The definition and consequences of cyberattacks, focusing on two notable incidents at eBay and a credit bureau. It also outlines the responsibilities of companies in identifying deficiencies, material weaknesses, fraud, and significant changes in internal controls. The document further explores the Computer Fraud and Abuse Act and the Federal Information Security Management Act, emphasizing the importance of securing networks and protecting sensitive information.
Typology: Summaries
2.1. IT Crimes and Cyberattacks

The IT explosion has opened up many new gateways for criminals, requiring organizations to take the necessary precautions to safeguard their intellectual assets against computer crime. According to the 2019 Internet Crime Report, the FBI's Internet Crime Complaint Center (IC3) received the following number of complaints with the corresponding reported losses:

Year   Complaints   Total Losses
2015   288,012      $1.1 billion
2016   298,728      $1.5 billion
2017   301,580      $1.4 billion
2018   351,937      $2.7 billion
2019   467,361      $3.5 billion

Most of the continuing complaints received by the FBI involved criminals hosting fraudulent government services websites in order to acquire personally identifiable information (PII) and to collect fraudulent fees from consumers. Other notable ones involved "non-payment" (i.e., goods/services shipped or provided, but payment never rendered); "non-delivery" (i.e., payment sent, but goods/services never received); identity theft; personal data breach; extortion; and others.

Some of the most frequently reported Internet crimes are listed below:

◾ Business e-mail compromise (BEC). A sophisticated scam targeting businesses that work with foreign suppliers and/or businesses that regularly perform wire transfer payments.
◾ Ransomware. A form of malware targeting both human and technical weaknesses in an effort to deny the availability of critical data and/or systems.
◾ Tech Support Fraud. Tech support fraud occurs when the subject claims to be associated with a computer software or security company, or even a cable or Internet company, offering technical support to the victim.
◾ Auto Fraud. The typical automobile fraud scam involves selling a consumer an automobile (listed on a legitimate website) at a price significantly below its fair market value. The seller (fraudster) tries to rush the sale by stating that he/she must sell immediately due to relocation, family issues, need of cash, or other personal reasons. The seller does not allow the automobile to be inspected, nor meet with the consumer face-to-face. The seller then asks the consumer to wire payment to a third-party agent, and to fax the payment receipt back to him or her as proof of payment. The seller keeps the money and never delivers the automobile.
◾ Government Impersonation E-mail Scam. This type of Internet crime involves posing as government or law enforcement officials, or simply as someone pretending to have a certain level of authority, in order to persuade unaware victims to provide their personal information.
◾ Intimidation/Extortion Scam. This type of crime utilizes demands for money, property, assets, etc. through undue exercise of authority (i.e., threats of physical harm, criminal prosecution, or public exposure) in order to extort and intimidate.
◾ Real Estate Fraud. Similar to Auto Fraud. The seller (fraudster) tries to rush the sale of a house (at a price significantly below its market rental rates) by stating that he/she must sell immediately due to relocation, new employment, family issues, need of cash, or other personal reasons. Such a significant price reduction is used to attract potential victims. The seller will then ask the consumer to provide personal identifying information and to wire payment to a third party. Upon receiving payment, the seller is never found.
◾ Confidence Fraud/Romance Scam. This type of crime refers to schemes designed to look for companionship, friendship, or romance via online resources.

In the Philippines

As the number of internet users in the country increases, the Philippine National Police (PNP) has also recorded a consistent upsurge in cases of cybercrime.

Cybercrime Cases                  2014   2015   2016   2017   2018
Online Libel                       112    311    498    646   1041
Online Scam                        154    334    511    367   1012
Photo and Video Voyeurism           43     52    196    355    415
Computer-Related Identity Theft
Threats                             56    106    208    207    364
System Interference or Hacking
Unjust Vexation                     10     33     46     81    192
Illegal Access                       0      5     26     38    144
Robbery With Intimidation           11     30     40     57     97
ATM or Credit Card Fraud             1     30     31     56     91

Main Categories of Crimes Involving Computers

There are three main categories of crimes involving computers. These crimes may be committed as individual acts or concurrently. The first of these is where the computer is the target of the crime. Generally, this type of crime involves the theft of information that is stored in the computer. This also covers unauthorized access to or modification of records. The most common way to gain unauthorized access is for the criminal to become a “super-user” through a backdoor in the system. The backdoor in the system is there to permit access should a problem arise. Being a superuser is equivalent to being the system’s manager, and it allows the criminal access to practically all areas and functions within the system. This type of crime is of the greatest concern to industry.
and login information to 150 million users of its food and nutrition website, MyFitnessPal.

eBay. In May 2014, eBay announced that hackers got into the company network using the credentials of three corporate employees and had complete inside access for 229 days, during which time they were able to collect personal information of all of its 145 million users.

Equifax. In September 2017, one of the largest credit bureaus in the U.S. revealed that personal information, including Social Security numbers, birth dates, addresses, and in some cases drivers’ license numbers, had been compromised. In 2020, four Chinese military hackers were charged with breaking into the computer networks of the Equifax credit reporting agency and stealing the personal information of tens of millions of Americans, the Justice Department announced.

Heartland Payment Systems. In January 2009, Heartland Payment Systems, the sixth-largest payments processor in the U.S., announced that its processing systems were breached in 2008, exposing more than 134 of customers’ credit card numbers and more than 650 financial services companies.

Target. In 2013, the retail giant was attacked days before Thanksgiving when hackers gained access through a third-party HVAC vendor to its point-of-sale (POS) payment card readers, which in turn collected data of up to 110 million customers.

Philippines Commission on Elections. In April 2016, after a message was posted on the COMELEC website by hackers from Anonymous, warning the government not to mess with the elections, the entire database was stolen and posted online. A total of 55 million records were stolen.

Bangladesh Central Bank. The Bangladesh Bank robbery, also known colloquially as the Bangladesh Bank cyber heist, took place in February 2016, when thirty-five fraudulent instructions were issued by security hackers via the SWIFT network to illegally transfer close to US$ 1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh Bank, the central bank of Bangladesh. Five of the thirty-five fraudulent instructions were successful in transferring US$ 101 million, with US$ 20 million traced to Sri Lanka and US$ 81 million to the Philippines.

United Coconut Planters Bank (UCPB). In September 2020, Nigerian hackers were able to steal P167 million from the bank. The hackers stole the money through malware, which gave them remote access functions and allowed them to send and receive cash online.

2.2. Sarbanes-Oxley Act of 2002

It has been more than a decade since the Enron–Arthur Andersen LLP financial scandal (2001), but it still continues to plague today’s financial market, as the trust of the consumer, the investor, and the government in allowing the industry to self-regulate has been violated. The reminder of the Enron fiasco is today’s scandals in the mortgage and mortgage investment market and the domino effect they have had on government, private industry, and the public.
Therefore, the Sarbanes–Oxley Act (SOX) of 2002, which changed the world of financial audit dramatically, will be a vivid reminder of the importance of due professional care. SOX prohibits all registered public accounting firms from providing audit clients, contemporaneously with the audit, certain non-audit services, including internal audit outsourcing, financial information-system design and implementation services, and expert services, among others. These scope-of-service restrictions go beyond existing Securities and Exchange Commission (SEC) independence regulations. All other services, including tax services, are permissible only if preapproved by the issuer’s audit committee, and all such preapprovals must be disclosed in the issuer’s periodic reports to the SEC. An issuer is a legal entity (e.g., a corporation) that registers and sells securities in order to finance its operations.

SOX discusses requirements for the Board of Directors (board), including composition and duties. The board must (1) register public accounting firms; (2) establish or adopt, by rule, auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers; (3) conduct inspections of accounting firms; (4) conduct investigations and disciplinary proceedings, and impose appropriate sanctions; (5) perform such other duties or functions as necessary or appropriate; (6) enforce compliance with the act, the rules of the board, professional standards, and the securities laws relating to the preparation and issuance of audit reports and the obligations and liabilities of accountants with respect thereto; and (7) set the budget and manage the operations of the board and the staff of the board.

SOX is a major reform package mandating the most far-reaching changes Congress has imposed on the business world since the Foreign Corrupt Practices Act of 1977 and the SEC Act of the 1930s. It seeks to thwart future scandals and restore investor confidence by, among other things, (1) creating the Public Company Accounting Oversight Board (PCAOB); (2) revising auditor independence rules and corporate governance standards; and (3) significantly increasing the criminal penalties for violations of securities laws. These are described below.

PCAOB

To audit a publicly traded company, a public accounting firm must register with the PCAOB. The PCAOB shall collect a registration fee and an annual fee from each registered public accounting firm in amounts that are sufficient to recover the costs of processing and reviewing applications and annual reports. The PCAOB shall also establish a reasonable annual accounting support fee to maintain its operations. Annual quality reviews must be conducted for public accounting firms that audit more than 100 issuers; for all others, reviews must be conducted every 3 years. The SEC and the PCAOB may order a special inspection of any registered audit firm at any time. The PCAOB can impose sanctions if the firm fails to reasonably supervise any associated person with regard to auditing or quality control standards. It is unlawful for a registered public accounting firm to provide any non-audit service to an issuer contemporaneously with the audit. These non-audit services are listed below:
◾ prepare and sign off a statement (accompanying the audit report) to certify to stakeholders that the company’s financial statements and all supplemental disclosures contained within the report are truthful, reliable, and fairly present, in all material respects, the operations and financial condition of the company.
◾ state that they are indeed responsible for implementing and maintaining the internal control structure, and that they have implemented all necessary steps to ensure that the disclosure processes and controls within the company consistently generate financial information that can be relied on by stakeholders.
◾ present conclusions about the effectiveness of the internal control structure resulting from their evaluation (such evaluation to occur within 90 days prior to the issuance of the report).
◾ identify for the company’s external auditors:
   o any deficiencies (significant or not) in the design or operation of internal controls which could adversely affect the company’s ability to record, process, summarize, and report financial information;
   o any material weaknesses in internal controls;
   o any fraud (material or not) that involves any company personnel who have a significant role in the company’s internal controls; and
   o any significant changes implemented that could materially affect internal controls subsequent to the date of their evaluation.

A violation of this section must be knowing and intentional to give rise to liability. It shall be unlawful for any officer or director of an issuer to take any action to fraudulently influence, coerce, manipulate, or mislead any auditor engaged in the performance of an audit for the purpose of rendering the financial statements materially misleading.

Another critical and related section of SOX is Section 404: Management Assessment of Internal Controls, which requires that the company’s external auditors report on how reliable the assessment of internal controls performed by management is. For this, the annual financial report package that is prepared by the external auditors must include a report (i.e., internal control report) stating that management is responsible for implementing and maintaining an adequate internal control structure. Such report must also include the evaluation performed by management to support the effectiveness of the control structure. Any faults, deficiencies, or weaknesses identified as a result of the assessment must also be reported. The external auditors must further attest to the accuracy of the company management’s assertion that internal accounting controls are in place and operating effectively.

Increasing Criminal Penalties for Violations of Securities Laws

SOX penalizes executives for nonperformance. If an issuer is required to prepare a restatement due to material noncompliance with financial reporting requirements, the CEO and the CFO must reimburse the issuer for any bonus or other incentive- or equity-based compensation received during the 12 months following the issuance. SOX also prohibits the purchase or sale of stock by officers, directors, and other insiders during blackout periods. Any profits resulting from sales in violation of this will be recoverable by the issuer.

Each financial report that is required to be prepared in accordance with GAAP shall reflect all material-correcting adjustments that have been identified by a registered accounting firm. Each annual and quarterly financial report shall disclose all material off-balance-sheet transactions and other relationships with unconsolidated entities that may have a material current or future effect on the financial condition of the issuer. Also, directors, officers, and 10% or more owners must report designated transactions by the end of the second business day following the day on which the transaction was executed.

SOX requires each annual report of an issuer to contain an internal control report. The SEC shall issue rules to require issuers to disclose whether at least one member of its audit committee is a financial expert. Also, issuers must disclose information on material changes in the financial condition or operations of the issuer on a rapid and current basis.

SOX makes it a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the object’s integrity or availability for use in an official proceeding, or to otherwise obstruct, influence, or impede any official proceeding; such a person is liable for up to 20 years in prison and a fine. The SEC is also authorized to freeze the payment of an extraordinary payment to any director, officer, partner, controlling person, agent, or employee of a company during an investigation of possible violations of securities laws. Finally, the SEC may prohibit a person from serving as an officer or director of a public company if the person has committed securities fraud.

2.3. US Security Legislation

It appears that traditional security methods and techniques are simply not working.
In fact, the literature argues that the current use of information security tools and technologies (e.g., encryption, firewalls, access management, etc.) alone is not sufficient to protect information and address information security challenges. Similarly, current security legislation, although addressing issues of unwanted entry into a network, may allow ways by which criminals can escape the most severe penalties for violating authorized access to a computer system. The computer networking industry is continually changing. Because of this, laws, policies, procedures, and guidelines must constantly change with it; otherwise, they will have a tendency to become outdated, ineffective, and obsolete. Private industry has in the past been reluctant to implement these U.S. federal government laws because of the fear of the negative impact they could bring to a company’s current and future earnings and its image with the public. Following are descriptions of some of the U.S. Federal Government laws that regulate IT security.

Computer Fraud and Abuse Act of 1984

The Computer Fraud and Abuse Act (CFAA) was first drafted in 1984 as a response to computer crime. The government’s response to network security and network-related crimes was to revise the act in 1994 under the Computer Abuse Amendments Act to
sensitive information in federal government computer systems. It would also develop standards and guidelines for unclassified federal computer systems and facilitate such protection. The Computer Security Act of 1987 also assigned responsibility for developing governmentwide computer system security standards, guidelines, and security training programs to the National Bureau of Standards (now the NIST). It further established a Computer System Security and Privacy Advisory Board within the Department of Commerce, and required federal agencies to identify computer systems containing sensitive information and develop security plans for those systems. Finally, it provided periodic training in computer security for all federal employees and contractors who managed, used, or operated federal computer systems. The Computer Security Act of 1987 is particularly important because it is fundamental to the development of federal standards for safeguarding unclassified information and establishing a balance between national security and other non-classified issues in implementing security policies within the federal government. It is also important in addressing issues concerning government control of cryptography.

Homeland Security Act of 2002

The terrorist attack events of September 11, 2001 prompted the passage of the Homeland Security Act of 2002, whose purpose was to prevent terrorist attacks within the United States and to reduce the vulnerability of the United States to terrorism. It plays a major role in the security of cyberspace because it enforces many limitations and restrictions on users of the Internet. For example, one goal of the Act is to establish an Internet-based system that will only allow authorized persons access to certain information or services. Owing to this restriction, the chances for vulnerability and attacks may decrease.
The impact of this Act will definitely contribute to the security of cyberspace because its primary function is to protect the people of the United States from any form of attack, including Internet attacks. The passage of the Homeland Security Act of 2002 and the inclusion of the Cyber Security Enhancement Act (CSEA) within that Act makes the need to be aware of and practice cybersecurity everyone’s business. The CSEA (H.R. 3482) was incorporated into the Homeland Security Act of 2002. The CSEA demands life sentences for those hackers who recklessly endanger lives. The Act also included provisions that seek to allow Net surveillance to gather telephone numbers, Internet Protocol (IP) addresses, and uniform resource locators (URLs) or e-mail information without recourse to a court where an “immediate threat to a national security interest” is suspected. Finally, Internet Service Providers (ISPs) are required to hand over users’ records to law enforcement authorities, overturning current legislation that outlaws such behavior.

The Homeland Security Act of 2002 added phrasing that seeks to outlaw the publication anywhere of details of tools such as Pretty Good Privacy, which encode e-mails so that they cannot be read by snoops. This provision allows police to conduct Internet or telephone eavesdropping randomly with no requirement to ask a court’s permission first. This law has a provision that calls for punishment of up to life in prison for electronic hackers who are found guilty of causing death to others through their actions. Any hacker convicted of causing injuries to others could face prison terms of up to 20 years under cybercrime provisions, which are in Section 225 of the CSEA provision of the Homeland Security Act.

Payment Card Industry Data Security Standards of 2004

Payment Card Industry Data Security Standards (PCI DSS) refer to technical and operational requirements applicable to entities that store, process, or transmit cardholder data, with the intention of protecting such data in order to reduce credit card fraud. PCI DSS are maintained, managed, and promoted worldwide by the PCI Security Standards Council (Council) to protect cardholder data. The Council was founded in 2006 by major credit card companies, such as American Express, Discover, JCB International, MasterCard, and Visa, Inc. These companies share equally in governance, execution, and compliance of the Council’s work. All merchants that either accept or process payment through cards must comply with the PCI DSS. Some specific goals and requirements of PCI DSS include the following:

◾ Building and maintaining a secure network—implement a strong firewall configuration; avoid using vendor-supplied defaults for system passwords, which are easy to decipher
◾ Protecting stored cardholder data—employ encryption techniques on all transmissions of cardholder data
◾ Maintaining a vulnerability management program—develop stronger, secure systems; implement (and update as necessary) anti-virus software or programs
◾ Implementing strong access control measures—assign unique IDs; configure access to cardholder data to the minimal level possible consistent with business needs, related tasks, and responsibilities (i.e., principle of least privilege); restrict physical access to cardholder data
◾ Monitoring and testing networks—monitor all access to network resources where cardholder data are being transmitted; regularly test the security systems transmitting and processing cardholder data
◾ Maintaining an information security policy—specify required security features and acceptable use guidelines for users; define user expectations, responsibilities, and access rights and privileges

Federal Information Security Management Act of 2002

The Federal Information Security Management Act (FISMA) was enacted as part of the E-Government Act of 2002 to “provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets and to provide for development and maintenance of minimum controls required to protect Federal information and information systems.” In other words, FISMA requires federal agencies to develop, document, and put in place information security programs with the purpose of protecting both the information and the systems implemented to support the operations and assets of the agencies, including those provided or managed by another agency, contractor, or other source.
For an electronic signature to be recognized as valid under U.S. law (ESIGN and UETA), the following must take place:

◾ There must be a clear intent to sign by all involved parties.
◾ Parties to the transaction must consent to do business electronically.
◾ The application system used to capture the electronic signature must be configured and ready to retain (for validation purposes) all processing steps performed in generating the electronic signature, as well as the necessary electronic signature records for accurate and timely reproduction or restoration, if needed.

2.4. Privacy Legislation

On the subject of privacy, in 2009, the California Department of Public Health (CDPH) found that the Children’s Hospital of Orange County sent patient records by mistake to an auto shop. The auto shop business received six faxes containing healthcare information, including information that identified the patient’s name, date of birth, and details about the visits. Hospital staff told the CDPH that a test fax should have been sent first, per hospital policy. This is an example of a privacy breach.

Privacy, as defined by ISACA, involves the “freedom from unauthorized intrusion or disclosure of information about an individual.” Privacy focuses on protecting personal information about customers, employees, suppliers, or business partners. Organizations have an ethical and moral obligation to implement controls to protect the personal information that they collect. Private information has also been accessed by criminals within the online world. Some of the legislation passed does protect the user against invasion of privacy. However, some of the laws observed contain far too many exceptions and exclusions, to the point that their efficacy suffers. In addition, the government continues to utilize state-of-the-art techniques for the purpose of accessing information for the sake of “national security,” justified currently under the Homeland Security Act.
New bills and legislation continue to attempt to find a resolution to these problems, but new guidelines, policies, and procedures need to be established, and laws need to be enforced to their full extent, if citizens are to enjoy their right to privacy as guaranteed under the constitution.

Privacy Act of 1974

In addition to the basic right to privacy that an individual is entitled to under the U.S. Constitution, the government also enacted the Privacy Act of 1974. Its purpose is to provide certain safeguards to an individual against an invasion of personal privacy. This act places certain requirements on federal agencies, such as permitting individuals to:

◾ determine what personal records are collected and maintained by federal agencies
◾ prevent personal records that were obtained for a particular purpose from being used or made available for another purpose without consent
◾ gain access to their personal information in federal agency records and correct or amend them

The Act also requires federal agencies to collect, maintain, and use any private information in a manner that assures that such action is for a necessary and lawful purpose, that the information is current and accurate, and that safeguards are provided to prevent misuse of the information. Although the Privacy Act of 1974 is an important part of safeguarding individual privacy rights, it is important for the IT auditor to recognize that there are many exemptions under which it may be lawful for certain information to be disclosed. This could, in some cases, give federal and nonfederal agencies the means by which they can obtain and disclose information on any individual simply because they may fall under one of the many exemptions that the Privacy Act allows. For example, the subsequent Freedom of Information Act provides the federal government a way to release historical information to the public in a controlled fashion. The Privacy Act of 1974 has also been updated over time through the amendment process.

Electronic Communications Privacy Act of 1986

In the area of computer networking, the Electronic Communications Privacy Act of 1986 is one of the leading early pieces of legislation against violation of private information as applicable to online systems. The Act specifically prohibits interception and disclosure of wire, oral, or electronic communications, as well as the manufacture or possession of intercepting devices.

Communications Decency Act of 1996

The Communications Decency Act (CDA) of 1996 bans the making of “indecent” or “patently offensive” material available to minors through computer networks. The Act imposes a fine of up to $250,000 and imprisonment for up to 2 years.
The CDA does specifically exempt from liability any person who provides access or connection to or from a facility, system, or network that is not under the control of the person violating the Act. The CDA also states that an employer shall not be held liable for the actions of an employee unless the employee’s conduct is within the scope of his or her employment. More recent application of this law has been used to protect minors’ use of social networks and keep them from falling prey to predators/stalkers.

Children’s Online Privacy Protection Act of 1998

This is another act passed by Congress following the CDA, effective April 2000. The Children’s Online Privacy Protection Act (COPPA) of 1998 applies to the online collection of personal information from children under 13. The rules spell out what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent, and what responsibilities an operator has to protect children’s privacy and safety online. Operators or owners of a commercial website or an online service directed to children under 13 years must comply with COPPA when collecting personal information from such children.
requirements is primarily a matter of computer security: protecting the confidentiality of medical patient information and standardizing the reporting and billing processes for all health- and medical-related information. Confidentiality refers to the protection of any type of sensitive information from unauthorized access. It is critical for an organization’s reputation and also for compliance with privacy regulations. Risks associated with confidentiality include allowing unauthorized access to or disclosure of sensitive and valuable organization data (e.g., corporate strategic plans, policyholder information, etc.). From an organization’s standpoint, sensitive and/or critical information may include:

◾ Strategic plans
◾ Trade secrets
◾ Cost information
◾ Legal documents
◾ Process improvements

To comply with HIPAA, the following must occur:

◾ Any connection to the Internet or other external networks or systems occurs through a gateway or firewall.
◾ Strong authentication is used to restrict access to critical systems or business processes and highly sensitive data.
◾ Assessments of vulnerability, reliability, and the threat environment are made at least annually.

The Health Information Technology for Economic and Clinical Health Act of 2009

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was enacted as part of the American Recovery and Reinvestment Act of 2009. HITECH promotes the adoption and meaningful use of health IT in the United States. HITECH provides the U.S. Department of Health and Human Services with the authority to establish programs to improve healthcare quality, safety, and efficiency through the “meaningful use” and promotion of health IT, including electronic health records and private and secure electronic health information exchange. Meaningful use refers to minimum U.S.
government standards for using electronic health records, and for exchanging patient clinical data between healthcare providers, between healthcare providers and insurers, and between healthcare providers and patients. Sections within HITECH include the following:

o Subtitle A—Promotion of Health IT
o Subtitle B—Testing of Health IT
o Subtitle C—Grants and Loans Funding
o Subtitle D—Privacy

Subtitle A’s goals include the protection and safeguarding of each patient’s health information consistent with the law; improvement of healthcare quality; and reduction of medical errors and healthcare costs resulting from inefficiency; among others. Subtitle B lists descriptions and requirements for: (1) testing and implementing Health Information Technology (HIT) standards; (2) testing of HIT infrastructure (e.g., technical test beds, etc.); and (3) assisting higher-education institutions to establish multidisciplinary Centers for Health Care Information Enterprise Integration. Subtitle C implements grants, loans, and demonstration programs as incentives for utilizing health IT. Lastly, Subtitle D deals with privacy and security concerns tied to electronic transmissions of health information.

Although HITECH and HIPAA are separate laws, they supplement each other in some ways. For instance, HITECH demands that its technologies and IT-related standards do not compromise HIPAA privacy and security rules. HITECH also stipulates that physicians and hospitals attesting to meaningful use must have previously performed a security risk assessment, as HIPAA requires. HITECH further establishes notification rules for data breach instances, which are also mirrored by HIPAA.

Gramm–Leach–Bliley Act of 1999

The Gramm–Leach–Bliley Act of 1999 requires financial institutions to protect consumer financial privacy. Financial institutions are companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance. Under the Gramm–Leach–Bliley Act of 1999, financial institutions are required to explain their information-sharing practices to their customers and to protect their sensitive data. In order to comply with the Act, financial institutions must assess, manage, and control risk; oversee service providers; and adjust security programs as needed based on changing risk.
One specific provision requires financial institutions to identify internal and/or external threats that can potentially result in unauthorized disclosure, misuse, destruction, or manipulation of customers’ sensitive information.

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) of 2001

The purpose of the USA PATRIOT Act of 2001 is to deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and other purposes, some of which include:

o To strengthen U.S. measures to prevent, detect, and prosecute international money laundering and the financing of terrorism
o To subject to special scrutiny foreign jurisdictions, foreign financial institutions, and classes of international transactions or types of accounts that are susceptible to criminal abuse
o To require all appropriate elements of the financial services industry to report potential money laundering
o To strengthen measures to prevent use of the U.S. financial system for personal gain by corrupt foreign officials, and to facilitate repatriation of stolen assets to the citizens of the countries to whom such assets belong
Personal Information Protection and Electronic Documents Act of 2000 (PIPED Act, or PIPEDA)—Canada. One of the main purposes of PIPEDA is to support and promote electronic commerce by “protecting personal information that is collected, used or disclosed in certain circumstances.” The following 10 principles, established by PIPEDA, govern the collection, use, and disclosure of personal information:

o Accountability
o Identifying Purposes
o Consent
o Limiting Collection
o Limiting Use, Disclosure, and Retention
o Accuracy
o Safeguards
o Openness
o Individual Access
o Challenging Compliance

Law on the Protection of Personal Data Held by Private Parties of 2010—Mexico. The law requires Mexican business organizations (as well as any company that operates or advertises in Mexico or uses Spanish-language call centers and other support services located in Mexico) to have either consent or a legal obligation when collecting, processing, using, and disclosing personally identifiable information (PII). Organizations dealing with PII must inform individuals about such use and, most importantly, notify all affected persons in the event of a security breach. The law also includes eight general principles that Mexican business organizations must follow when handling personal data:

o Legality
o Consent
o Notice
o Quality
o Purpose Limitation
o Fidelity
o Proportionality

General Data Protection Regulation (GDPR). A regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA. The GDPR’s primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects' citizenship or residence—that is processing the personal information of data subjects inside the EEA.
Controllers and processors of personal data must put in place appropriate technical and organizational measures to implement the data protection principles. Business processes that handle personal data must be designed and built with the principles in mind and must provide safeguards to protect data (for example, using pseudonymization or full anonymization where appropriate). Data controllers must design information systems with privacy in mind, for instance by using the highest-possible privacy settings by default, so that datasets are not publicly available by default and cannot be used to identify a subject.

No personal data may be processed unless the processing is done under one of the six lawful bases specified by the regulation (consent, contract, public task, vital interest, legitimate interest, or legal requirement). When the processing is based on consent, the data subject has the right to revoke it at any time. Data controllers must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long data is retained and whether it is shared with any third parties or outside of the EEA. Data subjects have the right to request a portable copy of the data collected by a controller in a common format, and the right to have their data erased under certain circumstances.

Public authorities, and businesses whose core activities consist of regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report data breaches to national supervisory authorities within 72 hours if they have an adverse effect on user privacy. In some cases, violators of the GDPR may be fined up to €20 million or, in the case of an enterprise, up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.

Safe Harbor Act of 1998.
Under the Act, transferring personal data to non-European Union nations (e.g., U.S. companies) that do not comply with the European “adequacy” standard for privacy protection (established by the European Union Data Protection Directive) is prohibited. The Act (specifically as it relates to U.S. companies doing business in Europe) was intended to bridge the different privacy approaches of the United States and Europe, thus enabling U.S. companies to safely engage in trans-Atlantic transactions without facing interruptions or even prosecution by European authorities. Some key requirements or provisions of the Act include:

o Companies participating in the safe harbor will be deemed adequate, and data flows to those companies will continue.
o Member state requirements for prior approval of data transfers either will be waived or approval will be automatically granted.
o Claims brought by European citizens against U.S. companies will be heard in the United States, subject to limited exceptions.

2.6. Philippine Laws related to Cyber and Information Security

In the Philippines, the following laws, policies, and standards related to cyber and information security are in force.