Information Security:
U.S. Federal Law
- 15 U.S.C. § 6801, et seq.
Gramm-Leach-Bliley Act of 1999 (GLBA) (Public Law 106-102, 113 Stat. 1338) —
Restricts the disclosure of nonpublic personal information about customers by financial institutions.
All financial institutions must give customers the opportunity to "opt out" of the
sharing of their nonpublic personal information with unaffiliated third parties. Section 501(b)
(15 U.S.C. § 6801(b)) also directs the financial regulators to issue standards for administrative,
technical, and physical safeguards of customer records and information. Obtaining customer information
from a financial institution under false pretenses ("pretexting") is a federal crime under the Act
(15 U.S.C. §§ 6821-6823). November 12, 1999.
- 18 U.S.C. § 1029.
Fraud and Related Activity in Connection with Access Devices —
Defines federal crimes related to counterfeit access devices, unauthorized access devices,
device-making equipment, telecommunications instruments that have been modified or altered to
obtain unauthorized use of telecommunications services, scanning receivers, etc.
- 18 U.S.C. § 1030.
Fraud and Related Activity in Connection with Computers (Computer Fraud and Abuse Act) —
Establishes federal criminal penalties, and since 1994 a civil cause of action, for accessing a
computer without authorization or in excess of authorized access, and for related fraud, damage,
extortion, and trafficking in passwords. Unauthorized attempts to upload, alter, or destroy information
on a protected computer may be punishable under this law. Amended in 1994 and 1996, and on
October 26, 2001, by the USA PATRIOT Act (see below).
- 18 U.S.C. § 1362.
Communication Lines, Stations, or Systems
- 18 U.S.C. § 2511.
Interception and Disclosure of Wire, Oral, or Electronic Communications Prohibited (the Wiretap Act,
as amended by the Electronic Communications Privacy Act of 1986)
- 18 U.S.C. § 2701.
Unlawful Access to Stored Communications (Stored Communications Act) — Makes it a federal crime to
intentionally access without authorization a facility through which an electronic communication service
is provided, or to intentionally exceed an authorization to access that facility, and thereby obtain,
alter, or prevent authorized access to a wire or electronic communication while it is in electronic
storage in such system.
- 18 U.S.C. § 2702.
Voluntary Disclosure of Customer Communications or Records
- 18 U.S.C. § 2703.
Required Disclosure of Customer Communications or Records (requirements for governmental access)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) —
The privacy provisions of this federal law apply to health information created or
maintained by health care providers who engage in certain electronic
transactions, health plans, and health care clearinghouses. The
Department of Health and Human Services issued the regulation "Standards
for Privacy of Individually Identifiable Health Information" (the Privacy Rule),
applicable to individuals and entities covered by HIPAA, on December 28, 2000. The
companion Security Rule (45 C.F.R. Part 164, Subpart C), published February 20, 2003, sets
administrative, physical, and technical safeguards for electronic protected health information.
HIPAA itself was enacted August 21, 1996.
- Electronic Signatures in Global and National Commerce Act (E-Sign Act) (Public Law 106-229) —
Allows the use of electronic signatures and electronic records in executing contracts.
June 30, 2000.
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism Act of 2001 (USA PATRIOT Act) (Public Law 107-56) —
This large and complex Act was enacted a few weeks after, and in response to, the September 11, 2001,
terrorist attacks. It amended several of the statutes listed above, including 18 U.S.C. §§ 1030,
2511, 2702, and 2703. Several of its surveillance provisions carried a sunset date of December 31, 2005,
and other parts have since been revised by subsequent acts and court decisions. October 26, 2001.
- Sarbanes-Oxley Act of 2002 (SOX) (Public Law 107-204) —
Aims to deter fraud in publicly traded companies through expanded record-keeping and
audit requirements. This large and complex Act deeply affects the controls, security, and IT
infrastructure of public companies: the Section 404 requirement for internal controls over
financial reporting extends to the IT systems and access controls that support that reporting.
SOX therefore drives information security requirements in public companies of every sector,
not just financial institutions and health care organizations.
July 30, 2002.
- Federal Information Security Management Act of 2002 (FISMA), Title III of the E-Government Act of 2002
(Public Law 107-347) —
Establishes a framework for securing federal information and information systems. Requires each agency to
develop, document, and implement an agency-wide information security program, including periodic testing
and evaluation of the effectiveness of its security controls, and to undergo an annual independent
evaluation of that program, with results reported to the Office of Management and Budget and to Congress.
The program's scope includes information and information systems used or operated on the agency's
behalf by other organizations, such as contractors, state governments, and local governments.
December 17, 2002.
- Fair Credit Reporting Act (FCRA) (15 U.S.C. § 1681, et seq.; FTC regulations at 16 C.F.R. Part 600) —
Sets forth legal standards governing the collection, use, and communication of credit data
and certain other information about consumers. Amended in 1996, 1997, 1998, 2001, and by the
Fair and Accurate Credit Transactions Act (FACTA) (Public Law 108-159) of December 4, 2003.
FACTA includes many new provisions to prevent identity theft. It requires that account
numbers on electronically printed credit and debit card receipts be "truncated" to no more than the
last five digits, with the card's expiration date omitted (15 U.S.C. § 1681c(g)), to limit exposure of
the full numbers.
- Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act of 2003)
(Public Law 108-187) —
Requires unsolicited commercial e-mail messages to include opt-out instructions and the sender's valid
physical postal address, and to not have deceptive subject lines or false or misleading header information.
Directs the FTC to report on, and authorizes it to establish, a national "do-not-e-mail"
registry. Preempts certain state laws on unsolicited commercial e-mail messages, but state
laws governing deception may not be preempted.
December 16, 2003.
Copyright © 2003 - 2007 by Daniel W. Hancock. All Rights Reserved.