United States Breach Notification Laws

All 50 US states have enacted breach notification laws (see https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx). There have been attempts at passing a general federal breach notification law in the United States, but these efforts have been unsuccessful thus far. Although it would be impossible to make blanket statements that would apply to all the various state laws, there are some themes common to quite a few of the state laws that are quickly being adopted by organizations concerned with adhering to best practices.

The purpose of breach notification laws is typically to notify the affected parties when their personal data has been compromised. One issue that frequently comes up in these laws is what constitutes a notification-worthy breach. Many laws contain clauses stipulating that the business must notify the affected parties only if there is evidence to reasonably assume that their personal data will be used maliciously.

Another issue found in some of the state laws is a safe harbor for data that was encrypted at the time of compromise. This safe harbor can be a strong impetus for organizations to encrypt data that otherwise might not be subject to a regulatory or other legal requirement for encryption. Breach notification laws are certainly here to stay, and a federal law seems quite likely in the near future. Many organizations in both the US and abroad consider encryption of confidential data to be a due diligence issue even if no specific breach notification law is in force within the organization’s particular jurisdiction.

Ethics

Ethics is doing what is morally right. The Hippocratic Oath, taken by doctors, is an example of a code of ethics.

Ethics are of paramount concern for information security professionals: we are often trusted with highly sensitive information, and our employers, clients, and customers must know that we will treat their information ethically.

Digital information also raises ethical issues. Imagine that your DNA were sequenced and stored in a database. That database could tell you whether you were predisposed to suffer certain genetic illnesses, such as Huntington’s disease. Then imagine insurance companies using that database to deny coverage today because you are likely to have the disease in the future.

The (ISC)² Code of Ethics

The (ISC)² Code of Ethics is the most testable code of ethics on the exam. That’s fair: you cannot become a CISSP® without agreeing to the code of ethics (among other steps); so it is reasonable to expect new CISSPs® to understand what they are agreeing to.

Note:
Download the (ISC)² Code of Ethics at https://www.isc2.org/Ethics and study it carefully. You must understand the entire code, not just the details covered in this book.

The (ISC)² Code of Ethics includes the preamble, canons, and guidance. The preamble is the introduction to the code. The canons are mandatory: you must follow them to become (and remain) a CISSP®. The guidance is “advisory” (not mandatory): it provides supporting information for the canons.

The code of ethics preamble and canons are quoted here: “Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.”

The canons are the following:

  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

The canons are applied in order: when faced with an ethical dilemma, you must follow them in the order listed. In other words, it is more important to protect society than to advance and protect the profession.

This order makes sense. For example, the South African system of Apartheid (racial segregation) was legal, but unethical. The canons address such issues in an unambiguous fashion.