CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [245]
The penalties for HIPAA violations are very stiff: They can be as high as $250,000 based on the circumstances. Medical practices are required to appoint a security officer. All related parties, such as billing agencies and medical records storage facilities, are required to comply with these regulations.
For more information on HIPAA, you can visit http://www.cms.hhs.gov/HIPAAGenInfo/.
The Gramm-Leach-Bliley Act of 1999
The Gramm-Leach-Bliley Act, also known as the Financial Modernization Act, requires financial institutions to develop privacy notices and to notify customers that they are entitled to privacy. The act prohibits banks from releasing information to nonaffiliated third parties without permission. Many consumer groups have criticized the implementation of this act by financial institutions.
Employees need to be trained on information security issues, and security measures must be put into place and tested to verify information privacy. The act includes a number of other provisions that allow banks and financial institutions to align and form partnerships.
The act requires banks to explain their information-sharing policies to individual consumers. Customers have the ability to “opt out” of sharing agreements.
The act prohibits institutions from sharing account information for marketing purposes. It also prohibits the gathering of information about customers using false or fraudulent methods.
The law went into effect in July 2001. Financial officers and the board of directors can be held criminally liable for violations.
For more information on the Gramm-Leach-Bliley Act, visit http://www.ftc.gov/privacy/privacyinitiatives/glbact.html.
The Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act was introduced into law in 1986. The original law was introduced to address issues of fraud and abuse that weren’t well covered under existing statutes. The law was updated in 1994, in 1996, and again in 2001.
This act gives federal authorities, primarily the FBI, the ability to prosecute hackers, spammers, and others as terrorists. The law is primarily intended to protect government and financial computer systems from intrusion. Technically, if a governmental system, such as an Internet server, were used in the commission of the crime, virtually any computer user who could be shown to have any knowledge or part in the crime could be prosecuted.
The law is comprehensive and allows for stiff penalties, fines, and imprisonment of up to 10 years for convictions under this statute.
For more information on the Computer Fraud and Abuse Act, visit http://cio.doe.gov/Documents/CFA.HTM.
The Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (FERPA) dictates that educational institutions may not release information to unauthorized parties without the express permission of the student or, in the case of a minor, the parents of the student. This act also requires educational institutions to disclose any records kept on a student when that student demands them. This law has had a huge impact on the privacy requirements for student records. If any violations occur, it jeopardizes the federal funding that schools receive from government agencies.
For more information on FERPA, visit http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html. To view a database of losses involving personally identifiable information, visit http://attrition.org/dataloss/.
The Computer Security Act of 1987
The Computer Security Act requires federal agencies to identify and protect computer systems that contain sensitive information. This law requires agencies that keep sensitive information to conduct regular training and audits, and to implement procedures to protect privacy. All federal agencies must comply with this act.
For more information on the Computer Security Act, visit http://epic.org/crypto/csa/.