create and disclose a privacy policy that clearly states how they collect personal information about their customers and how they intend to use it.
Customers also retain the right to decide which information an organisation can take and use for its operations.
GLBA Can be broken down into three groups:
The Financial Privacy Rule
This rule requires organisations to outline their intentions for the customer’s financial information before entering into a relationship with them. This ensures that the customer is well informed of what they will be submitting and how it will be used, so they can decide whether or not to proceed.
The Safeguard Rule
This rule requires organisations to implement security controls to protect customer personal information; this includes implementing audit procedures and information disclosure controls.
The Pretexting Rule
This rule is designed to counter identity theft and stop organisations or employees from collecting information under false pretences, such as through social engineering.
SOX
SOX is similar, with three primary sections: Section 302, Section 404 and Section 802.
Section 302
This section mandates that senior corporate officers certify in writing that the company’s financial statements comply with SEC disclosure requirements. This means that officers who sign off on these operational and financial statements are personally subject to criminal penalties, including prison time, if any inaccuracies or falsifications are discovered.
Section 404
This section requires that internal controls and reporting methods are established to prevent or discover problems, and that the controls are used adequately (similar to the Safeguard Rule in GLBA).
Section 802
This section contains recordkeeping and auditing rules. It deals with falsification and destruction of records, and states retention periods for keeping records, such as:
- 7 Years for Accounting records
- 5 years for invoices
- Permanently keeping audits, contracts, training manuals and employee records
Retention also covers any communications the company may have with customers or business partners.
Enforcement Mechanisms
GLBA is enforced by the Federal Trade Commission (FTC) and by federal banking agencies and authorities. Breaches of GLBA could see institutions fined up to $100,000 per violation, and individuals fined up to $10,000 per violation and sentenced to five years in prison.
SOX, however, is enforced by the Securities and Exchange Commission (SEC), with penalties for executives of up to $1 million and ten years imprisonment; “willingly” certifying noncompliant financial reports increases these to up to $5 million and 20 years imprisonment.
Benefits and Drawbacks
Complying with these laws and regulations can be difficult. A drawback of these laws is that if one or two people commit a violation, it can bring down the trust of the entire organisation, which can be hard to recover after reporting.
However, the financial transparency between companies and shareholders that SOX provides, combating fraud and holding corporations accountable for their actions, gives a much greater sense of trust and security within the industry.
Final Overall Take
Laws governing privacy and data security do have their benefits for all involved. However, they come with costs, financial and logistical, to those required to comply and to their customers. Implementing security controls and hardware adds more overhead, which will naturally become a factor when billing a client for medical or financial transactions.
With that said, the cost of security is, as it always has been, an insurance business. Paying that extra money to keep your financial data safe could save you all of your wealth in the event of an attack, so compliance with these laws is essential.