Privacy Legislation

This preview shows page 1-2-24-25 out of 25 pages.


Outline

- Privacy Legislation
- Information Privacy
- Information Privacy
- Key Legislation
- The Financial Service Modernization Act of 1999
- GLB Summary
- Compliance Tips
- Federal Trade Commission Act Section 5
- Summary of § 5
- Security Breach Notification
- Summary of Breach Notification Legislation
- Health Insurance Portability and Accountability Act
- Summary of HIPAA
- FACTA & Disposal Rule
- Summary of FACTA
- Children’s Online Privacy Protection Act of 1998
- Summary of COPPA
- Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
- CAN-SPAM Summary
- The Sarbanes-Oxley Act of 2002
- SARBOX
- SOX
- SARBOX Summary
- Conclusion
- Thank you

Privacy Legislation
Steve Creason
Metropolitan State University

Information Privacy
- What privacy laws have been enacted? (p. 585, Fig. 11-30)

Information Privacy
- What privacy laws have been enacted? (cont’d) (p. 585, Fig. 11-30)

Key Legislation
- Gramm-Leach-Bliley Act
- Federal Trade Commission Act
- Data Security Breach Notification
- Health Insurance Portability and Accountability Act
- FACTA and the Disposal Rule
- Children’s Online Privacy Protection Act
- CAN-SPAM
- Sarbanes-Oxley Act

The Financial Service Modernization Act of 1999
- AKA Gramm-Leach-Bliley (GLB)
- Designed to protect consumers’ personal information held by financial institutions
- Eight Federal agencies have promulgated regulations to carry out the purpose of GLB
- Imposes obligation on Companies to “Safeguard” personal information
- FTC wants it extended to Companies that are not financial institutions

GLB Summary
- Who is covered? The definition of Financial Institutions is very broad and extends to any institution “significantly engaged” in financial activities and their service providers
- What is required for compliance? Companies must develop, implement and maintain an appropriate and comprehensive information security program
  - Designate responsible employees
  - Conduct risk assessment
  - Design safeguards to control risks identified through the risk assessment
  - Oversee service providers
  - Test, monitor and adjust

Compliance Tips
- Read and follow the Safeguards Rule
- Have GLB language drafted for SLAs
- Conduct a risk assessment NOW if it hasn’t already been done
- Ensure your information security program
  - Is designed to control your company’s risk, and
  - Matches any statements in your company’s privacy policy, RFP responses, or other statements regarding data privacy and security
- Implement review process for internal and external service providers

Federal Trade Commission Act Section 5
- Prohibits deceptive and unfair trade practices in or affecting commerce
- If your company maintains data collected through interstate commerce you are subject to the act
- The FTC says: “Under the FTC Act, the Commission guards against unfairness and deception by enforcing companies’ privacy promises about how they collect, use and secure consumers’ personal information.” http://www.ftc.gov/privacy/privacyinitiatives/promises.html

Summary of § 5
- Who is covered?
  - Any organization subject to FTC jurisdiction (most companies)
- What is required to comply?
  - No engaging in activities that would constitute an unfair or deceptive trade practice
- Compliance Tips
  - Review any statements regarding your company’s data security and privacy to make sure you are doing what you say
  - Ensure appropriate safeguards are in place; consider complying with GLB Safeguards Rule even if you are not covered by GLB

Security Breach Notification
- At least 20 states have enacted laws requiring owners and licensees of computerized personal information to notify individuals if their unencrypted personal information has been obtained without authorization

