
REGULATIONS


Gramm-Leach-Bliley Act (GLBA)
Perhaps most famous for repealing part of the Glass-Steagall Act of 1933, the GLBA, also known as the Financial Services Modernization Act of 1999, also contains data-security provisions that apply to “financial institutions,” i.e. “any institution engaged in the business of providing financial services to customers who maintain a credit, deposit, trust, or other financial account or relationship with the institution.”
Under the GLBA, financial institutions are required to “establish appropriate standards” to safeguard a customer’s personal financial information, in order: “(1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.” [10] Because the GLBA creates no private right of action, enforcement actions are brought by the Department of Justice only; under those actions, financial institutions can be fined up to $100,000 for each violation, and their directors and officers can be held personally liable for civil penalties of up to $10,000 for each violation.

Payment Card Industry Data Security Standard
The PCI DSS is not, strictly speaking, a “law” but a set of cyber security standards applied to any U.S. company that processes credit cards, such as a retailer or a financial institution. Among its general requirements, the standard emphasizes the need to “develop and maintain secure systems and applications” and the need to “track and monitor all access to network resources and cardholder data.”
These standards provide an “actionable framework for developing a robust payment card data security process—including prevention, detection and appropriate reaction to security incidents.” [12] PCI DSS 3.0, adopted in November 2013, enlarges the scope of data security requirements upon retailers and financial institutions. [13] It will be interesting to see whether “3.0,” when implemented by retailers, will have any material effect on an industry sector that continues to experience major cyber security breaches along the lines of Target or Neiman Marcus.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA requires, in general, the protection and confidentiality of all protected healthcare information that is created, received, maintained or transmitted electronically. Under HIPAA, a healthcare facility must protect against any reasonably anticipated threat or hazard to the security or integrity of such healthcare information. HIPAA violations can bring fines ranging from $50,000 to $250,000, as well as civil litigation exposure.
Health Information Technology for Economic and Clinical Health Act (the HITECH Act)
The HITECH Act expands the scope of the institutions covered under HIPAA to include any organization or individual who handles protected healthcare information, which may now include banks, businesses, schools and other organizations.

