A Short Note on Identity Theft, Compliance Regulations, and Breach Laws
There are a number of laws, both state and Federal, that have been created to address the problem of identity protection and identity theft. Various laws enacted by Congress are meant to protect the identity of consumers. One example is the Privacy Act of 1974, which “can be characterized as an omnibus ‘code of fair information practices’ that attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies” (USDOJ, 2004, p. 1). Unfortunately, these regulations extend only to Federal systems, or to systems covered under Federal law.
Congress has lent a helping hand to business owners and individuals by passing legislative acts throughout the years. Two such examples are the Fair and Accurate Credit Transactions Act (FACTA) of 2003 and the Identity Theft Penalty Enhancement Act (ITPEA), which were enacted by Congress in order to give consumers and creditors ways to protect against and prevent identity theft and identity fraud, and to impose consequences for them (Holfreter, 2006). These laws define protection against identity theft and identity fraud, but are somewhat limited in the context of information security.
Federal and State Consumer Protection Laws
There are a number of Federal and State laws and regulations that provide consumer protection against information security attacks and breaches. On a Federal level, the Health Insurance Portability and Accountability Act (HIPAA) provides a number of security rules and regulations that practitioners and businesses in the medical field must follow. The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). There are also a number of state-specific regulations, such as the Illinois Personal Information Protection Act (IPIPA).
Both HIPAA and IPIPA mandate that businesses adhere to specific guidelines and standards when handling personal information. HIPAA, for example, states: “The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses” (NIST, 2008, p. vii). While each of the specific regulations may focus on a subset of the population or information type, they all have the ability to impose a significant financial burden on an organization (Poindexter, Earp, & Baumer, 2006).
Adhering to these laws will require companies to take additional measures, such as increasing their staff or their security, depending on the specific portion of the law they are trying to meet (Poindexter et al., 2006). Each regulation also provides specific guidance on how security breaches should be addressed. The IPIPA specifically calls out language that requires incorporating “breach of the security of data incident response notification into the incident response plan”. In a similar fashion, NIST defines a number of incident response notification guidelines as a requirement of HIPAA (NIST, 2008). In addition, each of the regulations provides a number of security controls with added guidance on implementation.
Accountability is lacking at the executive level
Unfortunately, these laws and regulations fall incredibly short in the commercial space. There are presently no Federal penalties for companies that are breached as a result of a lapse in their security. As we wait to see how the story unfolds with Target and Neiman Marcus, we can only hope that these incidents will prompt Congress to pass acts that increase the financial and legal accountability of executives at these corporations. At present, a company that is breached must suffer only the consequences of damage to its business. There are no financial penalties or legal repercussions for the executives who made the IT decisions that ultimately led to the catastrophe.