Encrypted Email - Regulatory Compliance
- You are NOT in HIPAA, GLBA or SOX compliance if any unauthorized person can read your unencrypted emails and web browser activity
- A simplified compliance audit can be done with packet sniffers
- A trivial solution for compliance is to use an in-house WebMail server
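The "simplified compliance audit with sniffers" point can be made concrete. What follows is an added example, not code from the original page: a minimal audit that walks over sniffer-style flow summaries and flags mail or web sessions that travel in the clear, rating the ones that carry a login as high severity. The `Flow` record, its field names, the credential markers and the sample flows are constructed for this example; a real run would fill the records from a capture tool's export.

```python
"""Cleartext mail/web exposure audit over sniffer-style flow records.

Added example, not from the original page. The Flow record, its field names and
the sample flows below are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional

# TCP ports whose default protocols carry mail or web traffic in the clear.
CLEARTEXT_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP", 80: "HTTP"}

# Byte patterns that show a login travelling unencrypted
# (SMTP AUTH, POP3 USER/PASS, IMAP LOGIN, HTTP Basic).
CREDENTIAL_MARKERS = (
    b"AUTH LOGIN", b"AUTH PLAIN", b"USER ", b"PASS ", b" LOGIN ",
    b"Authorization: Basic",
)


@dataclass
class Flow:
    """One TCP session as a capture tool might summarise it (assumed shape)."""
    src: str
    dst: str
    dport: int
    starttls: bool = False   # True if a STARTTLS/STLS upgrade was observed
    payload: bytes = b""     # first application-layer bytes, if captured


@dataclass
class Finding:
    src: str
    dst: str
    proto: str
    severity: str            # "high": login in the clear; "medium": content in the clear


def audit_flow(flow: Flow) -> Optional[Finding]:
    """Return a Finding if the flow is an unencrypted mail/web session, else None."""
    proto = CLEARTEXT_PORTS.get(flow.dport)
    if proto is None:
        # Not a port we audit; 465/993/995/443 are TLS from the first byte.
        return None
    if flow.starttls:
        # Session was upgraded to TLS before any sensitive data was sent.
        return None
    exposed_login = any(marker in flow.payload for marker in CREDENTIAL_MARKERS)
    return Finding(flow.src, flow.dst, proto, "high" if exposed_login else "medium")


def audit(flows: List[Flow]) -> List[Finding]:
    """Audit every flow and keep only the ones that violate the cleartext rule."""
    findings = []
    for flow in flows:
        finding = audit_flow(flow)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample flows (addresses and credentials are made up for this example).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.25", 25, starttls=True,
         payload=b"EHLO laptop\r\nSTARTTLS\r\n"),
    Flow("10.0.0.7", "203.0.113.10", 110,
         payload=b"USER alice\r\nPASS hunter2\r\n"),
    Flow("10.0.0.9", "203.0.113.20", 80,
         payload=b"GET /webmail/ HTTP/1.1\r\nHost: mail.example.test\r\n"
                 b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    Flow("10.0.0.9", "203.0.113.20", 443),
    Flow("10.0.0.11", "10.0.0.25", 25,
         payload=b"EHLO desk\r\nMAIL FROM:<bob@example.test>\r\n"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f.severity.upper():6} {f.proto:5} {f.src} -> {f.dst}")
```

Two caveats apply to any audit of this kind: the sniffer only sees the network segment it sits on, so a clean result there says nothing about laptops on coffee-shop wireless; and a port-25/110/143 session is treated as encrypted only when the STARTTLS upgrade was actually observed, since a server that merely advertises it does not protect a client that never uses it.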
How to Comply with Privacy Compliance Laws
- It does NOT mean simply encrypting your emails
- It does mean you have made a "best effort" and applied "industry standard common practices" to properly define and enforce a computer and data security policy
- It does mean your computer is virus free, especially free of keyboard loggers
- It does mean you send and receive only encrypted emails
- It does mean you save your encrypted email in its encrypted form
- It does mean you delete your emails and documents properly, following a certified procedure
- It does mean your encryption keys are properly managed
- It does mean your computers do NOT leave your secure environment
- It does mean your computers are physically locked when not in use
- It does mean your computers are kept current, without any known exploits
- It does mean your data backups are also properly encrypted
- Think: does the employee really need to take the laptop with hundreds of thousands of credit card numbers and Social Security numbers to their unlocked car, home, local coffee shop or motel/hotel, and use the insecure wireless access points of strangers who are looking to sniff YOUR user ID and password?
- When a computer or data security breach has occurred, where and why did it happen?
  - usually it is by sniffing user IDs and passwords, and easy-to-guess passphrases
  - working from home, local coffee shops, hotels, airports, etc.
  - lost or missing computers, from being left in cars or homes
  - easy access to walk out of the "secure office" with "confidential computers"
Mandatory Privacy Compliance Laws
- UK Data Protection Act 1998
- Canadian Data Protection
  - PIPEDA = The Personal Information Protection and Electronic Documents Act
  - FIPPA = Freedom of Information (? Financial Institution ?) and Privacy Protection Act of 2001
- Federal Data Security Requirements
  (see smarsh.com "Laws and Regs" and cms.hhs.gov HIPAA)
- HIPAA = Health Insurance Portability and Accountability Act of 1996
  (see the hhs.gov HIPAA summary)
  - HIPAA Privacy Rule (effective April 14, 2003) regarding PHI in all forms (oral, written, and electronic)
  - HIPAA Security Rule (full compliance required by April 21, 2005) regarding PHI in electronic form
  - anyone not in compliance can face up to $250,000 in fines and jail time of up to 10 years
- HITECH = Health Information Technology for Economic and Clinical Health Act
- GLBA = Gramm-Leach-Bliley Act, aka Financial Services Modernization Act of 1999
  - compliance required of insurance agencies, tax preparers, finance companies, collections agencies, leasing agencies, travel agencies and financial advisors
- SOX = Sarbanes-Oxley Act 2001
  - requires the CEO and CFO of publicly traded companies to be held accountable for financial statements filed with the SEC
- SEC's Regulation S-P
- FINRA (NASD/NYSE)
- FRCP, FERC
- PCI DSS, PIPEDA
- COBIT
- ISO 27001 / 27002
- various additional state and city privacy requirements
- State "Data Security Breach" laws
  - California - SB1386
  - Massachusetts - 201 CMR 17
  - Nevada - NRS 603.A, SB227
  - Nevada - NRS 597.970 -- since October 1, 2008
  - West Virginia - SB 340
Typical Types of Data Requiring Privacy Compliance
- Types of data protected by federal and state laws
  - birth date, Social Security number
  - medical records, insurance records, financial/banking records
- Other important data protected by corporate law or equivalent laws
  - business plans, mergers/acquisitions
  - research and product development plans
  - employment history/status