compliances, security

Regulations Touch Everyone

February 5, 2012

Implications

  • Regulations affect everyone
  • Being non-regulated still implies following best practices
  • No one-stop solutions
  • Real-time alerting is a vital component of compliance
  • Customers are looking for real-time help on the mainframe

Legislative Background

  • Fourth Amendment
  • FCA
  • Title III
  • FISA
  • ECPA
  • CALEA
  • Digital Privacy Act of 2000
  • Electronic Privacy Act of 2000
  • The Information Technology (IT) Management Reform Act of 1996 (i.e., ITMRA or Cohen Bill), which is effective August 8, 1996, places focus on the life cycle management of IT and the processes supported by that technology, rather than simply on the procedures and process used to acquire IT.
  • Information Technology Management Reform Act of 1995
  • 1791 – The Fourth Amendment to the Constitution
  • 1928 – Olmstead v United States
  • 1934 – Federal Communications Act
  • 1937 – Nardone v United States
  • 1939 – Nardone v United States
  • 1967 – Berger v United States
  • 1967 – Katz v United States
  • 1968 – Omnibus Crime Control and Safe Streets Act
  • 1978 – Foreign Intelligence Surveillance Act
  • 1979 – Smith v Maryland
  • 1986 – Electronic Communications Privacy Act
  • 1994 – Communications Assistance for Law Enforcement Act
  • 2000 – US Telecom v FCC
  • 2000 – Hearings in House and Senate committees
  • 2000 – Digital Privacy Act, proposed
  • 2000 – Electronic Communications Privacy Act, proposed
  • 2000 – Illinois report released

References

Applicable Laws & Regulations

  • Electronic Funds Transfer Act
  • Equal Credit Opportunity Act
  • Expedited Funds Availability Act
  • Fair Credit Reporting Act
  • Fair Housing Act
  • Real Estate Settlement and Procedures Act
  • Right to Financial Privacy

Right to Financial Privacy

  • Part 716 Privacy of Consumer Financial Information
  • Part 741 Privacy of Consumer Financial Information Requirements for Insurance
  • Part 748 Security Program, Report of Crime and Catastrophic Act and Bank Secrecy Act Compliance
  • Part 749 Records Preservation Program And Record Retention Appendix

Applicable Laws & Regulations

Reserve Requirements for Depository Institutions

  • Truth in Lending Act
  • Truth in Savings Act
  • Equal Employment Opportunity Act
  • Consumer Leasing Act
  • Home Mortgage Disclosure Act
  • Others???

ISO 17799 / BS7799

Provides a broad objective-oriented information security framework.

  • Privacy and data integrity oriented
  • Objective-oriented means it lacks details and thus is interpreted broadly
  • Currently under revision — including risk management and incident management
  • Widely and informally accepted around the world
    • Outlines Comprehensive Incident Response and Internal Investigation Procedures
    • Detailed Provisions on Computer Evidence Preservation and Handling

The Sarbanes-Oxley Act of 2002

The Sarbanes-Oxley Act of 2002 was designed to protect shareholders and the public from accounting errors and fraudulent practices. Administered by the U.S. Securities and Exchange Commission (SEC), it sets deadlines for compliance and publishes a wide range of rules and requirements. The consequences for failing to comply with certain provisions range from fines to imprisonment. Several sections of the act illustrate the need for better document processing and retention:

Section 302 mandates that executives be held personally responsible for financial reports, requiring them to sign the documents.

Section 404 requires both the management of publicly held companies and outside auditor firms to report on the effectiveness of the company’s internal controls.

Section 802 prohibits management from knowingly altering or destroying any documents related to a federal investigation or bankruptcy. In addition, the external auditors must retain audit paperwork for five years.

SEC Rule 17a-4

The SEC’s books and records rules, Rule 17a-3 and Rule 17a-4 under the Securities Exchange Act of 1934, specify minimum requirements with respect to the records that broker-dealers must make, and how long those records and other documents relating to a broker-dealer’s business must be kept.

Rule 17a-4 requires broker-dealers to store electronic records in a non-rewritable, non-erasable format and provides retention periods for those records. The rule became effective May 2, 2003.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) protects “individually identifiable health information,” which is any data identified by name, Social Security number, address or birth date, whether it is electronic, paper or oral. Effective April 2005, it requires best practices for assuring that electronic patient data is confidential, available as needed and maintained with integrity intact.

HIPAA affects all companies with employer-sponsored health plans and all healthcare providers that transmit patient information electronically for claims, benefit eligibility and referral authorizations.

Check 21

The Check Clearing for the 21st Century Act facilitates check truncation by creating a new negotiable instrument, called a substitute check, which would permit banks to truncate original checks, to process check information electronically, and to deliver substitute checks to banks that want to continue receiving paper checks.

Check 21 was signed into law on October 28, 2003, and became effective on October 28, 2004. It affects all banking institutions.

Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999)

The Gramm-Leach-Bliley Act created a new “financial holding company” under section 4 of the Bank Holding Company Act of 1956.

Others to consider:

AR 335–15, Management Information Control System

DA Pam 25–1–1, Information Technology Support and Services

DODD 5015.2, Department of Defense Records Management Program