
Legal and Regulatory Considerations in IT Security - Research Paper Example

Summary
"Legal and Regulatory Considerations in IT Security" paper contains a comparative analysis of data laws in Washington State, the EU, and Canada. The paper states that what changes from Canada to the EU is the manner in which single acts of the data laws grant rights to data subjects and controllers…

Extract of sample "Legal and Regulatory Considerations in IT Security"

Legal and Regulatory Considerations in IT Security

Introduction

Extensive application of computers has necessitated the formulation of laws meant to govern interactions within the information technology environment. Prior to computerization, such laws were not necessary. However, widespread use of computers in the acquisition, processing and storage of information triggered the formulation of laws in different regions. In the United States, the federal government has a concrete set of laws and regulations governing the information technology environment. Similarly, individual states have the autonomy to legislate and pass local data laws. In the US, data laws used in one state are not necessarily similar to those used in another state. Correspondingly, data laws used in the US states are not exactly similar to those used in other nations like Britain or Canada. Technically, laws governing access to and use of computerized information differ from one autonomous region to another. The succeeding sections of this paper contain a comparative analysis of data laws in Washington State, the EU, and Canada.

Data Laws in Washington State

Data privacy and encryption regulations in Washington State are covered under chapter 19, section 255 of the state's laws. In Washington, private parties are protected by law against access to and misappropriation of personal information by unauthorized parties. Washington laws define data and information as any software or hardware files, including but not limited to personal contact information, credit and debit card information, plus any encrypted business or personal documents (Lindsey & Smith, 2012). In Washington, breach of security and unauthorized access to confidential data and information constitute criminal acts. In addition, unauthorized disclosure of personal or business information is prohibited by law.
Data owners must be informed by data controllers of any intention to disclose information prior to the disclosure (Lindsey & Smith, 2012). Persons guilty of data crimes include anyone involved in assisting, facilitating or abetting unauthorized access to and misappropriation of someone else's information. Persons and companies found to violate these data laws are subject to remedial provisions and liabilities. One data law in Washington involves controlled misuse of unauthorized information. Unauthorized access to information, followed by subsequent viewing, circulation or sale of the information, attracts economically reasonable compensation as damages. In Washington State, another law which seeks to minimize data misappropriation asserts that any unauthorized access to and misappropriation of information which leads to intentional or accidental piracy is punishable by law (Lindsey & Smith, 2012). Lastly, the state of Washington discourages hacking and unauthorized copying of information. In the state, any form of hacking which leads to installation of computer viruses on electronic files, theft of files, or intentional or accidental deletion of files is proportionally punishable by law.

Data Laws in the European Union

As mentioned earlier, data laws in one region are not necessarily the same as laws in a different region. Unlike Washington State, the European Union has tougher data protection laws. Under Article 8 of the EU's Protection of Human Rights and Freedoms, every individual in EU member states is entitled to data privacy. Information technology laws and regulations prohibit second and third parties from infringing the privacy rights of individuals' and organizations' data. In the EU, data laws do not allow wanton collection, processing and sharing of private data. First, any private or public company that deals with collection and processing of private information must register with the governments of individual EU states (Lindsey & Smith, 2012).
In addition, sharing of information across state borders is prohibited, unless with the permission of data owners. For example, a bank holding personal information of a client in one state cannot at any time transfer such information to a subsidiary in another EU state without approval of the data subject. Aside from the strict privacy laws, data controllers in EU states must adhere to strict data regulations. Pursuant to directive 1995/45/EC, any data controller, which in this case includes, but is not limited to, social security organizations, health information record keepers and financial institutions, cannot collect data in excess of the data's intended purpose (Lindsey & Smith, 2012). For example, banking institutions are not permitted to ask for additional information which does not serve the purpose of facilitating provision of banking services. A bank may not ask its client to indicate the number of children of family members, unless such information is required for insurance purposes by the bank. After data has been collected by the controller, owners of such data have a right to engage in timely access and correction of information held by the controller (Lindsey & Smith, 2012). In case of intentional or accidental misappropriation of the data, subjects are entitled to judicial remedies.

Finally, the EU data laws protect consumers and data subjects from online breach of data security. Occasionally, companies in the telecommunication sector or the online banking industry host tons of online information on their websites. Such websites sometimes get hacked, and consumer information is stolen and misappropriated. In this case, EU laws mandate that at any moment, controllers of consumer information must inform local and national authorities of such security breaches as hackings. Therefore, controllers of consumer data are required to possess appropriate logistical tools and knowledge that will enable timely detection and prevention of online security breaches.
In addition, EU member states require that companies holding consumer information must, prior to collection of such information, inform the data subjects of potential risks of security breach coupled with countermeasures to each risk (Lindsey & Smith, 2012). At this juncture, it emerges that all the data laws in the European Union intend to safeguard against the loss and misappropriation of private information by third parties.

Data Laws in Canada

In Canada, laws and regulations governing data are adaptively suited for the information technology environments of the nation. In Canada, information protection laws may differ slightly from one province to another. However, regulatory protection of personal information in Canada is covered under the Personal Information Protection and Electronic Documents Act, PIPEDA. At the national level, institutions of the federal government are allowed to collect and use a limited amount of personal information. However, these institutions are not restricted from sharing collected information whenever legally necessary. At the provincial level, an independent commissioner in each provincial government collects and manages personal information. Within the private sector, organizations must adhere to provisions of the aforementioned PIPEDA act (Lindsey & Smith, 2012). Unlike the privacy directive adopted by the EU, private companies in Canada are not subject to consultations with data subjects prior to use or transfer of their private data within the legal scope of the data's purpose. In certain instances, the federal or provincial government may use personal information for purposes not intended at the time of data collection. In the EU, it emerges that information contained within the records of both public and private companies cannot be used outside the scope of the original purpose (Lindsey & Smith, 2012).
Any time a need for data emerges, both public and private controllers of data should acquire informed consent from data subjects prior to use of already collected data. However, data laws in Canada do not necessitate acquisition of consent prior to secondary use of personal information. In Canada, secondary use of information must be permissible within the PIPEDA act. Within the PIPEDA act, the office of the Privacy Officer determines whether a controller of data can proceed with the use of data for secondary purposes. In this case, the role of consent acquisition is transferred from the data subjects to the privacy officer (Lindsey & Smith, 2012). Therefore, the privacy officer limits the depth and breadth of information access and use by data controllers.

Conclusion

In conclusion, it emerges that laws regarding regulation of data and information differ considerably in different regions. Of all the three regions under consideration, the European Union practices the strictest data laws while Canada has the least strict regulations on personal data and information. Washington State gives proportionate regard to acquisition and use of data. However, unlike Canada, Washington does not strip data subjects of the right to provide consent whenever data controllers need to use information for secondary purposes. Overall, data laws in the three regions are intended to protect against loss and misappropriation of data by unauthorized persons. The only thing that changes from Canada to the EU is the manner in which single acts of the data laws grant rights to data subjects and data controllers.

Reference

Lindsey, M. & Smith, L. (2012). Data Protection and Privacy Acts: Jurisdictional Comparisons. Pittsburg: Sweet & Maxwell Publishing.
Legal and Regulatory Considerations in IT Security Research Paper. Retrieved from https://studentshare.org/information-technology/1665024-legal-and-regulatory-considerations-in-it-security
