Abstract
This chapter reviews regulations and laws that are currently affecting information assurance and security policy in both the public and private sectors. Regulations and laws in different areas and at different levels are considered. Important industry sector regulations are also included when they have a significant impact on information security, such as the Health Insurance Portability and Accountability Act (HIPAA). Analysis of these regulations including evaluation of their effectiveness, enforceability, and acceptance is presented. Since the regulations in this field are in a state of continuous fluctuation, this chapter also attempts to make proposals for statutory improvements that would make security policy development more comprehensive and consistent, resulting in more secure systems throughout the world. It is also predicted that there will be a need for international information security regulations given the nature of the worldwide internet and cross-border information systems. Such developments will improve digital crime investigations worldwide.
TopBackground
There are many laws and regulations on security information issued at different levels in different countries all over the world. In Europe, for instance, there are the Computer Misuse Act 1990, UK Data Protection Act 1998 and the European Union Data Protection Directive (EUDPD) 95/46/EC. The Computer Misuse Act 1990 is an act of the UK Parliament which made computer related crime a criminal offence. The Act has inspired several other countries to draft their own information security laws. The UK’s Data Protection Act 1998 regulates the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. All European Union members are required to adopt national regulations to standardize the protection of data privacy for citizens throughout the European Union. The European Union Data Protection Directive 95/46/EC relates to the protection of individuals with regard to the processing of personal data and on the free movement of such data. This legislation has had a wide-ranging effect, both in the European Union and around the world because of its provisions allowing “transfers of personal data . . . only to non-EU countries that provide an ‘adequate’ level of privacy protection” (U.S. Department of Commerce, 2000). To keep information flows active between the European Union and the United States, the U.S. Department of Commerce negotiated Safe Harbor provisions to allow certain companies to transfer information if certain provisions are upheld. The nation of South Africa has felt the effects of legislation such as the “Basel Accord; Sarbanes-Oxley; FICA (Financial Intelligence Centre Act); Banks Act; ECT Act (Electronic Communication and Transaction Act); Gramm-Leach-Bliley Act; and others, have been created to help companies understand their rights and responsibilities among board members, business and IT managers.” (Maphakela, Pottas, & von Solms, 2005, p. 2)
Key Terms in this Chapter
Health Insurance Portability and Accountability Act (HIPAA): U.S. patient privacy law that impact information security regulations due to the storage and transmission of health care data over information technology systems.
Federal Information Security Management Act of 2002 (FISMA): A law governing information security practices within U.S. Federal government agencies that requires annual audits of information security within each agency.
European Union Directive 95/46/EC on the protection of personal data: A legislative act of the European Union which requires member countries to meet certain requirements for data privacy protection without specifying the process. Its impact has spread to the U.S. due to strict requirements governing transfer of data to non-EU nations.
The Computer Misuse Act 1990: an Act of the UK Parliament. It is to make provision for securing computer material against unauthorized access or modification; and for connected purposes. The Act has become a model for several other countries including Canada and the Republic of Ireland.
Gramm-Leach-Bliley Act: U.S. law initially intended to modernize the financial services sector but also placed requirements for securing the information systems of banks and other financial providers.
California Data Security Breach Notification Law: Law requiring companies to notify customers of information security breaches when the company is located in California or holds data about California residents.
UK Data Protection Act 1998: A United Kingdom Act of Parliament. It defines a legal basis for information security in the UK. It is the main piece of legislation that governs protection of personal data in the UK.
Sarbanes-Oxley Act of 2002 (SOX): Financial reforms introduced in the wake of the accounting scandals in the U.S. that also includes requirements for securing data and performing information system audits.