Notes on Class Presentations regarding regulatory frameworks

CCPA

  • Ballot initiative 2017
  • Effective in 2020, and expanded in 2023
  • Protects personal data of Cali residents
    • (Mini GDPR)
  • Right to delete (sometimes)
  • Opt-out of data sale
  • Covers a lot of PII
  • Requires compliance from any for-profit business that makes more than $25 million a year, buys/sells the personal data of 100,000+ CA residents, or makes 50%+ of its revenue from selling resident PII
  • Cali AG office conducts enforcement and issues penalties.
  • Can be challenging for companies to comply with
    • Complex consent requirements, and processing requests.
    • Data inventory is challenging
    • Third-party vendor issues
  • Drawbacks
    • Only for businesses in Cali
    • Excludes govt, nonprofits, and some financial institutions
    • Might be hard to enforce
    • Not going far enough
    • Many loopholes

GLBA & SOX

  • GLBA: Primarily intended to prevent banks from selling data among themselves after mergers.
    • Financial privacy rule
    • Safeguards rule - be able to protect consumer info
    • Pretexting Provisions - take measures to prevent unauthorized access
  • SOX: Prompted by the Enron scandal; creates reporting requirements from execs to shareholders
  • Any financial services company must comply with both
  • GLBA: right to know when your data is being sold, right to opt out, and right to know how your data is protected.
  • SOX:
    • Certification requirements
    • Audit requirements
    • Record keeping and retention requirements
  • GLBA enforced by FTC
  • SEC enforces SOX
  • $10,000 - 100,000 per violation
  • Prison sentence of up to 5 years
  • Can cause delisting from stock exchanges
  • Downsides:
    • Separation of banking
    • Expensive

PCI DSS

  • Payment Card Industry Data Security Standard
    • Secure payment systems & data
    • Includes Amex, Discover, JCB, MasterCard, Visa and UnionPay
  • Applies to entities that store, process, or transmit cardholder data or authentication data, or that could affect the security of the cardholder data environment.
  • Core components
    • Build & maintain secure network
    • Protect cardholder data
    • Vulnerability management program
    • Strong access control
    • Monitor and test networks
    • Maintain information security policy
    • Publish, train, maintain
  • Initiative gained traction from the 90’s to the early 2000’s due to an increase in card fraud. Standards council created in 2004
  • First standard created in 2006, most recently updated in 2018 w/ version 3.2.1
  • Who must comply:
    • Any card transaction business (AKA anyone accepting card payments for their services)
    • Financial institutions that issue cards (banks, airlines, etc.)
    • Any company with access to cardholder data (contractors like IT support, security services, etc.)
    • Service providers that facilitate transactions for clients, and payment processors (think Square, PayPal, etc.)
  • Don’t store cardholder data except when absolutely necessary
  • Strong firewalls and encryption when data in transit
  • Enforcement mechanism:
    • Fines
    • Legal costs
    • Monitoring
    • Reputational damage
    • Transaction fees
  • Massively enhances the security of card payments and standardizes them across the whole ecosystem, but is complex and expensive and tends to lag behind the latest threats