Information security
== Laws and regulations ==
[[File:Privacy International 2007 privacy ranking map.png|thumb|[[Privacy International]] 2007 privacy ranking<br />green: Protections and safeguards<br />red: Endemic surveillance societies]]
Below is a partial listing of governmental laws and regulations in various parts of the world that have, had, or will have, a significant effect on data processing and information security.<ref name="dx.doi.org">{{Cite journal|title=Figure 1.10. Regulations in non-manufacturing sector have significant impact on the manufacturing sector |author=OECD |date=2016 |journal=Economic Policy Reforms 2016: Going for Growth Interim Report |series=Economic Policy Reforms |publisher=OECD Publishing |place=Paris |doi=10.1787/growth-2016-en |isbn=9789264250079 |url=http://dx.doi.org/10.1787/888933323807|access-date=2021-06-05|url-access=subscription }}</ref><ref>{{Cite book |title=Ahupuaʻa [electronic resource] : World Environmental and Water Resources Congress 2008, May 12-16, 2008, Honolulu, Hawaiʻi|date=2008|publisher=American Society of Civil Engineers|isbn=978-0-7844-0976-3 |oclc=233033926}}</ref> Important industry sector regulations have also been included when they have a significant impact on information security.<ref name="dx.doi.org"/>
* The UK [[Data Protection Act 1998]] makes new provisions for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.<ref>{{Cite book |author=Great Britain. Parliament. House of Commons|title=Data protection [H.L.] A bill [as amended in standing committee d] intituled an act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information|date=2007|publisher=Proquest LLC|oclc=877574826}}</ref><ref>{{Citation|title=Data protection, access to personal information and privacy protection|date=2019 |url=http://dx.doi.org/10.5040/9781784518998.chapter-002|work=Government and Information Rights: The Law Relating to Access, Disclosure and their Regulation|publisher=Bloomsbury Professional|doi=10.5040/9781784518998.chapter-002|isbn=978-1-78451-896-7|s2cid=239376648|access-date=2021-06-05|url-access=subscription}}</ref> The European Union Data Protection Directive (EUDPD) requires that all E.U. member states adopt national regulations to standardize the protection of [[information privacy|data privacy]] for citizens throughout the E.U.<ref>{{Cite book|last=Lehtonen|first=Lasse A.|chapter=Genetic Information and the Data Protection Directive of the European Union|date=2017-07-05|chapter-url=http://dx.doi.org/10.4324/9781315240350-8|title=The Data Protection Directive and Medical Research Across Europe|pages=103–112|publisher=Routledge|doi=10.4324/9781315240350-8|isbn=978-1-315-24035-0|access-date=2021-06-05}}</ref><ref name="UKDataProtAct">{{cite web |url=http://www.legislation.gov.uk/ukpga/1998/29/contents |title=Data Protection Act 1998 |work=legislation.gov.uk |publisher=The National Archives |access-date=25 January 2018}}</ref>
* The [[Computer Misuse Act]] 1990 is an Act of the [[Parliament of the United Kingdom|U.K. Parliament]] making computer crime (e.g., hacking) a criminal offense.<ref>{{Cite book|chapter=Computer Misuse Act 1990|date=2013-06-17|chapter-url=http://dx.doi.org/10.4324/9780203722763-42|title=Criminal Law Statutes 2011-2012|pages=114–118|publisher=Routledge|doi=10.4324/9780203722763-42|isbn=978-0-203-72276-3|access-date=2021-06-05}}</ref> The act has become a model from which several other countries,<ref>{{Cite web|last1=Dharmapala|first1=Dhammika|last2=Hines|first2=James|date=December 2006|title=Which Countries Become Tax Havens?|url=http://dx.doi.org/10.3386/w12802|series=Working Paper Series|location=Cambridge, MA|doi=10.3386/w12802}}</ref> including [[Canada]] and [[Republic of Ireland|Ireland]], have drawn inspiration when subsequently drafting their own information security laws.<ref>{{Cite web|title=Figure 1.14. Participation rates have risen but labour force growth has slowed in several countries|url=http://dx.doi.org/10.1787/888933367391|access-date=2021-06-05|doi=10.1787/888933367391}}</ref><ref name="UKCompMisAct">{{cite web |url=http://www.legislation.gov.uk/ukpga/1990/18/contents |title=Computer Misuse Act 1990 |work=legislation.gov.uk |publisher=The National Archives |access-date=25 January 2018}}</ref>
* The E.U.'s [[Data Retention Directive]] (annulled) required internet service providers and phone companies to keep data on every electronic message sent and phone call made for between six months and two years.<ref name="EU24EC06">{{cite web |url=http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32006L0024 |title=Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 |publisher=European Union |work=EUR-Lex |date=15 March 2006 |access-date=25 January 2018}}</ref>
* The [[Family Educational Rights and Privacy Act]] (FERPA) ({{usc|20|1232}} g; 34 CFR Part 99) is a U.S. Federal law that protects the privacy of student education records.<ref>{{Cite book|chapter=Defamation, Student Records, and the Federal Family Education Rights and Privacy Act|date=2010-12-14|chapter-url=http://dx.doi.org/10.4324/9780203846940-22|title=Higher Education Law|pages=361–394|publisher=Routledge|doi=10.4324/9780203846940-22|isbn=978-0-203-84694-0|access-date=2021-06-05}}</ref> The law applies to all schools that receive funds under an applicable program of the [[U.S. Department of Education]].<ref name="ReferenceA">{{Cite journal|date=2004|title=Alabama Schools Receive NCLB Grant To Improve Student Achievement|url=http://dx.doi.org/10.1037/e486682006-001|access-date=2021-06-05|website=PsycEXTRA Dataset|doi=10.1037/e486682006-001|url-access=subscription}}</ref> Generally, schools must have written permission from the parent or eligible student<ref name="ReferenceA"/><ref>{{Cite book|first=Karen|last=Turner-Gottschang |title=China bound : a guide to academic life and work in the PRC : for the Committee on Scholarly Communication with the People's Republic of China, National Academy of Sciences, American Council of Learned Societies, Social Science Research Council|date=1987 |publisher=National Academy Press|isbn=0-309-56739-4|oclc=326709779}}</ref> in order to release any information from a student's education record.<ref name="FERPA">Codified at {{UnitedStatesCode|20|1232g}}, with implementing regulations in title 34, part 99 of the [[Code of Federal Regulations]]</ref>
* The [[Federal Financial Institutions Examination Council]]'s (FFIEC) security guidelines for auditors specify requirements for online banking security.<ref name="FFIECAudit">{{cite web |url=https://ithandbook.ffiec.gov/it-booklets/audit.aspx |title=Audit Booklet |publisher=FFIEC |work=Information Technology Examination Handbook |access-date=25 January 2018}}</ref>
* The [[Health Insurance Portability and Accountability Act]] (HIPAA) of 1996 requires the adoption of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.<ref>{{Cite encyclopedia|last=Ray|first=Amy W.|title=Health Insurance Portability and Accountability Act (HIPAA)|url=http://dx.doi.org/10.4135/9781412950602.n369|encyclopedia=Encyclopedia of Health Care Management|year=2004|location=Thousand Oaks, CA|publisher=SAGE Publications, Inc.|doi=10.4135/9781412950602.n369|isbn=978-0-7619-2674-0|access-date=2021-06-05|url-access=subscription}}</ref> Additionally, it requires health care providers, insurance providers and employers to safeguard the security and privacy of health data.<ref name="HIPAAGPO">{{cite web |url=http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/content-detail.html |title=Public Law 104 - 191 - Health Insurance Portability and Accountability Act of 1996 |publisher=U.S. Government Publishing Office |access-date=25 January 2018}}</ref>
* The [[Gramm–Leach–Bliley Act]] of 1999 (GLBA), also known as the Financial Services Modernization Act of 1999, protects the privacy and security of private financial information that financial institutions collect, hold, and process.<ref name="GLBAGPO">{{cite web |url=https://www.gpo.gov/fdsys/pkg/STATUTE-113/pdf/STATUTE-113-Pg1338.pdf |title=Public Law 106 - 102 - Gramm–Leach–Bliley Act of 1999 |publisher=U.S. Government Publishing Office |access-date=25 January 2018}}</ref>
* Section 404 of the [[Sarbanes–Oxley Act|Sarbanes–Oxley Act of 2002 (SOX)]] requires publicly traded companies to assess the effectiveness of their internal controls for financial reporting in the annual reports they submit at the end of each fiscal year.<ref>{{Cite thesis|title=The impact of the Sarbanes-Oxley Act (SOX) on small-sized publicly traded companies and their communities|url=http://dx.doi.org/10.17760/d20204801|publisher=Northeastern University Library|first=Abayomi Oluwatosin|last=Alase|year=2016|doi=10.17760/d20204801}}</ref> Chief information officers are responsible for the security, accuracy, and reliability of the systems that manage and report the financial data.<ref>{{Cite thesis|title=Educational and Professional Trends of Chief Financial Officers|url=http://dx.doi.org/10.15760/honors.763|publisher=Portland State University Library|first=Lupita|last=Solis|year=2019|doi=10.15760/honors.763}}</ref> The act also requires publicly traded companies to engage independent auditors who must attest to, and report on, the validity of their assessments.<ref name="SOAGPO">{{cite web |url=https://www.gpo.gov/fdsys/pkg/PLAW-107publ204/html/PLAW-107publ204.htm |title=Public Law 107 - 204 - Sarbanes-Oxley Act of 2002 |publisher=U.S. Government Publishing Office |access-date=25 January 2018}}</ref>
* The [[Payment Card Industry Data Security Standard|Payment Card Industry Data Security Standard (PCI DSS)]] establishes comprehensive requirements for enhancing payment account data security.<ref>{{Citation|title=Pci Dss Glossary, Abbreviations, and Acronyms|date=2015-09-18|url=http://dx.doi.org/10.1002/9781119197218.gloss|work=Payment Card Industry Data Security Standard Handbook|pages=185–199|place=Hoboken, NJ, US|publisher=John Wiley & Sons, Inc.|doi=10.1002/9781119197218.gloss|isbn=978-1-119-19721-8|access-date=2021-06-05}}</ref> It was developed by the founding payment brands of the PCI Security Standards Council — including [[American Express]], [[Discover Card|Discover Financial Services]], JCB, MasterCard Worldwide,<ref>{{Citation|title=PCI Breakdown (Control Objectives and Associated Standards)|date=2015-09-18|url=http://dx.doi.org/10.1002/9781119197218.part2|work=Payment Card Industry Data Security Standard Handbook|pages=61|place=Hoboken, NJ, US|publisher=John Wiley & Sons, Inc.|doi=10.1002/9781119197218.part2|isbn=978-1-119-19721-8|access-date=2021-06-05|url-access=subscription}}</ref> and [[Visa Inc.|Visa International]] — to help facilitate the broad adoption of consistent [[data security]] measures on a global basis.<ref>{{Cite web|last1=Ravallion|first1=Martin|last2=Chen|first2=Shaohua|date=August 2017|title=Welfare-Consistent Global Poverty Measures|series=Working Paper Series |url=https://www.nber.org/papers/w23739 |access-date=18 January 2022|doi=10.3386/w23739}}</ref> The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, [[network architecture]], software design, and other critical protective measures.<ref name="PCIDSS3.2">{{cite web |url=https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf |title=Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures - Version 3.2 |publisher=Security Standards Council |date=April 2016 |access-date=25 January 2018}}</ref>
* State [[security breach notification laws]] (California and many others) require businesses, nonprofits, and state institutions to notify consumers when unencrypted "personal information" may have been compromised, lost, or stolen.<ref name="NCSLStateSecBreach17">{{cite web |url=http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx |title=Security Breach Notification Laws |publisher=National Conference of State Legislatures |date=12 April 2017 |access-date=25 January 2018}}</ref>
* The Personal Information Protection and Electronic Documents Act ([[Personal Information Protection and Electronic Documents Act|PIPEDA]]) of Canada supports and promotes electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances,<ref>{{Cite book|editor1-last=Stein|editor1-first=Stuart G.|editor2-last=Schaberg|editor2-first=Richard A.|editor3-last=Biddle|editor3-first=Laura R.|title=Financial institutions answer book, 2015 : law, governance, compliance|date=23 June 2015|publisher=Practising Law Institute |isbn=978-1-4024-2405-2|oclc=911952833}}</ref><ref>{{Citation|title=Personal Information and Data Protection|date=2019|url=http://dx.doi.org/10.5040/9781509924882.ch-002|work=Protecting Personal Information|publisher=Hart Publishing|doi=10.5040/9781509924882.ch-002|isbn=978-1-5099-2485-1|s2cid=239275871|access-date=2021-06-05|url-access=subscription}}</ref> by providing for the use of electronic means to communicate or record information or transactions, and by amending the [[Canada Evidence Act]], the Statutory Instruments Act and the Statute Revision Act.<ref>{{Cite book|title=Chapter 5. An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act|date=2000|publisher=Queen's Printer for Canada|oclc=61417862}}</ref><ref>{{Cite journal|date=1984|title=Comments|url=http://dx.doi.org/10.1093/slr/5.1.184|journal=Statute Law Review|volume=5|issue=1|pages=184–188|doi=10.1093/slr/5.1.184|issn=0144-3593|url-access=subscription}}</ref><ref name="PIPEDA">{{cite web |url=http://laws-lois.justice.gc.ca/PDF/P-8.6.pdf |title=Personal Information Protection and Electronic Documents Act |publisher=Canadian Minister of Justice |access-date=25 January 2018}}</ref>
* Greece's Hellenic Authority for Communication Security and Privacy (ADAE) (Law 165/2011) establishes and describes the minimum information security controls that should be deployed by every company which provides electronic communication networks and/or services in Greece in order to protect customers' confidentiality.<ref>{{Cite journal|last=Werner|first=Martin|date=2011-05-11|title=Privacy-protected communication for location-based services|url=http://dx.doi.org/10.1002/sec.330|journal=Security and Communication Networks|volume=9|issue=2|pages=130–138|doi=10.1002/sec.330|issn=1939-0114|url-access=subscription}}</ref> These include both managerial and technical controls (e.g., log records should be stored for two years).<ref name="RACEC">{{cite web |url=http://www.adae.gr/fileadmin/docs/nomoi/kanonismoi/ADAE_REGULATION_165.2011.pdf |title=Regulation for the Assurance of Confidentiality in Electronic Communications |work=Government Gazette of the Hellenic Republic |publisher=Hellenic Authority for Communication Security and Privacy |date=17 November 2011 |access-date=25 January 2018 |archive-date=June 25, 2013 |archive-url=https://web.archive.org/web/20130625211034/http://www.adae.gr/fileadmin/docs/nomoi/kanonismoi/ADAE_REGULATION_165.2011.pdf |url-status=dead }}</ref>
* Greece's Hellenic Authority for Communication Security and Privacy (ADAE) (Law 205/2013) concentrates on the protection of the integrity and availability of the services and data offered by Greek telecommunication companies.<ref>{{Citation|last=de Guise|first=Preston|title=Security, Privacy, Ethical, and Legal Considerations|date=2020-04-29|url=http://dx.doi.org/10.1201/9780367463496-9|work=Data Protection|pages=91–108|publisher=Auerbach Publications|doi=10.1201/9780367463496-9|isbn=978-0-367-46349-6|s2cid=219013948|access-date=2021-06-05|url-access=subscription}}</ref> The law requires these and other related companies to build, deploy, and test appropriate business continuity plans and redundant infrastructures.<ref name="205/2013">{{cite web |url=http://www.adae.gr/fileadmin/docs/nomoi/kanonismoi/Kanonismos_FEK_1742_B_15_07_2013_asfaleia_akeraiotita__ADAE_205_2013.pdf |title=Αριθμ. απόφ. 205/2013 |work=Government Gazette of the Hellenic Republic |publisher=Hellenic Authority for Communication Security and Privacy |date=15 July 2013 |access-date=25 January 2018 |archive-date=February 4, 2019 |archive-url=https://web.archive.org/web/20190204010458/http://www.adae.gr/fileadmin/docs/nomoi/kanonismoi/Kanonismos_FEK_1742_B_15_07_2013_asfaleia_akeraiotita__ADAE_205_2013.pdf |url-status=dead }}</ref>

The US Department of Defense (DoD) issued DoD Directive 8570 in 2004, later supplemented by DoD Directive 8140. These directives require all DoD employees and all DoD contract personnel involved in information assurance roles and activities to earn and maintain various industry Information Technology (IT) certifications, in an effort to ensure that all DoD personnel involved in network infrastructure defense have minimum levels of IT-industry-recognized knowledge, skills and abilities (KSA). Andersson and Reimers (2019) report that these certifications range from CompTIA's A+ and Security+ through (ISC)²'s CISSP.<ref>[https://library.iated.org/view/ANDERSON2019CYB Andersson and Reimers, 2019, CYBER SECURITY EMPLOYMENT POLICY AND WORKPLACE DEMAND IN THE U.S. GOVERNMENT, EDULEARN19 Proceedings, Publication year: 2019 Pages: 7858-786]</ref>