Here are some laws that come up frequently in technology conversations and that also appear most often in questions on security exams.


  • Broadly stated, the purpose of the Privacy Act is to balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from federal agencies’ collection, maintenance, use, and disclosure of personal information about them.  The historical context of the Act is important for understanding its remedial purposes.  In 1974, Congress was concerned with curbing the illegal surveillance and investigation of individuals by federal agencies that had been exposed during the Watergate scandal.  It was also concerned with potential abuses presented by the government’s increasing use of computers to store and retrieve personal data by means of a universal identifier – such as an individual’s social security number.  The Act focuses on four basic policy objectives:
      • To restrict disclosure of personally identifiable records maintained by agencies.
      • To grant individuals increased rights of access to agency records maintained on themselves.
      • To grant individuals the right to seek amendment of agency records maintained on themselves upon a showing that the records are not accurate, relevant, timely, or complete.
      • To establish a code of “fair information practices” that requires agencies to comply with statutory norms for collection, maintenance, and dissemination of records.

US DMCA Digital Millennium Copyright Act 1998, Pub. L. 105-304

  • The Digital Millennium Copyright Act (DMCA) is a United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO). It criminalizes production and dissemination of technology, devices, or services intended to circumvent measures (commonly known as digital rights management or DRM) that control access to copyrighted works. It also criminalizes the act of circumventing an access control, whether or not there is an actual infringement of copyright itself. In addition, the DMCA heightens the penalties for copyright infringement on the Internet. DMCA amended Title 17 of the United States Code to extend the reach of copyright while limiting the liability of the providers of online services for copyright infringement by their users.
  • The DMCA's principal innovation in the field of copyright is the exemption from direct and indirect liability of Internet service providers and other intermediaries. This exemption was adopted by the European Union in the Electronic Commerce Directive 2000. The Copyright Directive 2001 implemented the 1996 WIPO Copyright Treaty in the EU.

US Gramm‐Leach‐Bliley Act 1999

  • The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999 and commonly pronounced “glibba” (Pub. L. 106–102, 113 Stat. 1338, enacted November 12, 1999), is an act of the 106th United States Congress (1999–2001). It repealed part of the Glass–Steagall Act of 1933, removing barriers in the market among banking companies, securities companies, and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company. With the bipartisan passage of the Gramm–Leach–Bliley Act, commercial banks, investment banks, securities firms, and insurance companies were allowed to consolidate. Furthermore, it failed to give to the SEC or any other financial regulatory agency the authority to regulate large investment bank holding companies. The legislation was signed into law by President Bill Clinton.
  • A year before the law was passed, Citicorp, a commercial bank holding company, merged with the insurance company Travelers Group in 1998 to form the conglomerate Citigroup, a corporation combining banking, securities, and insurance services under a house of brands that included Citibank, Smith Barney, Primerica, and Travelers. Because this merger was a violation of the Glass–Steagall Act and the Bank Holding Company Act of 1956, the Federal Reserve gave Citigroup a temporary waiver in September 1998. Less than a year later, GLBA was passed to legalize these types of mergers on a permanent basis. The law also repealed Glass–Steagall's conflict of interest prohibitions "against simultaneous service by any officer, director, or employee of a securities firm as an officer, director, or employee of any member bank".

US Computer Security Act of 1987 replaced by FISMA 2002

  • The Computer Security Law of 1987, Public Law No. 100-235 (H.R. 145), (Jan. 8, 1988), was passed by the United States Congress. It was passed to improve the security and privacy of sensitive information in federal computer systems and to establish minimum acceptable security practices for such systems. It requires the creation of computer security plans and the appropriate training of system users or owners where the systems house sensitive information.
  • It was repealed by the Federal Information Security Management Act of 2002, SEC. 305. (a)

US HIPAA (Health Insurance Portability and Accountability Act of 1996)

  • United States legislation that provides data privacy and security provisions for safeguarding medical information. The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

    A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being. The Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.

US Foreign Corrupt Practices Act 1977

  • The purpose of the Foreign Corrupt Practices Act (FCPA) is to make it illegal for companies and their supervisors to influence anyone with any personal payments or rewards. The FCPA applies to any person who has a certain degree of connection to the United States and engages in foreign corrupt practices. The Act also applies to any act by U.S. businesses, foreign corporations trading securities in the U.S., American nationals, citizens, and residents acting in furtherance of a foreign corrupt practice whether or not they are physically present in the U.S. This is considered the nationality principle of the act. Whenever businesses decide to follow the unethical road, there are consequences including high financial penalties. Any individuals that are involved in those activities may face prison time. This act was passed to make it unlawful for certain classes of persons and entities to make payments to foreign government officials to assist in obtaining or retaining business. In the case of foreign natural and legal persons, the Act covers their deeds if they are in the U.S. at the time of the corrupt conduct. This is considered the protective principle of the act. Further, the Act governs not only payments to foreign officials, candidates, and parties, but any other recipient if part of the bribe is ultimately attributable to a foreign official, candidate, or party. These payments are not restricted to monetary forms and may include anything of value.
  • When looking at the outcome of the law, it appears to have a positive effect. The growth of American MNCs in the last few years confirms that bribery is not a basic fact of business in many countries, but it doesn't mean that bribery doesn't exist. Even though government and companies have taken important steps, much more needs to be done because bribery continues to be a problem in many countries. Companies engaging in M&A in emerging markets face a uniquely increased level of regulatory and corruption risk.