Regulatory Overview Executive Brief (788k pdf file)

AN EXECUTIVE BRIEF ON
Information Security
from the
Center for REALTOR® Technology

September, 2005

INFORMATION SECURITY
Regulatory Overview
REGULATION   LEGISLATION   EXPECTATIONS


legislative trends
The trend towards more legislative control for protection of consumer and personal information is growing and has been for the last five years in response to increased incidents of corporate abuse, computer crime and the resultant public outcry for better protections for their information. Generally they all possess a similar theme – better controls, auditing and accountability. The laws are sometimes complex and often vague to allow for broad application to varying organizations and the easy adoption of new technology developments. Some set out stiff fines and jail time for offenders including, and most notably, executives.

regulatory guidance
Regulatory guidance follows quickly behind legislation and provides the standards by which organizations should build their security programs. In many instances organizations are subject to multiple regulations and must decide how best to employ their controls to accommodate all of the various requirements. Generally, regulatory guidance provides what elements of security must be addressed.

expectations
From a management perspective, the most important aspect of working with legislative or regulatory guidance is acquiring an understanding of exactly what is expected of the organization to achieve compliance or security. For instance, what elements of the regulation are required, how much security is enough, what controls are considered mandatory, etc.? The key to successful implementation is knowing what is minimally acceptable to meet the compliance or regulatory mandate.

QUICK REFERENCE
More than one executive has probably wished there was an easy way to understand and comply with all the applicable laws and regulations. Currently, there is no simple, integrated checklist for all the rules, or one-size-fits-all strategy for implementation. However, the following is a very brief overview of regulations pertinent to real estate executives today:

• THE COMPUTER FRAUD AND ABUSE ACT - 1984
• DO NOT CALL REGISTRY - 1991
• THE CAN SPAM ACT OF 2003
• CALIFORNIA SENATE BILL 1386 - 2003
• SARBANES-OXLEY ACT (SOX) - 2002
• GRAMM-LEACH-BLILEY FINANCIAL SERVICES MODERNIZATION ACT (GLBA) - 1999
• JUNK FAX PREVENTION ACT OF 2005
• STATE SECURITY FREEZE LAWS
• THE ELECTRONIC COMMUNICATIONS PRIVACY ACT
[Figure: Key Information Security Legislation timeline, 1980 to 2010. Markers: 1984 The Computer Fraud and Abuse Act; 1991 Do Not Call Registry; 1999 Gramm-Leach-Bliley Financial Services Modernization Act (GLBA); 2002 Sarbanes-Oxley Act (SOX); 2003 The CAN SPAM Act of 2003 and California Senate Bill 1386; 2005 Junk Fax Prevention Act of 2005.]
• The Computer Fraud and Abuse Act
Originally made law in 1984, and amended several times since, the Computer Fraud and Abuse Act (CFAA) makes it illegal for anyone to distribute computer code or place it in the stream of commerce if they intend to cause either damage or economic loss. While the development and possession of harmful computer code is not a criminal act, using or releasing the code can be. The CFAA provides penalties for releasing a computer virus into computers used in commerce.
CFAA (the act): http://cio.doe.gov/Documents/CFA.HTM
CFAA explained: http://www.gigalaw.com/articles/2001-all/burke-2001-01-all.html

• Do Not Call Registry
Established by Congress in 2003 as an extension of the Telephone Consumer Protection Act (TCPA) of 1991, the "do not call" registry is a listing of phone numbers that telemarketers are prohibited from calling. The list is maintained by the National Do Not Call Registry of the Federal Trade Commission (FTC), and consumers can contact the agency to have their numbers registered. Organizations are prohibited from making calls to sell goods or services to any numbers listed, and are subject to substantial fines if they fail to comply.
NAR Field Guide to Do Not Call: http://www.realtor.org/libweb.nsf/pages/fg707
FTC Do Not Call Information: http://www.ftc.gov/bcp/conline/edcams/donotcall/index.html

• The CAN SPAM Act of 2003
Common name for the federal law more formally known as the "Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003." The law took effect on January 1, 2004. The act allows damages of up to $2 million, and prescribes specific requirements for businesses wanting to disseminate electronic mail campaigns.
CAN SPAM information: http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm
NAR Field Guide to CAN SPAM: http://www.realtor.org/libweb.nsf/pages/fg908#topice

• California Senate Bill 1386
"1386" went into effect in July 2003 and applies to companies doing business in California and all companies holding personal information of California residents. The intent is that anyone whose personal information may have been disclosed to unauthorized persons can quickly begin taking countermeasures against identity theft, misuse of information, etc. Victims can bring civil suit for damages.
SB 1386 FAQs: http://searchcio.techtarget.com/originalContent/0,289142,sid19_gci941077,00.html




                                                  INFORMATION SECURITY | REGULATORY OVERVIEW 3
• Sarbanes-Oxley Act (SOX)
Enacted in 2002 in response to corporate scandals, this act applies to all publicly held companies that have more than $75M capitalization and report to the SEC. It covers financial reporting to the SEC, auditing practices and associated document retention. The consequences for non-compliance are fines and imprisonment, and the act has already sent one executive to jail.
SOX summary: http://www.aicpa.org/info/sarbanes_oxley_summary.htm

• Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)
Enacted in 1999, this landmark privacy act applies to a wide range of financial, credit, insurance and money-handling institutions. It prohibits disclosing customer information to non-affiliated third-party organizations and protects the integrity of the information. The Act consists of three sections, which: regulate the collection and disclosure of private financial information; stipulate that financial institutions must implement security programs to protect such information; and prohibit the practice of pretexting (accessing private information using false pretenses). The Act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices.
GLBA information from the FTC: http://www.ftc.gov/privacy/glbact/

• Junk Fax Prevention Act of 2005
On July 9, 2005, the President signed into law S. 714, the "Junk Fax Prevention Act of 2005." Also an extension of the Telephone Consumer Protection Act of 1991, the Junk Fax Law allows companies to send commercial faxes without prior permission as long as the sender has an established business relationship with the recipient, and the fax number was provided by the recipient or made publicly available in a published directory, advertisement or website. Further, an opt-out message must be on the first page of the fax, and must offer the recipient a cost-free mechanism for opting out.




• State security freeze laws
There are now a total of ten states with laws allowing consumers to restrict access to their credit reports. Some laws apply to all consumers and others only to identity theft victims. The laws from state to state vary widely in structure and wording, but not in intent. Generally the laws criminalize the unauthorized access to or use of computers and databases, using a computer as an instrument of fraud, and known and foreseeable acts of computer sabotage.
Freeze laws background: http://www.consumersunion.org/pub/core_financial_services/002460.html

State Law
It is also important to understand that despite the adoption of these Federal laws, many states have laws that also address these areas and in some cases are more restrictive. Organizations must comply with both the Federal law and with any applicable state laws where they do business.


• The Electronic Communications Privacy Act
The Electronic Communications Privacy Act (ECPA) protects against the unlawful interception of any wire communications, whether telephone or cell phone conversations, voicemail, email, or other data sent over the wires.


Summary
Real estate executives need to be aware of the regulations applicable to their organizations and unique to their operating locations. While there are multiple regulatory requirements today, many have complementary standards, enabling an efficient response with an integrated approach.

Key to achieving this efficiency is understanding the expectations of the rule as well as the goals of the business. Real estate executives need to be actively involved in the development and management of their organization's risk management and IT compliance strategies.




REALTOR® Secure

REALTOR® Secure is a National Association of Realtors® program to heighten IT security awareness, education and certification. REALTOR® Secure promotes the use of security industry best practices to safeguard consumer privacy, REALTOR® information and real estate listings. REALTOR® Secure is managed and administered by NAR's Center for REALTOR® Technology (www.realtor.org/CRT). CRT provides technology guidance and information for the over 1.2 million members of NAR and makes available informed industry insight, research and open source apps.

CynergisTek, Inc (www.cynergistek.com) collaborated with CRT on this piece. CynergisTek is a leading IT security firm dedicated to helping organizations enhance their information security posture, comply with regulatory requirements and maximize operational performance. CynergisTek offers multidisciplinary expertise, insight and knowledge transference to its clients.

REALTOR® Secure information:
WEB   www.realtor.org/Secure
EMAIL inform@crt.realtors.org
PHONE 312-329-8646