Keep data confidential -- or else

Plenty of statutes on the books protect data, but those involving encryption don’t offer prescriptive guidance

Multiple laws and regulations exist to protect customer data. The unfortunate consequence of multiple laws governing confidential data and encryption is that none offers prescriptive guidance. Whether encryption solutions and strategies satisfy a particular law is left up to the auditors and lawyers. Still, there are several legal requirements that address confidential data.

Universal Declaration of Human Rights Article 12 of the Universal Declaration of Human Rights, passed in the wake of World War II, established the right for individuals to have privacy. Although its signatories did not foresee today’s computers, this declaration is often used as the basis for personal data protection.

Sarbanes-Oxley This law was passed in 2002 to help restore public confidence after corporate scandals. (Section 404 targets the effectiveness of IT controls.) Willful disregard can result in civil and criminal penalties.

Gramm-Leach-Bliley The Gramm-Leach-Bliley Act of 1999 is intended to protect the privacy of confidential information held by financial institutions that collect, hold, and process consumer financial information.

Health Insurance Portability and Accountability Act Enacted in 1996, HIPAA restricts disclosure of personally identifying health-related data to third parties without patient consent. It also gives patients the right to request their own records. One common criticism is that it  lacks strong enforcement measures.

Electronic Communications Privacy Act ECPA gives legal protection to electronically transmitted data, including e-mail. It essentially specifies who can read what information and under what conditions. For instance, in general employers are legally able to read employees’ e-mail, whereas data carriers would need a court order to do so.

European Union DPD EUDPD provides baseline privacy requirements that all E.U. member states must achieve through national regulations. Its default protections are normally much stronger than those mandated in the United States.

ISO-17799/BS-7799 An international holistic IT security guideline and standard, ISO-17799 is quickly becoming the international security standard in much of the world. Internal and external ISO-17799 audits are required to determine compliance.