Compliance
Securing web-based user data is the single largest security concern of WhippleHill. Our commitment to ensuring compliance compels us to seek areas where compliance is mandated (regionally, nationally and internationally) and partner with vendors who place equal importance on the security of their systems.
PCI DSS: The Payment Card Industry Data Security Standard
  • PCI DSS is an information security standard aimed at protecting cardholder data, data integrity and network security from increased fraud and compromise risks.
  • Cardholder Data consists of: Account Number, Expiration Date, Service Code or full magnetic stripe data.
  • PCI compliance applies to any and all parties that touch credit card data.
  • The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

  1. Build and Maintain a Secure Network
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor & Test Networks
  6. Maintain an Information Security Policy

  • The PCI DSS offers a single approach to safeguarding sensitive data for all card brands as well as common sense steps that mirror best security practices.
  • The PCI DSS was created in 2004 by the major card brands such as Visa, MasterCard, Discover, and AMEX. At their acquiring bank's discretion, merchants that do not comply with PCI DSS may be subject to heavy fines, forensic audits, card brand damage, etc., if a breach were to occur. Quite simply, the risk is too great not to be compliant.
MA 201 CMR 17.00 Privacy Law
  • The official name of the new data protection regulations is 201 CMR 17.00.
  • The Massachusetts General Law Chapter 93H and its new regulations 201 CMR 17.00 require that any companies or persons who store or use personal information about a Massachusetts resident develop a written, regularly audited plan to protect personal information.
  • Companies are required to “self audit” by performing a risk assessment, identifying and implementing data security controls, and remediating any compliance shortfalls.
  • Both electronic and paper records will need to comply with the new law.
  • The regulations went into effect on March 1, 2010.
FACTA: The Fair and Accurate Rights and Privacy Act
  • FACTA is a United States federal law passed by the Government in 2003 to help fight identity theft.
  • The law provides for consumers to request and obtain an annual credit report free of charge.
  • FACTA establishes new regulations concerning 'fraud alerts' and 'active duty alerts'.
  • FACTA states that point of sale credit and debit card receipts may show no more than the last 5 digits of the account number and may not show the credit card expiration date.
  • FACTA created and enforces strict guidelines for the disposal of consumer information on hard copy
  • This includes information used to establish eligibility for credit, insurance, or employment. The Disposal Rule was developed to cut down on identity theft by restricting the ability of thieves to “dumpster dive” for consumer information contained in discarded business records.
  • The main difference between FACTA and other security laws such as HIPAA and Gramm-Leach-Bliley is that it is not limited to a single industry; it affects every business in America.
GLBA: The Gramm-Leach-Bliley Act
  • GLBA is also known as the Financial Services Modernization Act (Federal Law) of 1999.
  • GLBA states that financial institutions must provide their clients a privacy notice that explains what information the company gathers about the client, where this information is shared, and how the company safeguards that information. This privacy notice must be given to the client prior to entering into an agreement to do business. The privacy notice must also explain to the customer the opportunity to ‘opt-out’. Opting out means that the client can say "no" to allowing their information to be shared with affiliated parties.
  • To be GLBA compliant, organizations must develop, implement, and enforce a comprehensive information security program including administrative, technical, and physical safeguards as determined appropriate for the institution and data.
  • In addition to developing their own safeguards, organizations are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.
FERPA: The Family Educational Rights and Privacy Act
  • FERPA is a federal law that protects the privacy of student education records.
  • The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
  • FERPA gives parents certain rights with respect to their child's education records. The rights are valid until the child turns 18.
  • Parents are given the right to inspect and review the student's education records kept by the school.
  • Parents or eligible students have the right to request that school records they deem inaccurate or misleading be amended.
  • Schools must have written permission from the parent or eligible student in order to release any information from a student’s record.

FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions:

  • School officials with legitimate educational interest;
  • Other schools to which a student is transferring;
  • Specified officials for audit or evaluation purposes;
  • Appropriate parties in connection with financial aid to a student;
  • Organizations conducting certain studies for or on behalf of the school;
  • Accrediting organizations;
  • To comply with a judicial order or lawfully issued subpoena; 
  • Appropriate officials in cases of health and safety emergencies; and
  • State and local authorities, within a juvenile justice system, pursuant to specific State law.

Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.

SAFE HARBOR: US-EU Directive for the Protection of Personal Data
  • Intended for organizations within the EU or US that store customer data, the Safe Harbor Principles are designed to prevent accidental information disclosure or loss.
  • The process was developed by the US Department of Commerce in consultation with the EU. The following are examples of the Safe Harbor Principles:
  • SECURITY: Organizations creating, maintaining, using or disseminating personal information must take reasonable measures to assure its reliability for its intended use and reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.
  • DATA INTEGRITY: Consistent with these principles, an organization may only process personal information relevant to the purposes for which it has been gathered. To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is accurate, complete, and current.
  • ACCESS: Individuals must have [reasonable] access to personal information about them that an organization holds and be able to correct or amend that information where it is inaccurate.
  • Effective privacy protection must include mechanisms for assuring compliance with the safe harbor principles, recourse for individuals to whom the data relate who are affected by non-compliance with the principles, and consequences for the organization when the principles are not followed.
  • Complaints are mediated through an independent third party.
PIPA: Personal Information Protection Act
  • PIPA governs the collection, use, disclosure, retention and protection of personal information by private sector organizations in Canada, including the personal information of employees.
  • Enacted on January 1, 2004, PIPA requires all private sector organizations in British Columbia to comply with rules respecting:

  1. What personal information can be collected from individuals (including customers, clients and employees);
  2. When consent is required to collect personal information and how consent is obtained;
  3. What notice must be provided before personal information is collected, and
  4. How personal information may be used or disclosed.

  • Alberta has also enacted similar legislation.
  • The general provisions of PIPA regarding personal information apply to personal employee information, including an employee’s right to request access to his or her personal information held by the employer and to learn how that information has been used and to whom it has been disclosed.
  • Employees may also ask an organization to correct personal information they believe is inaccurate.
PIPEDA: Personal Information Protection and Electronic Documents Act
  • PIPEDA is a law relating to data privacy. It governs how private-sector organizations collect, use and disclose personal information in the course of commercial business.
  • PIPEDA was also intended to reassure the European Union that the Canadian privacy law was adequate to protect the personal information of European citizens.
  • "Personal Information", as specified in PIPEDA, is as follows: "information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization." The law gives individuals the right to:

  1. know why an organization collects, uses or discloses their personal information;
  2. expect an organization to collect, use or disclose their personal information reasonably and appropriately, and not use the information for any purpose other than that to which they have consented;
  3. know who in the organization is responsible for protecting their personal information;
  4. expect an organization to protect their personal information by taking appropriate security measures;
  5. expect the personal information an organization holds about them to be accurate, complete and up-to-date;
  6. obtain access to their personal information and ask for corrections if necessary; and
  7. complain about how an organization handles their personal information if they feel their privacy rights have not been respected.

  • The law requires organizations to

  1. obtain consent when they collect, use or disclose an individual's personal information;
  2. supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of their personal information, unless that information is essential to the transaction;
  3. collect information by fair and lawful means; and
  4. have personal information policies that are clear, understandable and readily available.
WhippleHill Communications Inc.