Recent Harris Interactive surveys reveal that most customers still do not trust companies to handle their personal information responsibly. Reflecting consumer mistrust, several governmental regulations have emerged to legislate security and build consumer trust.
The laws are complex, demanding stiff fines and jail time for offending executives. This article, therefore, gives an overview of the regulations and describes the challenges and opportunities facing storage and IT managers.
Gramm-Leach-Bliley Act
Enacted by the U.S. Federal government in 1999, this act applies only to financial institutions. It covers security for customer private information.
Requires: Administrative, technical and physical safeguards to protect customer information; privacy notices and opt-out provisions; vigilance against future threats; responsibility for outsourced security solutions.
Implications: Increased storage volume and secure backup storage, increased network and storage security; data encryption at source; company-wide policies, risk assessments and reports.
California Senate Bill 1386
“1386” went into effect in July 2003 and applies to companies doing business in California and all companies holding personal information of California residents. A customer can bring civil suit for damages.
Requires: Disclosure of any security breach in which unencrypted personal information might have been acquired by an unauthorized person; procedures to identify and contact persons affected; due diligence in protecting customer information from unauthorized access. There is no definition of the level of encryption.
Implications: Data encryption at source and throughout data lifecycle; network and storage security layers; zoning.
Sarbanes-Oxley Act
Enacted by the US Federal Government in 2002 in response to corporate financial scandals, this act applies to all publicly held companies in the U.S. that have more than $75 million equity market capitalization and that report quarterly to the Securities and Exchange Commission (SEC). It covers financial reporting, auditing practices and associated document retention. Holding CEOs and CFOs directly responsible, this act has a major effect on U.S. corporations and already sent one executive to jail. This act does not directly regulate consumer privacy, but it has important Storage and IT implications. Requires: Save all documentation used for financial reports and audits; save transactions and meeting minutes; retain data for 5 years; locate and recover documents in a few days.
Implications: Increased storage volume; indexed document retrieval from primary and backup media; Write-Once-Read-Many (WORM) storage; disaster recovery including geographically isolated synchronized storage.
Page 2: SEC Rule 17a, Personal Information Protection and Electronic Documents Act