Businesses must fulfill their legal duty to protect the confidentiality and integrity of data. Most industrialized nations and US states have legal requirements for data security (Brotby, 2009, p. 14). Penalties for failure to comply range from severe financial fines to prison sentences for executives. The four main US federal laws with data security requirements are FISMA, SOX, GLBA, and HIPAA.
- The Federal Information Security Modernization Act (FISMA), passed in 2003, mandated the creation and implementation of information security standards for federal government agencies and their sub-contractors. It led to the development of FIPS 199, FIPS 200, and NIST SP 800-53, along with many other standards (NIST, 2018).
- The Sarbanes-Oxley Act of 2002 (SOX) was instituted in the wake of the Enron scandal and requires all publicly traded companies to guarantee the integrity of their financial data against fraud (Sarbanes, 2002).
- The ‘Safeguards Rule’ of the Gramm-Leach-Bliley Act (GLBA) requires financial organizations that hold personally identifiable financial information to protect that data. “The Rule applies to all businesses, regardless of size, that are ‘significantly engaged’ in providing financial products or services. This includes, for example, check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, and courier services” (FTC, 2006). The penalties are severe: the financial institution can be fined up to $100,000 per violation, and its officers and directors can be fined up to $10,000 per violation and can face criminal penalties of five years in prison, a fine, or both (Rhodes-Ousley & Strassberg, 2013, p. 64).
- The Health Insurance Portability and Accountability Act (HIPAA) requires that personally identifiable medical records be protected. Penalties can include severe financial fines (Rhodes-Ousley & Strassberg, 2013, p. 67).
When selling a half-million-dollar security solution to a director, CFO, or CEO, it is accurate to tell them that the new SIEM solution will increase their security, but they in turn need to justify the expense to their bosses or shareholders. Discussing the legal requirements for data security and the associated penalties helps to justify large capital outlays. Security budgets become much larger when executives face personal financial ruin or federal prison time.
References
Brotby, W. K. (2009). Information security governance: A practical development and implementation approach. Hoboken, NJ: John Wiley & Sons.
FTC. (2006). Financial institutions and customer information: Complying with the Safeguards Rule. Retrieved April 20, 2018, from https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying
NIST. (2018, March 29). FISMA background. Retrieved April 19, 2018, from https://csrc.nist.gov/Projects/Risk-Management/Detailed-Overview
Rhodes-Ousley, M., & Strassberg, K. (2013). Information security: The complete reference. New York, NY: McGraw-Hill/Osborne.
Sarbanes, P. (2002). Sarbanes-Oxley Act of 2002. Paper presented at the Public Company Accounting Reform and Investor Protection Act. Washington, DC: US Congress.