Laws Affecting the Customer
Economic Espionage Act of 1996 (EEA)
Financial Services Modernization Act of 1996 (GLB)
Health Insurance Portability and Accountability Act (HIPAA)
Fair and Accurate Credit Transaction Act (FACTA)
Sarbanes Oxley (SOX)
E.U. Data Protection Directives
Economic Espionage Act of 1996 (EEA)
- Provides strong federal protections for intellectual property and trade information
- Risk of losing protection if internal information controls are found lacking
Financial Services Modernization Act of 1996 (GLB)
- Administered and enforced by the U.S. Federal Trade Commission (FTC) and U.S. Banking Agencies
- Requires financial institutions to safeguard personal financial information of clients (Safeguards Rule)
- Requires written policies and procedures for protection of client information
- Requires the appointment of a designated officer to implement and maintain the program
- Risk of fines, incarceration and negative publicity if a violation occurs
Health Insurance Portability and Accountability Act (HIPAA)
- Administered by the U.S. Dept. of Health and Human Services
- Enforced by the U.S. Office of Civil Rights
- Prohibits unauthorized access to personal medical information (Privacy Rule)
- Requires written policies and procedures for protection of health information
- Requires a contract with, and annual review of, all third-party processors of health information
- Requires the appointment of a designated officer to implement and maintain the program
- Risk of significant fines and negative publicity if a violation occurs
Fair and Accurate Credit Transaction Act (FACTA)
- Administered and enforced by the U.S. Federal Trade Commission (FTC), U.S. Banking Agencies and the U.S. Dept. of Treasury
- Requires the destruction of discarded personal information obtained from credit reports
- Risk of significant fines and negative publicity if a violation occurs
- Allows for class actions and punitive damages
Sarbanes Oxley (SOX)
- Applies to all publicly traded companies
- Administered and enforced by the U.S. Securities and Exchange Commission (SEC)
- Holds top executive management responsible for information integrity and policy compliance
- Random or sloppy information destruction policies risk adverse interpretation and could lead to a violation
- Negligent acts are punishable by up to a $1,000,000 fine and 10 years in prison
- Willful acts are punishable by up to a $10,000,000 fine and 20 years in prison
E.U. Data Protection Directives
- Administered and enforced by the Data Protection Commissioner
- Applies to all businesses transacting business in an E.U. country, regardless of where the business is based
- Prohibits unauthorized access to customers' personal information
- Requires a contract with any third party processing or disposing of personal information
- U.S. firms risk being blocked from doing business in-country if non-compliant anywhere
Consumers Care and React
The overwhelming majority of security-breach victims blamed the offending institution for the breach, according to a Ponemon Institute survey of 1,100 American adults who had received security-breach notifications alerting them that their personal information had been compromised. The survey found that 92% blamed the company for the data breach, 40% were still reconsidering their future involvement with the company, 19% had left the company because of the issue, and 5% were seeking legal advice about possible lawsuits.
Copyright USShred 2006