IT Regulatory Compliance in North America

ALAN CALDER
Copyright Date: 2007
Published by: IT Governance Publishing
Pages: 52
https://www.jstor.org/stable/j.ctt5hh7hx
    Book Description:

    This pocket guide is intended as a brief, accessible survey of the major North American legislation relating to IT and information security. It provides a concise summary of the IT governance provisions currently in effect in Canada and the United States. Including advice on the requirements for preserving corporate records, the guide will help you to identify any gaps in your organization’s IT compliance regime.

    eISBN: 978-1-905356-32-4
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-5)
  2. Table of Contents
    (pp. 6-7)
  3. CHAPTER 1: INTRODUCTION
    (pp. 8-9)

    A key challenge for all IT executive teams is to ensure that the organization avoids breaches of any criminal or civil law, as well as any statutory, regulatory or contractual obligations, and of any security requirements.

    Control A.15.1.1 of ISO/IEC 27001:2005 (the best-practice information security management standard) provides guidance that is relevant to the IT governance of every organization. It says that the organization should explicitly define and document the statutory, regulatory and contractual requirements for each of its information systems, and that this documentation should be kept up-to-date to reflect any relevant changes in the legal environment.

    The specific controls...

  4. CHAPTER 2: US LEGISLATION
    (pp. 10-11)

    Legislation and regulation that is relevant to North American organizations includes:

    The Sarbanes-Oxley Act, primarily a corporate governance act but with significant regulatory implications – see chapter 3, below

    Basel 2, which primarily affects banks and major financial institutions and has extensive IT compliance implications – see chapter 4, below

    The California Senate Bill 1386, which requires notification of breaches of personal data security, and a host of similar state-level laws – see page 19, below

    Online personal privacy legislation, including the California Online Privacy Protection Act 2004 (‘OPPA’), which requires websites serving Californians (irrespective of their geographic or jurisdictional...

  5. CHAPTER 3: CORPORATE GOVERNANCE Sarbanes-Oxley
    (pp. 12-16)

    The Sarbanes-Oxley Act of 2002 (SOX), introduced in the United States in the aftermath of Enron, has important IT governance implications for listed American companies, their foreign subsidiaries and foreign companies that have US listings. It applies to all Securities and Exchange Commission (‘SEC’)-registered organizations, irrespective of where their trading activities are geographically based. Compliance is mandatory and there are significant potential sanctions for individual directors.

    While the Act lays down detailed requirements for the governance of listed corporations, the three highest profile and most critical sections – which were implemented in phases – are 302, 404 and 409.

    The...

  6. CHAPTER 4: BASEL 2
    (pp. 17-18)

    The Bank for International Settlements¹ (‘BIS’) is an international organization based in Basel, Switzerland, which fosters international monetary and financial cooperation and serves as a bank for central banks.

    BIS supports the Basel Committee on Banking Supervision, which is made up of members from 13 countries around the world. It has over 30 technical working groups dealing with financial issues from capital adequacy to risk management.

    The Basel 2 Accord is formally titled: ‘International Convergence of Capital Measurement and Capital Standards: a Revised Framework’. It was first published in June 2004 and has been revised and updated since; the most...

  7. CHAPTER 5: BREACH NOTIFICATION
    (pp. 19-21)

    Identity theft and personal privacy have become extremely important issues for IT compliance executives and there has been a proliferation of state-level legislation requiring breaches of individual privacy to be notified.

    Security breach notification laws require companies and other entities that have lost data to notify affected consumers.

    Security freeze laws allow consumers to reduce the risk of identity theft by freezing their credit reports, so that prospective lenders cannot access the report to open new credit until the consumer lifts the freeze.

    These laws are largely based on the Federation of State Public Interest Research Groups’ Consumers Union Clean Credit and Identity Theft Model Act.² The first relevant state-level breach notification law was California’s SB-1386,...

  8. CHAPTER 6: ONLINE PERSONAL PRIVACY
    (pp. 22-23)

    The primary goal of the Children’s Online Privacy Protection Act (‘COPPA’) is to give parents control over what information is collected from their children online and how that information is used.⁴

    COPPA applies to operators of:

    commercial websites and online services directed to children under 13 that collect personal information from them;

    general audience sites that knowingly collect personal information from children under 13; and

    general audience sites that have a separate children’s area and that collect personal information from children under 13.

    COPPA requires operators to:

    post a privacy policy on the homepage of the website and link to...

  9. CHAPTER 7: WORKPLACE PRIVACY
    (pp. 24-25)

    The Electronic Communications Privacy Act (‘ECPA’) 1986 is a complicated act. It makes it unlawful under certain circumstances for someone to intercept or disclose the contents of an electronic communication (18 USC § 2511). Title III of ECPA is known as the Pen Register Act, because it governs the use of pen registers (and trap-and-trace devices), with restrictions on both private and law enforcement use. A pen register is a device or process which records or decodes dialling, routing, addressing or signalling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.

    Private parties were generally restricted from using...

  10. CHAPTER 8: HIPAA
    (pp. 26-27)

    HIPAA – the Health Insurance Portability and Accountability Act 1996 – applies to health plans, health care clearing houses and health care providers, which are known in the Act as ‘covered entities’.

    The Act requires health care organizations to protect – and keep up-to-date – their patients’ health care records (which includes patient account handling, billing and medical records), in order to streamline health industry processes, reduce paperwork, make the detection and prosecution of fraud easier, and enable workers to more easily change jobs, even if they have pre-existing medical conditions.

    The information security requirements of the Act are contained...

  11. CHAPTER 9: GLBA
    (pp. 28-31)

    The Financial Services Modernization Act 1999, usually called the Gramm-Leach-Bliley Act (‘GLBA’) after its sponsors, covers all US-regulated financial services corporations. It applies to banks, securities firms and insurance companies, and to any business engaged in:

    lending, brokering or servicing any type of consumer loan,

    transferring or safeguarding money,

    preparing individual tax returns,

    providing financial advice or credit counselling,

    providing residential real estate settlement services,

    collecting consumer debts, and

    an array of other activities.

    The GLBA charges the boards of these entities with protecting their customers’ personal information against any ‘reasonably foreseeable’ threats to its security, confidentiality or integrity. The GLBA also applies to a wide...

  12. CHAPTER 10: ANTI-SPAM LEGISLATION
    (pp. 32-33)

    Closely allied to the issues of privacy and data protection is the global challenge of spam. Spam, or unsolicited commercial email, has been the subject of regulatory concern because it upsets so many of its recipients.

    The Controlling the Assault of Non-Solicited Pornography and Marketing Act 2003 – the ‘CAN-SPAM Act’ – set national standards for the sending of commercial bulk and unsolicited email and requires the Federal Trade Commission (FTC) to enforce its provisions. This act permits email marketers to send unsolicited commercial email as long as it contains:

    an opt-out mechanism,

    a functioning return email address,

    a valid...

  13. CHAPTER 11: FEDERAL INFORMATION SECURITY MANAGEMENT ACT (‘FISMA’)
    (pp. 34-35)

    The E-Government Act 2002 recognized the importance of information security to the economic and national security interests of the United States.

    Title III of the E-Government Act, entitled ‘Federal Information Security Management Act’ (‘FISMA’), requires each federal agency to develop, document and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by any other agency, contractor or other source.

    FISMA, along with the Paperwork Reduction Act 1995 and the Information Technology Management Reform Act 1996, explicitly emphasizes a risk-based policy for...

  14. CHAPTER 12: FFIEC
    (pp. 36-37)

    US banks were required to comply, by December 2006, with an updated set of standards for online banking issued in October 2005 by the Federal Financial Institutions Examination Council (FFIEC)⁶ and called ‘Authentication in an Internet Banking Environment’.

    FFIEC requires multi-factor authentication (‘MFA’) because single-factor authentication (‘SFA’) has proven inadequate against the tactics of increasingly sophisticated attackers, particularly on the internet. In MFA, the user must present more than one independent form of authentication before a transaction is accepted: something they know (a password or PIN), something they have (a hardware token or one-time-code generator) or something they are (a biometric). In contrast, SFA involves only a user ID and password, a single ‘something you know’ factor.

    Authentication methods that can be used in MFA include biometric verification such...
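    The multi-factor check described above, as an added example that is not part of the pocket guide or of any FFIEC material: a login that requires a password (something you know) and a time-based one-time code (something you have, RFC 6238 TOTP), and that refuses either factor on its own, a wrong code, or a replayed code. The user record, the password and the TOTP secret (the RFC 4226/6238 reference test secret) are constructed for the demo; only the Python standard library is used.

```python
"""Added example (not from the pocket guide): two-factor login check,
password (factor 1, something you know) plus RFC 6238 TOTP (factor 2,
something you have). User store and secret are constructed for the demo."""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000
TOTP_STEP = 30      # seconds per TOTP time step
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)  # constant-time compare


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step)


def match_totp(secret: bytes, code: str, at: int, window: int = 1) -> Optional[int]:
    """Return the counter that produced `code`, tolerating +/- `window` steps of
    clock drift, or None. Every candidate is compared so timing does not reveal
    which step (if any) matched."""
    base = at // TOTP_STEP
    matched = None
    for delta in range(-window, window + 1):
        counter = base + delta
        if hmac.compare_digest(hotp(secret, counter), code):
            matched = counter
    return matched


class User:
    """Constructed in-memory user record; a real deployment would persist this."""
    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.last_counter = -1   # replay guard: highest TOTP counter already accepted


def authenticate(user: User, password: str, code: str, at: int) -> bool:
    """Both factors must pass. A code is accepted at most once: the matched
    counter must be newer than the last one this user logged in with."""
    if not verify_password(password, user.salt, user.pw_hash):
        return False
    counter = match_totp(user.totp_secret, code, at)
    if counter is None or counter <= user.last_counter:
        return False
    user.last_counter = counter
    return True


# Constructed demo secret: the RFC 4226/6238 reference test key, never a real one.
DEMO_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Four login attempts against one constructed user at RFC 6238 test time 59."""
    pw = "correct horse battery staple"
    alice = User("alice", pw, DEMO_SECRET)
    now = 59                         # counter 1 in RFC 6238's test vectors
    good = totp(DEMO_SECRET, now)    # "287082"
    return {
        "both_factors": authenticate(alice, pw, good, now),          # True
        "replay":       authenticate(alice, pw, good, now),          # False: code reused
        "password_only": authenticate(alice, pw, "000000", now),     # False: wrong code
        "code_only":    authenticate(alice, "wrong", totp(DEMO_SECRET, now + 30), now + 30),  # False
    }


if __name__ == "__main__":
    print(demo())
```

    Run it directly to see the four outcomes. The point for a compliance reviewer is that a correct password with a missing, wrong or reused code fails exactly like a wrong password, and that every comparison goes through hmac.compare_digest so a near-miss cannot be distinguished by response timing.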

  15. CHAPTER 13: EU REGULATION
    (pp. 38-39)

    The two most important European Union instruments, for North American organizations working with or within the EU, are the EU Data Protection Directive 1995 (95/46/EC) and the EU Privacy and Electronic Communications Directive (2002/58/EC, in force in member states from 2003).

    The US–EU Safe Harbor framework allows US corporations that are regulated by the Federal Trade Commission (‘FTC’) and have operations in the EU to receive European personal data. They can comply with the EU Data Protection Directive by adopting the seven Safe Harbor Principles (these compliance standards are certified through the Department of Commerce and enforced by the FTC), which are set out on the Commerce Department’s website⁷, and submitting themselves to Commerce Department certification.... (Note that the Safe Harbor decision was invalidated by the Court of Justice of the EU in October 2015, after this guide was written, and has since been replaced by successor US–EU transfer frameworks.)

  16. CHAPTER 14: PIPEDA
    (pp. 40-43)

    Canada’s Personal Information Protection and Electronic Documents Act (‘PIPEDA’) has applied since 1 January 2004 to all Canadian businesses (both paper-based and online), unless they are subject to substantially similar provincial laws. See www.privcom.gc.ca/legislation/ss_index_e.asp for more information on what is considered to be ‘substantially similar’.

    A separate Privacy Act applies to personal information held by Canadian federal government institutions.

    These Acts are both overseen by the Privacy Commissioner of Canada (www.privcom.gc.ca) and the Federal Court.

    PIPEDA was designed to satisfy the EU that Canadian privacy laws were adequate for the protection of EU citizens. It incorporates and makes mandatory provisions...

  17. CHAPTER 15: INTELLECTUAL PROPERTY RIGHTS (IPR)
    (pp. 44-45)

    Every organization needs to implement appropriate procedures to ensure compliance with legal restrictions on the use of material to which IPR might apply and on the use of proprietary software products.

    Organizations deal with all sorts of third party material, some of which may contain IPR, in the form of copyright, design rights or trademarks. The cornerstone of US copyright law is the 1976 Copyright Act; the more recent, 1998, Digital Millennium Copyright Act made important advances, particularly in criminalizing the circumvention of technological protection measures such as digital rights management (‘DRM’) software.

    Copyright protection is applied to specific expressions of ideas, not to...

  18. CHAPTER 16: SAFEGUARDING OF ORGANIZATIONAL RECORDS
    (pp. 46-49)

    Every organization must protect its important records from loss, destruction or falsification.

    It is important to define ‘record’. According to the Federal Records Act 1950,⁸ a record is:

    ‘recorded information, regardless of medium or characteristics, made or received by an organization that is evidence of its operations and has value requiring its retention for a specific period of time’.

    According to the National Archives and Records Administration (NARA) records include:

    ‘all books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of physical form or characteristics, made or received […] or in connection with the transaction of public business...

  19. APPENDIX: IT GOVERNANCE RESOURCES
    (pp. 50-52)