Getting a “Leg-Up” on Compliance Legislative and Regulatory Currency and Completeness in a Highly Dynamic, Rule-Making World Beckie Krantz, JD Karen Worstell, CISM

Upload: sharlene-webb

Post on 12-Jan-2016


Page 1: Getting a “Leg-Up” on Compliance Legislative and Regulatory Currency and Completeness in a Highly Dynamic, Rule-Making World Beckie Krantz, JD Karen Worstell,

Getting a “Leg-Up” on Compliance

Legislative and Regulatory Currency and Completeness in a Highly Dynamic, Rule-Making World

Beckie Krantz, JD

Karen Worstell, CISM

Page 2: Disclaimer

• This presentation intends to demonstrate an approach for establishing a baseline of compliance in accordance with ISO 27001 requirements using specialized automated tools.

• We are not offering legal advice and the information in this presentation should not be construed as such.

Page 3: About Us

• Karen Worstell, CISM, is the Managing Principal for W Risk Group LLC

– Defining due diligence for information protection to a defensible standard of care
  • CobiT
  • ISO 20000 (ITIL)
  • ISO 27000 series

– Certified ISO 27001 trainer under British Standards Institute

– Comprehensive risk evaluation and compliance plans

Page 4: About Us

• Beckie Krantz, JD, is the CEO of Legicrawler

• Legicrawler provides automated tools for legislative tracking in all 50 states and Congress

– Email updates and notification

– Legislative alerts with committee information and member contact information

– Web publishing

– Trend analysis on legislation

Page 5: Getting Started

• Recognize that a defensible standard of care requires us to establish a baseline for compliance:

– “Define an ISMS policy in terms of the characteristics of the business…that: takes into account business and legal or regulatory requirements and contractual security obligations”. ISO/IEC 27001:2005 Clause 4.2.1(b)2.

• Consider a basic list pertinent to our case study [1] on the following page:

[1] See handout. Note: PCI is not named as a primary because our case study does not involve payment card information.

Page 6: Dynamic, Yet:

• No Plausible Deniability

• Expectation of Due Care

• Minimal Harmonization

• Substantial Penalties

Page 7: Legislative/Regulatory History

(Timeline chart spanning 1980 to 2010; entries listed chronologically.)

• Foreign Corrupt Practices Act 1977, 15 USC §§ 78dd-1

• Computer Fraud and Abuse Act of 1984, 18 USC §1030

• Electronic Communications Privacy Act of 1986, PL 100-235

• Computer Security Act of 1987, PL 100-235

• EU Data Protection Directive (1995)

• PDD 63 (1998)

• US Safe Harbor (1998)

• GLBA (1999)

• Public Company Accounting Reform and Investor Protection Act (2002), PL 107-204, 116 Stat 745

• Federal Information Security Management Act (FISMA) (2002)

• SB 1386 (2003)

• Revised Federal Rules of Civil Procedure (Dec 2006)

• MA 201 CMR 17 (2009)

• Nevada SB17 (2010)

• 44 Privacy Breach Notification laws at State level

Page 8

• Enforcing Privacy Promises: Section 5 of the FTC Act (15 USC §§ 41-58 as amended; aka unfair and deceptive business practices), amended 1996

• Financial Modernization Act (aka Gramm-Leach-Bliley Act), 1999

• California SB 1386 for Breach Notification (45 states), incl. Washington Revised Code 19.255.010 and RCW 42.56.590

• Washington RCW 41.05 for the secure exchange of health information

• Massachusetts 201 CMR 17 (M.G.L c 93H) - safeguarding personal information about residents of the Commonwealth

• Nevada SB 227 to encrypt personal information (amendment to NRS 603A)

Page 9: Automated Tools are Necessary

• Legicrawler was created to save time and cost while tracking legislative updates

– Roughly 250,000 new bills are introduced nationwide every legislative cycle

– Annual cost for tracking is at least an order of magnitude less with automated tools

– Added benefits: completeness, timeliness, validity

Page 10: Methodology for Identifying Legislative and Regulatory Items

• Identify industry - e.g. insurance is part of financial services

• Identify the key areas for regulatory/legislative compliance that are part of the business process

– Collection of SSN

– Storage and transmittal of any record that contains at least name and address

• Check FTC site for updates and links

• If you have access to tools like Westlaw or Lexis-Nexis, use them

• If necessary, visit AG site in every state and search on “privacy, security” and follow the threads

• Once the baseline is established, utilize automated tools to keep it current!

Page 11: Aha! New Legislation

• Alaska (eff 7/1/09) SB 133 §18.23.310 Statewide Health Information Exchange System, Info Confidentiality

• Louisiana (eff 7/6/09) HB 347 Confidentiality of Health Information

• Massachusetts (eff 3/1/10) 201 CMR 17 Safeguarding Personal Information

• Maine (eff 6/12/09) LD 1490 Provides for individuals’ rights to prohibit transfer of their healthcare information

• Nevada (3/1/10) Requires encryption of data and compliance with PCI

• Texas (eff 9/1/09) Breach of sensitive personal information and protected health information

• Washington (eff 7/26/09) Secure exchange of health information


Page 12: Partial List of Pending Legislation

• AS 18.23.005

• CA amendments to 56.10, 56.11 of Civil Code

• DE SB 44

• GA HB 507

• IL HB 2572

• MA HB 3535

• MA SB 173

• MA SB 200

• MA SB 545

• MN HF 1689

• US S.778

• US S.773

• To see a truly useful list, click here!

Page 13: How This Gets Used

• Keep current on legislation that could have a significant impact on security budget planning (e.g. NV encryption/PCI statute)

• Provide for an informed dialogue between IT and Company Counsel, and professional associations

• Provide a basis for an informed action plan early in legislative lifecycle

• Supports the assertion of due diligence to a defensible standard of care relative to regulatory and legislative tracking

Page 14: Legislative Lifecycle

Discussion → Political Action → Legislative Action → Law & Regulation → Compliance

Page 15

Page 16: Legislative Take Action Plan

• Corporate Regulatory/Government Affairs

• Personal Activism

• Industry Response

• Amicus Briefs

Page 17: Key Takeaways

• Information security “standard of care” requires a thorough assessment and treatment of all pertinent regulations, statutes and contractual clauses.

• Establish a baseline

• Use automated tools to keep it fresh and identify areas of action

• Get involved in the legislative process!

Page 18: Questions?

@Legicrawler [email protected]

@Konakaren [email protected]

Page 19: Citations

• "Computer Security Act of 1987." Major Acts of Congress. Ed. Brian K. Landsberg. Macmillan-Thomson Gale, 2004. eNotes.com, 2006. Accessed 25 Oct 2009. <http://www.enotes.com/major-acts-congress/computer-security-act>

• "Computer Security Act of 1987." Accessed 25 Oct 2009. <http://epic.org/crypto/csa/>

• "Enforcing Privacy Promises." Accessed 25 Oct 2009. <http://www.ftc.gov/privacy/privacyinitiatives/promises.html>

• National Conference of State Legislatures. "State Security Breach Notification Laws," 27 July 2009. Accessed 25 Oct 2009. <http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx>

• "Links to State and Federal Legislation." Accessed 25 Oct 2009. <http://www.privacyrights.org/links.htm#legal>

• Complete this list…

• "Revised Code of Washington (RCW)." Accessed 26 Oct 2009. <http://apps.leg.wa.gov/RCW/>