
Legislative ethical and legal regulatory compliance frameworks

Last reviewed: August 13, 2012
Abstract

Personal identifying information is frequently gathered by businesses and governments and is stored in a variety of formats, both digital and paper. Protecting this data has become a mounting issue for businesses and government entities around the country. Several laws have been enacted to facilitate the protection of that data.


Legislative, Ethical, and Legal Regulatory Compliance

Personal identifying information is frequently gathered by businesses and governments and is stored in a variety of formats, both digital and paper. Protecting this data has become a mounting issue for businesses and government entities around the country. Several laws have been enacted to facilitate the protection of that data. These include data disposal laws, security breach notification laws, and identity theft statutes (Data disposable laws, 2012).

A data security breach takes place when there is a loss or theft of, or other unlawful access to, sensitive personally identifiable information that could result in the compromise of the confidentiality or integrity of that data. "Data breaches are caused by computer hacking, malware, payment card fraud, employee insider breach, physical loss of non-electronic records and portable devices, and inadvertent exposure of confidential data on websites or in e-mail" (Stevens, 2012). Data breaches are costly and time consuming, and they can damage a company's reputation. U.S. companies are reportedly reluctant to buy cyber liability insurance even though data breaches have cost companies millions of dollars. Data breaches involving sensitive personal information may also result in identity theft and financial crimes such as credit card fraud, phone or utilities fraud, bank fraud, mortgage fraud, employment-related fraud, government documents or benefits fraud, loan fraud, and health-care fraud.

The Fair Credit Reporting Act (FCRA) and the Federal Trade Commission's Rule concerning the Disposal of Consumer Report Information and Records (the Disposal Rule) require small businesses that obtain consumer information from consumer reporting companies such as Equifax, Experian, or TransUnion to take reasonable measures to properly dispose of that information. Health care providers and financial institutions may have additional obligations to destroy consumer information under the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) (Disposing of Data -- Do it Responsibly, 2010).

Approximately nineteen states have statutes that require small businesses to dispose of records that contain personal information. Like the Disposal Rule, the majority of these statutes require small businesses to take reasonable steps when destroying records. Some of the state statutes apply only to specific types of small businesses, such as health care providers, financial institutions, or tax preparers (Disposing of Data -- Do it Responsibly, 2010).

There are generally two types of data destruction laws: those that expressly specify how the data must be destroyed, and those that mandate the use of a disposal process that meets a reasonableness standard. "Some states include both types, though most choose only one. States that fall into the first category typically use some variation of the following regulation: Businesses must take all reasonable steps to destroy records by shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable" (Data Destruction Laws, 2007). Statutes of the first type frequently specify how the records must be destroyed and what the end result of the process must be. The second type of data destruction law provides that businesses shall maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect it from unauthorized access, destruction, use, modification, or disclosure.

"Forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands have laws requiring notification of security breaches involving personal information" (Stevens, 2012). Federal laws, regulations, and guidance issued to federal departments and agencies require certain sectors (healthcare, financial services, the federal public sector, and the Department of Veterans Affairs) to implement information security programs and to provide notice of security breaches involving personal information.

"In response to such notification laws, over 2,676 data breaches and computer intrusions involving 535 million records containing sensitive personal information have been disclosed by data brokers, businesses, retailers, educational institutions, government and military agencies, healthcare providers, financial institutions, nonprofit organizations, utility companies, and Internet businesses" (Stevens, 2012). As a result, a very large number of people have received notices that their personally identifiable information has been improperly disclosed.

There are three reasons for breach notification laws to exist. The first is common courtesy: when one loses something belonging to someone else, one should tell them. The customary corporate attitude before such laws was that people would not notice, and if they did not notice they would not be told. The second reason is that notification provides security researchers with statistics on how widespread the problem really is. The third is that it forces companies to improve their security. The problem with companies protecting data is that it is not in their financial interest to do so. That is, the companies are responsible for protecting sensitive data, but bear little of the cost when that data is compromised. Individuals suffer the harm, but they have no control over, or even knowledge of, the company's security practices. "The idea behind such laws, and how they were sold to legislators, is that they would increase the cost -- both in bad publicity and the actual notification -- of security breaches, motivating companies to spend more to prevent them. In economic terms, the law reduces the externalities and forces companies to deal with the true costs of these data breaches" (Schneier, 2009).

Identity theft entails the misuse of any individually identifying information to commit a violation of federal or state law. With continued media reports of data security breaches, concerns about identity theft are widespread (Stevens, 2012). Identity theft is an increasingly common crime in which a criminal obtains a victim's personal identifying information (PII) to commit fraud or other crimes. The daily news is full of these stories, ranging from anecdotal tales of an individual's stolen identity to lapses in security surrounding sensitive consumer data (Paul, 2006).

Source: PaperDue. (2012). Legislative ethical and legal regulatory compliance frameworks. https://www.paperdue.com/essay/computer-science-legislative-ethical-and-75144