Tag: FISMA

History of Federal Data Privacy Regulations in the US

July 3, 2019 at 2:52 pm by Paul Falcone

Throughout history, the United States has passed quite a few different laws to protect privacy for its citizens. Generally, the laws focus on protecting one specific aspect of privacy, but they are extremely specific and in-depth on that one aspect. With the growing of the digital age, it is important to wonder if the United States is doing a good enough job keeping up with cybersecurity and data privacy.

data-privacy-history

4th Amendment

One of the first privacy laws the United States passed was the 4th Amendment, which protects people from unlawful searches. While the 4th Amendment protects people from physical and apparent searches, it has birthed some confusion regarding modern technology. In the case of Carpenter v. United States, it was ruled that the 4th Amendment protects searches of cell phone location data, but it went all the way to The Supreme Court, and was ruled 5-4 in favor of the cell phone privacy.

Fair Credit Reporting Act (FCRA) 1970

The FCRA protects citizens from their consumer reporting agencies files being used against them. A consumer reporting agency file holds personal information used to decide credit, insurance, banking info, and more. It prevents the use of information in their file being used without their knowledge and it allows a person to know what is in their file. The FCRA also allows a person to dispute inaccuracies and forces agencies to delete false or inaccurate information as well as incomplete information.

US Department of Health, Education, and Welfare (HEW) 1973 Computers and the Rights of Citizens

HEW is a report that was focused on the growing use of computers, and how that could impact the future of data keeping and protection. It focused on consequences of using automated personal data systems, how to stop those consequences, and policy for social security numbers.

Privacy Act of 1974

The Privacy Act of 1974 was a turning point in data privacy and security. It protects information that would be retrieved by an individual through their name or any other personally identifiable mark, and prevents said information from being disclosed without written consent of the individual in question. The Privacy Act of 1974 is the biggest step the United States took for data privacy and paved the way for more specific data privacy laws in the future.

Federal Educational Rights and Privacy Act (FERPA) 1974

FERPA protects educational information from being disclosed. Essentially, the Act prohibits schools from sending out information to anyone. Parents are allowed access to the educational info, but once the student turns 18 and continues schooling beyond high school, the rights transfer to the student. There are of course, certain people to whom the schools can send information, but they are all either financial, for the good of the student’s education, or for legal purposes. Schools can disclose certain information, such as name and date of birth of a student, but to do so, they must contact said student beforehand and give them a reasonable amount of time to request it not be shared.

Right to Financial Privacy Act (RFPA) 1978

RFPA protects the financial privacy of people. Essentially, it does not allow anyone to view financial information of a person without the person being notified and given a chance to object. In the words of this law, a “person” is judged to be an individual or a partnership of five or less individuals. In other words, it does not extend to corporations or large partnerships.

Video Privacy Protection Act of 1988 (VPPA)

The VPPA protects from the disclosure of rental records of “prerecorded video cassette tapes or similar audio-visual material.” Effectively, it means that without written consent or a valid warrant, no one can get the information of what a person has rented in the past.

The Gramm-Leach-Bliley Act of 1999 (GLBA)

GLBA ensures that financial institutions explain their information sharing processes with a customer. It also makes the institutions safeguard their consumer’s sensitive information. A financial institution constitutes a company that deals in the business of loans, investment advice, or insurance.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA protects the health information of individuals. It forces the protection and integrity of health information and it expects institutions to protect against anticipated threats against the security of the info as well as illegal disclosure.

Driver’s Privacy Protection Act of 1994 (DPPA)

The DPPA protects the information held by any state DMV. It disallows the use or release of personal info obtained from any department in relation to a motor vehicle. The information covered by this act includes name, address, SSN, phone number, and other personal effects. It does not cover traffic violations, accidents, or license status.

Children’s Online Privacy Protection Act of 1998 (COPPA)

COPPA protects children’s privacy from being collected or used. A child is defined as being under the age of 13. It requires the consent of a parent for the information of a child to be taken or used. This act works specifically for websites and online services that were targeted at children.

Federal Information Security Management Act of 2002 (FISMA)

FISMA in short is the government protecting its own cybersecurity and set guidelines for their own security moving forward. This act was the government acknowledging the importance of cybersecurity. It has since been replaced by the Federal Information Modernization Act of 2014, which is commonly referred to as FISMA reform or FISMA2014. FISMA2014 amended laws to give the government more room to increase their own cybersecurity.

Fair and Accurate Credit Transactions Act of 2003 (FACTA)

FACTA provides consumers with more accurate credit related records and entitles them to one free credit report per year from the three credit reporting agencies — Experian, Equifax, and TransUnion. It also grants consumers the ability to purchase additional credit reports for a reasonable price. The act also allows consumers to place alerts on their credit histories, to help prevent identity theft.

Telephone Records and Privacy Protection Act of 2006 (TRPPA)

TRPPA prevents pretexting – the imitation or impersonation of someone else in order to gain personal information – to buy or sell personal phone records. It should be noted that it does not affect information agencies or law officials.

State Laws and Federal Mandate

As it currently stands, many of the states have their own specific data privacy laws. Some states have more protection than others. For instance, Massachusetts have passed more data security laws than Tennessee, which has stayed closer to the federal laws alone.

In the digital era we live in, data security is a rising problem. As technology improves, more personal information becomes digital, and more security is needed. There needs to be a federal mandate that brings a unified guideline to all states that will encourage stronger cybersecurity protocols. In this current day and age, individual citizens want to be 100% certain that their personal information is well protected. Furthermore, if all the states have different laws, companies will not be able to comply with all of them, and will be forced to adhere to the strictest policies, or discontinue business with certain states all together.

The United States has consistently been putting out laws to protect privacy and enforce cybersecurity. With the way history has been it is safe to assume that they will continue to do so into the future. It is clear the cybersecurity is a major concern of the United States. The next step would logically be the United States releasing a federal mandate to standardize the data privacy laws for all states. Moving into the future, the United States needs to stay on top of new technology, and pass laws to better protect their citizens from cybercriminals.

Data Security Regulation Compliance: Challenges and Solutions

July 1, 2019 at 8:28 pm by Paul Falcone

GDPR. GLBA. FACTA. These are just a few of the recent onslaught of acronyms that have risen to govern federal and state privacy and data security regulations for businesses and organizations. Some are truly new, while others have been established for quite some time and are just getting more attention now. Indeed, consumer privacy laws and protocols have been the focus of society’s conversation at large for the last two years. And, this global conversation is only just getting started.

If you’re just joining in on the discussion, or even if you’re not and you want a quick refresher, continue reading for a quick overview of the most important national and international data security regulations currently in effect.

The Top 8 Data Security Regulations

HIPAA Privacy & Security Rules

Providers, professionals, and clearinghouses (hereto referred as covered entities) in the healthcare industry that are covered under HIPAA must also adhere to specific security regulations for all Protected Health Information (PHI) that the organization collects.

The HIPAA Privacy Rule requires the covered entity to implement appropriate physical (e.g., facility access and control; workstation and device security), technical (e.g., access control; audit controls; integrity controls; transmission security), and administrative (e.g., security management process; security personnel; information access management; workforce training; policy and procedure evaluation) safeguards for PHI to avoid prohibited as well as incidental use and disclosure of the PHI data. See 45 CFR 164.530(c). In addition, the HIPAA Security Rule also requires the covered entity to set policies and procedures for the disposal of electronic PHI (ePHI). As part of this mandatory safeguard process, covered entities must also train their workforce members on the proper disposal policies and procedures erected and enforce these policies. See 45 CFR 164.310(d)(2)(i).These rules hold especially true with the disposal of PHI and requires the covered entity to not only destroy the ePHI and the hardware or electronic media on which it is stored, but to first properly dispose of the ePHI data on the media before that media is made ready for reuse. Failure to adhere to the HIPAA Security and Privacy Rules could result in unlawful release of PHI, and consequently, the potential for identity theft, employment discrimination, or even harm to the individual’s reputation. Moreover, the covered entity can face serious penalties for noncompliance.

FACTA

The Fair and Accurate Credit Transactions Act (FACTA) is an addendum to the Fair Credit Reporting Act (FCRA) and covers creditors, accountants, lawyers, financial institutions, and other organizations dealing with consumer credit information. FACTA limits how consumer information can be shared as well as controls how this private data is disposed of, to ensure protection of the individual to whom the information pertains from identity theft.

When it comes to the proper disposal of consumer information, FACTA stipulates that reasonable measures must be taken by the organization to prevent the theft or otherwise unauthorized access and use of the protected data. The Rule mandates said data be destroyed by the pulverization, shredding, or burning of all papers in which the consumer information is printed, rendering the information unreadable and otherwise unable to be reconstructed in any manner. FACTA disposal policies also extend to the electronic media housing the protected consumer information.

Organizations under FACTA may also need to incorporate their data disposal policies into the organization’s security information program as required by the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR part 314 (“Safeguards Rule”) and for persons subject to the Gramm-Leach-Bliley Act.

GLBA

The Gramm-Leach-Bliley Act (GLBA) of 1999 mandates that financial institutions and any other companies that offer financial products to consumers such as loans, financial or investment advice, and insurance must have safeguards to protect their customers’ sensitive data and must also disclose in full their information-sharing practices and data security policies to their customers.

Check-cashing businesses, payday lenders, real estate appraisers, professional tax preparers, courier services, mortgage brokers, and nonbank lenders are examples of businesses that don’t necessarily fall under the “financial institution” category yet are included in the GLBA. Because these organizations are significantly involved in providing financial products and services, they therefore have access to personally identifiable and sensitive data like social security numbers, phone numbers, addresses, bank and credit card numbers, and income and credit histories.

GLBA-covered organizations must develop a written information security plan that details the policies put in place at the organization to protect customer information. The security measures must be appropriate to the size of the business and the complexity of the data collected. Moreover, each company must designate an employee or a group of personnel to coordinate and enforce its security measures. Lastly, the organization must continually evaluate the effectiveness of its developed security measures, identifying and assessing risks to improve upon the policy and measures taken as needed.

FISMA

To ensure the protection of proprietary United States data within government agencies and affiliated organizations, legislation to regulate proper data and information security management was passed as part of the Electronic Government Act of 2002. Called the Federal Information Security Management Act (FISMA), this law focuses on the importance of data security as it relates to the economic and national security interests of the US. As such, FISMA stipulates that all US government agencies, government contractors, and any organization that exchanges data directly with a government system must safeguard all of their information technology (IT) systems, including stored data, by developing, documenting, and implementing an information security program.

In 2014, this law was amended to the Federal Information Security Modernization Act (FISMA 2014) to bolster the authority of the Department of Homeland Security (DHS) to administer, implement, and provide technical assistance with policies for information security for non-national (civilian) security federal Executive Branch systems. FISMA 2014 also updated and clarified the oversight authority of the Office of Management and Budget (OMB) and its ability to eliminate inefficient and wasteful reporting of any organization under FISMA. It also sanctions DHS’ role in assisting OMB with this responsibility.

The purpose of FISMA is to protect government information, assets, and operations against natural threats and criminal activity, whether from within the US or outside. Therefore, any US organization directly related to or doing business with the US government, including federal- and state-level government agencies and contractors, state government departments, military subcontractors, and even data clearinghouses fall under FISMA regulations.

Failure to pass a FISMA inspection by DHS or OMB can result in unfavorable publicity for the organization and an IT budget cut, as well as significant administrative ramifications to the organization. However, failure to comply with FISMA, especially when it comes to breach-avoidance and proper data destruction, can have much grander and more catastrophic implications. Should any private, secured federal data be compromised and the organization was found to be noncompliant, there are serious civil and criminal federal consequences.

GDPR

While a security regulation of the EU, the General Data Protection Regulation (GDPR) of 2016 is applicable to those US-based organizations that do business internationally. GDPR effectively puts the customer first over the business, ruling that all private data is owned by the customer and not the business in which it was collected.

GDPR ensures the protection and privacy of consumer data as it is handled, stored, disclosed, and disposed of by the organization that holds it. Following GDPR requires obtaining consumer consent before collecting any data, providing consumers with a full report on what data has been collected and how it’s used if they request it, as well as a copy of the data itself and the immediate and proper destruction of data if the consumer requests it to be deleted. The organization must also have proper security controls in place for the safeguarding of consumer data and must place someone within the company to oversee and manage these compliance policies, including for data disposal.

gdpr-data-center

An organization under GDPR that is found to be noncompliant is subject to a fine equaling two to four percent of its global annual revenue for the most recent fiscal year (on average, calculated at as much as $11-24 million).

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal privacy law for the handling of personal information by all federally regulated organizations as well as private-sector commercial organizations, regardless of the industry.

Like GDPR, organizations covered by this law must first obtain a consumer’s permission and consent before collecting, using, disclosing, and/or storing any personally identifiable information (PII). In addition, PIPEDA mandates that the information obtained can only be used for the purpose in which it was originally collected or else the organization needs to obtain renewed consent by the consumer for the use change. Moreover, consumers have the right to access their stored personal information as well as the right to challenge its accuracy. (The only organizations exempt from PIPEDA are those that are already subject to the similar privacy laws for private-sector organizations within Alberta, British Columbia, and Quebec provinces.) Canadian-based organizations that handle PII crossing provincial or national borders are also subject to PIPEDA compliance.

SOX

Aptly referred to as the “Corporate and Auditing Accountability and Responsibility Act” or the “Public Company Accounting Reform and Investor Protection Act,” the Sarbanes-Oxley (SOX) Act of 2002 addresses the standards by which the management and board of directors of any US-domestic public company handle the financial information and financial reporting of the organization. The SOX Act also extends to public accounting firms as well as to other companies that do business with publicly traded companies, even if said company is not a publicly traded entity.

The SOX Act is made up of two main clauses. According to Section 404 under the Management Assessment of Internal Controls, Clause A requires these publicly traded companies to create a commission on behalf of the company that develops and enforces rules for maintaining an internal control report for each annual financial report by section 13(a) or 15(d) of the Securities
Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)). This internal control report must include information and policies on how management establishes and maintains an adequate structure for internal control as it pertains to the financial reporting of the company. Clause A also requires the commission to write up an annual report on the effectiveness of the internal control policies and financial reporting procedures at the end of each fiscal year.

Clause B expands on the regulations for the internal control evaluation and reporting, adding in required responsibility of the commission or registered public accounting firm issuing the audit report to accurately prepare the audit as stated in Clause A. That is, said commission or public accounting firm is also held liable to the reported information claimed about the management of the stated financial information in the internal control report.

Maintaining compliance with the SOX Act therefore means ensuring all financial information and reporting that pertains to the organization is kept secure and protected from unauthorized personnel and possible theft.

PCI DSS

The Payment Card Industry (PCI) Data Security Standard (DSS) protects consumer cardholder data by helping to alleviate the vulnerabilities experienced by credit card merchants for payment card transactions and processing systems.

Following common sense, PCI DSS mandates the credit processing merchant organization adhere to the following three steps: 1) Assessment, as in analyzing the IT assets and payment card processing protocols for the organization to identify any vulnerabilities with regard to the storage of cardholder data; 2) Remediation, as in the fixing of all identified vulnerabilities, and also applicable to ensuring cardholder data is not stored unless it is needed by the business; and 3) Reporting, as in the compilation of records to ensure validity of any remediation actions and the submission of all compliance reports to the bank and card brands with whom the organization does business. Finally, these DSS rules apply to all entities globally that store, process, and/or transmit cardholder data, and with guidance for software developers and manufacturers of applications and devices used in those transactions.

A Standard for Compliance

Depending on the type of business you manage or own, your organization may be subject to one or more of these data and privacy security laws. Rather than create varied sets of rules and policies for each, which could cause issues in overhead and personnel costs, not to mention unnecessary protocol confusion and training needs, it would behoove your business to develop one data security protocol to cover all applicable regulations.

Data Disposal Best Practices

This one-size-fits-all mindset is especially cost-effective when it comes to the data destruction policies under the various laws and regulations.

No matter which regulation your organization follows, it’s recommended that you first create a private space within your organization to house a data and/or drive destruction machine rather than work off-site with a third party at their establishment. You should also create a limited group of personnel with the sole authorization to oversee all data security compliance processes as it pertains to the destruction of data that’s reached end-of-life.

Furthermore, when it comes to the end-of-life cycle, both data and the device in which the data is housed must be destroyed via shredding, degaussing, disintegrating, incinerating, melting, or pulverizing machinery so that neither device nor data can be read or otherwise reconstructed. It may also behoove your organization to keep a record audit of all data destruction events to prove your company’s compliance if a breach at this level does occur.

To ensure these procedures remain as cost-effective as possible, you’ll want to choose a third-party vendor like SEM that has both documentation software, like the iWitness, as well as NIST- and NSA-approved data destruction machinery to purchase and keep at your organization.

FISMA Requirements: Are You Compliant?

May 2, 2019 at 6:55 pm by Heidi White

All US-based organizations and agencies, whether public or private, must comply with certain information security measures when it comes to data storage and disposal. For government agencies and affiliated organizations, information security is paramount because of the sensitive nature of the information housed within these parties. To ensure the protection of proprietary United States data, legislation to regulate proper data and information security management was passed as part of the Electronic Government Act of 2002.

FISMACalled the Federal Information Security Management Act (FISMA), this law focuses on the importance of data security as it relates to the economic and national security interests of the US. As such, FISMA stipulates that all government agencies, government contractors, and any organization that exchanges data directly with a government system must safeguard all of their information technology (IT) systems, including stored data, by developing, documenting, and implementing an information security program.

In 2014, this law was amended to the Federal Information Security Modernization Act (FISMA 2014) to bolster the authority of the Department of Homeland Security (DHS) to administer, implement, and provide technical assistance with policies for information security for non-national (civilian) security federal Executive Branch systems. FISMA 2014 also updated and clarified the oversight authority of the Office of Management and Budget (OMB) and its ability to eliminate inefficient and wasteful reporting of any organization under FISMA. It also sanctions DHS’ role in assisting OMB with this responsibility.

FISMA: Who It Affects and Why It’s Important

The purpose of FISMA is to protect government information, assets, and operations against natural threats and criminal activity, whether from within the US or outside. Therefore, any US organization directly related to or doing business with the US government, including federal- and state-level government agencies and contractors, state government departments, military subcontractors, and even data clearinghouses fall under FISMA regulations.

FISMA-cybersecurityFISMA, FISMAFailure to pass a FISMA inspection by DHS or OMB can result in unfavorable publicity for your organization and a cut to your IT budget, as well as significant administrative ramifications to your organization. However, failure to comply with FISMA, especially when it comes breach-avoidance and proper data destruction, can have much grander and more catastrophic implications for you and your organization. Should any of your private, secured federal data be compromised and your organization was found to be noncompliant, there are serious civil and criminal federal consequences.

How to Comply with FISMA

C-suite executives like chief information officers, information security officers, senior agency officials, and agency program officials are all responsible and held accountable for ensuring compliance of FISMA within their respective organization.

cybersecurity-governmentAs stated in FISMA, these federal or otherwise federally-affiliated organizations must develop, implement, and accurately manage an information security program to safeguard the IT systems and any ensuing data that is collected stored, and transferred. This includes documentation of both the security systems and access granted to stored federal information.

The National Institute of Standards and Technology (NIST) outlines steps that these individuals should take to comply with FISMA:

  1. Track and categorize all information and media devices that must be protected.
  2. Set baseline security controls. Implement and document their use in the appropriate security system.
  3. Regularly refine these controls using a defined risk-assessment procedure as part of an annual review process.
  4. Authorize the IT system for processing within the selected group of authorized personnel and monitor the systems on a regular basis.

Complying with FISMA also extends into data destruction and device disposal practices. Full data destruction requirements can be found under the Federal Information Processing Standards (FIPS) Publication 200: Minimum Security Requirements for Federal Information and Information Systems. According to FIPS, organizations under FISMA must: i) set and enforce policies for protecting all data and information systems, whether on paper or in digital format, ii) appoint authorized personnel for sole access of the IT systems and federal information and iii) ensure complete and total destruction of both the data and the media in which it is stored upon reaching end-of-life.

When it comes to the disposal of this federally-protected private data, FIPS also states that the organization must develop and enforce a set of policies for how the data and media should be destroyed, and accurately document every data disposal event, most easily accomplished by using an audit-friendly media tracking system such as SEM’s iWitness. It’s recommended to purchase on-site data destruction machinery and limit access to the data and the data destruction machinery to a small group of authorized personnel.

media-tracking
SEM’s iWitness media tracking system provides audit-friendly compliance with FISMA’s documentation requirements

Furthermore, when it comes to the data end-of-life cycle, the device in which the data is housed must also be destroyed via degaussing, incinerating, melting, or pulverizing machinery so that neither device nor data can be read or otherwise reconstructed. And, you want to choose a vendor like SEM that has NIST- and NSA-approved data destruction machinery.