Getting through that Compliance-Only Mindset

December 1, 2016

We all need to work with leaders and other influencers who hold “compliance” as their prime (sometimes, only) risk management driver.   Sure, that is tiring and sometimes disheartening, but they are not going away…  In the course of your efforts to advance effective information and operations security motivating these individuals can be a challenge.  Because large scale financial services enterprises in the United States do business across the country, it is sometimes helpful to be able to demonstrate the scope of legislation (not regulation) that applies to various aspects of information and cyber security.  Below is a collection of lists of laws on related information security topics from the National Conference of State Legislatures (http://www.ncsl.org/aboutus.aspx) that may help you on that front.  I’ve included a couple of global resources as well, but that information is far more limited than is available to me about U.S. state laws.

At the story-telling level, one might use this list to demonstrate why it is critical to create, acquire, evolve and maintain ________ (this may be context-specific, use whatever is applicable: software, networks, servers, endpoints, databases, appliances, etc…) that are audit-ready, resilient and resistant to attack, and that protect sensitive resources & transactions while delivering the intended levels of service while under attack.  I am not a lawyer and this is not legal advice!  But I believe given the scope and complexity of the laws involved, along with the velocity of change, attempting to achieve and maintain tight compliance alignment with all applicable laws & regulations would be vastly more expensive than focusing most of our creativity & energy on fielding safe-enough software, infrastructure, and operations.

Sure, laws, regulations, and the professionals who focus on them are critically important in Financial Services.  That does not make them the center-of-the-universe for information security. Safe software, safe infrastructure, and safe operations are expected by all our constituencies and these characteristics also should satisfy information security-relevant compliance obligations. This seems like an achievable goal. Mapping every relevant law and regulation to every facet of every application and all aspects of our infrastructure and its operations seems impractical and unbusinesslike.

What do you think?

List of U.S. Security Breach Notification Laws:

Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information.
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

A running list of U.S. security breach-related legislation by year (2010 to present):

http://www.ncsl.org/research/telecommunications-and-information-technology/overview-security-breaches.aspx

List of U.S Data Disposal Laws:

At least 31 states and Puerto Rico have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.
http://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx

List of U.S. Identity Theft Laws:

http://www.ncsl.org/research/financial-services-and-commerce/identity-theft-state-statutes.aspx
Identity theft occurs when someone uses another person’s personally identifying information, like a person’s name, Social Security number, or credit card number or other financial information, without permission, to commit fraud or other crimes.
This chart summarizes the identity theft criminal penalties, restitution and identity theft passport laws. Every state has a law regarding identity theft or impersonation. Twenty-nine states, Guam, Puerto Rico and the District of Columbia have specific restitution provisions for identity theft. Five states—Iowa, Kansas, Kentucky, Michigan and Tennessee—have forfeiture provisions for identity theft crimes. Eleven states—Arkansas, Delaware, Iowa, Maryland, Mississippi, Montana, Nevada, New Mexico, Ohio, Oklahoma and Virginia—have created identity theft passport programs to help victims from continuing identity theft.

List of U.S. Cybersecurity Legislation for 2016:

http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2016.aspx
Cyber threats have enormous implications for government security, economic prosperity and public safety. States are addressing cybersecurity through various approaches, such as:

  • Requiring government or public agencies to implement security practices
  • Offering incentives to the cybersecurity industry
  • Providing exemptions from public records laws for security information
  • Creating cybersecurity commissions, studies or task forces
  • Promoting cybersecurity education.

Same for 2015:
http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2015.aspx

List of U.S. Computer Crime Statutes:

http://www.ncsl.org/research/telecommunications-and-information-technology/computer-hacking-and-unauthorized-access-laws.aspx
Computer crime laws encompass a variety of actions that destroy or interfere with normal operation of a computer system including hacking, unauthorized access, and malware, among others.

List of U.S. State Laws Associated with Phishing:

http://www.ncsl.org/research/telecommunications-and-information-technology/state-phishing-laws.aspx
Through 1/9/2015.
Phishing is a scam where fraudsters send spam or text messages or create deceptive websites to lure personal or financial information from unsuspecting victims.

U.S. State Spyware Laws

http://www.ncsl.org/research/telecommunications-and-information-technology/state-spyware-laws.aspx
Last update: 12/3/2015
Spyware, also sometimes called adware, is software that can track or collect the online activities or personal information of Web users, change settings on users computers, or cause advertising messages to pop up on users’ computer screens.  Web users are often unaware that spyware has been downloaded to their computers, and even when found, it can be very difficult to remove.
Twenty states, Guam and Puerto Rico have laws targeting spyware. Other states have laws that address computer crime, fraudulent or deceptive practices or identity theft and that possibly could apply to some practices involving spyware.

Also:

Perkins Coie’s list of U.S. State Security Breach Notification Laws:

https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html
(Last Revised June 2016)
Perkins Coie’s Privacy & Security practice maintains a comprehensive chart that summarizes state laws regarding security breach notification.  The chart is for informational purposes only and is intended as an aid in understanding each state’s sometimes unique security breach notification requirements.  Lawyers, compliance professionals, and business owners have told Perkins Coie that the chart has been helpful when preparing for and responding to data breaches.
This resource includes more detail than most of the links listed above.

DLA Piper “Data Protection Laws of the World”

Interactive Map Of Notification Status and more.
https://www.dlapiperdataprotection.com/index.html#handbook/world-map-section
Interactive map highlighting breach notification rules and regulations (per country). The colors of the countries below represent a data breach risk index. Red is the highest, orange is high, yellow is elevated, blue is general, and green is low risk.
There is also an on-demand PFD version of “Data Protection Laws of the World” available from DLA Piper at:
https://www.dlapiperdataprotection.com/system/modules/za.co.heliosdesign.dla.lotw/functions/export.pdf?country=all
When downloaded on November 29, 2016, this was a 510 page document covering the following 98 countries: Angola, Argentina, Australia, Austria, Belarus, Belgium, Bosnia and Herzegovina, British Virgin Islands, Bulgaria, Canada, Cape Verde, Cayman Islands, Chile, China, Colombia, Costa Rica, Brazil, British, Bulgaria, Canada, Cape, Cayman, Chile, China, Colombia, Costa, Croatia, Cyprus, Czech Republic, Denmark, Egypt, Estonia, Finland, France, Germany, Ghana, Gibraltar, Greece, Guernsey, Honduras, Hong Kong, Hungary, Iceland, India, Indonesia, Ireland, Israel, Italy, Japan, Jersey, Latvia, Lesotho, Lithuania, Luxembourg, Macau, Macedonia, Madagascar, Malaysia, Malta, Mauritius, Mexico, Monaco, Montenegro, Morocco, Netherlands, New Zealand, Nigeria, Norway, Pakistan, Panama, Peru, Philippines, Poland, Portugal, Romania, Russia, Saudi Arabia, Serbia, Seychelles, Singapore, Slovak Republic, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Thailand, Trinidad and Tobago, Turkey, UAE – Dubai (DIFC), UAE – General, Ukraine, United Kingdom, United States, Uruguay, Venezuela, and Zimbabwe.

This page below provides a brief summary of the requirements of each of the 47 U.S state data breach notification laws as of August 2014.
http://www.itgovernanceusa.com/data-breach-notification-laws.aspx

Advertisements

%d bloggers like this: