Chp 1 Privacy Laws and Regulations
Employee Privacy Issues and Expectation of Privacy
organizations must give employees the proper notice of any monitoring that might be used. Organizations must also ensure that the monitoring of employees is applied in a consistent manner. Many organizations implement a no-expectation-of-privacy policy that the employee must sign after receiving the appropriate training.
USA Freedom Act of 2015
reauthorizes parts of the USA PATRIOT Act but dissolves its notorious bulk data collection of Americans' phone records and Internet metadata.
General Data Protection Regulation (GDPR)
strengthens individual privacy rights to include the following: Valid consent: Organizations must follow stricter rules for consent as a legal basis for processing. Transparency: Organizations must be transparent regarding what information is collected and how the information is processed. Correction: Organizations must allow individuals to correct inaccurate personal data. The right to be forgotten, also known as the right to erasure: Organizations must allow individuals to request that their personal data be erased under certain conditions. Data portability: Organizations must allow individuals to move personal data from one service provider to another. Automated processing: Organizations must not use automated processing as the sole decision maker.
Economic Espionage Act of 1996
makes the theft of trade secrets by foreign entities a federal crime in the US.
Basel II
main purpose is to protect against risks the banks and other financial institutions face. It is an international accord, and compliance is not mandatory.
Electronic Communications Privacy Act (ECPA)
It extended government restrictions on wiretaps from telephone calls to include transmissions of electronic data by computer and prohibited access to stored electronic communications.
Communications Assistance for Law Enforcement Act (CALEA) of 1994
It requires telecommunications carriers and manufacturers of telecommunications equipment to modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities. This allows federal agencies to monitor all telephone, broadband Internet, and Voice over IP (VoIP) traffic in real time.
USA PATRIOT Act of 2001
Strengthens the federal government's power to conduct surveillance, perform searches, and detain individuals in order to combat terrorism.
European Union
The EU Principles on Privacy include strict laws to protect private data. The EU's Data Protection Directive provides direction on how to follow the laws set forth in the principles. The EU then created the Safe Harbor Privacy Principles to help guide U.S. organizations in compliance with the EU Principles on Privacy. Some of the guidelines include the following: Data should be collected in accordance with the law. Information collected about an individual cannot be shared with other organizations unless given explicit permission by the individual. Information transferred to other organizations can be transferred only if the sharing organization has adequate security in place. Data should be used only for the purpose for which it was collected. Data should be used only for a reasonable period of time.
Federal Intelligence Surveillance Act (FISA)
first act to give procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between "foreign powers" and "agents of foreign powers" and only applied to traffic within the United States.
Health Care and Education Reconciliation Act of 2010
act increases some of the security measures that must be taken to protect healthcare information.
Gramm-Leach-Bliley Act (GLBA)
affects all financial institutions, including banks, loan companies, insurance companies, investment companies, and credit card providers. It provides guidelines for securing all financial information and prohibits sharing financial information with third parties.
Federal Privacy Act of 1974
affects any computer that contains records used by a federal agency. It provides guidelines on collection, maintenance, use, and dissemination of PII about individuals.
Computer Fraud and Abuse Act
affects any entities that might engage in hacking of "protected computers" as defined in the act. A "protected computer" is a computer used exclusively by a financial institution or the U.S. government.
Federal Information Security Management Act (FISMA)
affects every federal agency. It requires the federal agencies to develop, document, and implement an agency-wide information security program.
Personal Information Protection and Electronic Documents Act (PIPEDA)
affects how private sector organizations collect, use, and disclose personal information in the course of commercial business in Canada.
Sarbanes-Oxley (SOX)
an act that affects any organization that is publicly traded in the United States. It controls the accounting methods and financial reporting for the organizations and stipulates penalties and even jail time for executive officers.