Examples of international privacy legislation


Upload: ulf-mattsson

Post on 08-May-2015


DESCRIPTION

Examples of privacy legislation in US and India

TRANSCRIPT

Page 1: Examples of international privacy legislation

US Legislation

Page 2: US Laws - Examples

• HIPAA Restrictions on Health Data
– A covered entity would risk a HIPAA violation by using such a provider for data storage.

• Breach Provisions Under HITECH Act
– To the extent a HIPAA covered entity discloses PHI to a cloud provider, it risks exposure to federal data security breach notification requirements under the HITECH Act.

• Gramm-Leach-Bliley Act - GLBA
– GLB's Privacy and Safeguards Rules restrict financial institutions from disclosing consumers' nonpublic personal information to non-affiliated third parties.

• State Information Security Laws
– For example, California requires businesses that disclose personal information to nonaffiliated third parties to include contractual obligations that those entities maintain reasonable security procedures.

• State Breach Notification Laws
– Over 45 U.S. states and other jurisdictions have data security breach notification laws that require data owners to notify individuals whose computerized personal information has been subject to unauthorized access.

• Massachusetts regulations
– Must determine whether the cloud provider maintains appropriate security measures to protect the data to be stored.

Page 3: Best Practices and Regulations

Page 4: Case Study: Global Investment Banking and Securities

Investment banking division
• Encryption of Deal related attributes and other MNPI data (i.e. company name, company identifier, etc.)
• Prevented development and technology people from identifying entities involved in deals

Compliance department
• Compliance has TWO copies of Deal data – one for the Conflicts Process and one for the Control Room
• Encryption KEYS are DIFFERENT in Banking and Compliance

Encryption of compensation data

Encryption of firewall rules
• Managed in a standalone application

Platforms:
• Oracle, DB2, SQL Server, UNIX, Linux and Windows

Page 5: Best Practices from NIST on PII Data - SP800-122

Examples of PII Data
1. Name
2. Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number
3. Address information
4. Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address
5. Telephone numbers
6. Personal characteristics, including photographic image
7. Information identifying personally owned property
8. Information about an individual that is linked or linkable to one of the above

Source: National Institute of Standards & Technology - NIST (http://csrc.nist.gov/)

Page 6: SEC Adopted Regulation S-P to Address Privacy

1. Like GLB (Gramm-Leach-Bliley Act), compliance with Regulation S-P (17 CFR Part 248) is mandatory since July 1, 2001
2. Regulation S-P provides the means of implementing GLB
3. Every broker, dealer, and investment company, and every investment adviser registered with the SEC must adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information
4. Insure the security and confidentiality of customer records and information
5. Protect against any anticipated threats or hazards to the security or integrity of customer records and information
6. Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer

Page 7: HIPAA / HITECH Act – Title IV Legislation

[1] Establishes a Federal Breach Notification requirement for health information that is not encrypted or otherwise made indecipherable. It requires that an individual be notified if there is an unauthorized disclosure or use of their health information.
[2] Ensures that new entities that were not contemplated when the Federal privacy rules were written, as well as those entities that do work on behalf of providers and insurers, are subject to the same privacy and security rules as providers and health insurers.
[3] Provide transparency to patients by allowing them to request an audit trail showing all disclosures of their health information made through an electronic record.
[4] Shutting down the secondary market that has emerged around the sale and mining of patient health information by prohibiting the sale of an individual’s health information without their authorization.
[5] Requires that providers attain authorization from a patient in order to use their health information for marketing and fundraising activities.
[6] Strengthening enforcement of Federal privacy and security laws by increasing penalties for violations.

• Health Insurance Portability and Accountability Act (HIPAA) of 1996
• Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009

Page 8: US HIPAA – 18 Direct Identifiers

1. Names
2. Geographic subdivisions smaller than a state, including
3. All elements of dates (e.g., date of birth, admission)
4. Telephone numbers
5. Fax numbers
6. E-mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. IP address numbers
16. Biometric identifiers, including fingerprints and voice prints
17. Full-face photographic images and any comparable images
18. Other unique identifying numbers, characteristics or codes

Page 9: US MA 201 Privacy Law

The Massachusetts law is the first in the nation to require specific technology when protecting personal information. Both "data at rest" and "data in transit" over a public network, such as the Internet, that contain personal information must be encrypted.

– Personal information is defined as a Massachusetts resident's name in combination with one of the following: Social Security number, Driver's license number or state-issued identification card number, and Financial account number or credit/debit card number

Page 10: Past, Present and Future Privacy Legislation in India

Page 11: Information Technology Act of 2005

In 2008, the IT Act was amended

• Damages for an entity that is
– negligent in using “reasonable security practices and procedures” while handling “sensitive personal data or information”
– resulting in wrongful loss or wrongful gain to any person.

• Criminal punishment for a person if
– he discloses sensitive personal information;
– does so without the consent of the person or in breach of the relevant contract; and
– with an intention of, or knowing that the disclosure would cause wrongful loss or gain.

Page 12: India Privacy Law of 2011

Sensitive Personal Information (SPD) includes:
• passwords;
• financial information such as bank account or credit card or debit card or other payment instrument details;
• physical, physiological and mental health condition;
• sexual orientation;
• medical records and history;
• biometric information.

Page 13: Implications of the Information Technology Act

For Multinationals in India

• Multinationals tend to maintain centralized databases of information about their businesses all over the world, including in particular, information about employees, service providers and customers.

• Since the rules are in some parts more stringent than even the European rules, overseas group entities who receive the information will have to build in processes to comply with the rules.

• Further, the Indian entity will need to meet the requirements for having a privacy policy, consent for collection, notification about purpose of use of the information and who will be collecting the information and consent from the providers for providing such information to another party.

Page 14: Implications of the Information Technology Act

For the Outsourcing Industry

• The rules are framed under the Information Technology Act 2000 which applies to “the whole of India”.

• On a plain reading, this means that any business dealing with information or SPD in India has to comply with the rules, even if such information relates to an individual based outside India.

• The logical effect of this is that the vendor in India or his customer overseas will need to fulfill the requirements of the law with the concerned individual, such as the consent for collection, notification obligations, right of access, correction and withdrawal.

• This has grave implications for the outsourcing industry and could lead to disruption of BPO operations in India.

Page 15: The Information Technology Act 2000 (IT Act)

Security measures

• The Data Privacy Rules require that the body corporate and the Data Processor implement reasonable security practices and standards;
– These must contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and with the nature of business.

• The International Standard IS/ISO/IEC 27001 on ‘Information Technology - Security Techniques - Information Security Management System – Requirements’ is recognised as an approved security practices standard

• Under s 72A of the IT Act (introduced by IT Amendment Act 2008), a person who is providing services under a lawful contract, may be liable to imprisonment for a term of up to 3 years or a fine up to Rs. 5,00,000 (Rupees Five Lakhs) for disclosure of personal information of any individual:
(a) with the intent to cause, or knowing that he is likely to cause, wrongful loss or wrongful gain; and
(b) without the consent of such individual, or in breach of lawful contract.

Page 16: Data Encryption And ISO 27001 - 27002

Section 10.1 Cryptographic controls

• There should be a policy on the use of encryption,
• plus cryptographic authentication and integrity controls such as digital signatures and message authentication codes, and
• cryptographic key management.

Most organizations that adopt ISO/IEC 27001 also adopt ISO/IEC 27002

Page 17: Proposed Law - The Right to Privacy Bill 2013

• Jail terms and fines for leak of sensitive personal data
• Context of data handled by the Indian IT industry for foreign clients
• Also cover information collected by the government and interception by intelligence agencies.