The Official (ISC)2 CISSP CBK Reference. Aaron Kraus
requirement.
Data localization law took on greater importance following the Snowden disclosures of the range of collection activities performed by the National Security Agency (NSA). Data localization laws were seen as providing some protection against the intelligence activities of foreign powers.
The economic argument for data localization is not necessarily convincing. A substantial body of research suggests that the costs of barriers to data flows, in terms of lost trade and investment opportunities, higher IT costs, reduced competitiveness, and lower economic productivity and GDP growth, are significant. The estimates suggest that localization reduces GDP by 0.7 to 1.7 percent in Brazil, China, the European Union, India, Indonesia, Korea, and Vietnam.
Nevertheless, many countries (in addition to the United States, as already mentioned) have adopted such laws.
Russia
In 2015, Russia became one of the first regimes to require all data collected inside Russia on Russian citizens to be stored inside Russia. The regulations implementing the law may not require localization if the information service is not directed at Russia (indicators include use of the Russian language, use of Russian top-level domains, etc.); even so, the law has had a significant impact on information providers. Some providers, including Google, Apple, and Twitter, have acquired computing capabilities in Russia to comply with the law. Others, most notably LinkedIn, have resisted the law, and their services have been blocked or curtailed inside Russia.
China
In China, the enforcement of the Cybersecurity Law will place new restrictions on the movement of information. China has asserted sovereignty over the internet operating within its borders and has installed network protections, including limiting access points and strict firewall rules to censor data made available inside China. Article 37 of the Cybersecurity Law requires network operators in critical sectors to store all data that is gathered or produced by the network operator in the country on systems in the country. In particular, the law requires data on Chinese citizens gathered within China to be kept inside China and not transferred abroad without the permission of the Chinese government.
Privacy
Privacy and information security go hand in hand. As discussed earlier in this chapter, privacy is effectively the security principle of confidentiality applied to personal data. There are several important regulations around the globe that establish privacy and data protection requirements. As a security professional, it's important that you understand each privacy regulation that governs your jurisdiction. As a CISSP, you may be familiar with the following regulations, among others, depending on your jurisdiction:
U.S. Federal Privacy Act of 1974
U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996
U.S. Children's Online Privacy Protection Act (COPPA) of 1998
U.S. Gramm-Leach-Bliley Act (GLBA) of 1999
U.S. Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009
Data Protection Directive (EU)
Data Protection Act 1998 (UK)
Safe Harbor
EU-US Privacy Shield
General Data Protection Regulation (GDPR) (EU)
NOTE The Asia-Pacific Economic Cooperation (APEC) Privacy Framework is intended to provide member nations and economies with a flexible and consistent approach to information privacy protection without unnecessarily stifling information flow. Although it's not a law or regulation, the APEC Privacy Framework aims to improve information sharing with a common set of privacy principles and is worth reading if you do business in an APEC member economy.
U.S. Federal Privacy Act of 1974, 5 U.S.C. § 552a
The Federal Privacy Act is a U.S. law that was enacted in 1974. The Privacy Act establishes and governs practices related to the collection, maintenance, use, and dissemination of PII by U.S. government agencies. The purpose of the Privacy Act is to balance the government's need to maintain information about citizens and permanent residents with the rights of those individuals to keep their personal information private. Among its provisions, the Privacy Act states that “no agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” Although the Privacy Act of 1974 substantially predates the internet, the provisions within the act continue to remain relevant and manifest in the form of online privacy consent forms and other mechanisms used to serve as “written consent of the individual.”
NOTE Criminal violations of the Federal Privacy Act are deemed misdemeanors and may be subject to penalties of up to $5,000 per violation.
U.S. Health Insurance Portability and Accountability Act of 1996
HIPAA was signed into law in 1996, while the HIPAA Privacy Rule and Security Rule each went into effect in 2003. Organizations that must comply with HIPAA requirements are known as covered entities and fit into three categories:
Health plans: This includes health insurance companies, government programs like Medicare, and military and veterans' health programs that pay for healthcare.
Healthcare providers: This includes hospitals, doctors, nursing homes, pharmacies, and other medical providers that transmit health information.
Healthcare clearinghouses: This includes public and private organizations, like billing services, that process or facilitate the processing of nonstandard health information and convert it into standard data types. A healthcare clearinghouse is usually the intermediary between a healthcare provider and a health plan or payer of health services.
The HIPAA Privacy Rule establishes minimum standards for protecting a patient's privacy and regulates the use and disclosure of individuals' health information, referred to as protected health information (PHI). Under HIPAA, an individual's PHI is permitted to be used strictly for the purposes of performing and billing for healthcare services and must be protected against improper disclosure or use.
The HIPAA Security Rule establishes minimum standards for protecting PHI that is stored or transferred in electronic form. The Security Rule operationalizes the Privacy Rule by establishing the technical, physical, and administrative controls that covered entities must put in place to protect the confidentiality, integrity, and availability of electronically stored PHI (or e-PHI).
Civil penalties for HIPAA violations may include fines that range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for similar violations. Criminal penalties include fines of up to $250,000 and potential imprisonment of up to 10 years.
U.S. Children's Online Privacy Protection Act of 1998
The Children's Online Privacy Protection Act of 1998 is a U.S. federal law that establishes strict guidelines for online businesses to protect the privacy of children under the age of 13. COPPA applies to any organization around the world that handles the data of children residing in the United States, and it also applies to children who reside outside of the United States if the company is U.S.-based. The law sets requirements for seeking parental consent and establishes restrictions on marketing to children under the age of 13.
NOTE According to the Federal Trade Commission (FTC), civil penalties of up to $43,280 may be levied for each violation of COPPA.
U.S. Gramm-Leach-Bliley Act of 1999
The