Many laws exist in the United States related to information technology (IT) and security. Companies affected by these laws are expected to comply with them, which is commonly referred to as compliance. These laws are important to organizations as they develop a comprehensive risk management plan to guide their operations internally and to stay compliant externally.
Many organizations have internal programs in place to ensure they remain in compliance with relevant laws and regulations. These programs commonly rely on internal audits and frequently reference the organizational governance processes that are already in place. Organizations can also use certification and accreditation programs. When compliance is mandated by law, external audits are often done. These external audits provide third-party verification that the requirements are being met.
An old legal saying is “ignorance is no excuse.” In other words, a person can’t break the law and then say “I didn’t know.” The same goes for laws that apply to organizations. Knowing what the relevant laws and regulations are is important for organizations.
Organizations are not expected to be experts on these laws. However, managers and executives should be aware of them. The relevant laws and regulations can be rolled into a compliance program for more detailed checks.
This section covers the following U.S. laws:
The Federal Information Security Modernization Act (FISMA) of 2014 was initially passed in 2002 as the Federal Information Security Management Act. Its purpose is to ensure that federal agencies protect their data by assigning specific responsibilities to them. The 2014 update made significant changes to the original law.
First, the 2014 law authorizes the Secretary of the Department of Homeland Security (DHS) to assist the Office of Management and Budget (OMB) Director in administering the implementation of agency information and security practices for federal information systems. Second, the law changes the agency reporting requirements by modifying the scope of reportable information from primarily policies and financial information to specific information about threats, security incidents, and compliance with security requirements. Third, the update addresses cyberbreach notification requirements. Fourth, within one year of the passing of the updated law, the OMB Director is required to revise budget circular A-130 to remove inefficient reporting.
Agencies are responsible for:
FISMA requires annual inspections. Each year, agencies must have an independent evaluation of their program. The goal is to determine the effectiveness of the program. These evaluations are to include:
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. It ensures that health information data is protected. The passage of HIPAA has led to improved security of personal medical information, which was previously lax and often misused. There are three major areas that HIPAA covers in terms of compliance: administrative (ways to protect patient data and ensure that it can be accessed only by authorized parties), physical (ways to prevent physical theft and unauthorized access to systems with protected data), and technical (using technology to protect computer networks and devices from threats).
A link exists between these laws and IT corporate governance in organizations. IT corporate governance comprises a system of rules, practices, and processes that are essential to minimizing IT risks in organizations. Depending on the type and location of the organization, compliance requirements differ, such as those enumerated in FISMA, HIPAA, GLBA, or GDPR. An organization must account for corporate governance as part of developing a comprehensive IT risk management plan.
The Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey of 2019 identifies many of the trends in IT security. Some of this data helps to show the impact of HIPAA. The following data was gathered from survey respondents:
If an organization handles health information, HIPAA applies, which makes the definition of health information important. HIPAA defines health information as any data that:
Title II of HIPAA includes a section titled Administrative Simplification. This section includes the requirements and standards of HIPAA for IT:
Title I of HIPAA relates to insurance portability and identifies rules for insurance plans. For example, when employees change jobs, HIPAA helps them retain insurance. Title I rules aren’t related to IT compliance. Only Title II of HIPAA covers the protection of data, in particular the first of five rules, the Privacy Rule, which covers protected health information (PHI).
If an organization includes data covered by HIPAA, the organization must have a compliance plan. FIGURE 3-1 shows the process of creating a HIPAA compliance plan:
Personally identifiable information (PII) is a common term used in information security. PII is any data that can be used to identify a person, such as a name, a Social Security number, biometric data, or any other data that identifies an individual. Several laws and regulations specify that PII must be protected. PII in information security is synonymous with PHI in HIPAA.
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, was passed in 1999. GLBA is broad in scope. Most of it relates to how banking and insurance institutions can merge. However, two parts of GLBA are relevant to IT security and apply to financial institutions in the United States. They are:
The Sarbanes-Oxley Act (SOX) was passed in 2002. This law applies to all companies that are publicly traded. It is designed to hold company executives and board members personally responsible for financial data. If the data is not accurate, these people can be fined and sent to jail.
The goal is to reduce fraud. Because individuals can be held liable, there is more pressure to ensure the reported data is accurate. Chief executive officers (CEOs) and chief financial officers (CFOs) must be able to:
Most of SOX is outside the direct scope of IT. However, Section 404 has elements that are directly related. Section 404 pertains to the accuracy of data and requires that a company use internal controls to protect the data. Section 404 also requires reports from both internal and external auditors to verify compliance. For many companies, the cost of the audits represents the greatest impact of this law.
SOX was passed in response to several large scandals. In these scandals, executives deliberately misled the public, and investors lost billions of dollars. For example, Enron was reportedly worth over $100 billion in 2000, but it went bankrupt in 2001. Later, the failure was determined to be caused by fraud and corruption. Many senior officers and board members were directly involved.
The Family Educational Rights and Privacy Act (FERPA) was passed in 1974 and has been amended at least nine times since then. The goal of the act is to protect the privacy of student records, which includes education and health data.
FERPA applies to all schools that receive funding from the U.S. Department of Education. These schools include:
FERPA grants rights to parents of students under 18. The parent can inspect records and request corrections. When the student reaches 18, these rights pass to the student.
All PII about the student must be protected. Schools usually need permission from either the parent or the student to release PII.
There are a few exceptions to when PII can be accessed or released:
The Children’s Internet Protection Act (CIPA) was passed in 2000 and is designed to limit access to offensive content from school and library computers. All schools and libraries that receive funding from the E-Rate program are covered under CIPA. More information on the E-Rate program is available at https://www.fcc.gov/consumers/guides/universal-service-program-schools-and-libraries-e-rate.
CIPA requires that schools and libraries:
Some of these terms are difficult to define, such as what is obscene or harmful to minors. CIPA includes a definitions section that identifies other specific sections of U.S. code where some of these terms are defined.
The E-Rate program is under the Federal Communications Commission. It provides discounts to most schools and libraries for Internet access, ranging from 20 to 90 percent of the actual costs.
The Children’s Online Privacy Protection Act (COPPA), which is managed by the Federal Trade Commission (FTC), was passed in 1998 and took effect in 2000. The act was designed to protect the privacy of children under 13.
The act specifies the following:
Although COPPA does not define the process to gain parental consent, the FTC shares guidelines to help website operators. Some of these requirements are:
CIPA was challenged on freedom of speech grounds. The U.S. Supreme Court upheld the law in June 2003. All libraries were given until early 2004 to comply. At this point, all schools and libraries accepting E-Rate funds are expected to be complying with CIPA.