1
00:00:00,000 --> 00:00:02,000
- [Narrator] Many of the laws that impact

2
00:00:02,000 --> 00:00:04,004
information security professionals are designed

3
00:00:04,004 --> 00:00:07,000
to protect the privacy of individuals

4
00:00:07,000 --> 00:00:10,006
and protect individuals against both identity theft

5
00:00:10,006 --> 00:00:13,009
and the unwanted disclosure of personal information.

6
00:00:13,009 --> 00:00:16,009
In the United States we have a patchwork of laws

7
00:00:16,009 --> 00:00:19,000
that affect different industries

8
00:00:19,000 --> 00:00:21,002
depending upon the nature of their business

9
00:00:21,002 --> 00:00:24,003
and the types of sensitive information that they handle.

10
00:00:24,003 --> 00:00:27,003
Probably the most well known of these laws is the

11
00:00:27,003 --> 00:00:31,003
Health Insurance Portability and Accountability Act or HIPAA.

12
00:00:31,003 --> 00:00:35,004
Passed in 1996, HIPAA places strict privacy

13
00:00:35,004 --> 00:00:39,004
and security regulations on healthcare providers,

14
00:00:39,004 --> 00:00:43,002
health insurers and health information clearinghouses.

15
00:00:43,002 --> 00:00:45,007
These three groups, collectively known

16
00:00:45,007 --> 00:00:47,004
as HIPAA covered entities,

17
00:00:47,004 --> 00:00:50,006
must ensure the privacy and security

18
00:00:50,006 --> 00:00:55,003
of protected health information or PHI that they handle.

19
00:00:55,003 --> 00:00:58,007
HIPAA was updated in 2009 with the passage of the

20
00:00:58,007 --> 00:01:00,005
Health Information Technology

21
00:01:00,005 --> 00:01:04,007
for Economic and Clinical Health or HITECH Act.

22
00:01:04,007 --> 00:01:08,007
The Family Educational Rights and Privacy Act or FERPA

23
00:01:08,007 --> 00:01:12,003
regulates how educational institutions may handle

24
00:01:12,003 --> 00:01:14,007
student educational records.

25
00:01:14,007 --> 00:01:17,002
FERPA provides students and their parents,

26
00:01:17,002 --> 00:01:18,005
if the student is under 18,

27
00:01:18,005 --> 00:01:21,004
the right to inspect educational records

28
00:01:21,004 --> 00:01:24,006
and request corrections to those records.

29
00:01:24,006 --> 00:01:26,006
FERPA also restricts the ways

30
00:01:26,006 --> 00:01:28,008
that educational institutions may use

31
00:01:28,008 --> 00:01:31,002
and release educational records

32
00:01:31,002 --> 00:01:33,005
without the student's consent.

33
00:01:33,005 --> 00:01:36,000
The Gramm-Leach-Bliley Act, GLBA,

34
00:01:36,000 --> 00:01:40,006
passed in 1999, covers the financial services sector.

35
00:01:40,006 --> 00:01:44,001
GLBA requires that all financial institutions

36
00:01:44,001 --> 00:01:46,008
have a written information security program

37
00:01:46,008 --> 00:01:49,003
and designate a specific individual

38
00:01:49,003 --> 00:01:52,000
who is responsible for information security.

39
00:01:52,000 --> 00:01:55,007
GLBA also regulates the ways that financial institutions

40
00:01:55,007 --> 00:01:58,002
may share private information,

41
00:01:58,002 --> 00:02:00,006
even when sharing it with other subsidiaries

42
00:02:00,006 --> 00:02:02,008
of the same company.

43
00:02:02,008 --> 00:02:06,002
The Children's Online Privacy Protection Act, COPPA,

44
00:02:06,002 --> 00:02:09,005
protects the privacy of children under the age of 13

45
00:02:09,005 --> 00:02:11,006
when they are accessing websites.

46
00:02:11,006 --> 00:02:14,000
COPPA requires that websites

47
00:02:14,000 --> 00:02:16,008
that knowingly collect information from children

48
00:02:16,008 --> 00:02:18,009
have a written privacy policy

49
00:02:18,009 --> 00:02:21,000
and provide parents with the ability

50
00:02:21,000 --> 00:02:24,005
to review and delete information about their child.

51
00:02:24,005 --> 00:02:26,006
COPPA also requires that parents

52
00:02:26,006 --> 00:02:29,002
give consent for the collection of information

53
00:02:29,002 --> 00:02:31,004
from children under the age of 13

54
00:02:31,004 --> 00:02:34,002
before that collection takes place.

55
00:02:34,002 --> 00:02:36,006
One often misunderstood law is the

56
00:02:36,006 --> 00:02:39,004
Privacy Act of 1974.

57
00:02:39,004 --> 00:02:42,000
The name of this act seems very broad

58
00:02:42,000 --> 00:02:43,009
and people often misinterpret it

59
00:02:43,009 --> 00:02:46,006
as applying to all organizations.

60
00:02:46,006 --> 00:02:48,004
The Privacy Act does restrict

61
00:02:48,004 --> 00:02:50,005
the sharing of personal information,

62
00:02:50,005 --> 00:02:53,006
but it only applies to federal government agencies

63
00:02:53,006 --> 00:02:55,009
and has no effect on regulating

64
00:02:55,009 --> 00:02:58,008
private individuals or organizations.

65
00:02:58,008 --> 00:03:01,006
While the United States has a patchwork of laws

66
00:03:01,006 --> 00:03:03,007
that cover very specific use cases,

67
00:03:03,007 --> 00:03:06,009
the European Union approaches data privacy

68
00:03:06,009 --> 00:03:08,008
in a completely different way.

69
00:03:08,008 --> 00:03:11,009
The European Union's data protection laws

70
00:03:11,009 --> 00:03:14,005
cover many different types of personal information

71
00:03:14,005 --> 00:03:16,005
in a very broad fashion.

72
00:03:16,005 --> 00:03:20,003
EU law requires that organizations handling information

73
00:03:20,003 --> 00:03:23,003
about EU citizens follow six principles.

74
00:03:23,003 --> 00:03:27,001
First, personal information must be processed

75
00:03:27,001 --> 00:03:30,009
lawfully, fairly and in a transparent manner

76
00:03:30,009 --> 00:03:33,005
in relation to the data subject.

77
00:03:33,005 --> 00:03:36,000
Information must be collected for specific

78
00:03:36,000 --> 00:03:37,005
and legitimate purposes

79
00:03:37,005 --> 00:03:39,008
and not further processed in a way

80
00:03:39,008 --> 00:03:42,006
that's incompatible with those purposes.

81
00:03:42,006 --> 00:03:44,009
Information collection must be limited

82
00:03:44,009 --> 00:03:46,008
to the minimum information necessary

83
00:03:46,008 --> 00:03:49,001
to achieve the specific purposes.

84
00:03:49,001 --> 00:03:53,004
And information must be kept accurate and up to date.

85
00:03:53,004 --> 00:03:55,004
Information must also be kept in a form

86
00:03:55,004 --> 00:03:57,007
which permits the identification of data subjects

87
00:03:57,007 --> 00:04:01,000
for no longer than is absolutely necessary.

88
00:04:01,000 --> 00:04:04,004
And finally, information processing must take place

89
00:04:04,004 --> 00:04:07,001
under the responsibility and liability

90
00:04:07,001 --> 00:04:09,009
of a designated data controller.

91
00:04:09,009 --> 00:04:12,001
European Union law on data privacy

92
00:04:12,001 --> 00:04:14,006
is currently in a state of transition,

93
00:04:14,006 --> 00:04:16,004
as the EU adopts a new

94
00:04:16,004 --> 00:04:20,005
General Data Protection Regulation or GDPR,

95
00:04:20,005 --> 00:04:24,003
which is scheduled to go into effect in 2018.