Information Security Laws, Regulations, and Standards

The ISO Policies, Standards, Procedures, and Programs were created to comply with the following LAWS, Regulations, Standards, and Contracts governing Information Security:

Laws Specifically Directed to the University:

TITLE 5. EDUCATION
DIVISION 5. BOARD OF TRUSTEES OF THE CALIFORNIA STATE UNIVERSITIES
CHAPTER 1. CALIFORNIA STATE UNIVERSITY
SUBCHAPTER 5. ADMINISTRATION
ARTICLE 14. PRIVACY AND PERSONAL INFORMATION MANAGEMENT

§ 42396.1. Definitions.
§ 42396.2. Principles of Personal Information Management.
http://ccr.oal.ca.gov/

  • FERPA - http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html 
  • Social Security Numbers in Local Government Records and Higher Education – Civil Code sections 1798.88 -1798.89, Commercial Code section 9526.5, Education Code section 66018.55, and Government Code section 27300 et seq. These laws require certain state and local government agencies to truncate SSN's in documents released to the public so as to display no more than the last four digits. (1) The Franchise Tax Board must truncate SSN's in documents released to the public. (2) The Secretary of State must create versions of Uniform Commercial Code filings that contain only truncated SSN's. (3) County recorders must create versions of documents recorded back to 1980 that contain only truncated SSN's, and if authorized by boards of supervisors may levy a fee to cover the cost of truncation. Also no one may record a document containing more than the last four digits of an SSN. (4) The law states the Legislature’s intent that local agencies, other than county recorders, fully redact SSN's from public records before making the records publicly available, and excludes SSN's from the information that a local agency must disclose under the Public Records Act. (5) It requires the Office of Privacy Protection to create a task force to review the use of SSN's by California colleges and universities and to recommend practices to minimize such use, with a report due to the Legislature by July 1,
  • State Agency Privacy Policies - Government Code section 11019.9. This law requires state agencies to enact and to maintain a privacy policy and to designate an employee to be responsible for the policy. The policy must describe the agency's practices for handling personal information, as further required in the Information Practices Act.
  • Marketing to State University Alumni - Education Code sections 89090-89090.5 & 92630. This law authorizes the alumni associations of the California State University, the University of California, and Hastings College of Law to provide the names, addresses, and e-mail addresses of alumni to certain businesses ("affinity partners") for marketing purposes, provided the associations give alumni an opportunity to opt-out of having their information shared and provided the alumni have not, while students at those institutions, opted-out of information sharing.
  • Library Records, Confidentiality - Government Code sections 6254, 6267 and 6276.28. Registration and circulation records, of libraries supported by public funds, are confidential and are explicitly exempted from the Public Records Act.
  • Research Use of Personal Information - Civil Code section 1798.24 and Welfare and Institutions Code section 10850. This law authorizes a state agency to disclose personal information for certain research purposes to the University of California or a nonprofit educational institution, but requires the agency to get the approval of the Committee for the Protection of Human Subjects for the California Health and Human Services Agency before disclosing the information. It also establishes criteria for the review and approval of the request.
  • Information Practices Act of 1977- California Civil Code section 1798
    This law applies to state government. It expands upon the constitutional guarantee of privacy by providing limits on the collection, management and dissemination of personal information by state agencies.
  • “Wayne Shredding Bill” (State Civil Code 1798.80-82) –requires that sensitive information be unreadable before disposing of either electronic or paper documents.  http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.80-1798.84

Social Security Specifics

Personal Information

  • Security of Personal Information - Civil Code section 1798.81.5. This law requires specified businesses to use safeguards to ensure the security of Californians’ personal information (defined as name plus SSN, driver’s license/state ID, financial account number) and to contractually require third parties to do the same. It does not apply to businesses that are subject to certain other information security laws.
  • Information-Sharing Disclosure, “Shine the Light” - Civil Code sections 1798.83-1798.84. This law lets consumers learn how their personal information is shared by companies for marketing purposes and encourages businesses to let their customers opt-out of such information sharing. In response to a customer request, a business must provide either: 1) a list of the categories of personal information disclosed to other companies for their marketing purposes during the preceding calendar year, with the names and addresses of those companies, OR 2) a privacy statement giving the customer a cost-free opportunity to opt-out of such information sharing. Financial services companies subject to the California Financial Information Privacy Act are exempted from this law. See the Office of Privacy Protection’s Recommended Practices in relation to this law.
  • Financial Information Privacy Act, California - Financial Code sections 4050 - 4060. This law prohibits financial institutions from sharing or selling personally identifiable nonpublic information without obtaining a consumer's consent, as provided. It provides for a plain-language notice of the privacy rights it confers. The law requires that (1) a consumer must "opt in" before a financial institution may share personal information with an unaffiliated third party, (2) consumers be given an opportunity to "opt out" of sharing with a financial institution's financial marketing partners, and (3) consumers be given the opportunity to "opt out" of sharing with a financial institution's affiliates, with some exceptions. When an affiliate is wholly owned, in the same line of business, subject to the same functional regulator and operates under the same brand name, an institution may share its customers' personal information with the affiliate without providing an opt-out right.

Breach Notification Laws

  • California General Security Standard for Businesses CA AB 1950 [Released: Release 1]
    http://info.sen.ca.gov/pub/03-04/bill/asm/ab_1901-1950/ab_1950_bill_20040929_chaptered.pdf
  • SB 20 - California OPP Recommended Practices on Notification of Security Breach [Released: Release 1] http://info.sen.ca.gov/pub/09-10/bill/sen/sb_0001-0050/sb_20_bill_20081201_introduced.html
  • Security Breach Notice - Civil Code sections 1798.29, 1798.82, and 1798.84. This law requires a business or a State agency that maintains unencrypted computerized data that includes personal information, as defined, to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The type of information that triggers the notice requirement is an individual's name plus one or more of the following: Social Security number, driver's license or California Identification Card number, financial account numbers, medical information or health insurance information. The law's intention is to give affected individuals the opportunity to take steps to protect themselves from identity theft. See the Office of Privacy Protection’s Recommended Practices in relation to this law.

Data Destruction

Healthcare Privacy

  • AB 211 - Civil, criminal, and monteary penalties for browsing, selling, or unlawfully accepting Healthcare and Psychiatric records.  This is a modification to Civil Code 56. January 2009. 
    http://info.sen.ca.gov/pub/07-08/bill/asm/ab_0201-0250/ab_211_bill_20080930_chaptered.pdf 
  • HITECH - Provides penalties for healthcare information breaches for HIPAA covered entities. Physicians will be eligible for $40,000 to $65,000 for showing that they are meaningfully using health information technology such as through reporting of quality measures.  We need to find out if we are eligible for this.  If so, then appropriate security measures would need to be in place to protect us from AB 211. 2009
  • California Constitution, Article 1, section 1. The state Constitution gives each citizen an "inalienable right" to pursue and obtain "privacy."
  • Computer Misuse and Abuse: Criminal Sanctions - Penal Code section 502. In general, this section makes it a crime to knowingly access and, without permission, use, misuse, abuse, damage, contaminate, disrupt or destroy a computer, computer system, computer network, computer service, computer data or computer program.  Depending on the particular violation, this section can support a variety of fines and imprisonment in criminal actions as well as remedies recoverable in civil actions.

 PCI DSS

  • PCI DSS https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
  • Credit Card or Check Payment - Civil Code sections 1725 and 1747.08. Any person accepting a check in payment for most goods or services at retail is prohibited from recording a purchaser's credit card number or requiring that a credit card be shown as a condition of accepting the check (Section 1725). Any person accepting a credit card in payment for most goods or services is prohibited from writing the cardholder's personal information on forms associated with the transaction (Section 1747.08).
  • Credit/Debit Card Number Truncation - California Civil Code section 1747.09. No more than the last five digits of a credit card or debit card number may be printed on the customer copy of electronically printed receipts.
  • Credit Card "Skimmers" - Penal Code section 502.6. The knowing and willful possession or use, with the intent to defraud, of a device designed to scan or re-encode information from or to the magnetic strip of a payment card (a "skimmer") is punishable as a misdemeanor. The devices owned by the defendant and possessed or used in violation may be destroyed and various other computer equipment used to store illegally obtained data may be seized.

 Eavesdropping, Spying, Unauthorized Pictures

  • Eavesdropping or Skimming RFID – Civil Code section 1798.79 and following. This law makes it a misdemeanor to intentionally remotely read or attempt to read another person’s identification document that uses radio frequency identification (RFID), without the person’s knowledge or consent. It also makes it a misdemeanor to reveal the operational system keys used in a contactless identification document. Both crimes are punishable by a jail term of up to one year and/or a fine of up to $1,500.
  • Electronic Eavesdropping - Penal Code sections 630-638. Among other things, this law prohibits, with exceptions, electronic eavesdropping on or recording of private communications by telephone, radio telephone, cellular radio telephone, cable or any other device or in any other manner. Violation can result in penalties of up to $10,000 and imprisonment in county jail or state prison for up to one year (sections 631-632.7). It prohibits cable TV and satellite TV operators from monitoring or recording conversations in a subscriber's residence, or from sharing individually identifiable information on subscriber viewing habits or other personal information without written consent (section 637.5).
  • Electronic Eavesdropping by State Law Enforcement Officials – Penal Code sections 629.50-629.98. With the approval of a Superior Court judge, specified law enforcement officials can intercept specifically described wire, electronic pager, or electronic cellular telephone communications. The law prescribes a procedure that requires officials to present to a Superior Court judge requests for authority to record, catalogue, maintain and report about recordings of all communications intercepted (except legally privileged communications). The law also requires authorities to notify the parties to such intercepted communications about the facts of the wiretapping activities, no later than 90 days after the termination of the activities or after the denial of an application seeking wiretapping authority. This law will expire on January 1, 2012.
  • Telecommunications Customer Privacy - Public Utilities Code sections 2891-2894.10. This law bars telecommunications companies from disclosing the calling patterns, personal financial information or other specified personal information of residential subscribers without first getting written consent of the subscriber. There are some exceptions, including disclosure for the purpose of debt collection, for responding to a 911 call, and as required by legal process. It also requires, among other things, that telephone companies must give annual notice to subscribers that calling an 800 or 900 number may result in the disclosure of the subscriber's telephone number to the called party.

General Laws

  • California Constitution, Article 1, section 1. The state Constitution gives each citizen an "inalienable right" to pursue and obtain "privacy."
  • Computer Misuse and Abuse: Criminal Sanctions - Penal Code section 484-502.9. In general, this section makes it a crime to knowingly access and, without permission, use, misuse, abuse, damage, contaminate, disrupt or destroy a computer, computer system, computer network, computer service, computer data or computer program.  Depending on the particular violation, this section can support a variety of fines and imprisonment in criminal actions as well as remedies recoverable in civil actions.
  • "The Identity Theft and Assumption Deterrence Act of 1998” (18 U.S.C. 1028) makes identity theft a federal crime.  http://www.ftc.gov/os/statutes/itada/itadact.htm
  • Locking Mail Boxes in Residential Hotels – Civil Code section 1941.1 and Health & Safety Code section 17958.3. Effective July 1, 2008, all residential hotels must provide each residential unit with a locking mail receptacle, acceptable for mail delivery by the U.S. Postal Service. Failure to comply is a basis for considering a residential unit un-tenantable. The law also authorizes cities and counties to make and enforce ordinances that provide greater protections and penalties.
  • Public Records Act - Government Code sections 6250-6268. This law applies to state and local government. It gives members of the public a right to obtain certain described kinds of documents that are not protected from disclosure by the Constitution and other laws. This law also provides some specific privacy protections.
  • Public Record Exemption for Sex Offense Victims - Government Code section 6254 and Penal Code section 293. These laws prohibit the disclosure of the names and addresses of victims of specific sex-related crimes in documents provided in response to requests for records, including responses provided under the California Public Records Act.
  • Employment of Offenders - Penal Code section 4017.1 and Penal Code section 5071 and Welfare and Institutions Code section 219.5. Prison and county jail inmates may not have jobs that give them access to personal information. The same prohibitions apply to offenders performing community service in lieu of a fine or custody.