TransReplicator, Inc.

We have created the industry's first complete automated solution for identifying and protecting your proprietary data.

Step 1 - Identify

The proprietary data that must be protected

Determine which types of data should be protected based upon data privacy laws affecting your industry and then identify where that data resides in your databases

Step 2 - Protect

Automatic creation of complete copies or referentially intact subsets of production databases, free of proprietary data

Define/process extracts using our Navigator and Loader modules

Step 3 - Audit

Uncover proprietary data that resides in non-production databases

Find data in non-production databases that is considered proprietary and should not reside outside the production environment
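As an added example (not TransReplicator code, and not a description of its Navigator and Loader modules), the three steps above applied to a constructed two-table SQLite database; the column-classification rules, the masking formats and the id-based subset selection are assumptions made for the illustration:

```python
import hashlib
import re
import sqlite3

# Constructed schema: orders reference customers, so a subset must carry each order's parent row.
SCHEMA = """
CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, card TEXT, email TEXT);
CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER REFERENCES customers(id),
                    sku TEXT, amount REAL);
"""
# Constructed rows; the card numbers are well-known test numbers, not real accounts.
CUSTOMERS = [
    (1, "Alice Example", "123-45-6789", "4111111111111111", "alice@example.com"),
    (2, "Bob Sample", "987-65-4321", "5500000000000004", "bob@example.com"),
    (3, "Carol Demo", "555-12-3456", "340000000000009", "carol@example.com"),
]
ORDERS = [(10, 1, "widget", 19.99), (11, 1, "gadget", 5.0),
          (12, 2, "widget", 19.99), (13, 3, "gizmo", 42.0)]
# Step 1 rules (assumed): a column is proprietary when every value matches a
# pattern, or when its name is an obvious hint (patterns cannot recognise names).
PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card": re.compile(r"^\d{13,19}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}
NAME_HINTS = {"name": "name"}


def build_production():
    """Create the constructed production database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", CUSTOMERS)
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?)", ORDERS)
    return conn


def _columns(conn):
    """Yield (table, column) for every user table in the database."""
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            yield table, row[1]


def identify(conn):
    """Step 1: map (table, column) -> kind of proprietary data held there."""
    found = {}
    for table, col in _columns(conn):
        if col in NAME_HINTS:
            found[(table, col)] = NAME_HINTS[col]
            continue
        values = [v for (v,) in conn.execute(
            f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL')]
        for kind, pat in PATTERNS.items():
            if values and all(pat.match(str(v)) for v in values):
                found[(table, col)] = kind
    return found


def mask(kind, value):
    """Replace one value; deterministic so uniqueness and joins survive masking."""
    token = hashlib.sha256(str(value).encode()).hexdigest()[:12]
    if kind == "card":  # FACTA sec. 113 quoted below permits at most the last 5 digits
        return "*" * (len(value) - 4) + value[-4:]
    if kind == "ssn":
        return "***-**-" + value[-4:]
    if kind == "email":  # no '@', so the audit pattern cannot re-flag the pseudonym
        return "user-" + token
    return "Person-" + token  # name


def protect(prod, customer_ids, sensitive):
    """Step 2: copy the chosen customers and all their orders, masking flagged columns."""
    test = sqlite3.connect(":memory:")
    test.executescript(SCHEMA)
    ids = list(customer_ids)
    marks = ",".join("?" * len(ids))
    # Parent table first, then the child table filtered by the same key set.
    for table, key in (("customers", "id"), ("orders", "customer_id")):
        cols = [c for t, c in _columns(prod) if t == table]
        rows = prod.execute(
            f'SELECT * FROM "{table}" WHERE "{key}" IN ({marks})', ids).fetchall()
        out = [tuple(mask(sensitive[(table, c)], v) if (table, c) in sensitive else v
                     for c, v in zip(cols, row)) for row in rows]
        test.executemany(
            f'INSERT INTO "{table}" VALUES ({",".join("?" * len(cols))})', out)
    return test


def audit(conn):
    """Step 3: (table, column, kind) for every value still matching a pattern."""
    hits = []
    for table, col in _columns(conn):
        for (v,) in conn.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL'):
            for kind, pat in PATTERNS.items():
                if pat.match(str(v)):
                    hits.append((table, col, kind))
    return hits
```

The audit only finds values that still look like the original data, which is why the masked email is given a shape the email pattern cannot match; names, which no pattern recognises, rely on the column-name hint in step 1.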

Legal Obligations Detail
Corporate Legal Obligation in regard to information privacy 
List of Laws
Sarbanes-Oxley Act
Section 103: Auditing, Quality Control, And Independence Standards And Rules.
The Board must adopt an audit standard to implement the internal control review required by section 404(b). This standard must require the auditor evaluate whether the internal control structure and procedures include records that accurately and fairly reflect the transactions of the issuer, provide reasonable assurance that the transactions are recorded in a manner that will permit the preparation of financial statements in accordance with GAAP, and a description of any material weaknesses in the internal controls.

Section 302: Corporate Responsibility for Financial Report.
The signing officers have disclosed ... all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarize, and report financial data and have identified for the issuer's auditors any material weaknesses in internal controls

Section 404: Management Assessment Of Internal Controls.
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Section 1102: Tampering With a Record or Otherwise Impeding an Official Proceeding
Makes it a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the object's integrity or availability for use in an official proceeding, or otherwise to obstruct, influence, or impede any official proceeding; an offender is liable for up to 20 years in prison and a fine.

Title IX: White Collar Crime Penalty Enhancements
Creates a crime for tampering with a record or otherwise impeding any official proceeding


1173(a) of the Social Security Act
SEC. 1173. [42 U.S.C. 1320d-2]
(a) STANDARDS TO ENABLE ELECTRONIC EXCHANGE.

(d) SECURITY STANDARDS FOR HEALTH INFORMATION.-
(1) SECURITY STANDARDS. The Secretary shall adopt security standards that
(A) take into account
    (i) the technical capabilities of record systems used to maintain health information;
    (ii) the costs of security measures;
    (iii) the need for training persons who have access to health information;
    (iv) the value of audit trails in computerized record systems; and
    (v) the needs and capabilities of small health care providers and rural health care providers (as such providers are defined by the Secretary); and
(B) ensure that a health care clearinghouse, if it is part of a larger organization, has policies and security procedures which isolate the activities of the health care clearinghouse with respect to processing information in a manner that prevents unauthorized access to such information by such larger organization.
(2) SAFEGUARDS. Each person described in section 1172(a) who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards-
(A) to ensure the integrity and confidentiality of the information;
(B) to protect against any reasonably anticipated
    (i) threats or hazards to the security or integrity of the information; and
    (ii) unauthorized uses or disclosures of the information; and
(C) otherwise to ensure compliance with this part by the officers and employees of such person.
...
(f) TRANSFER OF INFORMATION AMONG HEALTH PLANS.
The Secretary shall adopt standards for transferring among health plans appropriate standard data elements needed for the coordination of benefits, the sequential processing of claims, and other data elements for individuals who have more than one health plan.

SEC. 1176. [42 U.S.C. 1320d-5]
(a) GENERAL PENALTY.

(1) IN GENERAL. Except as provided in subsection (b), the Secretary shall impose on any person who violates a provision of this part a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.

European Data Privacy Law
Directive 95/46/EC
DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
(2) Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals;
(10) Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community;
(12) Whereas the protection principles must apply to all processing of personal data by any person whose activities are governed by Community law; whereas there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses;
(15) Whereas the processing of such data is covered by this Directive only if it is automated or if the data processed are contained or are intended to be contained in a filing system structured according to specific criteria relating to individuals, so as to permit easy access to the personal data in question;
(19) Whereas establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; whereas the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect; whereas, when a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities;
(20) Whereas the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive; whereas in these cases, the processing should be governed by the law of the Member State in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice;
(25) Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances;
(26) Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable; whereas codes of conduct within the meaning of Article 27 may be a useful instrument for providing guidance as to the ways in which data may be rendered anonymous and retained in a form in which identification of the data subject is no longer possible;
(27) Whereas the protection of individuals must apply as much to automatic processing of data as to manual processing; whereas the scope of this protection must not in effect depend on the techniques used, otherwise this would create a serious risk of circumvention; whereas, nonetheless, as regards manual processing, this Directive covers only filing systems, not unstructured files; whereas, in particular, the content of a filing system must be structured according to specific criteria relating to individuals allowing easy access to the personal data; whereas, in line with the definition in Article 2
(30)... Member States may determine the circumstances in which personal data may be used or disclosed to a third party in the context of the legitimate ordinary business activities of companies and other bodies; whereas Member States may similarly specify the conditions under which personal data may be disclosed to a third party for the purposes of marketing whether carried out commercially or by a charitable organization or by any other association or foundation, of a political nature for example, subject to the provisions allowing a data subject to object to the processing of data regarding him, at no cost and without having to state his reasons;
(38) Whereas, if the processing of data is to be fair, the data subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information, bearing in mind the circumstances of the collection;
(42) Whereas Member States may, in the interest of the data subject or so as to protect the rights and freedoms of others, restrict rights of access and information; whereas they may, for example, specify that access to medical data may be obtained only through a health professional;
(46) Whereas the protection of the rights and freedoms of data subjects with regard to the processing of personal data requires that appropriate technical and organizational measures be taken, both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorized processing; whereas it is incumbent on the Member States to ensure that controllers comply with these measures; whereas these measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected;
(55) Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private or public law, who fails to comply with the national measures taken under this Directive;
(57) Whereas, on the other hand, the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited;

Article 2
Definitions
For the purposes of this Directive:
(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
(b) 'processing of personal data' ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
(c) 'personal data filing system' ('filing system') shall mean any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
(d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;

Article 8
The processing of special categories of data
1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

Article 16
Confidentiality of processing
Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law.

Article 17
Security of processing
1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.
4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.

Article 20
Prior checking
1. Member States shall determine the processing operations likely to present specific risks to the rights and freedoms of data subjects and shall check that these processing operations are examined prior to the start thereof.
2. Such prior checks shall be carried out by the supervisory authority following receipt of a notification from the controller or by the data protection official, who, in cases of doubt, must consult the supervisory authority.

Article 22
Remedies
Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question.

Article 23
Liability
1. Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.
2. The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage

European Data Privacy Law
Regulation No 45/2001
Article 22
Security of processing
1. Having regard to the state of the art and the cost of their implementation, the controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.
Such measures shall be taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing.
2. Where personal data are processed by automated means, measures shall be taken as appropriate in view of the risks in particular with the aim of:
(a) preventing any unauthorised person from gaining access to computer systems processing personal data;
(b) preventing any unauthorised reading, copying, alteration or removal of storage media;
(c) preventing any unauthorised memory inputs as well as any unauthorised disclosure, alteration or erasure of stored personal data;
(d) preventing unauthorised persons from using data-processing systems by means of data transmission facilities;
(e) ensuring that authorised users of a data-processing system can access no personal data other than those to which their access right refers;
(f) recording which personal data have been communicated, at what times and to whom;
(g) ensuring that it will subsequently be possible to check which personal data have been processed, at what times and by whom;
(h) ensuring that personal data being processed on behalf of third parties can be processed only in the manner prescribed by the contracting institution or body;
(i) ensuring that, during communication of personal data and during transport of storage media, the data cannot be read, copied or erased without authorisation;
(j) designing the organisational structure within an institution or body in such a way that it will meet the special requirements of data protection.

Article 23
Processing of personal data on behalf of controllers
1. Where a processing operation is carried out on its behalf, the controller shall choose a processor providing sufficient guarantees in respect of the technical and organisational security measures required by Article 22 and ensure compliance with those measures.
2. The carrying out of a processing operation by way of a processor shall be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
(a) the processor shall act only on instructions from the controller;
(b) the obligations set out in Articles 21 and 22 shall also be incumbent on the processor unless, by virtue of Article 16 or Article 17(3), second indent, of Directive 95/46/EC, the processor is already subject to obligations with regard to confidentiality and security laid down in the national law of one of the Member States.
3. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in Article 22 shall be in writing or in another equivalent form.

Article 24
Appointment and tasks of the Data Protection Officer
1. Each Community institution and Community body shall appoint at least one person as data protection officer. That person shall have the task of:
(a) ensuring that controllers and data subjects are informed of their rights and obligations pursuant to this Regulation;
(b) responding to requests from the European Data Protection Supervisor and, within the sphere of his or her competence, cooperating with the European Data Protection Supervisor at the latter's request or on his or her own initiative;
(c) ensuring in an independent manner the internal application of the provisions of this Regulation;
(d) keeping a register of the processing operations carried out by the controller, containing the items of information referred to in Article 25(2);
(e) notifying the European Data Protection Supervisor of the processing operations likely to present specific risks within the meaning of Article 27.
That person shall thus ensure that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.

Article 25
Notification to the Data Protection Officer
...
2. The information to be given shall include:
(a) the name and address of the controller and an indication of the organisational parts of an institution or body entrusted with the processing of personal data for a particular purpose;
(b) the purpose or purposes of the processing;
(c) a description of the category or categories of data subjects and of the data or categories of data relating to them;
(d) the legal basis of the processing operation for which the data are intended;
(e) the recipients or categories of recipient to whom the data might be disclosed;
(f) a general indication of the time limits for blocking and erasure of the different categories of data;
(g) proposed transfers of data to third countries or international organisations;
(h) a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to Article 22 to ensure security of processing.

Article 26
Register
A register of processing operations notified in accordance with Article 25 shall be kept by each Data Protection Officer.
The registers shall contain at least the information referred to in Article 25(2)(a) to (g). The registers may be inspected by any person directly or indirectly through the European Data Protection Supervisor.

Article 38
Directories of users
1. Personal data contained in printed or electronic directories of users and access to such directories shall be limited to what is strictly necessary for the specific purposes of the directory.

Fair and Accurate Credit Transactions Act of 2003
SEC. 113. TRUNCATION OF CREDIT CARD AND DEBIT CARD ACCOUNT NUMBERS
(g) (1) IN GENERAL- Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.

SEC. 114. ESTABLISHMENT OF PROCEDURES FOR THE IDENTIFICATION OF POSSIBLE INSTANCES OF IDENTITY THEFT.
(A) establish and maintain guidelines for use by each financial institution and each creditor regarding identity theft with respect to account holders at, or customers of, such entities, and update such guidelines as often as necessary;

(B) prescribe regulations requiring each financial institution and each creditor to establish reasonable policies and procedures for implementing the guidelines established pursuant to subparagraph (A), to identify possible risks to account holders or customers or to the safety and soundness of the institution or customers;

HIPAA Title 45 General Instructions:
2. This decision-making process should be applied to EACH database and to EACH research project that uses 'protected health information' PHI contained in a database. Specific HIPAA Privacy Rule requirements and documentation as well as necessary IRB action will depend on the characteristics of each database or each research use of a database.

Section 164.502(b) - Minimum Necessary Uses and Disclosures
The proposed rule required a covered entity to make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure

Section 164.502(e) - Business Associates
In the proposed rule, other than for purposes of consultation or referral for treatment, we would have allowed a covered entity to disclose protected health information to a business partner only pursuant to a written contract that would, among other specified provisions, limit the business partner's uses and disclosures of protected health information to those permitted by the contract, and would impose certain security, inspection and reporting requirements on the business partner. We proposed to define the term "business partner" to mean, with respect to a covered entity, a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity

Physical Safeguards to Guard Data Integrity, Confidentiality, and Availability
b. Media Controls
Media controls would be required in the form of formal, documented policies and procedures that govern the receipt and removal of hardware/software (for example, diskettes, tapes) into and out of a facility. They are important to ensure total control of media containing health information. These controls would include the following mandatory implementation features:
  • Controlled access to media.
  • Accountability (tracking mechanism).
  • Data backup.
  • Data storage.
  • Disposal.
c. Physical Access Controls
Physical access controls (limited access) would be required. These would be formal, documented policies and procedures for limiting physical access to an entity while ensuring that properly authorized access is allowed. These controls would be extremely important to the security of health information by preventing unauthorized physical access to information and ensuring that authorized personnel have proper access. These controls would include the following mandatory implementation features:
  • Disaster recovery.
  • Emergency mode operation.
  • Equipment control (into and out of site).
  • A facility security plan.
  • Procedures for verifying access authorizations prior to physical access.
  • Maintenance records.
  • Need-to-know procedures for personnel access.
  • Sign-in for visitors and escort, if appropriate.
  • Testing and revision.
Technical Security Services to Guard Data Integrity, Confidentiality, and Availability
a. Access Control
There would be a requirement for access control which would restrict access to resources and allow access only by privileged entities. It would be important to limit access to health information to those employees who have a business need to access it. Types of access control include, among others, mandatory access control, discretionary access control, time-of-day, classification, and subject-object separation. The following implementation feature would be used:
  • Procedure for emergency access.
In addition, at least one of the following three implementation features would be used:
  • Context-based access.
  • Role-based access.
  • User-based access.
The use of the encryption implementation feature would be optional

b. Audit Controls
Each organization would be required to put in place audit control mechanisms to record and examine system activity. They would be important so that the organization can identify suspect data access activities, assess its security program, and respond to potential weaknesses.

Safe Harbor Privacy Principles
PRIVACY PRINCIPLES
"Personal data" and "personal information" are data about an identified or identifiable individual that are within the scope of the Directive, received by a U.S. organization from the European Union, and recorded in any form.
For sensitive information (i.e. personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), they must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt in choice. In any case, an organization should treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive.

ONWARD TRANSFER:
To disclose information to a third party, organizations must apply the notice and choice Principles. Where an organization wishes to transfer information to a third party that is acting as an agent, as described in the endnote, it may do so if it first either ascertains that the third party subscribes to the Principles or is subject to the Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles. If the organization complies with these requirements, it shall not be held responsible (unless the organization agrees otherwise) when a third party to which it transfers such information processes it in a way contrary to any restrictions or representations, unless the organization knew or should have known the third party would process it in such a contrary way and the organization has not taken reasonable steps to prevent or stop such processing.

SECURITY:
Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

ENFORCEMENT:
Effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum, such mechanisms must include (a) readily available and affordable independent recourse mechanisms by which each individual's complaints and disputes are investigated and resolved by reference to the Principles and damages awarded where the applicable law or private sector initiatives so provide; (b) follow up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; and (c) obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.

Human Resources:
In addition, employers should make reasonable efforts to accommodate employee privacy preferences. This could include, for example, restricting access to the data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand.

Dispute Resolution and Enforcement: A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances. Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance, and injunctive orders. Private sector dispute resolution bodies and self-regulatory bodies should notify failures of safe harbor organizations to comply with their rulings to courts or to the governmental body with applicable jurisdiction, as appropriate, and notify the Department of Commerce (or its designee).

Pharmaceutical and Medical Products:
Data used for pharmaceutical research and other purposes should be anonymized as appropriate.

FTC 16 Privacy of Consumer Financial Information
Gramm-Leach-Bliley Act
Sec. 6802. Obligations with respect to disclosures of personal information
(a) Notice requirements
Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title.
(c) Limits on reuse of information
Except as otherwise provided in this subchapter, a nonaffiliated third party that receives from a financial institution nonpublic personal information under this section shall not, directly or through an affiliate of such receiving third party, disclose such information to any other person that is a nonaffiliated third party of both the financial institution and such receiving third party, unless such disclosure would be lawful if made directly to such other person by the financial institution.
(d) Limitations on the sharing of account number information for marketing purposes

A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
Exceptions:
* Disclosure to a consumer reporting agency.
* Disclosure to an agent or service provider to perform marketing of the financial institution's own products or services, provided that the agent or service provider is not authorized to directly initiate charges to the account.
* Disclosure to a participant in a private label credit card program or an affinity program where the participants are identified to the customer when the customer enters into the program.
* Disclosure of an encrypted account number to a nonaffiliated third party, provided that the financial institution does not give the third party the means to decode the number or code.

Sec. 6809. Definitions
(4) Nonpublic personal information
(A) The term "nonpublic personal information" means personally identifiable financial information -
(i) provided by a consumer to a financial institution;
(ii) resulting from any transaction with the consumer or any service performed for the consumer; or
(iii) otherwise obtained by the financial institution.

(5) Nonaffiliated third party
The term "nonaffiliated third party" means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of such institution.

California’s Financial Information Privacy Act
SB1
4051. (a) The Legislature intends for financial institutions to provide their consumers notice and meaningful choice about how consumers' nonpublic personal information is shared or sold by their financial institutions.

4051.5. (2) To achieve that control for California consumers by requiring that financial institutions that want to share information with third parties and unrelated companies seek and acquire the affirmative consent of California consumers prior to sharing the information.

4053 (b) (1)  A financial institution does not disclose information to, or share information with, its affiliate merely because information is maintained in common information systems or databases, and employees of the financial institution and its affiliate have access to those common information systems or databases, or a consumer accesses a Web site jointly operated or maintained under a common name by or on behalf of the financial institution and its affiliate, provided that where a consumer has exercised his or her right to prohibit disclosure pursuant to this division, nonpublic personal information is not further disclosed or used by an affiliate except as permitted by this division.

4053.5. Except as otherwise provided in this division, an entity that receives nonpublic personal information from a financial institution under this division shall not disclose this information to any other entity, unless the disclosure would be lawful if made directly to the other entity by the financial institution. An entity that receives nonpublic personal information pursuant to any exception set forth in Section 4056 shall not use or disclose the information except in the ordinary course of business to carry out the activity covered by the exception under which the information was received.

4054. (a) Nothing in this division shall require a financial institution to provide a written notice to a consumer pursuant to Section 4053 if the financial institution does not disclose nonpublic personal information to any nonaffiliated third party or to any affiliate.

4057. (a) An entity that negligently discloses or shares nonpublic personal information in violation of this division shall be liable, irrespective of the amount of damages suffered by the consumer as a result of that violation, for a civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation. However, if the disclosure or sharing results in the release of nonpublic personal information of more than one individual, the total civil penalty awarded pursuant to this subdivision shall not exceed five hundred thousand dollars ($500,000).
(b) An entity that knowingly and willfully obtains, discloses, shares, or uses nonpublic personal information in violation of this division shall be liable for a civil penalty not to exceed two thousand five hundred dollars ($2,500) per individual violation, irrespective of the amount of damages suffered by the consumer as a result of that violation.
(d) In the event a violation of this division results in the identity theft of a consumer, as defined by Section 530.5 of the Penal Code, the civil penalties set forth in this section shall be doubled.

FDA CFR Title 21, Part 11 Subpart B -- Electronic Records
Sec. 11.10 Controls for closed systems
11.10 d) Limiting system access to authorized individuals.

11.10 e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

11.10 g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

National Credit Union Association (NCUA) Part 748: Security Program, Report of Crime and Catastrophic Act and Bank Secrecy Act Compliance
Ensure the security and confidentiality of member information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member.

Payment Card Industry (PCI) Data Security Standard
Protect cardholder data
Requirement 3: Protect stored data
3.1 Keep cardholder information storage to a minimum. Develop a data retention and disposal policy.
3.2 Do not store sensitive authentication data subsequent to authorization (not even if encrypted).
3.3 Mask account numbers when displayed.
3.4 Render sensitive cardholder data unreadable anywhere it is stored (including data on portable media, backup media, in logs, and data received from or stored by wireless networks).

Implement Strong Access Control Measures
Requirement 7: Restrict access to data by business need-to-know
7.1 Limit access to computing resources and cardholder information to only those individuals whose job requires such access.
7.2 Establish a mechanism for systems with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.

Requirement 9: Restrict physical access to cardholder data
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.
9.7 Maintain strict control over the internal or external distribution of any kind of media that contains cardholder information.
9.8 Ensure management approves all media that is moved from a secured area (especially when media is distributed to individuals).
9.9 Maintain strict control over the storage and accessibility of media that contains cardholder information.
9.10 Destroy media containing cardholder information when it is no longer needed for business or legal reasons.

Requirement 10: Track and monitor all access to network resources and cardholder data
10.2 Implement automated audit trails to reconstruct the following events, for all system components.
10.5 Secure audit trails so they cannot be altered.
10.7 Retain your audit trail history for a period that is consistent with its effective use, as well as legal regulations.

Note that these Payment Card Industry (PCI) Data Security Requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data. Additionally, these security requirements apply to all "system components" ... Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP. Applications include all purchased and custom applications, including internal and external (web) applications.

Family Educational Rights and Privacy Act (FERPA) (Buckley Amendment)
99.1 To which educational agencies or institutions do these regulations apply?
(1) The educational institution provides educational services or instruction, or both, to students; or
(2) The educational agency is authorized to direct and control public elementary or secondary, or postsecondary educational institutions.

99.3 What definitions apply to these regulations?
"Personally identifiable information" includes, but is not limited to:
(a) The student's name;
(b) The name of the student's parent or other family member;
(c) The address of the student or student's family;
(d) A personal identifier, such as the student's social security number or student number;
(e) A list of personal characteristics that would make the student's identity easily traceable; or
(f) Other information that would make the student's identity easily traceable.
(Authority: 20 U.S.C. 1232g)

99.33 What limitations apply to the redisclosure of information?
(1) An educational agency or institution may disclose personally identifiable information from an education record only on the condition that the party to whom the information is disclosed will not disclose the information to any other party without the prior consent of the parent or eligible student.

(2) The officers, employees, and agents of a party that receives information under paragraph (a)(1) of this section may use the information, but only for the purposes for which the disclosure was made.

If this Office determines that a third party improperly rediscloses personally identifiable information from education records in violation of § 99.33(a) of this section, the educational agency or institution may not allow that third party access to personally identifiable information from education records for at least five years.