Choose one of the legislations identified in Chapter 26 (attached). Choose the one that you believe will apply the most to you and your business (current or future) – choose a company in tech industry. Provide detailed analysis answering the questions below:
> Which legislation did you choose? Please copy and paste the legislation into your reply in quotation marks (and a proper citation).
> Why do you believe that this legislation is the most applicable?
> If you had the ability to change the legislation, without reducing security or making it easier for companies to cheat or not be in compliance, what would you change and why?
Need 2-3 pages with peer-reviewed citations. No introduction or conclusion needed.
26 Compliance
Clause 18 of ISO 27002 (Compliance) is intended to ensure that the organization avoids breaches of any criminal or civil law, as well as any statutory, regulatory or contractual obligations, and any security requirements. It deals with legal requirements, security policy compliance and technical checking, and with system audit. It is the last clause of the standard and it has two objectives with eight supporting controls.
The outline of relevant legislation in this, the legal requirements section of this book, is not intended to be authoritative. Current legal advice must be taken from qualified specialist legal advisers if an organization wants or needs to rely on any matter discussed here. Equally, it should be noted that this section is dealing with current compliance issues for organizations based or operating in or supplying either the UK or US market. Laws are likely to be different in other countries, and therefore organizations seeking certification that are based elsewhere should take specialist local advice. Organizations based in a jurisdiction with operations elsewhere in the world will need to deal with the local legal requirements as well as those of the foreign countries in which they operate, and again specialist legal advice should be taken.
E-commerce (even if the organization is based in one jurisdiction) could potentially take place in a multitude of countries, and the law in this area is constantly changing and developing. Any organization that is trading across the web without limits on who may access its website should take specialist advice to ensure that contractual and trading terms are watertight and that issues of jurisdiction and which law (that of the country in which the server is based, or the organization is based, or the customer is based, or to which delivery is made) will apply to any transaction have been resolved, and to ensure that there is an appropriate acceptance and/or waiver of liability on the entrance to the website.
IT GOVERNANCE 340
Identification of applicable legislation
Control 18.1.1 of ISO 27002 says the organization should explicitly define and document the statutory, regulatory and contractual requirements for each of its information systems, and this documentation should be kept up to date to reflect any relevant changes in the legal environment. The specific controls and individual responsibilities to meet these requirements should be similarly documented and kept up to date. The ISMS should already contain a complete list of all the data assets and processes in the organization, together with ownership details (see Chapter 8).
A sensible way to tackle this requirement is to create a database of applicable legislation (which will need to be updated as and when laws change) that identifies relevant laws, the specific clauses which may be applicable, and which links those specific clauses to individual controls in the ISMS. For each regulatory or contractual requirement on the database, someone in the organization should have allocated responsibility for ensuring compliance.
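The register described above can be kept as data rather than as a spreadsheet, so that the gaps the text warns about (a requirement with no owner, a clause mapped to a control that no longer exists in the ISMS, a review that has lapsed) are found mechanically. The following Python sketch is an added illustration, not code from the book or from any product it mentions. The statutes named are real, but the clause-to-control mappings, the control catalogue, the owners and the review dates are constructed for the example and are not legal advice.

```python
"""Compliance register as code (added example, not from the original text).

Each entry links a legal or contractual requirement (law + clause) to the ISMS
controls that satisfy it and to a named owner.  find_gaps() reports the three
kinds of gap the register is meant to prevent; controls_to_requirements()
answers the inverse question: if this control changes, which legal clauses
must be re-assessed?
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Requirement:
    law: str
    clause: str
    controls: Tuple[str, ...]   # ISMS control identifiers (Annex A style, assumed)
    owner: Optional[str]        # person accountable for compliance, or None if unassigned
    last_reviewed: date


# Constructed control catalogue using ISO 27001:2013 Annex A identifiers.
ISMS_CONTROLS = {"A.18.1.1", "A.18.1.3", "A.18.1.4", "A.16.1.2", "A.12.4.1", "A.9.4.2"}

# Constructed register entries; mappings and owners are illustrative only.
REGISTER = [
    Requirement("Data Protection Act 2018 / UK GDPR", "Art. 32 security of processing",
                ("A.18.1.4", "A.12.4.1"), "Head of IT Security", date(2024, 1, 15)),
    Requirement("Data Protection Act 2018 / UK GDPR", "Art. 33 breach notification",
                ("A.16.1.2",), "Data Protection Officer", date(2024, 1, 15)),
    # Gap: nobody owns this requirement.
    Requirement("Computer Misuse Act 1990", "s.1 unauthorised access",
                ("A.9.4.2", "A.12.4.1"), None, date(2023, 9, 1)),
    # Gaps: A.18.1.2 is not in the catalogue, and the review is more than a year old.
    Requirement("Copyright, Designs and Patents Act 1988", "s.16 acts restricted by copyright",
                ("A.18.1.2",), "Procurement Manager", date(2022, 3, 1)),
]

REVIEW_PERIOD = timedelta(days=365)
AS_OF = date(2024, 6, 1)   # fixed "today" so the example is reproducible offline


def find_gaps(register: List[Requirement], controls: set, today: date,
              review_period: timedelta = REVIEW_PERIOD) -> Dict[str, List[str]]:
    """Return {gap_type: [keys]} for unowned, mis-mapped and stale requirements."""
    gaps: Dict[str, List[str]] = {"no_owner": [], "unknown_control": [], "review_overdue": []}
    for r in register:
        key = f"{r.law}: {r.clause}"
        if not r.owner:
            gaps["no_owner"].append(key)
        for c in r.controls:
            if c not in controls:
                gaps["unknown_control"].append(f"{key} -> {c}")
        if today - r.last_reviewed > review_period:
            gaps["review_overdue"].append(key)
    return gaps


def controls_to_requirements(register: List[Requirement]) -> Dict[str, List[str]]:
    """Inverse index: control id -> legal clauses that rely on it."""
    index: Dict[str, List[str]] = {}
    for r in register:
        for c in r.controls:
            index.setdefault(c, []).append(f"{r.law}: {r.clause}")
    return index


if __name__ == "__main__":
    for kind, items in find_gaps(REGISTER, ISMS_CONTROLS, AS_OF).items():
        print(f"{kind}: {items}")
    for control, reqs in sorted(controls_to_requirements(REGISTER).items()):
        print(f"{control} -> {reqs}")
```

Run as a script it prints the three gap lists and the control-to-clause index; in practice the same check would run whenever the register or the control catalogue is edited, so that a control retired during an ISMS review cannot silently leave a legal requirement unaddressed.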
Of course, in an integrated management system there would be an integrated approach to tracking legal and compliance developments in all the components of the system. Information security, health and safety, environment, quality, human resources, commercial and other issues would all be systematically tracked and appropriate steps taken towards compliance inside the organization.
The legislation that any organization might need to identify could include, but is not necessarily limited to:
● EU regulation. EU directives and regulations have been, and will continue to be, significant drivers of UK regulation. The two most important EU instruments, from the perspective of this clause of the standard, are the EU General Data Protection Regulation (GDPR) and the EU Privacy and Electronic Communications (ePrivacy) Directive 2002/58/EC, transposed in the UK in 2003. These instruments give the context for the UK legislation identified and discussed below, and for any changes that may occur in future.
● UK legislation. Intellectual property rights (IPR), through the Copyright, Designs and Patents Act 1988 (CDPA), are one of the most obvious legal issues for most information processing systems, but there is a web of other relevant legislation. The Companies Act 2006, which consolidates and replaces all the previous UK Companies Acts, contains a number of important provisions regarding electronic records, electronic trading and electronic communications. The next most important of these laws is the Data Protection Act 2018 (DPA), and in addition to this there are the Human Rights Act 1998 (HRA), the Regulation of Investigatory Powers Act 2000 (RIPA), the Computer Misuse Act 1990 (as updated by the Police and Justice Act 2006), the Electronic Communications Act 2000 and the Privacy and Electronic Communications Regulations 2003 (as amended). The Freedom of Information Act (FOIA) was passed in 2000 and, while primarily applicable to public bodies, it has the potential to force into the public arena confidential commercial information about (for instance) public-sector contracts.
● In the United Kingdom, there is a complex array of anti-money laundering laws including the Terrorism Act 2000, the Proceeds of Crime Act 2002 and the Money Laundering Regulations 2003 (since replaced by the 2007 Regulations and then by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017). Compliance with this legislation means that detailed client verification records need to be maintained and kept secure.
● More recent UK laws include the Bribery Act 2010, an array of Crime and Security Acts, plus assorted legislation dealing with identity documents and electronic money.
● There is an increasing amount of corporate governance legislation in the United Kingdom, which will require the collection and storage of commercially sensitive data in order to satisfy reporting obligations. In order to comply, directors will also need to satisfy themselves that the IT system itself does not pose any operational risks to the company. These requirements, originally contained in general legislation such as the Companies (Audit, Investigations and Community Enterprise) Act 2004, were carried forward to the Companies Act 2006. There is also sector-specific regulation enforced by bodies such as the Financial Services Authority (whose functions passed in 2013 to the Financial Conduct Authority and the Prudential Regulation Authority).
● US legislation. Relevant US legislation and regulation include the Gramm–Leach–Bliley Act (GLBA), dealing with consumer financial data; the Fair Credit Reporting Act (FCRA), designed to protect people from identity theft; the Health Insurance Portability and Accountability Act (HIPAA), which requires healthcare organizations (and their business associates) to protect – and keep up to date – their patients’ healthcare records; the SEC’s Regulation FD, which bars selective disclosure of material non-public information; the SEC’s Rule 17a-4, which requires broker-dealers to retain trading records (therefore including e-mails, etc) for six years; section 404 of Sarbanes–Oxley (the overall importance of which is much greater than this single issue), which requires companies to safeguard (among other assets) their information, including e-mails, attachments, etc; the California Online Privacy Protection Act (CalOPPA, in force since 2004), which requires websites serving Californians (irrespective of their geographic or jurisdictional location) to comply with strict privacy guidelines; the CAN-SPAM Act, the Digital Millennium Copyright Act (DMCA), FISMA and a growing number of state information security and data breach laws (such as California Senate Bill 1386), which require notification of breaches of personal data security.
Most recently, the California Consumer Privacy Act (CCPA) brings some of the EU GDPR’s regulatory heft to the USA and has triggered a federal-level review of US privacy regulation. Of course, the huge growth in anti-money-laundering regulation, including the recommendations of the international Financial Action Task Force (FATF) and the requirements of the USA PATRIOT Act, broadens the requirement on organizations to verify client details, and therefore to keep those personal details secure and in line with applicable data security regulations.
UK legislation
In the United Kingdom, there are now over 70 laws that, to one extent or another, may need to be reflected in the ISMS. A current list is included in the Vigilant Software Compliance Manager. The most important legislation includes the following.
THE DATA PROTECTION ACT 2018
The UK’s Data Protection Act 2018 (DPA), which supplements the EU GDPR in UK law (and, since Brexit, sits alongside the retained ‘UK GDPR’), requires any organization that processes personal data to comply with six data protection principles, backed by an overarching accountability obligation on the controller to demonstrate compliance. The principles are that personal data must be:
1 processed lawfully, fairly and in a transparent manner;
2 collected for specified, explicit and legitimate purposes;
3 adequate, relevant and limited to what is necessary;
4 accurate and, where necessary, kept up to date;
5 retained only for as long as necessary;
6 processed in an appropriate manner to maintain security.
The DPA 2018 is concerned with every conceivable category of personal data that relates to an identifiable natural individual and includes information such as an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Under the terms of the DPA, ‘processing’ includes any operation performed on personal data, and the requirements apply to both electronic data and paper records (if they are contained in a ‘relevant filing system’). The precise definitions of what is and what is not covered are set out in the GDPR.
Any organization that determines the purposes and means of processing personal data (a data controller) must, unless exempt, pay an annual data protection fee to the Information Commissioner under the Data Protection (Charges and Information) Regulations 2018; this fee regime replaced the earlier annual notification (registration) requirement.
The DPA covers all activities that involve processing personal data, including CCTV records, websites and internet activity, recruitment and selection of staff, employment records, staff monitoring (including, for example, checking telephone records or internet use) and information about workers’ health.
The Information Commissioner’s website provides detailed guidance and a number of codes of practice (some general codes and others specific to the public or private sectors) on the steps necessary for an organization to comply with the DPA. In that guidance, the Information Commissioner describes the approach that an organization should follow in its effort to comply with the sixth data protection principle. This approach is in line with ISO 27001. It would be fair to assume from this that implementation of a certified ISMS would be regarded as an appropriate step to comply with the requirements of the sixth principle of the DPA.
The key point is that data controllers and data processors – those organizations that process data on behalf of a data controller – must comply with the DPA; failure to do so could result in substantial fines for organizations, and particular attention should be paid to the requirement to keep data secure. The Information Commissioner has the power to levy fines of up to 4 per cent of annual global turnover or £17.5 million (€20 million under the EU GDPR), whichever is higher, for the most serious breaches.
In particular, the GDPR requires organizations to take all appropriate steps to protect personal data from likely compromises to its confidentiality, integrity and availability and to do so after taking account of vulnerabilities, impacts and the ‘state of the art’. The risk-driven approach of ISO 27001 supports the requirements of the DPA.
The DPA 2018 and GDPR require organizations that suffer personal data breaches (where there is a risk to the rights and freedoms of data subjects) to report them to the Information Commissioner without undue delay and, where feasible, within 72 hours of becoming aware of the breach; where the risk is high, the affected data subjects must also be told. They also confer on data subjects the right to bring complaints to supervisory authorities or to bring court actions in circumstances where they consider their rights as data subjects to have been transgressed.
THE PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS 2003 AND 2011
The Privacy and Electronic Communications Regulations 2003 came into force on 11 December 2003 and superseded the earlier Telecommunications (Data Protection and Privacy) Regulations 1999. The Information Commissioner is responsible for enforcing them, and there is a section on the Information Commissioner’s website dealing with these regulations.
The regulations cover use, by telecommunication network and service providers and by individuals, of any publicly available electronic communications network for direct marketing purposes, and any unsolicited direct marketing activity by telephone, fax, electronic mail (which includes text, video and picture messaging, SMS and e-mail) and automated telephone calling systems. The key right conferred both on individuals and on corporate entities is the right to register their objection to receiving unsolicited direct marketing material, and it provides a mechanism for doing this. A number of requirements, including in some circumstances the obligation to obtain the prior consent of the person to whom marketing messages are to be directed, are imposed on direct marketers, and these will intersect with obligations under the DPA; organizations have to ensure that they comply with both. The 2011 amendment introduced a requirement to obtain the user’s prior consent before storing a cookie (or similar technology) on, or reading one from, their device, unless the cookie is strictly necessary to provide a service the user has requested; the standard of consent is now that of the GDPR. The Information Commissioner’s website supplies, and keeps up to date, detailed guidance on these regulations. The detailed law around data protection and privacy is changing as cases work their way through the courts. Any organization engaged in direct electronic marketing of any sort needs to take appropriate legal advice and ensure that its operations remain in line with the law.
THE FREEDOM OF INFORMATION ACT 2000
The Information Commissioner enforces both the Freedom of Information Act 2000 (FOIA) and the Data Protection Act. The FOIA provides a general right of access to all types of information held by public authorities, including information held on their behalf by contractors providing services for them. The FOIA is ‘intended to promote a culture of openness and accountability amongst public sector bodies, and therefore facilitate better public understanding of how public bodies carry out their duties, why they make the decisions they do, and how they spend public money’. Only public authorities are subject to the Act, and there is a long list, at Schedule 1 of the FOIA, of all the organizations covered; it basically includes any public body.
The FOIA came fully into force on 1 January 2005, and the first adoption of a publication scheme under the FOIA was by government departments and their agencies in 2002. The rights of individuals to access information held by these organizations, and the responsibilities of the organizations, can be explored further on https://ico.org.uk (archived at https://perma.cc/ 6BTV-VF5H).
Private companies should note that one of the clear consequences of the FOIA is that details of their previously confidential public-sector tenders and contracts could now be made public, irrespective of any previous confidentiality clauses. This is a key area on which private-sector companies may urgently need to take contract-specific professional advice; certainly, their commercial practices may need to be adjusted to reflect the risk of disclosure.
The Information Commissioner is also now responsible for the Environmental Information Regulations 2004 (which also came into force on 1 January 2005), which enable people to access environmental information held by or on behalf of public authorities and those bodies carrying out a public function. Technically, any environmental information request is an FOIA request, but, as environmental information was exempted in the FOIA, these regulations are necessary. As part of the requested information might also be personal information (eg if the applicant is a subject of the information request), these regulations intersect with the DPA.
Public authorities will take appropriate legal advice on the issues contained in the three pieces of legislation; it is expected that use and practice, court cases and ministerial interventions will all contribute to a changing privacy landscape. The national identity card scheme created by the Identity Cards Act 2006 would have reshaped the whole area, but it was scrapped by the Identity Documents Act 2010.
THE COMPUTER MISUSE ACT 1990
The Computer Misuse Act 1990 (CMA) was designed to set up provisions for securing computer material against unauthorized access or modification. It created three offences: the first (section 1) is knowingly to cause a computer to perform a function with intent to obtain unauthorized access to any program or data held in a computer; the second (section 2) is to commit that unauthorized access with intent to commit or facilitate further offences; the third (section 3) was originally an unauthorized modification of any computer material, now framed as an unauthorized act with intent to impair, or recklessness as to impairing, the operation of a computer. The CMA allows for penalties in the form of both fines and imprisonment.
The CMA basically outlaws, within the United Kingdom, hacking and the introduction of computer viruses. It initially had a significant impact on the computer policies of universities, often seen as the source of much of this sort of activity. It does have other implications for computer users in the United Kingdom. Anyone using someone else’s user name without proper authorization is potentially committing an offence. Anyone copying data who is not specifically authorized is potentially committing an offence. It also has relevance for organizations whose employees may be using organizational facilities to hack other sites or otherwise commit offences identified under the Act. The organization should take full advantage of the lawful business monitoring provisions made under the RIPA (see below) to ensure that staff are complying with the law.
The United Kingdom’s All Party Internet Group (APIG) reviewed this Act in mid-2004 and recognized that it had been ineffective, largely through inadequate enforcement resourcing. It recommended a limited number of changes to the CMA and a number of other actions by other bodies to improve the legal environment for computer security. This led to the Police and Justice Act (2006) which updated and modified the CMA.
THE POLICE AND JUSTICE ACT 2006
Sections 35–38 of the Police and Justice Act 2006 (which also deals with many other issues) amended the CMA as follows:
● The section 1 offence of unauthorized access became triable either way, with a maximum sentence on indictment of two years (previously six months).
● The maximum sentence for ‘unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer’ (aimed primarily at denial-of-service attacks, but with a far wider effect) was doubled from five to ten years.
● They created an offence (section 3A) of ‘making, supplying or obtaining articles for use in an offence’ as defined in the CMA, as amended. While it is claimed that this provision, which is clearly intended to deal with hacking tools, may have the unintended consequence of impacting ethical hacking and penetration testing, the wording of section 3A indicates that there will only be an offence if a tool is made or adapted, or supplied, with the intention or belief that it will be used in (or to assist) the commission of a CMA offence, or obtained with a view to such use; a penetration tester working under a written, scoped authorization from the system owner is therefore outside its terms.
Subsequently, the Serious Crime Act 2015 inserted section 3ZA, creating a further offence of unauthorized acts causing, or creating a significant risk of, serious damage (to human welfare, the environment, the economy or national security), with maximum sentences of 14 years, or life where the damage is to human welfare or national security.
THE COPYRIGHT, DESIGNS AND PATENTS ACT 1988
The internet starting point for organizations that want detailed advice on intellectual property is the Intellectual Property Office. The principal legislation on copyright can be found in the Copyright, Designs and Patents Act 1988 (CDPA). It has been amended a number of times and there is no official consolidation of it. A list of the most important pieces of legislation that have amended the 1988 Act and some other information about the legislation can be obtained from the UK Intellectual Property Office (www.gov.uk/government/organisations/intellectual-property-office (archived at https://perma.cc/J6EG-3ZL2)). This is a complex and difficult area for any organization that deals in intellectual property, and appropriate professional advice should be taken from a firm that specializes in this area.
Organizations with valuable digital assets should also track developments in digital watermarking, the embedding of an ownership or tracing mark in other data such as voice communications, visual images and music, in order to provide forensic evidence of copyright ownership and trace the source of infringing material. Watermarking borrows techniques from steganography (hiding information in other data), though a watermark need not be secret and is designed to survive copying and re-encoding. It is likely to become an important part of copyright management on the internet, and there are a number of companies offering competing digital watermarking technologies, both to create and to view digital watermarks.
In the United Kingdom there are a number of collective bodies that handle licensing for specific sectors of the creative industries. They include the Copyright Licensing Agency (CLA), a non-profit-making company that licenses organizations for photocopying and scanning from magazines, books and journals. The CLA was established in 1982 by the Authors’ Licensing and Collecting Society (ALCS) (www.alcs.co.uk (archived at https://perma.cc/GBZ6-SXRD)) and the Publishers Licensing Society (PLS) (www.pls.org.uk (archived at https://perma.cc/82V3-PFJ4)) to perform collective licensing on their behalf. It provides a fair and effective way of collecting fees due to authors and publishers for the reproduction of their work. CLA licences permit the photocopying, scanning and e-mailing of articles from trade and consumer magazines, journals, books, law reports and press cuttings without having to seek permission from the copyright owner each time. As a matter of course, any organization that is likely to need legal access to such publications should get an appropriate CLA licence.
THE ELECTRONIC COMMUNICATIONS ACT 2000
The Electronic Communications Act, along with the Electronic Signatures Regulations 2002 and the Electronic Commerce (EC Directive) Regulations 2002, is designed to regulate the use, within the United Kingdom, of cryptography services and to make provision for the use of electronic signatures. Essentially, there are fall-back powers (not yet exercised) to create a central, statutory but voluntary register of approved providers of cryptography services in the United Kingdom, and there are a number of regulations affecting how these approvals are given. The Act also provides for appropriately authenticated electronic signatures to be used in electronic commerce and allows for them to be admitted as evidence in court. The 2002 Electronic Signatures Regulations have since been superseded by the EU eIDAS Regulation (910/2014), retained in UK law after Brexit as ‘UK eIDAS’, which defines simple, advanced and qualified electronic signatures and the trust-service obligations attached to them.
THE HUMAN RIGHTS ACT 1998
The Human Rights Act 1998 (HRA) was passed in 1998 and came into force in October 2000. It incorporates into UK law the principles of the European Convention for the Protection of Human Rights and Fundamental Freedoms (the Convention). Most of the rights within the Convention are qualified, in so far as they are subject to limitations if the employer can show necessity to protect the rights and freedom of others. In particular, an employee could argue in a court or tribunal that monitoring or tapping of the employee’s work telephone or e-mail or internet activity by the employer was a breach of the employee’s right to respect for private life and correspondence under Article 8 of the Convention.
THE REGULATION OF INVESTIGATORY POWERS ACT 2000
Section 1 of the Regulation of Investigatory Powers Act 2000 (RIPA) makes it unlawful intentionally to intercept communications over a public or private telecommunications network without lawful authority. Section 3 allows a defence if it can be reasonably believed that both parties consented to the interception. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 were issued under the powers of the RIPA (and continue in effect under section 46 of the Investigatory Powers Act 2016, which replaced RIPA’s interception provisions). They allow employers to monitor employee communications where the employee has not given express consent, provided that the monitoring is for one or more of the following purposes. It should be carried out to:
● record evidence of business transactions;
● ensure compliance with regulatory or self-regulatory guidelines;
● maintain the effective operation of the employer’s systems;
● monitor standards of training and service;
● prevent or detect criminal activity;
● prevent the unauthorized use of computer or telephone systems (ensuring that the employer’s policies are not breached).
Employers also have to take reasonable steps to inform employees that their communications might be intercepted. This means that employers must introduce acceptable use policies (see Chapter 17) that set out for the employees the employer’s right to monitor such communications.
CODE OF PRACTICE
The Information Commissioner published a code of practice called ‘The use of personal data in employer/employee relationships’. This code is more restrictive than the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 issued under the power of the RIPA. The code argues that the interception of personal electronic communications will almost certainly be covered by data protection principles. It says that unless the circumstances justify the additional intrusion, an employer should limit monitoring to traffic data rather than the contents of the communication, undertake spot checks rather than continuous monitoring, as far as possible automate the monitoring so as to reduce the extent to which extraneous information is made available to any person other than the parties to a communication, and target monitoring to areas of highest risk.
While there will probably be a series of court and tribunal cases over the next few years that deal with the conflicts between the HRA, the RIPA and the code of practice, employers certainly need to introduce an acceptable use policy if they wish to be able to take legal or disciplinary action in respect of inappropriate employee behaviour.
Network and Information Security Directive
The EU’s Network and Information Security Directive (2016/1148) requires member states to legislate for critical national infrastructure organizations to focus on the security, and in particular the availability, of crucial network and information systems. It was transposed in the UK by the Network and Information Systems Regulations 2018, which came into force on 10 May 2018. It affects operators of essential services (OES) and relevant digital service providers (DSPs) that are established in, or offer services within, the UK or the EU. The regulations apply to large organizations and, apart from imposing cyber security obligations, they also require an incident response process as well as incident notification to the relevant competent authority. More detailed information is available on https://www.itgovernance.co.uk/nis-directive (archived at https://perma.cc/HU7R-ZG9F). ISO 27001 is an ideal standard for organizations implementing NIS; given that all such organizations are also subject to GDPR, ISO 27001 can be used to create an integrated information security and incident response management system that is both cost effective and compliant with both regimes.
US legislation
There is not yet any comprehensive federal data protection legislation similar to that found in the EU or in countries such as Canada, Australia and South Africa. Many individual states have enacted their own laws around information security (eg 201 CMR 17.00, the Massachusetts regulation protecting personal information of state residents). All 50 states now have a data breach notification law, which sets out requirements and penalties for organizations that experience a breach that compromises personal information; the definitions of personal information, the notification deadlines and the thresholds differ from state to state. A list of state data breach laws is maintained at www.ncsl.org/default.aspx?tabid=13489 (archived at https://perma.cc/VME6-DU6H). Work in the United States is also ongoing around the development of a National Office of Cyberspace and around the cyber security aspects of homeland security.
HIPAA
HIPAA, a US federal law passed originally in 1996, applies to health plans, healthcare clearinghouses and healthcare providers, which are known in the Act as ‘covered entities’ (and, since the HITECH Act of 2009, directly to their ‘business associates’). The Act requires healthcare organizations to protect – and keep up to date – their patients’ healthcare records (which includes patient account handling, billing and medical records), in order to streamline health industry inefficiencies, reduce paperwork, make the detection and prosecution of fraud easier, and to enable workers to change jobs more easily, even if they have pre-existing medical conditions. The information security requirements of the Act are contained in Health Insurance Reform: Security Standards; Final Rule (45 CFR Parts 160, 162 and 164; 20 February 2003). This requires covered entities to ‘ensure the confidentiality, integrity, and availability of all electronic protected health information they create, receive, maintain, or transmit’ (§ 164.306(a)(1)); to ‘protect against any reasonably anticipated threats or hazards to the security or integrity of such information’ (ibid (2)); and to ‘protect against any reasonably anticipated uses or disclosures of such information that are not permitted’ (ibid (3)). The compliance date, for all covered entities with the exception of small health plans (which had an extra year), was 20 April 2005.
The Administrative Simplification (AS) Provisions state the specific rules that institutions must implement in order to comply with HIPAA; these include rules for EDI, for electronic signatures and standards of privacy. They are intended to be technology-independent and each i