
Laws that Provide

Laws that Provide Safeguards and Penalties for Improper Use of Data

Floyd Mullings

Date: May 31, 2010


Introduction
Information security and the misuse of sensitive data have long been among the greatest information technology challenges of many organizations, both public and private, and the interconnected nature of modern computing is only causing this challenge to escalate. Over the years several laws have been established to provide some means of safeguarding sensitive data as well as penalties for individuals and organizations that engage in the improper use of such data.
This paper begins with an overview of some legislation that relates to the use of data in the information age, followed by a discussion of the application of HIPAA, and concludes with a discussion of the approach organizations should take toward legislation.
Legislation that relates to the use of data in the information age: There are several laws today that relate to how data is used. Why were these laws created? In the early 1980s law enforcement agencies faced the dawn of the computer age with growing concern about the lack of criminal laws available to fight the emerging computer crimes. Although the wire and mail fraud provisions of the federal criminal code were capable of addressing some types of computer-related criminal activity, neither of those statutes provided the full range of tools needed to combat these new crimes. As a result, the Computer Fraud and Abuse Act (CFAA) was enacted by Congress in 1986 as a means of combating such crimes, and other similar legislation would soon follow.
The following is a brief overview of six such laws that exist today:
Computer Fraud and Abuse Act (CFA) of 1986: Signed into law in 1986, the CFA was a significant step forward in criminalizing unauthorized access to computer systems and networks. The Act applies to "federal interest computers", which include any system used by the U.S. government as well as most financial institutions. It states that unauthorized penetration of, or other damage to, such systems is a felony, as is trafficking in passwords or other access codes. Violators are subject to fines of up to $250,000 per incident and up to 10 years in prison. Updates to the CFA passed in 1994 extended coverage to the dissemination of viruses and worms.
The CFA was amended in 1988, 1994, 1996, in 2001 by the USA PATRIOT Act, and in 2008 by the Identity Theft Enforcement and Restitution Act (Computer Desktop Encyclopedia, n.d.).
The Computer Security Act (CSA) of 1987 provides for improving the security and privacy of sensitive information in federal computer systems. The Act defines "sensitive information" to include any unclassified information that, if lost, misused, or accessed or modified without authorization, could adversely affect the national interest, the conduct of federal programs, or the privacy to which individuals are entitled under the Privacy Act. The CSA requires federal agencies to identify their computer systems that contain sensitive information, establish training programs to increase security awareness and knowledge of security practices, and establish a plan for the security and privacy of each computer system with sensitive information (Privacilla, 2002).
The USA PATRIOT Act is a statute enacted by the United States Government and signed into law by President George W. Bush on October 26, 2001. The contrived acronym stands for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001. The purpose of the USA PATRIOT Act is to deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and other purposes, some of which include: to strengthen U.S. measures to prevent, detect and prosecute international money laundering and the financing of terrorism; to subject to special scrutiny foreign jurisdictions, foreign financial institutions, and classes of international transactions or types of accounts that are susceptible to criminal abuse; and to require all appropriate elements of the financial services industry to report potential money laundering (FinCEN, n.d.).
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information (U.S. Department of Health and Human Services, n.d.).
The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, it also affects the IT departments whose job it is to store a corporation's electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for "not less than five years." The consequences for non-compliance are fines, imprisonment, or both. Consequently, IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation (SearchCIO, n.d.).
The Federal Information Security Management Act of 2002 (FISMA) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source (National Institute of Standards and Technology, n.d.).
The HIPAA Law: It is vital to protect the integrity and the confidentiality of a patient's information, and that is the purpose of HIPAA. It is therefore important for the medical industry to know and comply with this law, since it carries severe civil and criminal penalties. Healthcare industries today have adopted the electronic storage and transfer of data, and this leaves patients' records more vulnerable to hacking as well as to unauthorized access from inside the organization. Two aspects under HIPAA Administrative Simplification are privacy and security. Privacy: Under HIPAA, covered entities must implement standards to protect and guard against the misuse of individually identifiable health information. Security: HIPAA addresses how electronic health information is stored, transmitted and accessed.
How effective is the HIPAA law in providing safeguards and penalties for improper use of data? The law might possess all the components necessary to provide adequate safeguards and to prevent misuse of data, but complying with the law from the organization's standpoint is a different story. Does the organization possess the necessary resources to comply with the law? The effectiveness of HIPAA depends on how well it is applied by the healthcare industries that must comply. From the federal standpoint, however, one may ask whether penalties are applied to those organizations that do not comply. From the aspect of applying penalties, HIPAA is not so effective. For the most part it might not be economically feasible for the government to apply the penalties of the HIPAA law in a few minor cases. However, a reported case of a missing laptop with over 3000 patients' personal health records would trigger a federal alarm.
Organizations and IT Legislation: Most organizations today are faced with compliance issues. This is often because they do not have the knowledge or the resources to apply the regulations within the organization. From time to time regulations are modified or updated, and new ones are introduced, putting more pressure on organizations that have no choice but to comply. Many organizations take the approach of continually modifying their security infrastructure as they are impacted by these laws. Such organizations are likely to spend ten times as much over time as those organizations that implement systems and processes that are inherently compliant by design from the beginning, so that if some new compliance regulation comes along it is as simple as making some minor adjustments and creating a new report to demonstrate compliance with the requirement.
Organizations should not base their information security solely on legislation. According to Alain Sadeghi, as technology advances and the internet expands, companies and governments cannot rely on protecting themselves behind the short and inadequate arms of the law. The law simply cannot keep up with advances in technology and the crime that follows, exploiting these advances. Therefore, instead of more regulations and litigation, companies and governments need to take a proactive approach to detection and prevention (Nemati, 2007).
Conclusion
Legislation relating to how information is used was established to aid in combating cybercriminal activities. Some of the more prominent laws are the CFA, the CSA, the USA PATRIOT Act, HIPAA, the Sarbanes-Oxley Act and FISMA. Although this legislation may have the necessary components to achieve its objectives, organizational compliance and the application of penalties to non-complying entities are not generally successful. Notwithstanding this, organizations should endeavour to comply with these laws, since they are a means of obtaining privacy and security. Organizations also need to take a proactive approach where security is concerned, as opposed to relying solely on the law.


References
Computer Desktop Encyclopedia. (n.d.). Computer Fraud and Abuse Act. Answers.com. Retrieved May 10, 2010 from http://www.answers.com/topic/computer-fraud-and-abuse-act
FinCEN. (n.d.). USA PATRIOT Act. Financial Crimes Enforcement Network. Retrieved May 10, 2010 from http://www.fincen.gov/statutes_regs/patriot/
National Institute of Standards and Technology. (n.d.). Federal Information Security Management Act Implementation Project. Retrieved May 10, 2010 from http://csrc.nist.gov/groups/SMA/fisma/index.html
Nemati, H. (2007). The Expert Opinion. Journal of Information Technology Case and Application Research, 9(1), 59-63. Retrieved May 11, 2010 from ProQuest.
Privacilla.com. (2002). The Computer Security Act. Retrieved May 10, 2010 from http://www.privacilla.org/government/computersecurityact.html
SearchCIO.com Definitions. (n.d.). Sarbanes-Oxley Act. Retrieved May 10, 2010 from http://searchcio.techtarget.com/sDefinition/0,,sid182_gci920030,00.html
U.S. Department of Health and Human Services. (n.d.). Health Information Privacy. Retrieved May 10, 2010 from http://www.hhs.gov/ocr/privacy/
