Datajockeys, LLC has successfully completed contracts with banks, health insurance companies and government agencies requiring regulatory compliance. Please don't assume this list represents all of the laws and regulations that may apply to your business. There are a number of others both in the United States and across the globe you may need to comply with.
Laws and Regulations
At the heart of most regulations is the intention of protecting the confidentiality, integrity, and availability of information that impacts a corporation's stakeholders. These laws can be distilled down to their essential goals:
- Establish and implement controls
- Maintain, protect, and assess compliance issues
- Identify and remediate vulnerabilities and deviations
- Provide reporting that can prove your organization's compliance
New Laws and Regulations Affecting IT Pros
The Sarbanes-Oxley Act of 2002 (SOX) was a response to corporate scandals. Its most prominent aspect, from an IT perspective, is Section 404, which requires that the annual reports of public companies include an end-of-fiscal-year assessment of the effectiveness of internal control over financial reporting. Section 404 also requires that the company's independent auditors attest to, and report on, this assessment.
The Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act (GLBA), protects the privacy and security of individually identifiable financial information collected, held, and processed by financial institutions. The privacy component requires financial institutions to provide their customers with an annual notice of their privacy practices and to allow customers to choose not to share such information. The safeguards component requires that financial institutions establish a comprehensive security program to protect the confidentiality and integrity of the private financial information in their records.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) includes, among its various components, Administrative Simplification provisions that mandate standardized electronic transactions, code sets, and identifiers, together with the Privacy Rule and the Security Rule. The Privacy Rule governs the use and disclosure of Protected Health Information (PHI) gathered in the healthcare process; the Security Rule requires administrative, physical, and technical safeguards for PHI that is created, stored, or transmitted electronically (ePHI).
European Union Data Protection Directive
The European Union's Data Protection Directive (95/46/EC) took effect in October 1998. It prohibits the transfer of personal data to non-EU countries that do not meet the European Union (EU) "adequacy" standard for privacy protection. While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU.
To bridge these differing approaches and give U.S. organizations a streamlined means of complying with the Directive, the U.S. Department of Commerce, in consultation with the European Commission, developed the U.S.-EU "Safe Harbor" framework, under which an organization evaluated its practices against the Safe Harbor privacy principles and then self-certified its adherence to them. Note that Safe Harbor was invalidated by the Court of Justice of the European Union in October 2015, and the Directive itself was replaced by the General Data Protection Regulation (GDPR) in May 2018, so neither can be relied on as a current basis for EU-U.S. data transfers.
Bank Secrecy Act
The Bank Secrecy Act (BSA) was passed into law in the United States in 1970. It is sometimes referred to as an anti-money-laundering (AML) law, or as BSA/AML. Several later anti-money-laundering acts, including provisions of the USA PATRIOT Act, amended the BSA. (See 31 USC 5311–5330 and 31 CFR 103.) The BSA requires banks and other financial institutions to report certain transactions to government agencies and prohibits them from disclosing to the clients concerned that such reports have been filed.
USA PATRIOT Act
The USA PATRIOT Act (Public Law 107–56) is U.S. federal legislation passed soon after the September 11, 2001 terrorist attacks. The Act expands the authority of U.S. law enforcement for the stated purpose of fighting terrorist acts in the U.S. and abroad; this expanded legal authority is also used to detect and prosecute other alleged crimes. The portion of the Act most relevant to financial institutions' compliance programs is Title III, the International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001, which deals with money laundering and works in conjunction with the BSA/AML requirements just mentioned.
The Federal Information Security Management Act
The Federal Information Security Management Act of 2002 (FISMA) was enacted to bolster computer and network security within the U.S. federal government and affiliated parties (such as government contractors) by requiring agencies to implement risk-based information security programs, review them annually, and undergo annual independent evaluations. FISMA brought attention within the federal government to the previously neglected area of cyber security. It was updated by the Federal Information Security Modernization Act of 2014, which kept the FISMA name and core structure.
Payment Card Industry Data Security Standard
The Cardholder Information Security Program (CISP) was instituted by Visa USA, with compliance mandated since June 2001; MasterCard International ran a parallel program, Site Data Protection (SDP). Both were intended to protect cardholder data wherever it resides, ensuring that members, merchants, and service providers maintain a high information security standard. In December 2004 the card brands aligned these requirements into a single standard, the Payment Card Industry Data Security Standard (PCI DSS), which is now maintained by the PCI Security Standards Council.
International Convergence of Capital Measurement and Capital Standards: A Revised Framework
This framework, better known as Basel II or the New Accord, represents recommendations by bank supervisors and central bankers from the 13 countries making up the Basel Committee on Banking Supervision for revising the international standards for measuring the adequacy of a bank's capital. The agreement was created to promote greater consistency in the way banks and regulators approach risk management across national borders.