
Legally Speaking

Some of the legislation, regulation, and industry standards that affect information technology

Who among us isn't touched daily by something your local, state, or Federal government is doing? Legislation is pervasive and invasive, assisting and resisting, helping and hindering us throughout our personal and professional lives. Where there is no formal regulation, industry standards sometimes take its place and in many cases act as de facto legislation. An entity that runs afoul of such industry standards is almost certainly going to be liable for damages, which can be just as financially disastrous as a fine. Today, in an ever-increasing technological world, it is incumbent upon information technology professionals to manage for capability, capacity, and efficiency, all the while keeping an eye on regulations, legislation, and industry standards.

Healthcare

HIPAA - Health Insurance Portability and Accountability Act of 1996
HITECH Act - Health Information Technology for Economic and Clinical Health Act (part of the American Recovery and Reinvestment Act of 2009, a/k/a the Stimulus or the Recovery Act)
PSQIA - Patient Safety and Quality Improvement Act of 2005

Enacted in 1996, HIPAA's main concern was ensuring the insurability of workers when they change or lose their jobs. But HIPAA is a mammoth piece of legislation, and it goes well beyond this simple purpose. What HIPAA is commonly known for today is the requirement that healthcare providers (defined as practically any person, entity, insurer, or provider who wields a band-aid, a bite wing, or a spinal adjustment bench, or who pays for someone to do such) protect the privacy and security of the health information of individuals (the so-called protected health information).1 Title II of the Act contains the Administrative Simplification (AS) provisions that concern electronic health care transactions and the privacy of medical records. Furthermore, the HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) established national standards to protect individuals' medical records and other personal health information, and it applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.2

1 HIPAA/HITECH compliance for healthcare organizations, Sophos, 2010. http://www.himss.org/content/files/sophos-hipaa-hitech-compliance-for-healthcare-organizations-sbna.pdf
2 Understanding Health Information Privacy, U.S. Department of Health and Human Services. http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html

In 2009, these privacy provisions were bolstered by Subtitle D of HITECH, which addressed the privacy and security concerns associated with the electronic transmission of health information.3 HITECH widened the scope of the privacy and security protections under HIPAA, increased liability for noncompliance, and strengthened HIPAA enforcement.4 While HITECH promotes electronic health records (EHR) to improve efficiency and lower health care costs, it also introduces new security and privacy requirements to protect all of that EHR data.5 So HIPAA and HITECH present medical providers with a conundrum: the legislation demands that patient data be protected, yet encourages the proliferation of electronic data use. Obviously, with the arrival of Web 2.0 and a mobile workforce, this challenge becomes more acute. In fact, HITECH goes so far as to dictate the protection of data in motion, that is, any data moving through a network.6 In 2010, HHS received a record number of health information privacy complaints: 8,524.7 Civil penalties for violations range from $100 per violation up to $1.5 million per year, and individuals could face a jail sentence of up to 10 years, depending on the circumstances.8 Also noteworthy, the PSQIA, though concerned with the medical profession, is very different from HIPAA and HITECH. It was enacted to allow the sharing of data used to assess and resolve patient safety and health care quality issues, i.e. medical errors, and it provides confidentiality and privilege protections for patient safety work product.9 Under PSQIA, not only patient data is protected; information identifying the providers who report the errors is protected as well.10

Accounting, Banking, and Finance

SOX - Sarbanes-Oxley Act of 2002


After a number of major corporate accounting scandals at the turn of the millennium, SOX was enacted to impose far-reaching responsibilities on public companies through new requirements for financial reporting, accounting, and corporate accountability. SOX was conceived to force better financial accountability on corporations and avoid a repeat of the billions of dollars that investors had lost at the hands of companies such as Enron and WorldCom. At first blush, one might not consider this legislation to concern IT professionals, with the exception of budgeting and reporting. However, complying with SOX requires support from many business units, including IT. Of greatest importance to IT are Sections 302 (Disclosure Controls) and 404 (Assessment of Internal Control).
3 Health Insurance Portability and Accountability Act, Wikipedia.
4 HIPAA Survival Guide. http://www.hipaasurvivalguide.com/
5 Sophos, Id.
6 Id.
7 Health Information Privacy Complaints Received by Calendar Year, U.S. Department of Health and Human Services.
8 HIPAA Health Insurance Portability Accountability Act, American Medical Association. http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealthinsurance-portability-accountability-act/hipaa-violations-enforcement.page
9 Understanding Patient Safety Confidentiality, U.S. Department of Health and Human Services. http://www.hhs.gov/ocr/privacy/psa/understanding/index.html
10 Id.

Section 302 defines how a company's internal procedures should be designed to ensure accurate financial disclosure.11 Specifically, this section compels public companies to use adequate internal controls to present a fair representation of the company's financial condition.12 Corporate officers and public accounting firms have a responsibility to evaluate internal controls over financial reporting, and any deficiency or fraud must be reported.13 The big stick that SOX provided was the penalties for not following truthful accounting procedures: offenders can go to jail, as detailed in Section 906. There is nothing like a possible stretch in prison to ensure that people give proper attention to details. Section 404 is a contentious requirement of SOX, demanding that management and the company's auditor test the adequacy of the company's internal controls over financial reporting.14 This provision is expensive for companies, as compliance consumes valuable corporate resources and usually requires retaining outside expertise. For IT professionals, SOX gives no specific instruction about which control framework or IT governance model is needed for compliance.15 It does give some assistance by referencing the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework.16 That framework has five components that are relevant to IT management in regard to SOX: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. In addition, the IT Governance Institute defines various IT general controls (ITGC), which cover management of the information technology environment, computer operations, access to programs and data, program development, and program changes.17 These controls are summarized in the COBIT framework, which defines good IT practices. COBIT (Control Objectives for Information and Related Technology) is the set of control objectives most companies use to demonstrate SOX compliance.
In summary, SOX requires that IT managers be on guard for network security breaches. Internal control over information is also required, meaning that the processing, recording, and storage of financial information must be documented and isolated. Remember that a company has to show that it is following SOX through an internal audit. There has to be documentation that the integrity of the financial IT systems has not been compromised, so the monitoring of workstation activity, the examination of communications, login security, intrusion warnings, and historical network information all become keenly important. While SOX compliance is expensive, the investment can and should be managed, and there are tools available to do just that.

11 Sarbanes-Oxley Act, Wikipedia.
12 Sarbanes-Oxley Act of 2002, Section 302.
13 SOX and IT, Network Instruments. http://www.networkinstruments.com/assets/pdf/SOX_WP.pdf
14 Id., Wikipedia.
15 Id., Network Instruments.
16 Id.
17 Information technology controls, Wikipedia.

GLBA - Gramm-Leach-Bliley Act (a/k/a the Financial Services Modernization Act of 1999 or GLB Act)

The GLBA controls the way financial institutions handle the private information of individuals and consists of three main parts: the Financial Privacy Rule, which regulates the collection and disclosure of private financial information; the Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information; and the Pretexting provisions, which prohibit accessing private information under false pretenses.18 The provision of GLBA of most importance to financial institutions is Section 501(b), which sets the standards for protecting nonpublic customer information through administrative, technical, and physical safeguards.19 Surprisingly, the term "financial institution" is defined in the GLBA as any institution that is significantly engaged in financial activity, and includes businesses such as:

- banks and bank holding companies
- investment and securities brokerages
- real estate and personal property appraisers
- credit bureaus
- insurers against personal or property loss, injury, health, et al.
- real estate settlement companies
- mortgage lenders or brokers
- check cashers
- payday lenders
- credit counseling and other financial advisors
- medical service providers that establish long-term payment plans that involve interest charges
- tax planning and preparation services
- retailers that issue their own credit cards
- auto dealers that lease and/or finance
- collection agencies
- relocation services
- sellers of money orders, savings bonds, or travelers checks
- government entities that provide financial products such as student loans or mortgages20

Therefore, according to this list, banks, hospitals, insurance companies, and universities are all subject to GLBA. GLBA compliance requires institutions to analyze risks before moving customer information into emerging technology models such as voice over IP (VoIP) systems or cloud computing.21 Some of the areas that need to be addressed to be GLBA compliant are:

- enforcing secure passwords
- restricting file and folder access to authorized personnel
- restricting firewall and router access lists
- deploying and maintaining antimalware protection
- restricting and securing remote access
- fault tolerance and continuity of service for critical systems
- auditing and logging of security events
- ongoing monitoring of network security
- securing wireless networks22

18 Gramm-Leach-Bliley Act (GLBA), SearchCIO. http://searchcio.techtarget.com/definition/Gramm-Leach-Bliley-Act
19 Data Privacy and Gramm-Leach-Bliley Act Section 501(b), Enterprise Risk Management, 2007. http://www.emrisk.com/wp-content/uploads/2010/07/Data_Privacy_and_Gramm_Leach_Bliley_Act_Section_501b.pdf
20 The Gramm-Leach-Bliley Act, Privacy of Consumer Financial Information, Federal Trade Commission. http://www.ftc.gov/privacy/glbact/glboutline.htm
21 Rohmeyer, Paul. GLBA compliance and emerging technologies, TechTarget, March 2010. http://searchfinancialsecurity.techtarget.com/tip/GLBA-compliance-and-emerging-technologies

Education

FERPA - The Family Educational Rights and Privacy Act of 1974 (a/k/a the Buckley Amendment)

Speaking of colleges and universities, one should have at least an overall knowledge of this legislation because it applies to all educational institutions, from kindergarten to graduate school. FERPA stipulates that institutions must provide students access to, and maintain the privacy of, educational records.23 So, in many ways, FERPA is the educational version of HIPAA, though interestingly, FERPA privacy rules do not generally address student health records.24 In 2009, the FERPA regulations were significantly amended, and the amendments addressed three categories: school safety (a result of the aftermath of the 2007 Virginia Tech tragedy), better access to educational data for research and accountability, and safeguarding privacy and education records. The last category was a response to technological changes that have stretched privacy laws to the limit.25 Indeed, is it any wonder that the protection of a student's personal information draws such high scrutiny? The Department of Education has emphatically stated that computer systems at colleges and universities have become favored targets because they hold many of the same records as banks but are much easier to access.26

OFPPA - Office of Federal Procurement Policy Act
FAR - Federal Acquisition Regulation
EDGAR - Education Department General Administrative Regulations (Uniform Administrative Requirements for Grants and Cooperative Agreements to State and Local Governments)
EDAR - Education Department Acquisition Regulation

22 Bradley, Tom. GLBA risk assessment steps to success, TechTarget, February 2010. http://searchfinancialsecurity.techtarget.com/tip/GLBA-risk-assessment-steps-to-success
23 Gramm-Leach-Bliley Information Sheet, Wesleyan University.
24 Rinehart-Thompson, Laurie A., Amendments to FERPA Regulations, Journal of AHIMA 80, no. 7, July 2009. http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_043997.hcsp?dDocName=bok1_043997
25 Fact Sheet 29: Privacy in Education, Privacy Rights Clearinghouse, September 2010. http://www.privacyrights.org/fs/fs29-education.htm
26 Id., quoting the Federal Register (73 Fed. Reg. 74806, 74843 (December 9, 2008)).

These regulations are related inasmuch as they govern not how technology is treated, but rather how technology is acquired. The OFPPA established the Office of Federal Procurement Policy inside the Office of Management and Budget (the OMB), the part of the Executive Branch responsible for overall direction of procurement policies, regulations, and forms.27 FAR brings together the acquisition regulations applicable to all executive agencies of the Federal government.28 EDAR is a supplement to FAR, as it deals with the Department of Education's acquisition regulations. EDGAR establishes uniform administrative requirements for Federal grants and agreements with institutions of higher education, hospitals, and other non-profit organizations.29 All of these regulations deal with how a governmental entity obtains technology, including laying out the bidding process, contracting by negotiation, the types of contracts, and the awarding of contracts. They specify not only the buying process, but the contract terms as well. FAR is the broadest, as it covers (1) need recognition and acquisition planning, (2) contract formation, and (3) contract administration.30 For the most part, regulations like FAR and its progeny govern the conduct of the government, not the contractor. However, even private sector firms, while not directly regulated, can be brought under the provisions of these regulations when they are incorporated into government solicitations and contracts by reference.31

Sales and Commerce

PCI DSS Payment Card Industry Data Security Standards


PCI DSS is not Federal law; rather, it is a set of industry standards that have, in many cases, been written into various state laws. The payment card industry, which includes entities such as American Express, Discover Financial Services, MasterCard Worldwide, and Visa International, joined together to craft standards so that they could self-police the industry and address the security issues inherent in their businesses. PCI DSS arose around 2005 because banks were concerned about the high cost of fraud. Just one security breach forces the reissue of hundreds or thousands of cards, which meant the card brands had to charge higher fees. Thus, in order to halt the rise in fees, the card brands imposed their own standards.32 These standards now apply to all retailers, large and small. Any retailer, even the smallest e-retailer who accepts one credit card charge a month, who fails to follow PCI DSS and suffers a breach could have their bank freeze their funds and basically put them out of business.33 Furthermore, from a liability standpoint, proof of PCI compliance limits liability because it shows that a business is using reasonable measures to protect its commerce, while failure to be compliant demonstrates that the merchant could have done more to prevent the loss, increasing the prospect of liability.34 Therefore, the question is not whether a business should follow PCI DSS, but how.

27 GSA, A Guide to Planning, Acquiring, and Managing Information Technology Systems.
28 48 CFR 1.101 et seq.
29 34 CFR Parts 74-99.
30 Federal Acquisition Regulation, Wikipedia.
31 Id.
32 When and Why did PCI DSS first go into effect, PCI Compliance. www.pcicompliancesaq.com

What is there to be afraid of? Cybercrime complaints rose 22% in 2009 to 336,655 cases, and the reported losses doubled from 2008 to 2009 to $560 million due to identity theft, phishing scams, and outright fraud.35 A hacker, via a virtual attack, can make off with as much as twenty times the take of the average bank robber in half the time and with limited risk.36 Techniques like brute force attacks, where a criminal attempts to pry his way into a system by systematically guessing user IDs and passwords, can be carried out with readily available software.37 In July 2009, the PCI Security Standards Council published wireless guidelines for PCI DSS recommending the use of a Wireless Intrusion Prevention System (WIPS) to automate wireless scanning and giving guidance on deploying wireless LANs (WLANs) in cardholder data environments (CDEs).38 A CDE is the part of the network that stores, processes, or transmits cardholder data. Companies fall into four levels of required PCI validation depending on how many card transactions they process in a year. Regardless of the level, PCI DSS applies to every business that takes credit or debit cards as payment. The standard applies even if cards are taken only over the phone and even if a third-party processor is used.39 There are 12 PCI DSS requirements, presented here with their corresponding general categories:

BUILD AND MAINTAIN A SECURE NETWORK
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

PROTECT CARDHOLDER DATA
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
5. Use and regularly update antivirus software
6. Develop and maintain secure systems and applications

IMPLEMENT STRONG ACCESS CONTROL MEASURES
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

REGULARLY MONITOR AND TEST NETWORKS
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

MAINTAIN AN INFORMATION SECURITY POLICY
12. Maintain a policy that addresses information security for employees and contractors40

In general, the following technologies need to be addressed to meet these requirements:

- Firewalls
- Routers
- Authentication
- Encryption
- Tokenization
- Antivirus (network and endpoint)
- Data backup and retention
- Network access control
- Application-level access control
- Network intrusion detection/prevention
- Host-based intrusion detection/prevention
- Vulnerability management
- VPN
- Change and patch management
- Log management and analysis
- Physical security controls41

33 Id.
34 Why Comply with PCI Security Standards? PCI Security Standards Council. www.pcisecuritystandards.org
35 Barrett, Larry, Cyber Crooks Doubled Their Take in '09: FBI, eSecurity Planet, March 18, 2010. http://www.esecurityplanet.com/trends/article.php/3871456/Cyber-Crooks-Doubled-Their-Take-in-09-FBI.htm
36 What are Brute Force Attacks and how to Prevent them, PCI Compliance.
37 Id.
38 Payment Card Industry Data Security Standard, Wikipedia.
39 PCI Compliance Guide. http://www.pcicomplianceguide.org

Summary

While this document, Legally Speaking, is certainly not a complete list of all the regulations and standards that affect IT today, there is no doubt that the laws presented here are applicable to most, and in some cases all, businesses. Over the last decade or so, there has been a creeping aggregation of regulations, and no IT manager is master of them all.42 Therefore, the mere mention of some of these regulations and standards will get the attention of IT and corporate management. If a business owner believes "it can't happen to me," ask them whether their computer at home ever got a virus or worm, or now runs sluggishly because of hidden bloatware, even though they had a firewall program to protect the device. It's a sad fact that problems are out there in search of victims, and there is no safety in numbers, because many times we are unknowingly inviting the malware in. In this home example, the victim may have lost a computer. However, if an IT professional fails to provide the security demanded by legislation, they could lose their company and even their personal freedom. Under these circumstances, it's at least worth real consideration.

40 A Brief Description of the 12 PCI DSS Requirements, NDB Advisory. http://www.pciassessment.org/12-pci-dss-requirements.php
41 Shimel, Alan and Ferguson, Alan, PCI compliance: A technology overview, StillSecure and Coalfire Systems, Inc., July 2009. http://www.stillsecure.com/docs/StillSecure_PCI_Technology_whitepaper.pdf
42 Gross, Grant, Cybersecurity laws affecting business on the way, InfoWorld, July 10, 2003.

About the Author: Michael LeBrun has written and published a number of white papers regarding technology and social networking. A business person, technologist, and a lawyer, he has a unique viewpoint based upon the interaction of those areas of expertise. Midaire, LLC provides visionary business guidance to companies in the areas of technology, operations, sales and marketing, and law.

Michael A. LeBrun Midaire, LLC malebrun@gmail.com http://www.linkedin.com/in/mlebrun
