Legal Obligations Detail
Corporate Legal Obligation in regard to information privacy

List of Laws

Applicable Law: Sarbanes-Oxley Act
Legal Text:
Section 103: Auditing, Quality Control, And Independence Standards And Rules.
The Board must adopt an audit standard to implement the internal control review
required by section 404(b). This standard must require the auditor evaluate
whether the internal control structure and procedures include records that
accurately and fairly reflect the transactions of the issuer, provide
reasonable assurance that the transactions are recorded in a manner that will
permit the preparation of financial statements in accordance with GAAP, and a
description of any material weaknesses in the internal controls.
Section 302: Corporate Responsibility for Financial Report.
The signing officers have disclosed ... all significant deficiencies in the
design or operation of internal controls which could adversely affect the
issuer's ability to record, process, summarize, and report financial data and
have identified for the issuer's auditors any material weaknesses in internal
controls.
Section 404: Management Assessment Of Internal Controls.
(1) state the responsibility of management for establishing and maintaining an
adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the issuer's fiscal year, of the
effectiveness of the internal control structure and procedures of the issuer
for financial reporting.
Section 1102: Tampering With a Record or Otherwise Impeding an Official Proceeding.
Makes it a crime for any person to corruptly alter, destroy, mutilate, or
conceal any document with the intent to impair the object's integrity or
availability for use in an official proceeding, or to otherwise obstruct,
influence or impede any official proceeding; a violator is liable for up to 20
years in prison and a fine.
Title IX: White Collar Crime Penalty Enhancements.
Creates a crime for tampering with a record or otherwise impeding any official
proceeding.

Applicable Law: Section 1173(a) of the Social Security Act
Legal Text:
SEC. 1173. [42 U.S.C. 1320d-2]
(a) STANDARDS TO ENABLE ELECTRONIC EXCHANGE.
(d) SECURITY STANDARDS FOR HEALTH INFORMATION.
(1) SECURITY STANDARDS. The Secretary shall adopt security standards that
(A) take into account
(i) the technical capabilities of record systems used to maintain health
information;
(ii) the costs of security measures;
(iii) the need for training persons who have access to health information;
(iv) the value of audit trails in computerized record systems; and
(v) the needs and capabilities of small health care providers and rural health
care providers (as such providers are defined by the Secretary); and
(B) ensure that a health care clearinghouse, if it is part of a larger
organization, has policies and security procedures which isolate the activities
of the health care clearinghouse with respect to processing information in a
manner that prevents unauthorized access to such information by such larger
organization.
(2) SAFEGUARDS. Each person described in section 1172(a) who maintains or
transmits health information shall maintain reasonable and appropriate
administrative, technical, and physical safeguards
(A) to ensure the integrity and confidentiality of the information;
(B) to protect against any reasonably anticipated
(i) threats or hazards to the security or integrity of the information; and
(ii) unauthorized uses or disclosures of the information; and
(C) otherwise to ensure compliance with this part by the officers and employees
of such person.
...
(f) TRANSFER OF INFORMATION AMONG HEALTH PLANS.
The Secretary shall adopt standards for transferring among health plans
appropriate standard data elements needed for the coordination of benefits, the
sequential processing of claims, and other data elements for individuals who
have more than one health plan.
SEC. 1176. [42 U.S.C. 1320d-5]
(a) GENERAL PENALTY.
(1) IN GENERAL. Except as provided in subsection (b), the Secretary shall impose
on any person who violates a provision of this part a penalty of not more than
$100 for each such violation, except that the total amount imposed on the
person for all violations of an identical requirement or prohibition during a
calendar year may not exceed $25,000.

Applicable Law: European Data Privacy Law, Directive 95/46/EC
Legal Text:
DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
(2) Whereas data-processing systems are designed to serve man; whereas they
must, whatever the nationality or residence of natural persons, respect their
fundamental rights and freedoms, notably the right to privacy, and contribute
to economic and social progress, trade expansion and the well-being of
individuals;
(10) Whereas the object of the national laws on the processing of personal data
is to protect fundamental rights and freedoms, notably the right to privacy,
which is recognized both in Article 8 of the European Convention for the
Protection of Human Rights and Fundamental Freedoms and in the general
principles of Community law; whereas, for that reason, the approximation of
those laws must not result in any lessening of the protection they afford but
must, on the contrary, seek to ensure a high level of protection in the
Community;
(12) Whereas the protection principles must apply to all processing of personal
data by any person whose activities are governed by Community law; whereas
there should be excluded the processing of data carried out by a natural person
in the exercise of activities which are exclusively personal or domestic, such
as correspondence and the holding of records of addresses;
(15) Whereas the processing of such data is covered by this Directive only if
it is automated or if the data processed are contained or are intended to be
contained in a filing system structured according to specific criteria relating
to individuals, so as to permit easy access to the personal data in question;
(19) Whereas establishment on the territory of a Member State implies the
effective and real exercise of activity through stable arrangements; whereas
the legal form of such an establishment, whether simply branch or a subsidiary
with a legal personality, is not the determining factor in this respect;
whereas, when a single controller is established on the territory of several
Member States, particularly by means of subsidiaries, he must ensure, in order
to avoid any circumvention of national rules, that each of the establishments
fulfils the obligations imposed by the national law applicable to its
activities;
(20) Whereas the fact that the processing of data is carried out by a person
established in a third country must not stand in the way of the protection of
individuals provided for in this Directive; whereas in these cases, the
processing should be governed by the law of the Member State in which the means
used are located, and there should be guarantees to ensure that the rights and
obligations provided for in this Directive are respected in practice;
(25) Whereas the principles of protection must be reflected, on the one hand,
in the obligations imposed on persons, public authorities, enterprises,
agencies or other bodies responsible for processing, in particular regarding
data quality, technical security, notification to the supervisory authority,
and the circumstances under which processing can be carried out, and, on the
other hand, in the right conferred on individuals, the data on whom are the
subject of processing, to be informed that processing is taking place, to
consult the data, to request corrections and even to object to processing in
certain circumstances;
(26) Whereas the principles of protection must apply to any information
concerning an identified or identifiable person; whereas, to determine whether
a person is identifiable, account should be taken of all the means likely
reasonably to be used either by the controller or by any other person to
identify the said person; whereas the principles of protection shall not apply
to data rendered anonymous in such a way that the data subject is no longer
identifiable; whereas codes of conduct within the meaning of Article 27 may be
a useful instrument for providing guidance as to the ways in which data may be
rendered anonymous and retained in a form in which identification of the data
subject is no longer possible;
(27) Whereas the protection of individuals must apply as much to automatic
processing of data as to manual processing; whereas the scope of this
protection must not in effect depend on the techniques used, otherwise this
would create a serious risk of circumvention; whereas, nonetheless, as regards
manual processing, this Directive covers only filing systems, not unstructured
files; whereas, in particular, the content of a filing system must be
structured according to specific criteria relating to individuals allowing easy
access to the personal data; whereas, in line with the definition in Article 2
(30)... Member States may determine the circumstances in which personal data
may be used or disclosed to a third party in the context of the legitimate
ordinary business activities of companies and other bodies; whereas Member
States may similarly specify the conditions under which personal data may be
disclosed to a third party for the purposes of marketing whether carried out
commercially or by a charitable organization or by any other association or
foundation, of a political nature for example, subject to the provisions
allowing a data subject to object to the processing of data regarding him, at
no cost and without having to state his reasons;
(38) Whereas, if the processing of data is to be fair, the data subject must be
in a position to learn of the existence of a processing operation and, where
data are collected from him, must be given accurate and full information,
bearing in mind the circumstances of the collection;
(42) Whereas Member States may, in the interest of the data subject or so as to
protect the rights and freedoms of others, restrict rights of access and
information; whereas they may, for example, specify that access to medical data
may be obtained only through a health professional;
(46) Whereas the protection of the rights and freedoms of data subjects with
regard to the processing of personal data requires that appropriate technical
and organizational measures be taken, both at the time of the design of the
processing system and at the time of the processing itself, particularly in
order to maintain security and thereby to prevent any unauthorized processing;
whereas it is incumbent on the Member States to ensure that controllers comply
with these measures; whereas these measures must ensure an appropriate level of
security, taking into account the state of the art and the costs of their
implementation in relation to the risks inherent in the processing and the
nature of the data to be protected;
(55) Whereas, if the controller fails to respect the rights of data subjects,
national legislation must provide for a judicial remedy; whereas any damage
which a person may suffer as a result of unlawful processing must be
compensated for by the controller, who may be exempted from liability if he
proves that he is not responsible for the damage, in particular in cases where
he establishes fault on the part of the data subject or in case of force
majeure; whereas sanctions must be imposed on any person, whether governed by
private or public law, who fails to comply with the national measures taken
under this Directive;
(57) Whereas, on the other hand, the transfer of personal data to a third
country which does not ensure an adequate level of protection must be
prohibited;
Article 2
Definitions
For the purposes of this Directive:
(a) 'personal data' shall mean any information relating to an identified or
identifiable natural person ('data subject'); an identifiable person is one who
can be identified, directly or indirectly, in particular by reference to an
identification number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity;
(b) 'processing of personal data' ('processing') shall mean any operation or
set of operations which is performed upon personal data, whether or not by
automatic means, such as collection, recording, organization, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or
combination, blocking, erasure or destruction;
(c) 'personal data filing system' ('filing system') shall mean any structured
set of personal data which are accessible according to specific criteria,
whether centralized, decentralized or dispersed on a functional or geographical
basis;
(d) 'controller' shall mean the natural or legal person, public authority,
agency or any other body which alone or jointly with others determines the
purposes and means of the processing of personal data; where the purposes and
means of processing are determined by national or Community laws or
regulations, the controller or the specific criteria for his nomination may be
designated by national or Community law;
Article 8
The processing of special categories of data
1. Member States shall prohibit the processing of personal data revealing
racial or ethnic origin, political opinions, religious or philosophical
beliefs, trade-union membership, and the processing of data concerning health
or sex life.
Article 16
Confidentiality of processing
Any person acting under the authority of the controller or of the processor,
including the processor himself, who has access to personal data must not
process them except on instructions from the controller, unless he is required
to do so by law.
Article 17
Security of processing
1. Member States shall provide that the controller must implement appropriate
technical and organizational measures to protect personal data against
accidental or unlawful destruction or accidental loss, alteration, unauthorized
disclosure or access, in particular where the processing involves the
transmission of data over a network, and against all other unlawful forms of
processing.
Having regard to the state of the art and the cost of their implementation,
such measures shall ensure a level of security appropriate to the risks
represented by the processing and the nature of the data to be protected.
2. The Member States shall provide that the controller must, where processing
is carried out on his behalf, choose a processor providing sufficient
guarantees in respect of the technical security measures and organizational
measures governing the processing to be carried out, and must ensure compliance
with those measures.
3. The carrying out of processing by way of a processor must be governed by a
contract or legal act binding the processor to the controller and stipulating
in particular that:
- the processor shall act only on instructions from the controller,
- the obligations set out in paragraph 1, as defined by the law of the Member
State in which the processor is established, shall also be incumbent on the
processor.
4. For the purposes of keeping proof, the parts of the contract or the legal
act relating to data protection and the requirements relating to the measures
referred to in paragraph 1 shall be in writing or in another equivalent form.
Article 20
Prior checking
1. Member States shall determine the processing operations likely to present
specific risks to the rights and freedoms of data subjects and shall check that
these processing operations are examined prior to the start thereof.
2. Such prior checks shall be carried out by the supervisory authority
following receipt of a notification from the controller or by the data
protection official, who, in cases of doubt, must consult the supervisory
authority.
Article 22
Remedies
Without prejudice to any administrative remedy for which provision may be made,
inter alia before the supervisory authority referred to in Article 28, prior to
referral to the judicial authority, Member States shall provide for the right
of every person to a judicial remedy for any breach of the rights guaranteed
him by the national law applicable to the processing in question.
Article 23
Liability
1. Member States shall provide that any person who has suffered damage as a
result of an unlawful processing operation or of any act incompatible with the
national provisions adopted pursuant to this Directive is entitled to receive
compensation from the controller for the damage suffered.
2. The controller may be exempted from this liability, in whole or in part, if
he proves that he is not responsible for the event giving rise to the damage.

Applicable Law: European Data Privacy Law, Regulation No 45/2001
Legal Text:
Article 22
Security of processing
1. Having regard to the state of the art and the cost of their implementation,
the controller shall implement appropriate technical and organisational
measures to ensure a level of security appropriate to the risks represented by
the processing and the nature of the personal data to be protected.
Such measures shall be taken in particular to prevent any unauthorised
disclosure or access, accidental or unlawful destruction or accidental loss, or
alteration, and to prevent all other unlawful forms of processing.
2. Where personal data are processed by automated means, measures shall be
taken as appropriate in view of the risks in particular with the aim of:
(a) preventing any unauthorised person from gaining access to computer systems
processing personal data;
(b) preventing any unauthorised reading, copying, alteration or removal of
storage media;
(c) preventing any unauthorised memory inputs as well as any unauthorised
disclosure, alteration or erasure of stored personal data;
(d) preventing unauthorised persons from using data-processing systems by means
of data transmission facilities;
(e) ensuring that authorised users of a data-processing system can access no
personal data other than those to which their access right refers;
(f) recording which personal data have been communicated, at what times and to
whom;
(g) ensuring that it will subsequently be possible to check which personal data
have been processed, at what times and by whom;
(h) ensuring that personal data being processed on behalf of third parties can
be processed only in the manner prescribed by the contracting institution or
body;
(i) ensuring that, during communication of personal data and during transport
of storage media, the data cannot be read, copied or erased without
authorisation;
(j) designing the organisational structure within an institution or body in
such a way that it will meet the special requirements of data protection.
Article 23
Processing of personal data on behalf of controllers
1. Where a processing operation is carried out on its behalf, the controller
shall choose a processor providing sufficient guarantees in respect of the
technical and organisational security measures required by Article 22 and
ensure compliance with those measures.
2. The carrying out of a processing operation by way of a processor shall be
governed by a contract or legal act binding the processor to the controller and
stipulating in particular that:
(a) the processor shall act only on instructions from the controller;
(b) the obligations set out in Articles 21 and 22 shall also be incumbent on
the processor unless, by virtue of Article 16 or Article 17(3), second indent,
of Directive 95/46/EC, the processor is already subject to obligations with
regard to confidentiality and security laid down in the national law of one of
the Member States.
3. For the purposes of keeping proof, the parts of the contract or the legal
act relating to data protection and the requirements relating to the measures
referred to in Article 22 shall be in writing or in another equivalent form.
Article 24
Appointment and tasks of the Data Protection Officer
1. Each Community institution and Community body shall appoint at least one
person as data protection officer. That person shall have the task of:
(a) ensuring that controllers and data subjects are informed of their rights
and obligations pursuant to this Regulation;
(b) responding to requests from the European Data Protection Supervisor and,
within the sphere of his or her competence, cooperating with the European Data
Protection Supervisor at the latter's request or on his or her own initiative;
(c) ensuring in an independent manner the internal application of the
provisions of this Regulation;
(d) keeping a register of the processing operations carried out by the
controller, containing the items of information referred to in Article 25(2);
(e) notifying the European Data Protection Supervisor of the processing
operations likely to present specific risks within the meaning of Article 27.
That person shall thus ensure that the rights and freedoms of the data subjects
are unlikely to be adversely affected by the processing operations.
Article 25
Notification to the Data Protection Officer
...
2. The information to be given shall include:
(a) the name and address of the controller and an indication of the
organisational parts of an institution or body entrusted with the processing of
personal data for a particular purpose;
(b) the purpose or purposes of the processing;
(c) a description of the category or categories of data subjects and of the
data or categories of data relating to them;
(d) the legal basis of the processing operation for which the data are
intended;
(e) the recipients or categories of recipient to whom the data might be
disclosed;
(f) a general indication of the time limits for blocking and erasure of the
different categories of data;
(g) proposed transfers of data to third countries or international
organisations;
(h) a general description allowing a preliminary assessment to be made of the
appropriateness of the measures taken pursuant to Article 22 to ensure security
of processing.
Article 26
Register
A register of processing operations notified in accordance with Article 25
shall be kept by each Data Protection Officer.
The registers shall contain at least the information referred to in Article
25(2)(a) to (g). The registers may be inspected by any person directly or
indirectly through the European Data Protection Supervisor.
Article 38
Directories of users
1. Personal data contained in printed or electronic directories of users and
access to such directories shall be limited to what is strictly necessary for
the specific purposes of the directory.

Applicable Law: Fair and Accurate Credit Transactions Act of 2003
Legal Text:
SEC. 113. TRUNCATION OF CREDIT CARD AND DEBIT CARD ACCOUNT NUMBERS
(G) (1) IN GENERAL- Except as otherwise provided in this subsection, no person
that accepts credit cards or debit cards for the transaction of business shall
print more than the last 5 digits of the card number or the expiration date
upon any receipt provided to the cardholder at the point of the sale or
transaction.
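The truncation rule in SEC. 113 (G)(1) above translates directly into two controls a merchant's receipt-printing path should have: a masker that never emits more than the last five digits of the card number, and a check that catches a full card number or an expiration date before it reaches the printer. The following is an added example written for this page, not part of the statute or of the original document; the function names, the regular expressions, the Luhn filter used to tell card numbers from other digit runs, and the sample receipt are all this example's own constructions, and the statute itself sets only the five-digit ceiling and the ban on printing the expiration date.

```python
import re

# Added example (not part of the original page or the statute): a receipt
# checker and redactor for the FACTA section 113 limits, i.e. at most the last
# 5 digits of the card number and no expiration date on a point-of-sale receipt.
# Function names, patterns, the Luhn filter and the sample receipt are this
# example's own constructions.

MAX_VISIBLE_DIGITS = 5  # ceiling stated in section 113 (G)(1)

# 13-19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# MM/YY or MM/YYYY as commonly printed for card expiry
EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:\d{2}|\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters digit runs (timestamps, order ids) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, visible: int = MAX_VISIBLE_DIGITS) -> str:
    """Keep only the trailing `visible` digits; separators are dropped so grouping does not leak."""
    if visible > MAX_VISIBLE_DIGITS:
        raise ValueError("section 113 allows at most 5 trailing digits on a receipt")
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - visible) + digits[-visible:]


def _is_pan(match: "re.Match") -> bool:
    """A PAN_RE hit counts as a card number only if its digits pass Luhn."""
    return luhn_ok(re.sub(r"\D", "", match.group(0)))


def receipt_violations(receipt: str) -> list:
    """Findings for every receipt line that prints a Luhn-valid full PAN or an expiry date."""
    findings = []
    for lineno, line in enumerate(receipt.splitlines(), 1):
        if any(_is_pan(m) for m in PAN_RE.finditer(line)):
            findings.append(f"line {lineno}: full card number printed")
        if EXPIRY_RE.search(line):
            findings.append(f"line {lineno}: expiration date printed")
    return findings


def redact_receipt(receipt: str) -> str:
    """Rewrite the receipt to satisfy section 113: mask Luhn-valid PANs, remove expiry dates."""
    masked = PAN_RE.sub(lambda m: mask_pan(m.group(0)) if _is_pan(m) else m.group(0), receipt)
    return EXPIRY_RE.sub("[expiry removed]", masked)


# Constructed sample receipt (the card number is the well-known 4111... test PAN)
SAMPLE_RECEIPT = """ACME MART  2024-03-15 14:30
Card: 4111 1111 1111 1111  Exp 12/27
Total: $42.17
"""

if __name__ == "__main__":
    for finding in receipt_violations(SAMPLE_RECEIPT):
        print(finding)
    print(redact_receipt(SAMPLE_RECEIPT))
```

Run against the sample, the checker reports both a full card number and an expiration date on line 2, and the redacted receipt passes the same check. Two design points matter in practice: the Luhn filter keeps order numbers and timestamps from being flagged as card numbers, and the expiry pattern will flag any MM/YY-shaped token, so purchase dates should be printed in a distinct format (the sample uses an ISO date) or the expiry check scoped to the card line. The statute gives a ceiling, not a format: printing fewer digits, for example only the last four, stays within the limit.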
SEC. 114. ESTABLISHMENT OF PROCEDURES FOR THE IDENTIFICATION OF POSSIBLE
INSTANCES OF IDENTITY THEFT.
(A) establish and maintain guidelines for use by each financial institution and
each creditor regarding identity theft with respect to account holders at, or
customers of, such entities, and update such guidelines as often as necessary;
(B) prescribe regulations requiring each financial institution and each
creditor to establish reasonable policies and procedures for implementing the
guidelines established pursuant to subparagraph (A), to identify possible risks
to account holders or customers or to the safety and soundness of the
institution or customers;

Applicable Law: HIPAA Title 45
Legal Text:
General Instructions:
2. This decision-making process should be applied to EACH database and to EACH
research project that uses 'protected health information' PHI contained in a
database. Specific HIPAA Privacy Rule requirements and documentation as well as
necessary IRB action will depend on the characteristics of each database or
each research use of a database.
Section 164.502(b) - Minimum Necessary Uses and Disclosures
The proposed rule required a covered entity to make all reasonable efforts not
to use or disclose more than the minimum amount of protected health information
necessary to accomplish the intended purpose of the use or disclosure.
Section 164.502(e) - Business Associates
In the proposed rule, other than for purposes of consultation or referral for
treatment, we would have allowed a covered entity to disclose protected health
information to a business partner only pursuant to a written contract that
would, among other specified provisions, limit the business partner's uses and
disclosures of protected health information to those permitted by the contract,
and would impose certain security, inspection and reporting requirements on the
business partner. We proposed to define the term "business partner" to mean,
with respect to a covered entity, a person to whom the covered entity discloses
protected health information so that the person can carry out, assist with the
performance of, or perform on behalf of, a function or activity for the covered
entity.
Physical Safeguards to Guard Data Integrity, Confidentiality, and Availability
b. Media Controls
Media controls would be required in the form of formal, documented policies and
procedures that govern the receipt and removal of hardware/software (for
example, diskettes, tapes) into and out of a facility. They are important to
ensure total control of media containing health information. These controls
would include the following mandatory implementation features:
- Controlled access to media.
- Accountability (tracking mechanism).
- Data backup.
- Data storage.
- Disposal.
c. Physical Access Controls
Physical access controls (limited access) would be required. These would be
formal, documented policies and procedures for limiting physical access to an
entity while ensuring that properly authorized access is allowed. These
controls would be extremely important to the security of health information by
preventing unauthorized physical access to information and ensuring that
authorized personnel have proper access. These controls would include the
following mandatory implementation features:
- Disaster recovery.
- Emergency mode operation.
- Equipment control (into and out of site).
- A facility security plan.
- Procedures for verifying access authorizations prior to physical access.
- Maintenance records.
- Need-to-know procedures for personnel access.
- Sign-in for visitors and escort, if appropriate.
- Testing and revision.
Technical Security Services to Guard Data Integrity, Confidentiality, and Availability
a. Access Control
There would be a requirement for access control which would restrict access to
resources and allow access only by privileged entities. It would be important
to limit access to health information to those employees who have a business
need to access it. Types of access control include, among others, mandatory
access control, discretionary access control, time-of-day, classification, and
subject-object separation. The following implementation feature would be used:
- Procedure for emergency access.
In addition, at least one of the following three implementation features would
be used:
- Context-based access.
- Role-based access.
- User-based access.
The use of the encryption implementation feature would be optional.
b. Audit Controls
Each organization would be required to put in place audit control mechanisms to
record and examine system activity. They would be important so that the
organization can identify suspect data access activities, assess its security
program, and respond to potential weaknesses.

Applicable Law: Safe Harbor Privacy Principles
Legal Text:
PRIVACY PRINCIPLES
"Personal data" and "personal information" are data about an identified or
identifiable individual that are within the scope of the Directive, received by
a U.S. organization from the European Union, and recorded in any form.
For sensitive information (i.e. personal information specifying medical or
health conditions, racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union membership or information specifying the sex
life of the individual), individuals must be given affirmative or explicit (opt in)
choice if the information is to be disclosed to a third party or used for a
purpose other than those for which it was originally collected or subsequently
authorized by the individual through the exercise of opt in choice. In any
case, an organization should treat as sensitive any information received from a
third party where the third party treats and identifies it as sensitive.
ONWARD TRANSFER:
To disclose information to a third party, organizations must apply the notice
and choice Principles. Where an organization wishes to transfer information to
a third party that is acting as an agent, as described in the endnote, it may
do so if it first either ascertains that the third party subscribes to the
Principles or is subject to the Directive or another adequacy finding or enters
into a written agreement with such third party requiring that the third party
provide at least the same level of privacy protection as is required by the
relevant Principles. If the organization complies with these requirements, it
shall not be held responsible (unless the organization agrees otherwise) when a
third party to which it transfers such information processes it in a way
contrary to any restrictions or representations, unless the organization knew
or should have known the third party would process it in such a contrary way
and the organization has not taken reasonable steps to prevent or stop such
processing.
SECURITY:
Organizations creating, maintaining, using or disseminating personal
information must take reasonable precautions to protect it from loss, misuse
and unauthorized access, disclosure, alteration and destruction.
ENFORCEMENT:
Effective privacy protection must include mechanisms for assuring compliance
with the Principles, recourse for individuals to whom the data relate affected
by non-compliance with the Principles, and consequences for the organization
when the Principles are not followed. At a minimum, such mechanisms must
include (a) readily available and affordable independent recourse mechanisms by
which each individual's complaints and disputes are investigated and resolved
by reference to the Principles and damages awarded where the applicable law or
private sector initiatives so provide; (b) follow up procedures for verifying
that the attestations and assertions businesses make about their privacy
practices are true and that privacy practices have been implemented as
presented; and (c) obligations to remedy problems arising out of failure to
comply with the Principles by organizations announcing their adherence to them
and consequences for such organizations. Sanctions must be sufficiently
rigorous to ensure compliance by organizations.
Human Resources:
In addition, employers should make reasonable efforts to accommodate employee
privacy preferences. This could include, for example, restricting access to the
data, anonymizing certain data, or assigning codes or pseudonyms when the
actual names are not required for the management purpose at hand.
Dispute Resolution and Enforcement: A range of sanctions of varying
degrees of severity will allow dispute resolution bodies to respond
appropriately to varying degrees of non-compliance. Sanctions should include
both publicity for findings of non-compliance and the requirement to delete
data in certain circumstances. Other sanctions could include suspension and
removal of a seal, compensation for individuals for losses incurred as a result
of non-compliance and injunctive orders. Private sector dispute resolution
bodies and self-regulatory bodies should notify failures of safe harbor
organizations to comply with their rulings to courts or to the governmental
body with applicable jurisdiction, as appropriate, and to notify the Department
of Commerce (or its designee).
Pharmaceutical and Medical Products:
Data used for pharmaceutical research and other purposes should be anonymized
as appropriate.
FTC 16 Privacy of Consumer Financial Information
Gramm-Leach-Bliley Act
Sec. 6802. Obligations with respect to disclosures of personal information
(a) Notice requirements
Except as otherwise provided in this subchapter, a financial institution may
not, directly or through any affiliate, disclose to a nonaffiliated third party
any nonpublic personal information, unless such financial institution provides
or has provided to the consumer a notice that complies with section 6803 of
this title.
(c) Limits on reuse of information
Except as otherwise provided in this subchapter, a nonaffiliated third party
that receives from a financial institution nonpublic personal information under
this section shall not, directly or through an affiliate of such receiving
third party, disclose such information to any other person that is a
nonaffiliated third party of both the financial institution and such receiving
third party, unless such disclosure would be lawful if made directly to such
other person by the financial institution.
(d) Limitations on the sharing of account number information for marketing
purposes
A financial institution shall not disclose, other than to a consumer reporting
agency, an account number or similar form of access number or access code for a
credit card account, deposit account, or transaction account of a consumer to
any nonaffiliated third party for use in telemarketing, direct mail marketing,
or other marketing through electronic mail to the consumer.
Exceptions:
* Disclosure to a consumer reporting agency.
* Disclosure to an agent or service provider to perform marketing of the
financial institution's own products or services, provided that the agent or
service provider is not authorized to directly initiate charges to the account.
* Disclosure to a participant in a private label credit card program or an
affinity program where the participants are identified to the customer when the
customer enters into the program.
* Disclosure of an encrypted account number to a nonaffiliated third party,
provided that the financial institution does not give the third party the means
to decode the number or code.
Sec. 6809. Definitions
(4) Nonpublic personal information
(A) The term ''nonpublic personal information'' means personally identifiable
financial information -
(i) provided by a consumer to a financial institution;
(ii) resulting from any transaction with the consumer or any service performed
for the consumer; or
(iii) otherwise obtained by the financial institution.
(5) Nonaffiliated third party
The term ''nonaffiliated third party'' means any entity that is not an
affiliate of, or related by common ownership or affiliated by corporate control
with, the financial institution, but does not include a joint employee of such
institution.
California's Financial Information Privacy Act (SB1)
4051. (a) The Legislature intends for financial institutions to
provide their consumers notice and meaningful choice about how consumers'
nonpublic personal information is shared or sold by their financial
institutions.
4051.5. (2) To achieve that control for California consumers by requiring that
financial institutions that want to share information with third parties and
unrelated companies seek and acquire the affirmative consent of California
consumers prior to sharing the information.
4053 (b) (1) A financial institution does not disclose information to, or
share information with, its affiliate merely because information is maintained
in common information systems or databases, and employees of the financial
institution and its affiliate have access to those common information systems
or databases, or a consumer accesses a Web site jointly operated or maintained
under a common name by or on behalf of the financial institution and its
affiliate, provided that where a consumer has exercised his or her right to
prohibit disclosure pursuant to this division, nonpublic personal information
is not further disclosed or used by an affiliate except as permitted by this
division.
4053.5. Except as otherwise provided in this division, an entity that receives
nonpublic personal information from a financial institution under this division
shall not disclose this information to any other entity, unless the disclosure
would be lawful if made directly to the other entity by the financial
institution. An entity that receives nonpublic personal information pursuant to
any exception set forth in Section 4056 shall not use or disclose the
information except in the ordinary course of business to carry out the activity
covered by the exception under which the information was received.
4054. (a) Nothing in this division shall require a financial institution to
provide a written notice to a consumer pursuant to Section 4053 if the
financial institution does not disclose nonpublic personal information to any
nonaffiliated third party or to any affiliate.
4057. (a) An entity that negligently discloses or shares nonpublic personal
information in violation of this division shall be liable, irrespective of the
amount of damages suffered by the consumer as a result of that violation, for a
civil penalty not to exceed two thousand five hundred dollars ($2,500) per
violation. However, if the disclosure or sharing results in the release of
nonpublic personal information of more than one individual, the total civil
penalty awarded pursuant to this subdivision shall not exceed five hundred
thousand dollars ($500,000).
(b) An entity that knowingly and willfully obtains, discloses, shares, or uses
nonpublic personal information in violation of this division shall be liable
for a civil penalty not to exceed two thousand five hundred dollars ($2,500)
per individual violation, irrespective of the amount of damages suffered by the
consumer as a result of that violation.
(d) In the event a violation of this division results in the identity theft of
a consumer, as defined by Section 530.5 of the Penal Code, the civil penalties
set forth in this section shall be doubled.
FDA CFR Title 21, Part 11
Subpart B -- Electronic Records
Sec. 11.10 Controls for closed systems
11.10 d) Limiting system access to authorized individuals.
11.10 e) Use of secure, computer-generated, time-stamped audit trails to
independently record the date and time of operator entries and actions that
create, modify, or delete electronic records. Record changes shall not obscure
previously recorded information. Such audit trail documentation shall be
retained for a period at least as long as that required for the subject
electronic records and shall be available for agency review and copying.
11.10 g) Use of authority checks to ensure that only authorized individuals can
use the system, electronically sign a record, access the operation or computer
system input or output device, alter a record, or perform the operation at
hand.
National Credit Union Association (NCUA) 748
Part 748 Security Program, Report of Crime and Catastrophic Act and
Bank Secrecy Act Compliance.
Ensure the security and confidentiality of member information; protect against
any anticipated threats or hazards to the security or integrity of such
information; and protect against unauthorized access to or use of such
information that could result in substantial harm or inconvenience to any
member.
Payment Card Industry (PCI) Data Security Standard
Protect cardholder data
Requirement 3: Protect stored data
3.1 Keep cardholder information storage to a minimum. Develop a data retention
and disposal policy.
3.2 Do not store sensitive authentication data subsequent to authorization (not
even if encrypted).
3.3 Mask account numbers when displayed.
3.4 Render sensitive cardholder data unreadable anywhere it is stored
(including data on portable media, backup media, in logs, and data received
from or stored by wireless networks).
Implement Strong Access Control Measures
Requirement 7: Restrict access to data by business need-to-know
7.1 Limit access to computing resources and cardholder information to only
those individuals whose job requires such access.
7.2 Establish a mechanism for systems with multiple users that restricts access
based on a user's need to know, and is set to "deny all" unless specifically
allowed.
Requirement 9: Restrict physical access to cardholder data
9.1 Use appropriate facility entry controls to limit and monitor physical
access to systems that store, process, or transmit cardholder data.
9.7 Maintain strict control over the internal or external distribution of any
kind of media that contains cardholder information.
9.8 Ensure management approves all media that is moved from a secured area
(especially when media is distributed to individuals).
9.9 Maintain strict control over the storage and accessibility of media that
contains cardholder information.
9.10 Destroy media containing cardholder information when it is no longer
needed for business or legal reasons.
Requirement 10: Track and monitor all access to network resources and cardholder data
10.2 Implement automated audit trails to reconstruct the following events, for
all system components.
10.5 Secure audit trails so they cannot be altered.
10.7 Retain your audit trail history for a period that is consistent with its
effective use, as well as legal regulations.
Note that these Payment Card Industry (PCI) Data Security
Requirements apply to all Members, merchants, and service providers that store,
process or transmit cardholder data. Additionally, these security requirements
apply to all "system components" ... Servers include, but are not limited to,
web, database, authentication, DNS, mail, proxy, and NTP. Applications include
all purchased and custom applications, including internal and external (web)
applications.
Family Educational Rights and Privacy Act (FERPA) (Buckley Amendment)
99.1 To which educational agencies or institutions do these regulations apply
(1) The educational institution provides educational services or instruction,
or both, to students; or
(2) The educational agency is authorized to direct and control public
elementary or secondary, or postsecondary educational institutions.
99.3 What definitions apply to these regulations
"Personally identifiable information" includes, but is not limited to:
(Authority: 20 U.S.C. 1232g)
(a) The student's name;
(b) The name of the student's parent or other family member;
(c) The address of the student or student's family;
(d) A personal identifier, such as the student's social security number or
student number;
(e) A list of personal characteristics that would make the student's identity
easily traceable; or
(f) Other information that would make the student's identity easily
traceable.
99.33 What limitations apply to the redisclosure of information?
(1) An educational agency or institution may disclose personally identifiable
information from an education record only on the condition that the party to
whom the information is disclosed will not disclose the information to any
other party without the prior consent of the parent or eligible student.
(2) The officers, employees, and agents of a party that receives information
under paragraph (a)(1) of this section may use the information, but only for
the purposes for which the disclosure was made.
If this Office determines that a third party improperly rediscloses personally
identifiable information from education records in violation of § 99.33(a) of
this section, the educational agency or institution may not allow that third
party access to personally identifiable information from education records for
at least five years.