GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

Tablets, smart phones or the cloud for mobile payments?


Industry Update

Global Payments, payments community respond to reported breach

Gift card providers pull out of N.J.

Trade Association News


Seven essential steps for creating a successful social media strategy

Marc Beauchamp
Performance Training Systems

Research Rundown

Mobile payment experts disagree on NFC dominance

Durbin's impact on major banks

Selling Prepaid

Prepaid in brief

Demands of a standardized fee disclosure box

How consumer segmentation leads to success


Has payment fraud become SOP?

Patti Murphy
ProScribes Inc.

ISOs and MLSs: How banking changes will affect you

Brandes Elitch
CrossCheck Inc.


Street SmartsSM:
Lessons for a lifetime

Jeff Fortney
Clearent LLC

Moving mobile payments to the next level

Nicholas Cucci
Network Merchants Inc.

In search of an ethical corporate culture

Dale S. Laszig
Castles Technology Co. Ltd.

The challenge of data breach reporting

Mark Brady

What matters most in a restaurant POS system?

Jerry Cibley
The POS Man

Company Profile

Chargeback Guardian Inc.

New Products

Mobile check deposit

Simply Deposit Mobile
RDM Corp.

Bundling mobile payments

All Inclusive Mobile Merchant (AIMM)
CardWare International, Resource Leasing Co.


Community and the payment pro


10 Years ago in
The Green Sheet


Resource Guide


A Bigger Thing

The Green Sheet Online Edition

April 23, 2012  •  Issue 12:04:02

previous next

The challenge of data breach reporting

By Mark Brady

Very few companies can see a data breach coming. And when a breach occurs, a critical consideration for most is the requirement to file timely reports to a widening variety of authorities. The reporting issue gets more complex as the data sets that must be protected increase. Not filing breach reports in a timely fashion can lead to substantial financial penalties and possibly criminal action.

You might be familiar with the requirement to report loss (or suspicion of loss) of credit card information to the card companies within 72 hours.

But there are many other types of sensitive data that must be protected and that are often stored with credit card data, including Social Security numbers, driver's license numbers, birth dates and bank account information.

Additionally, reporting requirements vary. Loss of patient medical information, for instance, must be reported to the U.S. Department of Health and Human Services (HSS) immediately. Massachusetts requires reporting to the Bureau of Consumer Affairs, New Jersey to the State Police.

Some states require reporting to their respective attorneys general if 1,000 or more citizens will be notified of a breach. Several states require reporting to credit bureaus. New York and North Carolina have specific reporting forms to be used in the event of a breach.

Recently, a satchel fell off the motorcycle of a merchant en route to the bank to make a deposit. Not only did it contain credit card receipts (with nontruncated account numbers), but it also held medical liability release forms with dates of birth, Social Security numbers and health histories, along with customer names, addresses and checks.

Without complete and timely reporting to the proper authorities, this incident could have resulted in costs of over $50,000 to the merchant.

The definition of PII is expanding

Also, the definition of personally identifiable information (PII) continues to expand. According to the National Institute for Standards and Technology, PII is "any information about an individual including (1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information." In 2011, the California Supreme Court ruled that ZIP codes requested at the POS are PII, except for fuel transactions. In addition, Massachusetts now requires all vendors of companies storing data of Massachusetts residents to be contractually required to protect PII.

This law exemplifies the growing complexity and difficulty in filing reports to the appropriate authorities. I predict the Massachusetts regulation will likely drive similar laws in other states, as well as new federal data breach laws.

Reporting requirements abound

In this day of global interaction, organizations need to plan for the inevitable breach of sensitive information. Business planning means preparedness that spans the scope of data handling and breach reporting in order to stay current with state and federal regulations. The list of regulatory bodies requiring reporting is long and growing. Each has its own specific data breach reporting requirements.

The Payment Card Industry Data Security Standard is well known to the payments community for providing rules about the handling of credit card information. In addition, the FBI, Secret Service, HSS, state attorneys general, and the Federal Trade Commission are several of the agencies and law enforcement organizations to be considered when data is lost.

Add to that each of 46 states with breach notification laws on the books. (Alabama, Kentucky, New Mexico and South Dakota have no breach notification laws to date.)

Federal legislation that covers children, seniors, patients and consumers all weigh in with additional reporting stipulations, including the:

More legislation is in the pipeline

In addition, three bills have passed through the Senate Judiciary Committee. Here is a brief summary of the bills:

Passage of any of these bills in the House is unlikely prior to the November election, given the fractious environment on Capitol Hill.

It pays to stay informed

In updating our databases on the most current data breach law, we depend on a wide variety of resources like the International Association of Privacy Professionals for the latest in regulations, as well as notices of new state offices and departments that require reporting.

The average merchant doesn't have the time to research reporting requirements when a breach occurs.

As you've heard before, it's not a matter of if, but when, a company will lose sensitive data. Determining whom to report to, what information requires reporting and in what time frame can be overwhelming. Fulfilling these reporting requirements when a company needs to focus on investigation and remediation of the data breach is not the top priority after a compromise.

Make the conscious business decision to educate yourself and choose a partner you trust who stays current with the latest data breach reporting legislation. Be prepared; keep your merchants prepared as well.

Mark Brady, Director of Compliance at CSR, holds professional certifications from the International Association of Privacy Professionals and the Project Management Institute. He can be reached at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Simpay | USAePay | Impact Paysystems | Board Studios