Unit 9: Privacy Laws, Penalties, and Privacy Issues
As information security evolves, laws designed to secure information are also evolving. Whether in the workplace or on social networking sites, individuals around the world want their privacy protected. Countries are enacting laws to protect the privacy of their citizens, and organizations that suffer a data breach are finding it costly not only monetarily but to their reputation as well. This unit will discuss the importance of electronic data privacy protection, global privacy laws, some areas and issues of online privacy, and the penalties and adverse effects of a data breach on organizations.
Completing this unit should take you approximately 3 hours.
Upon successful completion of this unit, you will be able to:
- evaluate the need for electronic data privacy protection; and
- identify key global laws that protect privacy, such as the US Privacy Act of 1974, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the European General Data Protection Regulation (GDPR).
9.1: Electronic Data Privacy Protection
A great deal of personal data is collected and stored electronically today. Personal data is considered private, and the protection of this data may be mandated by law. Some, but not all, countries have developed laws to protect privacy. As a security professional, you will be expected to know the laws that pertain to your organization and how to protect the data collected according to the local laws. This unit discusses how private data is collected via electronic devices and describes some laws that have been written to protect the privacy of individuals.
Maintaining and protecting privacy in information systems is an ethical as well as a legal issue. When individuals' private data is protected, the confidentiality tenet of the CIA triad is supported. Read this article about the balancing act between technology and privacy. Think about some of the ways that helpful technological advances may be invading your privacy. This article makes some good points about technology and the data trail that you may not have thought about previously.
Privacy is protected by law in many countries and by international law. Read section 5.3, which discusses privacy rights and the laws that protect privacy. Make note of what is considered to be privacy and what is protected by the US constitution, by the United Nations (UN), and by the European Union (EU).
9.2: Global Privacy Laws
The jurisdiction of privacy laws is usually specific to the country where they are written. Currently, there are no global privacy laws, but there is one European Union (EU) privacy law with a long reach: the European General Data Protection Regulation (GDPR). This privacy law, as well as some other important privacy laws of the United States, will be discussed in this section. Information security professionals must understand global privacy laws to determine whether those laws must be enforced in their agency. For example, if your organization collects private data from EU citizens, that data is protected by the GDPR. Due to the way the GDPR is written, even if your company is located outside the EU, the private data collected on EU citizens must be protected. Other laws do not have such a long reach but must still be followed to avoid being penalized.
This video discusses the challenges of protecting privacy as digital technology and artificial intelligence (AI) rapidly evolve. You will learn more about the European General Data Protection Regulation (GDPR) in a subsequent section, but after you watch this video you should be able to explain how the GDPR has affected privacy regulations around the world. Are there laws that parallel the GDPR in the United States or in other countries?
Depending on where you work or do business, there could be many privacy laws you should be aware of. This article discusses important privacy laws in the United States and the European Union's General Data Protection Regulation (GDPR). Note the different aspects that the US Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Children's Online Privacy Protection Act (COPPA) of 2000, the California Consumer Privacy Act (CCPA), and the GDPR protect. How would you compare the GDPR to the CCPA?
Review this article on the US Privacy Act of 1974. Why has this privacy law been difficult to apply? Could that be related to the legislative history of the act? What are the objectives of the act, and what infamous scandal prompted the enactment of the act?
This article goes into more detail about the US Privacy Act of 1974. What protections does the act provide? Who is not protected under this act, as compared to the EU Data Protection Directive?
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in the US in 1996 to protect individuals' health information. This video explains the history of the bill. What kinds of information are protected under the act? What are PHI and HITECH, and how is HITECH related to HIPAA? What is the role of information technology (IT) in protecting health information?
This article gives a supplementary overview of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Pay attention to who is covered by HIPAA and which information HIPAA protects. What technical safeguards must be in place when an organization collects private information covered by HIPAA?
The European Union General Data Protection Regulation (GDPR) is very complex, but this video breaks it down. Take note of the right to be forgotten and the exemptions to this rule.
The European General Data Protection Regulation (GDPR) has affected how organizations protect personal data around the world. If an organization in any country wants to do business with another organization or with individuals in the European Union, then that organization must follow the rules of the GDPR. When watching this video, learn how personal data is defined by the GDPR, the categories of personal data that have special or extra restrictions, and why these restrictions were added to the GDPR. What is considered processed data under the GDPR, and who is responsible for the security of the data under the GDPR? Who is protected under the GDPR, and what are their rights?
Unit 9 Assessment
Take this assessment to see how well you understood this unit.
- This assessment does not count towards your grade. It is just for practice!
- You will see the correct answers when you submit your answers. Use this to help you study for the final exam!
- You can take this assessment as many times as you want, whenever you want.