One of the largest privacy concerns inside most organizations today is how you're going to collect, process and store PII, known as personally identifiable information. Now, whether this data is on your employees or your customers, if you're collecting and using this type of data, it is your corporate responsibility to provide adequate protections for it. Your policy should address, at a minimum, what PII can be shared, with whom it can be shared, how you're going to transmit and exchange this type of data, how you're going to maintain the confidentiality of it and how the owner of that information can opt out of collection, if they desire. Now, the first step in protecting PII is to understand what constitutes this class of information. If a piece of data can be used either by itself or in combination with some other piece of data to identify a singular person, then it's considered PII. Now, what are some examples of PII?
Well, these are things like your full name, your driver's license number, your social security number, your date of birth, your place of birth, digital versions of your biometric features like your fingerprints or your retina scans, financial account numbers, your addresses, your email addresses and even your social media usernames. Now, different countries and different governments are going to hold companies to different levels of protection and you're going to be able to classify what constitutes PII based on those different regulations. Therefore, it's important to check with your legal team during the development of your security policies to ensure you're meeting any legislative or due care requirements that are associated with personal information. This includes ensuring that you're meeting any local, state, national or even international laws regarding the protection of this type of sensitive data, and this data is going to be about your employees, your customers or any other person who interacts with your information systems.
Now, do you need to be an expert in all of the various laws and regulations and standards that may apply to your organization? Well, of course not. You're in IT, you're not a lawyer. But you should be able to at least associate the name of a particular law with its stated intent. And these laws were all designed to help protect against the disclosure of data including personally identifiable information and protected health information. The first one is the Federal Privacy Act of 1974. This affects any U.S. government computer system that collects, stores, uses or disseminates personally identifiable information. If you work for the government or one of its contractors, then this law is going to apply to your organization. The second regulation you need to know is called HIPAA. HIPAA is the Health Insurance Portability and Accountability Act and it affects health care providers, facilities, insurance companies and other medical data clearinghouses. If your organization is processing or storing medical data, you're likely going to be affected by HIPAA.
It's enforced by the Department of Health and Human Services in the United States and it provides you with the standards and procedures that have to be used, at a minimum, for storing, using and transmitting medical information and healthcare data. The third law you should know is Sarbanes-Oxley or SOX, as it's also known. This was originally enacted by Congress back in 2002 as the Public Company Accounting Reform and Investor Protection Act of 2002, but you're almost always going to hear it referred to as SOX or Sarbanes-Oxley. If your organization is a publicly traded U.S. corporation, it's affected by this regulation and it has to follow certain accounting methods and financial reporting requirements. Now, the important thing to keep in mind with Sarbanes-Oxley is that if you fail to follow it, your senior leadership, like your CEO, can actually receive jail time for it. So, Sarbanes-Oxley is a big deal, and all of those accounting methods and financial reporting, that's all data that's being stored on your IT systems, so you're going to get involved with this as an IT professional.
The next regulation we're going to talk about is known as GLBA or the Gramm-Leach-Bliley Act of 1999. Now, this affects banks, mortgage companies, loan offices, insurance companies, investment companies and credit card providers. Basically, if you work for a financial institution, this is going to affect you. GLBA directly affects the security of personally identifiable information and it prohibits sharing of financial information with any third parties, and it also provides guidelines for securing that financial information. Another law that affects you if you're working for the federal government is the Federal Information System Security Management Act of 2002, also known as FISMA. Now, FISMA requires each agency in the government to develop, document and implement an agency-wide information systems security program to help protect their data. Basically, FISMA is all about cyber security. The goal here is to create more secure networks across the entire U.S. government. Now, the final thing we're going to talk about here is a standard, not an actual law or regulation.
But it's one that affects you if you take credit card payments. It's known as PCI DSS or the Payment Card Industry Data Security Standard. This is an agreement that any organization that collects, stores or processes credit card information for a customer has to follow. Again, this isn't a law or regulation, but it is a contractual obligation or agreement and it's a standard that must be followed if your organization wants to be able to handle credit card transactions. To prove compliance with this, you have to make sure your organization receives an external audit at least annually. Now, another federal law that you should know about is known as HAVA, which is the Help America Vote Act of 2002, or HAVA. Now, it was designed to help replace the old punch card systems back in the voting machines that we used, and it provides regulations that govern the security, confidentiality and integrity of the personal information that's collected, stored or processed during the election cycle and the voting process.
Now, the last law we're going to talk about is actually a California law, so it only affects businesses that operate in California as a California corporation. Now, why are we covering it then? Because this doesn't even apply to my company. Well, it's because a lot of IT companies out there do business in California or they're based out there, and this makes them a California business under this law. This law is called SB 1386, which is the number that was assigned to this regulation. Now, it was created in 2003 and requires any California business that stores computerized personal information to immediately disclose any breach of security that it becomes aware of. So, let's consider the example of Facebook, which is a California business. Now, if Facebook got hacked, your personal information could be disclosed. And if that happens, Facebook has to notify you, the consumer, immediately about their data breach.