Credit and Debit Cards

There are several industries for which either laws or contractual standards specify actions that must be taken in the event of a breach or loss of private information. State legislatures and Congress have also passed statutes criminalizing particular types of computer activity.

Credit and Debit Cards

Banks, payment processors, retailers, and other organizations that accept payment via credit or debit cards carrying the Visa, MasterCard, Discover, American Express, or JCB International brands are subject to the Payment Card Industry Data Security Standard (PCI DSS). Compliance with PCI DSS is not required under federal law or the laws of most states, although Minnesota, Nevada, and Washington have enacted statutes that incorporate a version of the standard (Hemphill & Longstreet, 2016). The obligation is otherwise contractual: it flows from the card brands through the acquiring banks to every merchant and service provider that handles card data. Failure to comply can result in contractually based fines of $5,000 to $10,000 per month, and repeated noncompliance can result in revocation of the ability to accept or process card payments (Hemphill & Longstreet, 2016). The threat of lost revenue is believed to be a sufficient motivator for compliance, without need for formal government regulation.

These self-regulating industry standards are designed to “enhance the security of cardholder data and is required when cardholder data or authentication data are stored, processed or transmitted” (Ukidve, Mantha, & Tadvalkar, 2017). The standards are developed and maintained by an international nongovernmental body, the Payment Card Industry Security Standards Council (PCI SSC), based in Wakefield, Massachusetts (PCI SSC, n.d.). Enforcement, including the assessment of fines, is carried out not by the Council but by the individual card brands and the acquiring banks that contract with merchants.

The standards address the three classic security properties: confidentiality, integrity, and availability. Confidentiality protects each card’s data from being viewed by or disclosed to unauthorized persons or organizations (Ukidve, Mantha, & Tadvalkar, 2017). Integrity protects card data from unauthorized alteration (Ukidve, Mantha, & Tadvalkar, 2017). Availability ensures that card data and the systems that process it remain accessible to authorized users and network systems when they are needed (Ukidve, Mantha, & Tadvalkar, 2017). A denial-of-service attack on a payment gateway, for example, violates availability even though no data is disclosed or altered.

The PCI DSS requires organizations processing 6 million or more card transactions annually (the card brands’ highest merchant level) to undergo an annual on-site assessment by an external Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC) (Ukidve, Mantha, & Tadvalkar, 2017). Organizations with fewer transactions instead complete an annual Self-Assessment Questionnaire (SAQ) and must have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV) (Ukidve, Mantha, & Tadvalkar, 2017). The quarterly ASV scans apply at every level; the transaction threshold determines only whether an independent assessor or the organization itself attests to compliance. Which SAQ applies, and how much of the standard it covers, depends on how the organization handles card data: a merchant that fully outsources payment processing to a validated third party answers far fewer questions than one that stores cardholder data on its own systems.

Specific requirements for equipment, data security, and encryption are included in the PCI DSS (PCI SSC, n.d.). At the time of writing, the current version was PCI DSS v3.2, issued in 2016 (PCI SSC, 2016); the standard is revised periodically, so practitioners should confirm the version in force and its transition deadlines before scoping an assessment. When attempting to steal data from a retail transaction, criminals have three areas to attack: the client system (the point-of-sale terminal or the customer’s browser), the server handling the transaction, or the communication channel between them (Hemphill & Longstreet, 2016). Each of these points of the transaction is subject to PCI DSS scrutiny.

In the event of a breach, Requirement 12 of the PCI DSS requires the organization to have an incident response plan in place, ready to be executed immediately, to contain the damage and restore the security of the system (PCI SSC, 2016). The standard itself does not require notifying consumers whose data may have been stolen; the closest provision is Requirement 12.10.1, which requires that the plan include an “analysis of legal requirements for reporting compromises” (PCI SSC, 2016). Consumer notification therefore depends on state breach-notification statutes rather than on PCI DSS; by 2018 every US state had enacted such a statute. Separately, the card brands’ operating rules do oblige a compromised merchant or service provider to notify its acquirer and the brands promptly, so that exposed account numbers can be monitored or reissued. Many organizations also notify the public or potentially affected customers voluntarily, as a measure of goodwill and an effort to mitigate damage.

Electric Utility Companies

The Energy Policy Act of 2005 added section 215 to the Federal Power Act, authorizing the Federal Energy Regulatory Commission (FERC) to certify an Electric Reliability Organization and to approve and enforce mandatory reliability standards for the bulk power system in the United States (Travis, 2012). The North American Electric Reliability Corporation (NERC) is that organization: a nongovernmental body of the electric utility industry covering the continental United States, Canada, and the northern portion of Baja California, Mexico (NERC, 2017). Additionally, the Critical Infrastructure Information Act of 2002 protects critical infrastructure information that private owners voluntarily submit to the federal government from public disclosure. NERC’s own guidance defines the related category of “sensitive information” as “any data or information that could be used to select or gain information about a potential electricity sector critical infrastructure target by those intending to damage facilities, disrupt operations, or harm individuals” (NERC, n.d.).

NERC creates, monitors, and enforces standards throughout the industry to maintain the reliability of the bulk power system. NERC’s Critical Infrastructure Protection (CIP) standards include provisions related to the cybersecurity of utility plants and of the supervisory control and data acquisition (SCADA) systems they use to control generation and power distribution (Schumard & Schneider, 2014). FERC has approved the CIP standards and made compliance mandatory for US users, owners, and operators of the bulk power system, thus giving these standards the force of law (Stanton, 2017).

CIP-005 requires each responsible entity to define an Electronic Security Perimeter around its critical cyber assets and to control, monitor, and log every electronic access point into that perimeter; the language Carpentier (2012, p. 30) quotes about maintaining and testing “all transmission and generation protection systems to ensure that they are reliable and secure” describes the separate PRC-005 protection-system maintenance standard rather than CIP-005. CIP-007 addresses system security management, requiring member organizations to “define methods, processes, and procedures for securing critical cyber assets” (Carpentier, 2012, p. 31), including patch management, malware protection, security event logging, and account management for those assets. Violations of CIP standards are punishable by fines of up to $1 million per violation per day (Stanton, 2017). Violations of the cybersecurity-related standards are the most common (Stanton, 2017).

Publicly Traded Corporations

The Sarbanes-Oxley (SOX) Act was passed in 2002. It applies to publicly traded corporations and requires their officers to certify the accuracy of financial reports and to maintain and assess internal controls over financial reporting, which in turn requires public disclosure of material operational and financial risks (Sayre, 2016). Cybersecurity represents both an operational risk and a threat to the reliability of financial data reported to the US Securities and Exchange Commission (SEC) and the public: an attacker who can alter the systems that feed the general ledger can alter the numbers the company certifies.

Exercising its authority over registrants’ disclosures, the SEC has issued guidance on publicly traded corporations’ “disclosure obligations relating to cybersecurity risks and cyber incidents” (SEC, 2011). In CF Disclosure Guidance: Topic No. 2, the SEC (2011) noted:

Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.

 

It should be noted that the SEC’s guidance makes clear that a mere mention of a potential risk or actual incident in a corporation’s report is not sufficient. Details must be provided as to actual or potential consequences within what the SEC calls Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A) (SEC, 2011). If intellectual property or data is stolen in a breach, estimates of actual or projected losses must also be explained (SEC, 2011). Likewise, if a cyber incident results in litigation, this must be disclosed, along with the facts underlying the suit and the relief sought (SEC, 2011). The 2011 document was staff-level guidance; the Commission has since supplemented it with interpretive guidance in 2018 and, in 2023, with rules that require a registrant to disclose a material cybersecurity incident on Form 8-K within four business days of determining that it is material, and to describe its cybersecurity risk management and governance in its annual report.

Cyber incidents must also be considered in the preparation of financial disclosures, including financial statements and balance sheets. The SEC (2011) notes:

 

Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory. Registrants may not immediately know the impact of a cyber incident and may be required to develop estimates to account for the various financial implications. Registrants should subsequently reassess the assumptions that underlie the estimates made in preparing the financial statements. A registrant must explain any risk or uncertainty of a reasonably possible change in its estimates in the near-term that would be material to the financial statements. Examples of estimates that may be affected by cyber incidents include estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred revenue.

 

Violation of SOX can result in civil and criminal penalties for the corporation and its officers.

 

Health Care Industry

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) authorized the Secretary of Health and Human Services (HHS) to issue regulations on the privacy and security of patient data. The Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”) and the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) were issued by HHS to meet this mandate (HHS, n.d.). The Security Rule and Privacy Rule apply to “health plans, health care clearinghouses, and to any healthcare provider who transmits health information in electronic form” (HHS, n.d.). Subsequently, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 extended the Security and Privacy Rules to the “business associates” of those covered entities, meaning vendors such as billing services, cloud hosting providers, and software-as-a-service firms that handle protected health information on a covered entity’s behalf (HHS, n.d.).

Requirements for securing patient health data under HIPAA and HITECH include ongoing risk analysis of cyber threats; audit logging and review of user activity; encryption of stored data and of data in transit; and network and system integrity controls (McMillan, 2011). Encryption is an “addressable” rather than “required” specification under the Security Rule, but it matters greatly after an incident: protected health information that was encrypted in a manner consistent with HHS guidance is treated as unreadable, and its loss is not a reportable breach. In the event of a breach of unsecured data, the covered entity must notify each affected individual without unreasonable delay and no later than 60 days after discovery; if 500 or more individuals are affected, it must also notify HHS within the same period and, when 500 or more residents of a state are affected, prominent media outlets serving that state (McMillan, 2011, p. 122). Breaches affecting fewer than 500 individuals are logged and reported to HHS annually. McMillan (2011) describes a “significant harm” threshold for patient notification; the 2013 HIPAA Omnibus Rule replaced it with a presumption that any impermissible use or disclosure is a breach unless the entity documents, through a risk assessment, a low probability that the information was compromised. Most states have statutes that expand the requirements for notification in the event of breach (McMillan, 2011).

Violations of HIPAA and HITECH standards can result in civil monetary penalties and criminal prosecution, corrective action plans with increased government oversight, loss of licensure or accreditation, and lawsuits by patients. HIPAA itself creates no private right of action, so patient suits proceed under state negligence, privacy, or consumer-protection law, often using the HIPAA rules as the standard of care.

Criminal Codes

There are several provisions in federal law that specify criminal sanctions for various types of cyber activity. The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, was enacted in 1984 to criminalize “important federal interest computer crimes—those relating to national security secrets, certain financial institutions, and government-owned and -operated computers” (Dosh, 2014, p. 902). It has been amended and expanded several times since to match the widespread use of computers, cell phones, and smart devices throughout society and business (Dosh, 2014). Currently, the CFAA protects “any computer used by a financial institution, by the United States government, or by any computer used in or affecting foreign and interstate commerce and communications” (Dosh, 2014, p. 903). Because almost any Internet-connected device is “used in or affecting” interstate commerce, this definition of a “protected computer” reaches hundreds of millions of electronic devices in the United States.

Crimes prohibited by the CFAA include theft of national security secrets, unauthorized access to computer systems to obtain private information, unauthorized access to a computer system to defraud for a gain of $5,000 or more, unauthorized dissemination of trade secrets, unauthorized use of a computer system, hacking, trafficking in passwords, and computer-based extortion schemes (Usnick & Usnick, 2016). Criminal penalties under § 1030(c) range from misdemeanors carrying up to one year of imprisonment to felonies carrying up to 10 or 20 years, and up to life imprisonment where a violation knowingly or recklessly causes death; fines are those authorized under Title 18 generally (CFAA, 18 U.S.C. § 1030). Violations of the CFAA also can result in civil lawsuits from victims: “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief” (CFAA, 18 U.S.C. § 1030(g)). The civil remedy is available only where the conduct caused one of the harms listed in the statute, most commonly at least $5,000 in aggregate loss within a one-year period. Security practitioners should also note that in Van Buren v. United States (2021) the Supreme Court held that a person “exceeds authorized access” under the CFAA only by obtaining information from areas of a computer that are off-limits to them, not by misusing information they were entitled to access, which narrowed the statute’s reach over terms-of-service and acceptable-use violations.

Each state also has statutes that criminalize certain cyber behaviors. Most crimes in the United States are prosecuted by state and local authorities. The National Conference of State Legislatures (NCSL) has a website that serves as a gateway to information on statutes within specific states and legal trends among the states. Links to information concerning regulation of the Internet and Internet crimes by states can be found on the NCSL’s “Telecommunications and Information Technology” webpage.

 
