Information Security Regulatory Compliance and Privacy: State and EU Data Laws

By Peter H. Gregory

Interested in a job in information security? Great! You will need to become familiar with regulatory compliance and privacy standards for the United States and European Union. And yes, these will both impact your job.

State data breach laws

Starting with California’s well‐known SB1386 in 2002, the majority of U.S. states, as well as many other countries, have enacted laws that require the disclosure of security breaches involving certain records of their citizens. The crux of California’s breach notification law is that notification is required if the data in question was not encrypted; if data in encrypted form is acquired by an unauthorized party, no notification is required.

The ever‐changing patchwork

From 2002 to the present day, U.S. states have been enacting and updating their laws regarding the protection of citizens’ data. These state laws alone present a challenge to many organizations that routinely process personal data on U.S. citizens: merely keeping up with the changes in these laws is difficult.

Reaching across borders

Many U.S. state privacy laws claim jurisdiction over companies that hold private records on the state’s citizens, regardless of where those companies are located. Information security professionals often wonder whether those laws are enforceable across state lines. For instance, suppose that a company in Colorado suffers a compromise of private information belonging to citizens of California. Will California truly be able to enforce its breach notification law against a company located in Colorado, or anywhere else?

EU data privacy laws

In 1995, the European Union passed the European Privacy Directive, sometimes referred to by its number, 95/46/EC. This directive established an operational model for the collection, storage, processing, and distribution of personal information of European citizens.

The directive defines the rights of European citizens with regard to the use of their personal information. European citizens have the right to know what information is being kept about them and how it is used, and the ability to correct that information or request its removal. The directive also imposes requirements on organizations to use reasonable means to protect this information and to facilitate the citizens’ rights described above.

The European Privacy Directive prohibits European companies from transmitting private citizen data to countries outside Europe that have weaker privacy laws, such as the United States. However, the United States and the European Union bridged this gap through the Safe Harbor Principles, under which individual U.S. companies can voluntarily agree to protect data on European citizens in accordance with the European Privacy Directive.

This agreement can be accomplished through individual legal contracts between European and U.S. companies. U.S. companies can also voluntarily register their businesses on the U.S. Department of Commerce Safe Harbor website, which legally obligates those U.S. companies to protect data on European citizens to the same level as the European Privacy Directive.