Privacy issues are sweeping the information security landscape as individuals demand accountability from corporations, organizations and others that handle their data. As an information security professional, it's important that you have a basic understanding of data privacy laws and know the legal requirements your organization faces if it enters a line of business regulated by these laws.

You may have already dismissed these concerns as irrelevant because someone advised you that there's no legal requirement that you protect data. The Federal Trade Commission (the government agency charged with protecting the privacy of individuals in the United States) can only take action against you if you voluntarily post a privacy statement and then deliberately violate it. Therefore, many organizations have taken the advice of their attorneys and refuse to post a privacy statement.

This legal protection may work in some cases, but it's simply not true that there aren't privacy laws on the books in the U.S. Granted, these laws only apply if your organization fits into certain categories, but the categories are quite broad.

COPPA

The first category involves the privacy of children. The Children's Online Privacy Protection Act of 1998 (COPPA) provides specific guidelines for organizations that fit into one of the following three categories:

• Operate a Web site directed to children under age 13 that collects personal information.
• Operate a general audience Web site that knowingly collects personal information from children under 13.
• Operate a general audience Web site with a special section for children and collect personal information from children under age 13.

As you can see, quite a few Web sites fit at least one of these criteria. If your organization operates a site that falls under the jurisdiction of COPPA, you must post a privacy policy, notify parents about the information you're collecting, provide a mechanism for parental consent and a number of other actions. For more information on your COPPA responsibilities, see the FTC's COPPA Web site.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) also contains a substantial Privacy Rule that affects organizations that process medical records on individual citizens. HIPAA's "covered entities" include:

• Health care providers
• Health care clearinghouses
• Health care plans

The HIPAA Privacy Rule requires covered entities to inform patients about their privacy rights, train employees on the handling of private information, adopt and implement appropriate privacy practices and provide appropriate security for patient records. For more information on HIPAA, see the Department of Health and Human Services' HIPAA Web site.

GLBA

The most recent addition to privacy law in the United States is the Gramm-Leach-Bliley Act of 1999 (GLBA). Aimed at financial institutions, this law contains a number of specific actions that regulate how covered organizations may handle private financial information, the safeguards they must put in place to protect that information and prohibitions against their gaining such information under false pretenses.

If you're thinking to yourself, "That's fine, I don't work for a bank, hospital or children's Web site, so these laws don't apply to me," stop and think again. The FTC has interpreted GLBA with an incredibly wide definition of the term "financial institution." Some examples of industries covered by GLBA include:

• Banking
• Securities trading
• Insurance companies
• Lenders
• Tax preparers
• Credit counselors and financial advisors
• Real estate settlement services
• Debt collection services

Of course, this isn't a comprehensive list. For more information GLBA that can help you determine if you're covered, visit the FTC's GLBA site.

Data privacy is a complex and rapidly changing field. The legal landscape surrounding these issues is fluid and subject to new legislation and interpretation by government agencies and the courts. It's imperative that you keep current on the laws as they apply to your firm.