SlideShare uma empresa Scribd logo

Examples of international privacy legislation

Ulf Mattsson
Ulf Mattsson

Examples of privacy legislation in US and India

Tecnologia
1 de 17
Baixar para ler offline
US Legislation
US Laws - Examples • HIPAA Restrictions on Health Data – Covered entity would risk a HIPAA violation by using such a provider for data storage. • Breach Provisions Under HITECH Act – To the extent a HIPAA covered entity discloses PHI to a cloud provider, it risks exposure to federal data security breach notification requirements under the HITECH Act. • Gramm-Leach-Bliley Act - GLBA – GLB's Privacy and Safeguards Rules restrict financial institutions from disclosing consumers' nonpublic personal information to non-affiliated third parties • State Information Security Laws – For example, California requires businesses that disclose personal information to nonaffiliated third parties to include contractual obligations that those entities maintain reasonable security procedures • State Breach Notification Laws – Over 45 U.S. states and other jurisdictions have data security breach notification laws that require data owners to notify individuals whose computerized personal information has been subject to unauthorized access • Massachusetts regulations – Must determine whether the cloud provider maintains appropriate security measures to protect the data to be stored
Best Practices and Regulations
Case Study: Global Investment Banking and Securities Investment banking division • • Encryption of Deal related attributes and other MNPI data (i.e. company name, company identifier, etc) Prevented development and technology people to identify entities involved in deals Compliance department • • Compliance has TWO copies of Deal data – one for the Conflicts Process and one for the Control Room Encryption KEYS are DIFFERENT in Banking and Compliance Encryption of compensation data Encryption of firewall rules • Managed in a standalone application Platforms: • Oracle, DB2, SQL Server, UNIX, Linux and Windows
Best Practices from NIST on PII Data - SP800-122 Examples of PII Data 1. Name 2. Personal identification number, such as social security number (SSN), passport number, driver‘s license number, taxpayer identification number, patient identification number, and financial account or credit card number 3. Address information 4. Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address 5. Telephone numbers 6. Personal characteristics, including photographic image 7. Information identifying personally owned property 8. Information about an individual that is linked or linkable to one of the above Source: National Institute of Standards & Technology - NIST (http://csrc.nist.gov/)
SEC Adopted Regulation S-P to Address Privacy 1. Like GLB (Gramm-Leach-Bliley Act ), compliance with Regulation S-P (17 CFR Part 248) is mandatory since July 1, 2001 2. Regulation S-P provides the means of implementing GLB 3. Every broker, dealer, and investment company, and every investment adviser registered with the SEC must adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information 4. Insure the security and confidentiality of customer records and information 5. Protect against any anticipated threats or hazards to the security or integrity of customer records and information 6. Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer
HIPAA / HITECH Act – Title IV Legislation [1] Establishes a Federal Breach Notification requirement for health information that is not encrypted or otherwise made indecipherable. It requires that an individual be notified if there is an unauthorized disclosure or use of their health information. [2] Ensures that new entities that were not contemplated when the Federal privacy rules were written, as well as those entities that do work on behalf of providers and insurers, are subject to the same privacy and security rules as providers and health insurers. [3] Provide transparency to patients by allowing them to request an audit trail showing all disclosures of their health information made through an electronic record. [4] Shutting down the secondary market that has emerged around the sale and mining of patient health information by prohibiting the sale of an individual’s health information without their authorization. [5] Requires that providers attain authorization from a patient in order to use their health information for marketing and fundraising activities. [6] Strengthening enforcement of Federal privacy and security laws by increasing penalties for violations. •Health Insurance Portability and Accountability Act (HIPAA) of 1996 •Health Information Technology for Economic and Clinical Health Act (HITECH Act), of 2009
US HIPAA – 18 Direct Identifiers 1. Names 2. Geographic subdivisions smaller than a state, including 3. All elements of dates (e.g., date of birth, admission) 4. Telephone numbers 5. Fax numbers 6. E-mail addresses 7. Social Security numbers 8. Medical record numbers 9. Health plan beneficiary numbers 10. Account numbers 11. Certificate/license numbers 12. Vehicle identifiers and serial numbers, including license plate numbers 13. Device identifiers and serial numbers 14. Web universal locators (URLs) 15. IP address numbers 16. Biometric identifiers, including fingerprints and voice prints 17. Full-face photographic images and any comparable images 18. Other unique identifying numbers, characteristics or codes
US MA 201 Privacy Law The Massachusetts law is the first in the nation to require specific technology when protecting personal information. Both "data at rest" and "data in transit" over a public network, such as the Internet, that contain personal information must be encrypted. – Personal information is defined as a Massachusetts resident's name in combination with one of the following : Social Security number , Driver's license number or state-issued identification card number and Financial account number or credit/debit card number
Past, Present and Future Privacy Legislation in India
Information Technology Act of 2005 In 2008, the IT Act was amended • Damages for an entity that is – negligent in using “reasonable security practices and procedures” while handling “sensitive personal data or information” – resulting in wrongful loss or wrongful gain to any person. • Criminal punishment for a person if – he discloses sensitive personal information; – does so without the consent of the person or in breach of the relevant contract; and – with an intention of, or knowing that the disclosure would cause wrongful loss or gain. 11
India Privacy Law of 2011 Sensitive Personal Information (SPD) includes: • passwords, • financial information such as bank account or credit card or debit card or other payment instrument details; • physical, physiological and mental health condition; • sexual orientation; • medical records and history; • biometric information. 12
Implications of the Information Technology Act For Multinationals in India • Multinationals tend to maintain centralized databases of information about their businesses all over the world, including in particular, information about employees, service providers and customers. • Since the rules are in some parts more stringent than even the European rules, overseas group entities who receive the information will have to build in processes to comply with the rules. • Further, the Indian entity will need to meet the requirements for having a privacy policy, consent for collection, notification about purpose of use of the information and who will be collecting the information and consent from the providers for providing such information to another party. 13
Implications of the Information Technology Act For the Outsourcing Industry • The rules are framed under the Information Technology Act 2000 which applies to “the whole of India”. • On a plain reading, this means that any business dealing with information or SPD in India has to comply with the rules, even if such information relates to an individual based outside India. • The logical effect of this is that the vendor in India or his customer overseas will need to fulfill the requirements of the law with the concerned individual, such as the consent for collection, notification obligations, right of access, correction and withdrawal. • This has grave implications for the outsourcing industry and could lead to disruption of BPO operations in India. 14
The Information Technology Act 2000 (IT Act) Security measures • The Data Privacy Rules require that the body corporate and the Data Processor implement reasonable security practices and standards; – These must contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and with the nature of business. • The International Standard IS/ISO/IEC 27001 on ‘Information Technology - Security Techniques - Information Security Management System – Requirements’ is recognised as an approved security practices standard • Under s 72A of the IT Act (introduced by IT Amendment Act 2008), a person who is providing services under a lawful contract, may be liable to imprisonment for a term of up to 3 years or a fine up to Rs. 5,00,000 (Rupees Five Lakhs) for disclosure of personal information of any individual: (a) with the intent to cause, or knowing that he is likely to cause, wrongful loss or wrongful gain; and (b) without the consent of such individual, or in breach of lawful contract. 15
Data Encryption And ISO 27001 - 27002 Section 10.1 Cryptographic controls • There should be a policy on the use of encryption, • plus cryptographic authentication and • integrity controls such as digital signatures and message authentication codes, and • cryptographic key management. Most organizations that adopt ISO/IEC 27001 also adopt ISO/IEC 27002 16
Proposed Law - The Right to Privacy Bill 2013 • Jail terms and fines for leak of sensitive personal data • Context of data handled by the Indian IT industry for foreign clients • Also cover information collected by the government and interception by intelligence agencies. 17

Recomendados

10 Things You Need To Know About Privacy
10 Things You Need To Know About Privacy10 Things You Need To Know About Privacy
10 Things You Need To Know About PrivacyNow Dentons
 
Data Privacy in India and data theft
Data Privacy in India and data theftData Privacy in India and data theft
Data Privacy in India and data theftAmber Gupta
 
Privacy in India: Legal issues
Privacy in India: Legal issuesPrivacy in India: Legal issues
Privacy in India: Legal issuesSagar Rahurkar
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...David Cunningham
 
Data Privacy Act in the Philippines
Data Privacy Act in the PhilippinesData Privacy Act in the Philippines
Data Privacy Act in the PhilippinesShirley Ingles-Cruz
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_indiaAltacit Global
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill Komal Gadia
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!Now Dentons
 

Recomendados

10 Things You Need To Know About Privacy
10 Things You Need To Know About Privacy10 Things You Need To Know About Privacy
10 Things You Need To Know About PrivacyNow Dentons
 
Data Privacy in India and data theft
Data Privacy in India and data theftData Privacy in India and data theft
Data Privacy in India and data theftAmber Gupta
 
Privacy in India: Legal issues
Privacy in India: Legal issuesPrivacy in India: Legal issues
Privacy in India: Legal issuesSagar Rahurkar
 
Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...Law firm information security overview focus on encryption by dave cunningh...
Law firm information security overview focus on encryption by dave cunningh...David Cunningham
 
Data Privacy Act in the Philippines
Data Privacy Act in the PhilippinesData Privacy Act in the Philippines
Data Privacy Act in the PhilippinesShirley Ingles-Cruz
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_indiaAltacit Global
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill Komal Gadia
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!Now Dentons
 
What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About PrivacyNow Dentons
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
 
Privacy in simple
Privacy in simplePrivacy in simple
Privacy in simpleAurora Computer Studies
 
Data Protection Act
Data Protection ActData Protection Act
Data Protection ActYizi
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill Mathew Chacko
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrUnit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrTushar Rajput
 
Privacy and Data Security
Privacy and Data SecurityPrivacy and Data Security
Privacy and Data SecurityWilmerHale
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)Extentia Information Technology
 
Clyrofor popia readiness webinar
Clyrofor popia readiness webinarClyrofor popia readiness webinar
Clyrofor popia readiness webinarLesedi Mnisi
 
Data protection ppt
Data protection pptData protection ppt
Data protection pptgrahamwell
 
Kurnava_Law+Ethics+and+Cybersecurity_Research+Paper
Kurnava_Law+Ethics+and+Cybersecurity_Research+PaperKurnava_Law+Ethics+and+Cybersecurity_Research+Paper
Kurnava_Law+Ethics+and+Cybersecurity_Research+PaperMatthew Kurnava
 
Privacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidancePrivacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidanceAmy Purcell
 
Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Russell_Kennedy
 
Personal Data Privacy and Information Security
Personal Data Privacy and Information SecurityPersonal Data Privacy and Information Security
Personal Data Privacy and Information SecurityCharles Mok
 
Popi act presentation
Popi act presentationPopi act presentation
Popi act presentationKholisile Mazaza
 
Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Andrew Sharpe
 
Data Protection in India
Data Protection in IndiaData Protection in India
Data Protection in IndiaHome
 
An Indian Outline on Database Protection
An Indian Outline on Database ProtectionAn Indian Outline on Database Protection
An Indian Outline on Database ProtectionSinghania2015
 
Law resources presentation 2014
Law resources presentation 2014Law resources presentation 2014
Law resources presentation 2014dul0rp
 
dairy
dairy dairy
dairy Hardik Sorathiya
 
Requirements for Food Packaging & Legislation in Japan 2013
Requirements for Food Packaging & Legislation in Japan 2013Requirements for Food Packaging & Legislation in Japan 2013
Requirements for Food Packaging & Legislation in Japan 2013Asian Food Regulation Information Service
 
Food & related legislation.ppt%
Food & related legislation.ppt%Food & related legislation.ppt%
Food & related legislation.ppt%Sarovar Hotels & Resorts
 

Mais conteúdo relacionado

Mais procurados

What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About PrivacyNow Dentons
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
 
Data Protection Act
Data Protection ActData Protection Act
Data Protection ActYizi
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill Mathew Chacko
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrUnit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrTushar Rajput
 
Privacy and Data Security
Privacy and Data SecurityPrivacy and Data Security
Privacy and Data SecurityWilmerHale
 
Clyrofor popia readiness webinar
Clyrofor popia readiness webinarClyrofor popia readiness webinar
Clyrofor popia readiness webinarLesedi Mnisi
 
Data protection ppt
Data protection pptData protection ppt
Data protection pptgrahamwell
 
Kurnava_Law+Ethics+and+Cybersecurity_Research+Paper
Kurnava_Law+Ethics+and+Cybersecurity_Research+PaperKurnava_Law+Ethics+and+Cybersecurity_Research+Paper
Kurnava_Law+Ethics+and+Cybersecurity_Research+PaperMatthew Kurnava
 
Privacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidancePrivacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidanceAmy Purcell
 
Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Russell_Kennedy
 
Personal Data Privacy and Information Security
Personal Data Privacy and Information SecurityPersonal Data Privacy and Information Security
Personal Data Privacy and Information SecurityCharles Mok
 
Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Andrew Sharpe
 
Data Protection in India
Data Protection in IndiaData Protection in India
Data Protection in IndiaHome
 
An Indian Outline on Database Protection
An Indian Outline on Database ProtectionAn Indian Outline on Database Protection
An Indian Outline on Database ProtectionSinghania2015
 

Mais procurados (18)

What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About Privacy
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
 
Privacy in simple
Privacy in simplePrivacy in simple
Privacy in simple
 
Data Protection Act
Data Protection ActData Protection Act
Data Protection Act
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrUnit 6 Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
Privacy and Data Security
Privacy and Data SecurityPrivacy and Data Security
Privacy and Data Security
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
 
Clyrofor popia readiness webinar
Clyrofor popia readiness webinarClyrofor popia readiness webinar
Clyrofor popia readiness webinar
 
Data protection ppt
Data protection pptData protection ppt
Data protection ppt
 
Kurnava_Law+Ethics+and+Cybersecurity_Research+Paper
Kurnava_Law+Ethics+and+Cybersecurity_Research+PaperKurnava_Law+Ethics+and+Cybersecurity_Research+Paper
Kurnava_Law+Ethics+and+Cybersecurity_Research+Paper
 
Privacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidancePrivacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and Avoidance
 
Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)
 
Personal Data Privacy and Information Security
Personal Data Privacy and Information SecurityPersonal Data Privacy and Information Security
Personal Data Privacy and Information Security
 
Popi act presentation
Popi act presentationPopi act presentation
Popi act presentation
 
Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Data Protection (Download for slideshow)
Data Protection (Download for slideshow)
 
Data Protection in India
Data Protection in IndiaData Protection in India
Data Protection in India
 
An Indian Outline on Database Protection
An Indian Outline on Database ProtectionAn Indian Outline on Database Protection
An Indian Outline on Database Protection
 

Destaque

Law resources presentation 2014
Law resources presentation 2014Law resources presentation 2014
Law resources presentation 2014dul0rp
 
Overview of indian dairy industry
Overview of indian dairy industryOverview of indian dairy industry
Overview of indian dairy industryChandni Sahgal
 
CADBURY`S DAIRY MILK .
CADBURY`S DAIRY MILK .CADBURY`S DAIRY MILK .
CADBURY`S DAIRY MILK .gaurav
 

Destaque (8)

Law resources presentation 2014
Law resources presentation 2014Law resources presentation 2014
Law resources presentation 2014
 
dairy
dairy dairy
dairy
 
Requirements for Food Packaging & Legislation in Japan 2013
Requirements for Food Packaging & Legislation in Japan 2013Requirements for Food Packaging & Legislation in Japan 2013
Requirements for Food Packaging & Legislation in Japan 2013
 
Food & related legislation.ppt%
Food & related legislation.ppt%Food & related legislation.ppt%
Food & related legislation.ppt%
 
Overview of indian dairy industry
Overview of indian dairy industryOverview of indian dairy industry
Overview of indian dairy industry
 
FSSAI Act - Presentation
FSSAI Act - PresentationFSSAI Act - Presentation
FSSAI Act - Presentation
 
CADBURY`S DAIRY MILK .
CADBURY`S DAIRY MILK .CADBURY`S DAIRY MILK .
CADBURY`S DAIRY MILK .
 
Food Processing Sector Report - March 2017
Food Processing Sector Report - March 2017Food Processing Sector Report - March 2017
Food Processing Sector Report - March 2017
 

Semelhante a Examples of international privacy legislation

Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsFinancial Poise
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Financial Poise
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfJakeAldrinDegala1
 
Chapter1 Cyber security Law & policy.pptx
Chapter1 Cyber security Law & policy.pptxChapter1 Cyber security Law & policy.pptx
Chapter1 Cyber security Law & policy.pptxNargis Parveen
 
Startups - data protection
Startups - data protectionStartups - data protection
Startups - data protectionMathew Chacko
 
Jamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityJamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityEmerson Bryan
 
UAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfUAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfDaviesParker
 
Data Security Law and Management.pdf
Data Security Law and Management.pdfData Security Law and Management.pdf
Data Security Law and Management.pdfMeshalALshammari12
 
Regulatory compliance 2018
Regulatory compliance 2018Regulatory compliance 2018
Regulatory compliance 2018ProColombia
 
Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Vijay Dalmia
 
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...PECB
 
Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Vijay Dalmia
 
The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law Owako Rodah
 
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdfBipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdfInternet Law Center
 
ethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptAnil Yadav
 
ethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptAnil Yadav
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age padler01
 
Pubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David MinkPubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David MinkMatt Siltala
 

Semelhante a Examples of international privacy legislation (20)

Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and Requirements
 
Cybersecurity and Data Privacy Whistleblower Protections
Cybersecurity and Data Privacy Whistleblower ProtectionsCybersecurity and Data Privacy Whistleblower Protections
Cybersecurity and Data Privacy Whistleblower Protections
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
 
Chapter1 Cyber security Law & policy.pptx
Chapter1 Cyber security Law & policy.pptxChapter1 Cyber security Law & policy.pptx
Chapter1 Cyber security Law & policy.pptx
 
Startups - data protection
Startups - data protectionStartups - data protection
Startups - data protection
 
Jamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business communityJamaica's Data Protection Act: Compliance required from the business community
Jamaica's Data Protection Act: Compliance required from the business community
 
UAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfUAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdf
 
Data Security Law and Management.pdf
Data Security Law and Management.pdfData Security Law and Management.pdf
Data Security Law and Management.pdf
 
Regulatory compliance 2018
Regulatory compliance 2018Regulatory compliance 2018
Regulatory compliance 2018
 
Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...
 
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
 
Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...
 
The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law
 
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdfBipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
 
ethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptethcpp04-Unit 3.ppt
ethcpp04-Unit 3.ppt
 
ethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptethcpp04-Unit 3.ppt
ethcpp04-Unit 3.ppt
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
 
Pubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David MinkPubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David Mink
 

Mais de Ulf Mattsson

Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Ulf Mattsson
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Ulf Mattsson
 
May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...Ulf Mattsson
 
Qubit conference-new-york-2021
Qubit conference-new-york-2021Qubit conference-new-york-2021
Qubit conference-new-york-2021Ulf Mattsson
 
Secure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesSecure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesUlf Mattsson
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Ulf Mattsson
 
Data encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeData encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeUlf Mattsson
 
The future of data security and blockchain
The future of data security and blockchainThe future of data security and blockchain
The future of data security and blockchainUlf Mattsson
 
New technologies for data protection
New technologies for data protectionNew technologies for data protection
New technologies for data protectionUlf Mattsson
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsUlf Mattsson
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaUlf Mattsson
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningUlf Mattsson
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKUlf Mattsson
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsUlf Mattsson
 
What is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonWhat is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonUlf Mattsson
 
Protecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAProtecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAUlf Mattsson
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?Ulf Mattsson
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2bNov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2bUlf Mattsson
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020Ulf Mattsson
 

Mais de Ulf Mattsson (20)

Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...Jun 29 new privacy technologies for unicode and international data standards ...
Jun 29 new privacy technologies for unicode and international data standards ...
 
Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...Jun 15 privacy in the cloud at financial institutions at the object managemen...
Jun 15 privacy in the cloud at financial institutions at the object managemen...
 
Book
BookBook
Book
 
May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...
 
Qubit conference-new-york-2021
Qubit conference-new-york-2021Qubit conference-new-york-2021
Qubit conference-new-york-2021
 
Secure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use casesSecure analytics and machine learning in cloud use cases
Secure analytics and machine learning in cloud use cases
 
Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...Evolving international privacy regulations and cross border data transfer - g...
Evolving international privacy regulations and cross border data transfer - g...
 
Data encryption and tokenization for international unicode
Data encryption and tokenization for international unicodeData encryption and tokenization for international unicode
Data encryption and tokenization for international unicode
 
The future of data security and blockchain
The future of data security and blockchainThe future of data security and blockchain
The future of data security and blockchain
 
New technologies for data protection
New technologies for data protectionNew technologies for data protection
New technologies for data protection
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulations
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA Atlanta
 
Safeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learningSafeguarding customer and financial data in analytics and machine learning
Safeguarding customer and financial data in analytics and machine learning
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UK
 
New opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulationsNew opportunities and business risks with evolving privacy regulations
New opportunities and business risks with evolving privacy regulations
 
What is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS LondonWhat is tokenization in blockchain - BCS London
What is tokenization in blockchain - BCS London
 
Protecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACAProtecting data privacy in analytics and machine learning - ISACA
Protecting data privacy in analytics and machine learning - ISACA
 
What is tokenization in blockchain?
What is tokenization in blockchain?What is tokenization in blockchain?
What is tokenization in blockchain?
 
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2bNov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
Nov 2 security for blockchain and analytics ulf mattsson 2020 nov 2b
 
Unlock the potential of data security 2020
Unlock the potential of data security 2020Unlock the potential of data security 2020
Unlock the potential of data security 2020
 

Último

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 

Examples of international privacy legislation

  • 2. US Laws - Examples • HIPAA Restrictions on Health Data – Covered entity would risk a HIPAA violation by using such a provider for data storage. • Breach Provisions Under HITECH Act – To the extent a HIPAA covered entity discloses PHI to a cloud provider, it risks exposure to federal data security breach notification requirements under the HITECH Act. • Gramm-Leach-Bliley Act - GLBA – GLB's Privacy and Safeguards Rules restrict financial institutions from disclosing consumers' nonpublic personal information to non-affiliated third parties • State Information Security Laws – For example, California requires businesses that disclose personal information to nonaffiliated third parties to include contractual obligations that those entities maintain reasonable security procedures • State Breach Notification Laws – Over 45 U.S. states and other jurisdictions have data security breach notification laws that require data owners to notify individuals whose computerized personal information has been subject to unauthorized access • Massachusetts regulations – Must determine whether the cloud provider maintains appropriate security measures to protect the data to be stored
  • 4. Case Study: Global Investment Banking and Securities Investment banking division • • Encryption of Deal related attributes and other MNPI data (i.e. company name, company identifier, etc) Prevented development and technology people to identify entities involved in deals Compliance department • • Compliance has TWO copies of Deal data – one for the Conflicts Process and one for the Control Room Encryption KEYS are DIFFERENT in Banking and Compliance Encryption of compensation data Encryption of firewall rules • Managed in a standalone application Platforms: • Oracle, DB2, SQL Server, UNIX, Linux and Windows
  • 5. Best Practices from NIST on PII Data - SP800-122 Examples of PII Data 1. Name 2. Personal identification number, such as social security number (SSN), passport number, driver‘s license number, taxpayer identification number, patient identification number, and financial account or credit card number 3. Address information 4. Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address 5. Telephone numbers 6. Personal characteristics, including photographic image 7. Information identifying personally owned property 8. Information about an individual that is linked or linkable to one of the above Source: National Institute of Standards & Technology - NIST (http://csrc.nist.gov/)
  • 6. SEC Adopted Regulation S-P to Address Privacy 1. Like GLB (Gramm-Leach-Bliley Act ), compliance with Regulation S-P (17 CFR Part 248) is mandatory since July 1, 2001 2. Regulation S-P provides the means of implementing GLB 3. Every broker, dealer, and investment company, and every investment adviser registered with the SEC must adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information 4. Insure the security and confidentiality of customer records and information 5. Protect against any anticipated threats or hazards to the security or integrity of customer records and information 6. Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer
  • 7. HIPAA / HITECH Act – Title IV Legislation [1] Establishes a Federal Breach Notification requirement for health information that is not encrypted or otherwise made indecipherable. It requires that an individual be notified if there is an unauthorized disclosure or use of their health information. [2] Ensures that new entities that were not contemplated when the Federal privacy rules were written, as well as those entities that do work on behalf of providers and insurers, are subject to the same privacy and security rules as providers and health insurers. [3] Provide transparency to patients by allowing them to request an audit trail showing all disclosures of their health information made through an electronic record. [4] Shutting down the secondary market that has emerged around the sale and mining of patient health information by prohibiting the sale of an individual’s health information without their authorization. [5] Requires that providers attain authorization from a patient in order to use their health information for marketing and fundraising activities. [6] Strengthening enforcement of Federal privacy and security laws by increasing penalties for violations. •Health Insurance Portability and Accountability Act (HIPAA) of 1996 •Health Information Technology for Economic and Clinical Health Act (HITECH Act), of 2009
  • 8. US HIPAA – 18 Direct Identifiers 1. Names 2. Geographic subdivisions smaller than a state, including 3. All elements of dates (e.g., date of birth, admission) 4. Telephone numbers 5. Fax numbers 6. E-mail addresses 7. Social Security numbers 8. Medical record numbers 9. Health plan beneficiary numbers 10. Account numbers 11. Certificate/license numbers 12. Vehicle identifiers and serial numbers, including license plate numbers 13. Device identifiers and serial numbers 14. Web universal locators (URLs) 15. IP address numbers 16. Biometric identifiers, including fingerprints and voice prints 17. Full-face photographic images and any comparable images 18. Other unique identifying numbers, characteristics or codes
  • 9. US MA 201 Privacy Law The Massachusetts law is the first in the nation to require specific technology when protecting personal information. Both "data at rest" and "data in transit" over a public network, such as the Internet, that contain personal information must be encrypted. – Personal information is defined as a Massachusetts resident's name in combination with one of the following : Social Security number , Driver's license number or state-issued identification card number and Financial account number or credit/debit card number
  • 10. Past, Present and Future Privacy Legislation in India
  • 11. Information Technology Act of 2005 In 2008, the IT Act was amended • Damages for an entity that is – negligent in using “reasonable security practices and procedures” while handling “sensitive personal data or information” – resulting in wrongful loss or wrongful gain to any person. • Criminal punishment for a person if – he discloses sensitive personal information; – does so without the consent of the person or in breach of the relevant contract; and – with an intention of, or knowing that the disclosure would cause wrongful loss or gain. 11
  • 12. India Privacy Law of 2011 Sensitive Personal Information (SPD) includes: • passwords, • financial information such as bank account or credit card or debit card or other payment instrument details; • physical, physiological and mental health condition; • sexual orientation; • medical records and history; • biometric information. 12
  • 13. Implications of the Information Technology Act For Multinationals in India • Multinationals tend to maintain centralized databases of information about their businesses all over the world, including in particular, information about employees, service providers and customers. • Since the rules are in some parts more stringent than even the European rules, overseas group entities who receive the information will have to build in processes to comply with the rules. • Further, the Indian entity will need to meet the requirements for having a privacy policy, consent for collection, notification about purpose of use of the information and who will be collecting the information and consent from the providers for providing such information to another party. 13
  • 14. Implications of the Information Technology Act For the Outsourcing Industry • The rules are framed under the Information Technology Act 2000 which applies to “the whole of India”. • On a plain reading, this means that any business dealing with information or SPD in India has to comply with the rules, even if such information relates to an individual based outside India. • The logical effect of this is that the vendor in India or his customer overseas will need to fulfill the requirements of the law with the concerned individual, such as the consent for collection, notification obligations, right of access, correction and withdrawal. • This has grave implications for the outsourcing industry and could lead to disruption of BPO operations in India. 14
  • 15. The Information Technology Act 2000 (IT Act) Security measures • The Data Privacy Rules require that the body corporate and the Data Processor implement reasonable security practices and standards; – These must contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and with the nature of business. • The International Standard IS/ISO/IEC 27001 on ‘Information Technology - Security Techniques - Information Security Management System – Requirements’ is recognised as an approved security practices standard • Under s 72A of the IT Act (introduced by IT Amendment Act 2008), a person who is providing services under a lawful contract, may be liable to imprisonment for a term of up to 3 years or a fine up to Rs. 5,00,000 (Rupees Five Lakhs) for disclosure of personal information of any individual: (a) with the intent to cause, or knowing that he is likely to cause, wrongful loss or wrongful gain; and (b) without the consent of such individual, or in breach of lawful contract. 15
  • 16. Data Encryption And ISO 27001 - 27002 Section 10.1 Cryptographic controls • There should be a policy on the use of encryption, • plus cryptographic authentication and • integrity controls such as digital signatures and message authentication codes, and • cryptographic key management. Most organizations that adopt ISO/IEC 27001 also adopt ISO/IEC 27002 16
  • 17. Proposed Law - The Right to Privacy Bill 2013 • Jail terms and fines for leak of sensitive personal data • Context of data handled by the Indian IT industry for foreign clients • Also cover information collected by the government and interception by intelligence agencies. 17