Fri Apr 8 06:51:39 PDT 2016

Management: Legal issues: How do legal issues interact with protection management?


Options:

Option 1: Regulatory mandates are specified by Legal and integrated into the duties to protect.
Option 2: Civil litigation drivers are integrated into the duties to protect.
Option 3: Criminal statutes from all relevant jurisdictions are identified to all relevant workers.
Option 4: Timely notice is given to all individuals and organizations for all enterprise activities requiring such notice.
Option 5: Contract language is compatible with implementation and included in duties to protect.
Option 6: Liability limitations are appropriately managed in risk management related to information and related technologies.
Option 7: All jurisdictional requirements are met and considered in architecture, design, and implementation of protection functions.
Option 8: Investigative processes meet all regulatory requirements and are suitable for all intended and reasonably anticipated uses.
Option 9: Chain of custody issues are addressed in processes that could ultimately lead to the introduction of evidence in court.
Option 10: Transparency requirements are met for all legal mandates and contracts.
Option 11: Evidential issues are reasonably satisfied by enterprise record keeping and record retention and disposition processes.
Option 12: Forensics requirements are met for all information associated with information protection issues.

For each identified applicable law, regulation, or contract type, identify its applicability and status with regard to each of the relevant elements above.


Decision:

Each should be applied in ALL cases to all applicable situations.

Approach Status
Regulatory mandates are specified by Legal and integrated into the duties to protect.
Civil litigation drivers are integrated into the duties to protect.
Criminal statutes from all relevant jurisdictions are identified to all relevant workers.
Timely notice is given to all individuals and organizations for all enterprise activities requiring such notice.
Contract language is compatible with implementation and included in duties to protect.
Liability limitations are appropriately managed in risk management related to information and related technologies.
All jurisdictional requirements are met and considered in architecture, design, and implementation of protection functions.
Investigative processes meet all regulatory requirements and are suitable for all intended and reasonably anticipated uses.
Chain of custody issues are addressed in processes that could ultimately lead to the introduction of evidence in court.
Transparency requirements are met for all legal mandates and contracts.
Evidential issues are reasonably satisfied by enterprise record keeping and record retention and disposition processes.
Forensics requirements are met for all information associated with information protection issues.
Table: The interaction of legal issues with protection management.

Identify contractual requirements associated with legal mandates:

Select (non-comprehensive) applicable laws / regulations:

  • The Health Insurance Portability and Accountability Act (HIPAA).
  • The Health Information Technology for Economic and Clinical Health Act (HITECH).
  • The Gramm-Leach-Bliley Act (GLBA).
  • The Sarbanes-Oxley Act (SOX).
  • The Payment Card Industry Data Security Standard (PCI-DSS).
  • The Fair and Accurate Credit Transaction Act (FACTA).
  • The Digital Millennium Copyright Act (DMCA).
  • The EU Data Directive.
  • The Canadian Records Act.
  • The EU Right to be Forgotten laws.
  • The interaction of cryptographic use regulations and laws worldwide.
  • The interaction of Import and Export control regulations worldwide.
  • The Electronic Fund Transfer Act, Regulation E (EFTA).
  • The Customs-Trade Partnership Against Terrorism (C-TPAT).
  • The Children's Online Privacy Protection Act (COPPA).
  • The Federal Rules of Civil Procedure (FRCP).
  • The Federal Information Security Management Act (FISMA).
  • The North American Electric Reliability Corp. (NERC) standards.
  • The interaction of Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records.
  • The interaction of Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule).
  • The interaction of H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation.
  • The interaction of California SB1386, Massachusetts 201 CMR 17 (aka Mass Data Protection Law), Nevada Personal Information Data Privacy Encryption Law NRS 603A, and similar and subsequent state laws.
  • The interaction of the Mexican Law on the Protection of Personal Data Held by Private Parties.
  • The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
  • The EU Data Protection Directive and Safe Harbor Act.
  • The NAME-OTHER-APPLICABLE-LAWS-OR-REGULATIONS.

Also as appropriate,

  • Argentina: Personal Data Protection Act of 2000 (aka Habeas Data).
  • Austria: Data Protection Act 2000, Austrian Federal Law Gazette part I No. 165/1999 (Datenschutzgesetz 2000 or DSG 2000).
  • Australia: Privacy Act of 1988.
  • Belgium: Belgian Data Protection Law; see also the Belgian Data Privacy Commission.
  • Brazil: Privacy currently governed by Article 5 of the 1988 Constitution.
  • Bulgaria: The Bulgarian Personal Data Protection Act was adopted on December 21, 2001 and entered into force on January 1, 2002. More information is available from the Bulgarian Data Protection Authority.
  • Canada: The Privacy Act, July 1983; Personal Information Protection and Electronic Documents Act (PIPEDA) of 2000 (Bill C-6).
  • Chile: Act on the Protection of Personal Data, August 1998.
  • Colombia: Two laws affecting data privacy: Law 1266 of 2008 and Law 1273 of 2009 (both in Spanish). The constitution also gives any person the right to update their personal information.
  • Czech Republic: Act on Protection of Personal Data (April 2000) No. 101.
  • Denmark: Act on Processing of Personal Data, Act No. 429, May 2000.
  • Estonia: Personal Data Protection Act of 2003 (June 1996, consolidated July 2002).
  • European Union: European Union Data Protection Directive of 1998.
  • European Union: Internet Privacy Law of 2002 (Directive 2002/58/EC).
  • Finland: Act on the Amendment of the Personal Data Act (986) 2000.
  • France: Data Protection Act of 1978 (revised in 2004).
  • Germany: Federal Data Protection Act of 2001.
  • Greece: Law No. 2472 on the Protection of Individuals with Regard to the Processing of Personal Data, April 1997.
  • Guernsey: Data Protection (Bailiwick of Guernsey) Law of 2001.
  • Hong Kong: Personal Data Ordinance (the "Ordinance").
  • Hungary: Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interest (excerpts in English).
  • Iceland: Act on Protection of Individuals; Processing of Personal Data (January 2000).
  • Ireland: Data Protection (Amendment) Act, Number 6 of 2003.
  • India: Information Technology Act of 2000.
  • Italy: Data Protection Code of 2003.
  • Italy: Processing of Personal Data Act, January 1997.
  • Japan: Personal Information Protection Law (Act) (official English translation).
  • Japan: Law for the Protection of Computer Processed Data Held by Administrative Organs, December 1988.
  • Korea: Act on Personal Information Protection of Public Agencies; Act on Information and Communication Network Usage.
  • Latvia: Personal Data Protection Law, March 23, 2000.
  • Lithuania: Law on Legal Protection of Personal Data (June 1996).
  • Luxembourg: Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data.
  • Malaysia: Common law principle of confidentiality; Personal Data Protection Bill (not finalized); Banking and Financial Institutions Act of 1989 privacy provisions.
  • Malta: Data Protection Act (Act XXVI of 2001), amended March 22, 2002, November 15, 2002 and July 15, 2003.
  • Mexico: Federal Law for the Protection of Personal Data Possessed by Private Persons (Spanish). The regulations deal with data subjects' rights, security and breach notification provisions, cloud computing, consent and notice requirements, and data transfers. A good summary of the law in English is available from the IT Law Group.
  • Morocco: Data Protection Act.
  • Netherlands: Dutch Personal Data Protection Act 2000 as amended by Acts dated 5 April 2001, Bulletin of Acts, Orders and Decrees 180, 6 December 2001.
  • New Zealand: Privacy Act, May 1993; Privacy Amendment Act, 1993; Privacy Amendment Act, 1994.
  • Norway: Personal Data Act (April 2000): Act of 14 April 2000 No. 31 Relating to the Processing of Personal Data.
  • Philippines: Data Privacy Act of 2011. There is also a recognized right of privacy in civil law and a model data protection code.
  • Romania: Law No. 677/2001 for the Protection of Persons concerning the Processing of Personal Data and the Free Circulation of Such Data.
  • Poland: Act on the Protection of Personal Data (August 1997).
  • Portugal: Act on the Protection of Personal Data (Law 67/98 of 26 October).
  • Singapore: The E-commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce, and other related Singapore laws and e-commerce laws.
  • Slovak Republic: Act No. 428 of 3 July 2002 on Personal Data Protection.
  • Slovenia: Personal Data Protection Act, RS No. 55/99.
  • South Africa: Electronic Communications and Transactions Act, 2002 (http://www.internet.org.za/ect_act.html).
  • South Korea: The Act on Promotion of Information and Communications Network Utilization and Data Protection of 2000.
  • Spain: Organic Law 15/1999 of 13 December on the Protection of Personal Data.
  • Switzerland: The Federal Law on Data Protection of 1992.
  • Sweden: Personal Data Protection Act (1998:204), October 24, 1998.
  • Taiwan: Computer Processed Personal Data Protection Law (applies only to public institutions; English translation available).
  • Thailand: Official Information Act, B.E. 2540 (1997) for state agencies (Personal Data Protection Bill under consideration).
  • United Kingdom: UK Data Protection Act 1998.
  • United Kingdom: Privacy and Electronic Communications (EC Directive) Regulations 2003; consumer-oriented guidance is available from the Information Commissioner's Office.
  • Vietnam: The Law on Electronic Transactions 2008.

Basis:

Regulatory mandates are specified by Legal and integrated into the duties to protect.
Regulatory drivers impact all corporations. Whether your enterprise has EU privacy requirements, US financial reporting requirements, US, Canadian, or Australian health and benefits information requirements, Chinese and French encryption requirements, or other similar requirements, regulatory drivers are increasingly forcing changes in information protection programs.

Civil litigation drivers are integrated into the duties to protect.
Civil litigation drives many enterprises in legal areas. A good example of a protection policy that resulted in a lost civil suit comes from a recent case in which a published Web site policy guaranteed privacy of personal information. The policy was not followed, and a million-dollar lawsuit was lost as a result. If there had been no such policy, there would have been no such loss.

Criminal statutes from all relevant jurisdictions are identified to all relevant workers.
Criminal litigation is pending against many executives who failed to report to shareholders on potentially serious negative consequences associated with information technology failures, inadequate assurance associated with financial records, and other similar violations of law. Failures of due diligence are increasingly being treated severely because of prior executive misdeeds.

Timely notice is given to all individuals and organizations for all enterprise activities requiring such notice.
Notice is required for legal protections to be effective. Good examples are trade secret, telecommunications recording, and worker monitoring notice requirements. Timely notice is also required for breach notification laws, to meet management mandates, for contractual obligations, for insurance coverage, and other similar reasons.

Contract language is compatible with implementation and included in duties to protect.
Contracts with inadequate language related to information protection are widespread and result in a wide range of problems, particularly those associated with access into enterprise networks by trading partners. Customer contracts relating to records are similarly problematic. Peering agreements associated with financial and health-related information require a level of due diligence in their perfection. Safe harbor agreements and other similar contracts require that protections be in place and effective. Many existing contracts should be updated to reflect the need to include encryption, access controls, and other protective measures in the storage, movement, and use of exchanged information.

Liability limitations are appropriately managed in risk management related to information and related technologies.
Liability issues associated with holding information of certain types, operating systems that interact with third parties, actions of employees with respect to intellectual property, and similar information protection issues are widespread. Even an infection with a computer virus may lead to liability issues associated with the lack of due diligence in protecting peering partners from the infection. Break-ins to unpatched or unnecessarily vulnerable systems at perimeters may lead to liabilities associated with consequential damages to downstream providers and others attacked from your site.

All jurisdictional requirements are met and considered in architecture, design, and implementation of protection functions.
Jurisdiction is a critical issue for large multinationals; however, because of the global reach of the Internet, most businesses are now international. Attacks, scams, and legal processes involving individuals around the world are commonplace in today's information environment. A business with a Web site has a presence everywhere in the world, and sales to foreign nations may result in violations of laws with which the seller or buyer is not familiar. Jurisdictions affect legal issues across the board and mandate a dramatically more complex information protection program than would otherwise be needed.

Investigative processes meet all regulatory requirements and are suitable for all intended and reasonably anticipated uses.
Investigative processes are linked to legal proceedings including but not limited to legal issues associated with employee sanctions, employee rights in investigative processes, prosecutions associated with criminal acts, civil proceedings related to employee misdeeds, and many other similar types of issues.

Chain of custody issues are addressed in processes that could ultimately lead to the introduction of evidence in court.
Chain of custody issues must be addressed in processes that could ultimately lead to the introduction of evidence in court. While the business record exception in the United States generally provides for these records, other jurisdictions have varying requirements for chain of custody. Records retention processes increasingly require chain of custody to be maintained in order to assure integrity of records and prevent loss of critical information that must be retained in case requested by authorities.
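Maintaining chain of custody for integrity of records is also a record-keeping mechanism. The following is an added example, not from this page or its author, of a hash-chained custody log in Python: each handling event commits to the previous entry and to the digest of the evidence item, so a later edit, reordering or removal of an entry, or a change to the item itself, is detectable on verification. Handler names, timestamps and the evidence bytes are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # link value used by the first entry


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _link_hash(prev_hash, body):
    # Canonical JSON so the same fields always hash identically
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def record_event(entries, handler, action, note, item_sha256, when):
    """Append one custody event; each entry commits to the hash of the one before it."""
    prev = entries[-1]["hash"] if entries else GENESIS
    body = {"seq": len(entries), "when": when, "handler": handler, "action": action,
            "note": note, "item_sha256": item_sha256, "prev": prev}
    entries.append(dict(body, hash=_link_hash(prev, body)))
    return entries


def verify_custody(entries, item_bytes):
    """Recompute every link and compare the item's digest with the one recorded
    at collection. Returns (ok, reason). Edited, reordered or removed entries
    are caught; removal of the newest entries is only detectable if the latest
    hash was also kept out of band (for example on the signed transfer receipt)."""
    if not entries:
        return False, "empty log"
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or e.get("prev") != prev:
            return False, f"entry {i}: sequence or link mismatch"
        if _link_hash(prev, body) != e.get("hash"):
            return False, f"entry {i}: contents altered after recording"
        prev = e["hash"]
    if sha256_hex(item_bytes) != entries[0]["item_sha256"]:
        return False, "item digest differs from the one recorded at collection"
    return True, "ok"


# Constructed sample: a disk-image stand-in handled by three people
EVIDENCE = b"constructed stand-in for a server01 disk image"
DIGEST = sha256_hex(EVIDENCE)
LOG = record_event([], "a.collector", "collected", "imaged server01", DIGEST, "2016-04-08T06:51:39-07:00")
record_event(LOG, "b.custodian", "stored", "locker 3, sealed bag 17", DIGEST, "2016-04-08T09:00:00-07:00")
record_event(LOG, "c.examiner", "checked out", "analysis", DIGEST, "2016-04-09T10:15:00-07:00")

if __name__ == "__main__":
    print(verify_custody(LOG, EVIDENCE))  # (True, 'ok')
```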

Transparency requirements are met for all legal mandates and contracts.
Transparency requirements for all relevant jurisdictions relative to the type of enterprise and content and processes involved must be met. Contractual requirements for transparency must also be met. State laws, like California SB-1386, privacy laws related to records of a wide variety of sorts, and mandates for transparency associated with public records are all examples of drivers for transparency. Contractual drivers will also mandate elements of transparency such as providing status relative to identified standards, requirements for supply chain verification, contracts associated with disclosed policies, and a wide range of other transparency requirements.

Evidential issues are reasonably satisfied by enterprise record keeping and record retention and disposition processes.
Evidential issues come up whenever information protection issues end up in legal venues. The data presented has to have adequate integrity and accuracy to assure that it can be accepted by the courts and it has to be presented by an expert who is responsible for those records and can attest to how they came to be and what they are supposed to represent. They have to be normal business records to be admissible under the hearsay exception, and as a result, they must be collected in the normal course of business. Preservation orders may require that records be retained beyond their normal life cycles for evidential purposes and these orders must be followed in order to avoid criminal legal sanctions associated with obstruction of justice and disobeying judicial orders.

Forensics requirements are met for all information associated with information protection issues.
Forensics efforts associated with identification, collection, preservation, analysis, and presentation of evidence in court require special training and expertise and are involved in almost all investigations associated with information protection issues.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved