Privacy Drivers

Even with the relatively pragmatic attitude of most U.S. consumers regarding privacy, there are still many significant laws and regulations affecting organizations. Table 4-1 shows some of the more prominent laws and regulations concerning privacy. In the U.S. and Canada, those laws tend to be limited to specific kinds of organizations (e.g., health care and financial services), but the European Union directive (the one that tripped up GM in its efforts to build an employee phone directory) is extremely far reaching.

Table 4-1. Some privacy laws and regulations

Law/regulation: Description

Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
    Applies to employees of firms regulated by the Canadian federal government. Recognizes an employee's right to privacy and imposes principles that employers must follow with respect to the personal data of their employees.

Customer Identification Program (USA PATRIOT Act)
    Applies to financial services organizations in the U.S. Requires the collection, verification, and retention of customer identifying data, and requires that customers be checked against government-maintained lists of known or suspected terrorists.

European Data Protection Directive
    Applies to organizations operating in the European Union. Imposes wide-ranging obligations regarding the collection, storage, and use of personal information relating to employees and customers.

Health Insurance Portability and Accountability Act (HIPAA)
    Applies to any organization that manages health care data in the U.S. Establishes a patient's right to control access to and use of protected health information (PHI). Requires that organizations control and safeguard PHI. Imposes technical standards for access control, audit, data integrity, and security.

Gramm-Leach-Bliley Act (GLBA)
    Applies to financial services organizations in the U.S. Requires physical, administrative, and technical safeguards to protect customer data. Customers must be told how their data is shared and given the opportunity to opt out of its disclosure to nonaffiliated third parties.

The laws listed in Table 4-1 can have a direct impact on your identity management plans. Other laws and regulations can affect your organization's identity management efforts indirectly. For example, NASD Rules 3010 and 3110 and SEC Rule 17a-4 require securities brokers and dealers to retain records for certain periods of time. Because records about who had which access, and when, are among the records a broker must be able to produce, this clearly affects the design and implementation of a digital identity infrastructure in affected industries.

Another law with indirect effects is Sarbanes-Oxley. Sarbanes-Oxley applies to public companies and, among other things, requires annual reports on the effectiveness of internal controls and procedures. Identity management components like directories and access control are themselves internal controls, so their design directly affects what those reports can say. Consequently, public companies need to design and implement their digital identity infrastructure not only to comply with Sarbanes-Oxley requirements, but to minimize the cost of demonstrating that compliance where possible.

In addition to national laws, in the U.S. at least, many state and local governments have adopted laws and regulations that you may be obligated to comply with. These can be especially troublesome because your organization may operate in multiple jurisdictions, each with widely different expectations.

Determining which laws and regulations affect your identity management strategy, and what to do about them, is impossible if you attempt to manage identity the way most IT departments have traditionally managed security. These are business issues and require business input. As an example, consider Sarbanes-Oxley. The Audit Committee of your board of directors will determine the ground rules for how your company is going to comply with Sarbanes-Oxley. Failing to understand their directives, or failing to ensure that they're met, would be a career-limiting act.

We'll spend the final part of this book discussing how you can develop an identity management architecture that ensures business drivers are used to shape your digital identity infrastructure.
