Legislating Privacy

Each year, legislators create additional requirements that have security and privacy implications for enterprises. Such mandates are driving many corporate security initiatives designed to keep corporations competitive by avoiding fines, lawsuits, and perhaps even forcible shutdowns by regulatory agencies. Here are some brief descriptions and links to additional information for several requirements that are particularly relevant to medical and financial enterprises.

HIPAA. Patient privacy protections constitute an important part of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA includes provisions designed to protect the security and confidentiality of health information. The final regulations to go into effect cover health plans, health-care clearinghouses, and health-care providers that conduct certain financial and administrative transactions (e.g., enrollment, billing, and eligibility verification) electronically. Most health insurers, pharmacies, doctors, and other health-care providers were required to comply with these federal standards beginning April 14, 2003. You can find more information at http://www.hhs.gov/ocr/hipaa.

Gramm-Leach-Bliley. The Financial Services Modernization Act of 1999 (aka Gramm-Leach-Bliley, US) restricts third-party data sharing. Business Web sites must provide notice and opt-out options before sharing information with non-affiliated third parties. For more information, see the Senate Banking Committee's Web site at http://www.senate.gov/~banking/conf/confrpt.htm.

USAPA. Also known as the USA PATRIOT Act, USAPA is the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of October 25, 2001. Among other things, the act introduced a variety of government reporting regulations (e.g., Bank Secrecy Act Amendments) aimed at compelling financial institutions to "know their customers and their customers' customers." For example, it requires the reporting of various activities involving many different kinds of transactions (e.g., automated clearing house [ACH] and electronic funds transfer [EFT] transactions). It also includes requirements for screening customers and employees against lists such as the economic and trade-sanction lists that the US Treasury Department's Office of Foreign Assets Control (OFAC) administers and enforces based on US foreign policy. For more information about this act, see http://thomas.loc.gov/cgi-bin/bdquery/z?d107:HR03162:%5D; for OFAC information, see http://www.treas.gov/offices/eotffc/ofac.

EUDPD. The European Union Data Protection Directive (EUDPD) standardizes protection of data privacy for EU citizens, while allowing for a protected flow of information between member states and multinational entities. Originally adopted in 1995, the directive's implementation date was October 24, 1998. Corporations outside of the EU that are trading with EU entities (or hope to) are increasingly motivated to understand the EUDPD and implement it appropriately in their business operations. The EU and the US Department of Commerce have agreements that provide guidelines on how US companies can collect, store, and maintain personal information about European citizens. The agreements include references to "safe-harbor" programs meant to assure adherence to certain privacy principles; US companies that comply with the voluntary pact receive some measure of protection from prosecution. The currently applicable version is Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Brussels, 12 July 2002, 2000/0189 (COD) LEX 365 PE-CONS 3636/02 ECO 217 CODEC 778. For information about the EUDPD, see http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf.
