Security and Privacy for Businesses

Many of the following links are to "foreign" web sites, which are not actually part of our site and not under our control. Clicking on any of these links will open the selected item in a new browser tab or window (if your browser allows). 

After visiting the linked item, you can return here at any time by closing the new browser tab or window that was created when you clicked the link. (If your browser settings do not allow us to create a new tab/window, you will have to use the "back arrow" to return here.)

Data Breach Notification & Response

Data Breach Notification Laws - The legal requirements for reporting and reacting to data breaches vary by state. This link will take you to the National Conference of State Legislatures, which has links to legislation relevant for each state.

DHS Privacy Incident Handling Guidance - The Department of Homeland Security provides some guidance to help you plan your responses to an incident. This document can assist you in establishing policies and procedures in order to handle a breach in accordance with legal requirements.

Data Disposal Laws - Laws relevant to disposal of any data containing "private" or "sensitive" information. This applies to any paper, electronic, photographic, or other media that contains private data. 

Medical Privacy

Health Information Technology for Economic and Clinical Health (HITECH) Act - Rules and regulations regarding the storage, transmission, and dissemination of medical information.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) - Rules and regulations pertaining to protection and handling of private health information, including disclosure requirements for breaches. Establishes standards for Privacy of Individually Identifiable Health Information.

Health Privacy Project (Georgetown University Center for Democracy and Technology) - Considerations for privacy of health data.

HIPAA Basics: Medical Privacy (Privacy Rights Clearinghouse) - Consumer-oriented considerations for health related privacy issues.

Financial Privacy

Financial Privacy Resources (Privacy Rights Clearinghouse)

Paying by Credit Card or Check: What Can Merchants Ask? - Know your rights! There are rules regarding what personal data companies are allowed to collect.

Marketing (Unwanted Communications)

CAN-SPAM Act - a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.

Unsolicited Commercial Email Legislation - State Laws Relating to Unsolicited Commercial or Bulk E-mail (SPAM)

Coalition Against Unwanted Commercial E-Mail - CAUCE provides information and resources for defending the interests of all users in the areas of privacy and abuse in all its forms on the Internet.

Direct Marketing Association Telephone, Mail & E-Mail Preference Services - opt out of unwanted marketing email

National Do-Not-Call Registry - Add your telephone numbers to the "do not call" list to avoid unwanted marketing cold-calls

Privacy Impact Assessment Information

Department of Homeland Security PIA - Privacy Impact Assessment (PIA) is a decision tool used by DHS to identify and mitigate privacy risks

Privacy Impact Assessment Template (Word) - (Dept. of the Interior)

Federal E-Government Act of 2002 - (Office of Management and Budget) Privacy protections when Americans interact with their government

Census Bureau PIA

Securities and Exchange Commission PIA & template documents - Evaluate privacy risks and develop mitigation strategies, consistent with requirements of the Privacy Act of 1974, as amended, the E-Government Act of 2002, and other Federal privacy laws, regulations, standards, and guidance.

Information Sharing and Analysis Centers (ISACs)

Electricity Sector - serves as the primary security communications channel for the electricity sector and enhances the ability of the sector to prepare for and respond to cyber and physical threats, vulnerabilities and incidents.

Emergency Management and Response - support emergency responder health and safety and help fire departments prepare for and respond to fire, natural disasters, non-fire emergencies, and other threats and vulnerabilities.

Financial Services - forum for collaboration on critical security threats facing the global financial services sector

Multi-State - focal point for cyber threat prevention, protection, response and recovery for the nation's state, local, tribal, and territorial (SLTT) governments

Real Estate - Public-private partnership between the U.S. real estate industry and the federal government to counter terrorism and protect buildings and the people who occupy them.

Surface Transportation - Provides a trusted electronic capability for the membership to exchange and share information on cyber, physical, and all threats in order to defend critical infrastructure.

Telecommunications - monitors national and international incidents and events that may impact emergency communications. Incidents include not only acts of terrorism, but also natural events such as tornadoes, floods, hurricanes and earthquakes. In cases of emergency, NCC Watch leads emergency communications response and recovery efforts

Water - Inform drinking water and wastewater utility managers about potential risks to the nation's water infrastructure from contamination, terrorism and cyber threats and provide information to help utilities respond to and recover from all hazards.

National Council of ISACs - Members of the National Council of ISACs

Privacy and Security Basics

Privacy Manager's Resource Center (Better Business Bureau)

Protecting Personal Information: A Guide for Business (FTC)

Fair Information Practice Principles (FTC)

Privacy Statement Generator (OECD) - online educational tool to provide guidance on conducting an internal review of existing personal data practices and on developing a privacy policy statement.

Privacy & Personal Information Basics (Procter & Gamble)

Key Components of Information Security (