REGULATIONS BCIS 4630 Fundamentals of IT Security Dr. Andy Wu
Overview
• All public corporations
  • SOX
• Industries
  • Financial: GLBA, Availability regulation, PCI DSS
  • Healthcare: HIPAA
• Data breach notification laws
Sarbanes-Oxley Act (SOX)
• Public Company Accounting Reform and Investor Protection Act of 2002
• Intended to prevent Enron scandals of the future.
• Protects investors by requiring accuracy and reliability in corporate disclosures.
• Created new penalties for acts of wrongdoing, both civil and criminal.
• CEOs and CFOs are personally liable. Certification of fraudulent reports may be punished by fines up to $1 million and/or imprisonment of up to 10 years.
Critical Aspects of SOX
• Specifies new financial reporting requirements.
• Section 302 requires CEOs and CFOs to certify their company’s SEC reports.
• Requires all financial reports to include an internal control report.
• Section 404 requires CEOs and CFOs to report on the effectiveness of the company’s internal controls over financial reporting.
• To comply with Section 404, companies have to ensure that their data are accurate.
• Auditing firms are also required to attest to the accuracy of the assessment.
Concern for Privacy
Based on: Wu, Prybutok, Koh, and Hanus, “A nomological model of RFID privacy concern,” Business Process Management Journal, 18(3), 2012, pp. 420-444. Original work by Smith, Milberg, and Burke, MIS Quarterly, 20(2), 1996, pp. 167-196.
Gramm-Leach-Bliley Act (GLBA)
• The Financial Modernization Act of 1999
• Protects personal financial information held by financial institutions
• Privacy Rule
• Safeguards Rule
• Pretexting Rule
GLBA – Privacy Rule
• A financial institution may not share non-public information about a consumer with non-affiliated third parties unless it gives notice to the consumer (notice of privacy).
• The customer must be given a chance to opt out.
GLBA – Safeguards Rule
• The federal bank regulatory agencies, the Securities and Exchange Commission (SEC), and the Federal Trade Commission (FTC) are required to issue security standards for financial institutions.
• Standards for:
  • Protecting the security and confidentiality of customer information.
  • Protecting against threats to the security or integrity of customer information.
  • Protecting against unauthorized access to or use of customer information that could result in harm to a customer.
GLBA – Safeguards Rule
• The FTC requires financial institutions to create an information security program.
  • Specifies the administrative, technical, and physical controls to protect information.
  • Assign an “owner” of the program.
  • Conduct risk assessments and address identified risks.
  • Review the program on an ongoing basis.
• Financial institutions must also ensure that their service providers protect customer information.
GLBA – Pretexting Rule
• It is illegal to make false, fictitious, or fraudulent statements to a financial institution or its customers to obtain customer information.
• It is illegal to use forged, counterfeited, lost, or stolen documents to achieve the same end.
• Violations are subject to criminal penalties.
• Security awareness training is a primary protection measure in this respect.
Oversight of GLBA Compliance
• Oversight of GLBA compliance is based on the type of financial institution.
• Each of the bank regulatory agencies enforces GLBA for the institutions it regulates:
  • Federal Reserve System
  • Office of the Comptroller of the Currency
  • Federal Deposit Insurance Corporation (FDIC)
  • National Credit Union Administration
  • Office of Thrift Supervision
• The SEC oversees compliance by securities brokers and dealers.
• The FTC covers any financial institution that isn’t regulated by one of the above agencies.
Disaster Recovery Regulations
• September 11 exposed the risks of data loss caused by disastrous events.
• On April 7, 2003, the Securities and Exchange Commission (SEC), Comptroller of the Treasury, and the Federal Reserve issued the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System.
• Now, financial institutions that account for at least 5% of the transactions in critical financial markets are required to implement sound business continuity practices.
Cf.: Yang and Wu, “Using virtualization to ensure uninterrupted access to software applications for financial services firms,” Proceedings of the 45th Hawaii International Conference on System Sciences, 2012, pp. 5623-5630.
Three-Datacenter Strategy
• One required practice is to maintain sufficient geographically dispersed resources, most importantly data centers. The targeted recovery time is two hours.
• The largest institutions are required to maintain three data centers.
• Although DR practices are not mandatory for other financial services firms, many of those firms are adopting the practices because it is prudent to do so.
• Medium-sized firms’ voluntary compliance calls for two data centers.
Cf.: Yang and Wu, “Using virtualization to ensure uninterrupted access to software applications for financial services firms,” Proceedings of the 45th Hawaii International Conference on System Sciences, 2012, pp. 5623-5630.
Self-Regulation – PCI DSS
• The Payment Card Industry Security Standards Council is a private industry organization.
• Any credit card-accepting merchant or service provider must comply with the Payment Card Industry Data Security Standard (PCI DSS).
• DSS provides a uniform approach to safeguarding sensitive cardholder data for all credit card issuers.
• It identifies 12 basic categories of security requirements for credit card data protection.
PCI DSS
• Applies only to the systems that process, store, or transmit credit card data.
• Uses preventive, detective, and corrective controls to secure data.
• Compliance level is based on the size of merchants’ credit card operations.
• Compliance audits are performed periodically.
  • Questionnaire
  • Perimeter scan
  • On-site security audit
• Enforcement is weak. Card companies use the threat of financial penalties to compel compliance.
HIPAA
• Health Insurance Portability and Accountability Act of 1996
• Protects against loss of health insurance due to change of jobs.
• Protects the privacy and security of personal health information.
• Protected health information (PHI) is any individually identifiable information, including:
  • Info on the physical and mental health of a person.
  • Notes doctors put into a person’s medical record.
  • Billing and payment related to healthcare.
HIPAA
• Covered entities include health plans, health care clearinghouses, and any health care provider that transmits certain types of health information in electronic form.
• Covered entities must follow the HIPAA Privacy and Security Rules.
• The Office for Civil Rights (OCR) enforces the Privacy and Security Rules.
• Financial penalties apply for non-compliance.
HIPAA – Privacy Rule
• The Privacy Rule dictates how covered entities must protect the privacy of PHI.
• First time the U.S. government has specified federal privacy protections for PHI.
• Covered entities may not use or disclose PHI without permission. They must limit how their employees use and access PHI.
• The Rule requires covered entities to put safeguards in place to protect a person’s PHI.
HIPAA – Security Rule
• The Security Rule dictates how covered entities must protect the confidentiality, integrity, and availability of electronic PHI (EPHI).
• Covered entities must create, review, and update policies and procedures to comply with the Security Rule.
• Covered entities must implement administrative, physical, and technical safeguards.
• The Rule includes standards that must be implemented for each safeguard (“implementation specifications”).
California SB1386
• California’s Database Security Breach Notification Act of 2003 was the first notification law.
• Created by, and more commonly referred to as, California Senate Bill 1386.
• Enacted in recognition that identity theft was one of the fastest growing crimes.
• Covers any entity that stores personal information on a California resident.
• The entity must notify California residents of a breach of its computer systems.
Personal Information
• CA SB1386 defines this broadly:
  • Social security number
  • Driver’s license/CA ID number
  • Account/CC number, with related security code, access code, password, etc.
  • Medical information
  • Health insurance information
• Information accessible to the public through government records is not personal information.
• If data are encrypted, then no notification is required.
Other States Follow Suit
• After the ChoicePoint breach, many other states created their own notification laws.
• As of January 2010, 45 states (incl. D.C.) had such laws.
• Many were modeled after SB1386.
• There are a number of differences across states.
Major Differences
• An incident can be a breach in one state, but not in another.
• State notification laws may differ from state to state in terms of:
  • Activities that constitute a breach
  • Entities covered by the law
  • Time for notifying residents
  • What to include in the notification
  • Minimum requirement for encryption
  • Civil/criminal penalties for failure to notify
• If an entity operates in multiple states, it must comply in each and every one of those states.