Data Protection Laws, Regulations, and Policies - Essay Example

Running Head: DATA PROTECTION LAWS, REGULATIONS, AND POLICIES Protective Measures of Introduction In the UnitedStates of America, a sectoral system is used in the application of the legislations, regulations, laws, and policies on data protection. According to this approach, a combination of federal and state legislations, regulations, as well as self-regulation is applied. In fact, the U.S government emphasizes the need for the private sector players to lead in the implementation of state, federal, and self-regulations of data protection.

The many issues brought about by computer and internet technologies have necessitated the formulation, implementation, and reformation/amendments of various federal and state legislations, policies, and standards of data protection in the United States (Simons, 2009). Among these policies are Sarbanes-Oxley Act [SOX], Data Protection Act, Federal Information Security Management Act [FISMA], California Security Breach (SB) Information Act, Massachusetts 201 CMR 17.00, and Public Access policy among others.

This paper thus explores and evaluates some of the legislations, policies, regulations, and standards pertaining to data protection in the U.S. In addition, the paper explores some of the strategies by which database designers and specialists may ensure compliance with state and federal policies and legislations regarding data protection. Federal Information Security Management Act (FISMA) FISMA is one of the legislations by which the United States protects the nation’s information systems/infrastructure.

To achieve this objective, the Act was set on certain visions including the need to initiate and promote the development of core security policies, guidelines, and standards that would promote the formulation and the implementation of information security strategies and policies (U.S Department of Internal Security, 2002). In this regard therefore, the Act sets standards for the categorization of not only data but also entire information systems, depending on their missions and impacts on U.S citizens.

In addition, the Act sets guidelines and standards for the minimum security requirements for information/data systems. Moreover, the Act provides procedures for the assessment of security controls for data systems and their effectiveness in the various departments and sectors concerned. The other important function of this Act is to provide guidance and regulations on the necessary security authorizations for various information and information systems and the monitoring of the same security controls and authorizations (U.

S Department of Internal Security, 2002). The Personal Data Privacy and Security Act of 2009 The Personal Data Privacy and Security Act is the other Act that addresses data protection in the United States of America. This Act requires that organizations and government agencies adhere to certain rules and regulations that protect personal and sensitive data of citizens. To this effect, these agencies and organizations are required to establish and apply risk assessments and vulnerability test measures for controlling data access and protecting sensitive data.

Therefore, organizations and government agencies are required to institute mechanisms by which unauthorized data access are logged and detected, whether data systems are at rest or in transit (Wu et al., 2009). In fact, in cases of data breaches, this Act requires that government agencies such as the Secret Service, the FBI, or the CIA, and the individuals affected are informed. Importantly, the Act provides for strict penalties for data breaches, identity theft, and other related fraud. However, the Act provides for exemptions, for instance, in cases where a breach may not be reported to an individual or the concerned agencies if it would hinder or jeopardize a criminal investigation (U.

S Department of Internal Security, 2002). Among the state laws that protect data include the Massachusetts General Law’s new regulation 201 CMR17.00 that calls for companies and individuals that use, access, or store personal information of Massachusetts’ citizens have well-audited and written strategies and plans to protect all personal data under their care. This law, which became effective on March 1, 2010, applies equally to both paper and electronic records. Just like the Personal Data Privacy and Security Act of 2009, the Massachusetts’s 201 CMR 17.

00 law focuses on identity theft and fraud. Among the core functions of this law is thus to punish organizations that leak or capture personal data, for example, by way of fines (The Commonwealth of Massachusetts, 2011). Conclusion In connection with the above functions of the FISMA and other similar Acts, standards, regulations, and policies, organizations should ensure compliance with these regulations by establishing and implementing certain data protection strategies. First, organizations’ database designers and specialists should develop and implement data security programs that are not only cost-effective but are also risk-based in the sense that they would not incur risks and costs due to non-compliance with federal and state regulations and laws.

The levels of information system security and control should take into account all legal considerations by being attentive to the conditions of state and federal data protection agencies, thus offering the much needed support to federal and state governments in protecting data. Additionally, the application of data security controls across an organisation should be consistent, comparable, and reproducible/repeatable, and cost-effective (Sanders, 2006). Database designers and specialists should also be trustworthy, especially in situations where they are authorized to access certain vital data.

This strategy or trait would ensure that only permitted and informed security authorization and decision-making are achieved. Importantly, organizations/agencies must initiate changes that would ensure employee/resident personal data are secured, to avoid data breaches and possible punishment (Hill, 2009). References Hill, J. S. (2009). Is It Worth It? Management Issues Related to Database Quality. Cataloging & Classification Quarterly, 46 (1), 26. Sanders, A. K. (2006). Limits to Database Protection: Fair Use and Scientific Research Exemptions.

Research Policy, 35 (6), 874. Simons, N. (2009). Surviving a Records Audit: 6 Steps to Prepare Your Organization. Information Management Journal, 43 (4), 38. The Commonwealth of Massachusetts (2011). General Laws: Security Breaches. Retrieved on March 2, 2012 from http://www.malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H U.S Department of Internal Security (2002). Federal Information Security Management Act (FISMA). Retrieved on March 2, 2012 from http://www.marcorsyscom.usmc.mil/sites/pmia%20documents/documents/Federal%20Information%20Security%20Management%20Act%20 (FISMA).

html Wu, J. et al. (2009). Necessary and Sufficient Conditions for Transaction-Consistent Global Checkpoints in a Distributed Database System. Information Sciences, 179 (20), 3659.