SCVdata helps companies understand how to be compliant with the technical requirements for their industry. There are a number of precautions and backup requirements that companies need to adhere to when they handle sensitive information. Here are some examples of requirements placed upon some of our clients:
Sarbanes-Oxley Act of 2002 - Passed by the US Congress to ensure that data and financials are properly handled. In other circles, this is referred to as the Public Company Accounting Reform and Investor Protection Act of 2002. It is often regarded as the most significant financial reform to US securities law since the 1930s. It ensures the integrity of financial statements, and computer technology is used to implement most of these controls.
HIPAA - Health Insurance Portability and Accountability Act, covering medical records. The privacy portion of this act took effect in 2003 and the security portion took effect in 2005. It involves controlling, securing, and managing medical data. The HIPAA Security Rule is designed to assure the confidentiality and integrity of Protected Health Information (PHI). The HIPAA Privacy Rule is intended to protect the privacy of all Individually Identifiable Health Information (IIHI).
Basel II - In 1988, Switzerland set up these rules to ensure that international banks hold capital requirements adequate to the risk they take on. Governed by three pillars: 1) assessment of capital requirements against the risk of economic loss; 2) management setting aside enough capital to cover that risk; 3) transparency of public reporting.
SB-1386 - California's Security Breach Information Act of July 2003. Requires that individuals be notified if their information is compromised. Personal Identifying Information (PII) is defined as an unencrypted first and last name together with one other piece of information from the following:
- Social Security Number
- Debit or credit card number
- Driver's license number or California ID card number
- Account Number in conjunction with a PIN or access code
Unfortunately, there is no requirement on the strength of encryption.
FACTA - The Fair and Accurate Credit Transactions Act (FACTA) of 2003 came into effect in 2005 (an extension of the Fair Credit Reporting Act (FCRA)). Requires that you "take reasonable measures to protect against unauthorized access or use of the information." It also discusses destruction methods: shredding paper and erasing electronic data. Beyond credit bureaus, banks, and retailers, this may apply to anyone who has done background checks on employees and job applicants.
Gramm-Leach-Bliley (GLB) - Financial Modernization Act of 1999. Three sections: 1) Financial Privacy Rule - regulates the collection and disclosure of private financial information; 2) Safeguards Rule - financial institutions must maintain security programs; 3) Pretexting Provisions - prohibit accessing private information under false pretenses. Section 6805(a) is particularly important for IT, as it dictates the need for administrative, technical, and physical safeguards.
USA PATRIOT Act - Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.