The Green Sheet Online Edition
April 22, 2013 • Issue 13:04:02
PII is not your mother's PCI
Personally identifiable information (PII) is ubiquitous. One form of PII is credit and debit card information, which falls under the Payment Card Industry (PCI) Data Security Standard (DSS). However, in the world of PII, the PCI DSS is a small and diminishing component.
PII has been described as the first existential crisis of the digital age. This issue spans government, industry, academia, individual and country boundaries.
So why should payment professionals care about PII? Failure to understand the rules and regulations of PII will lead to both civil and criminal penalties. PCI is a component of PII. Globally, over 99 percent of PII is not card data. PII includes any information that can be used to identify an individual in a constructed or deconstructed manner.
This means that even material that has been blinded in one manner or another, but that can be combined with additional information to identify an individual or class of individuals, is considered PII. It is important to note that, from the perspective of most of the world, the protection and regulation of PII is a fundamental human right.
Right to PII protection
The establishment of PII protection as a fundamental right was initially formalized in the United Nations as a direct consequence of the atrocities of World War II. The Universal Declaration of Human Rights was adopted unanimously by the United Nations General Assembly on Dec. 10, 1948.
Article 12 states that, "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, or to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks."
The United States, on the other hand, takes a sectorial view of privacy. A sectorial view means that the government has left it to various industries and other sectors to police themselves. One result of this is, in fact, the PCI DSS and related security standards.
Data in a 'flat' world
It is important to understand that the factor driving responsibility for PII is control of the data, not the method of transmission. There is no distinction in PII responsibility whether the payment is made in a physical, electronic or mobile environment. An interesting caveat here is that the mobile environment has no specific, defined PCI Self-Assessment Questionnaire to date.
Another critical area to consider is the transfer of PII, inclusive of payment information, on a multinational basis. The United States is not considered by the world community to have adequate PII regulations. This has led to a significant and growing concern regarding the ability of PII to be transferred into the United States, as well as accepted from the United States.
This has a direct impact on all merchants who operate in an environment where they accept, store or transmit various categories of PII that originated from outside of the United States.
To operate in the global information economy, PII transfer is a must. To quote economist Thomas Friedman, "the world is flat" (from his book bearing that title), meaning the world is now a level playing field in terms of global commerce.
Many companies have had to spend significant amounts of money to become compliant and certified under one of three mechanisms to avoid being black-balled by the European Union and other sovereign countries.
Differing approaches to PII
There are four major models that various countries utilize as an approach to PII. The United States is novel in its sectorial approach. This approach utilizes enactment of laws and regulations, both public and private, that specifically address particular industry sectors such as financial transactions, credit records, law enforcement and medical records.
The European Union and Canada utilize comprehensive laws that govern the collection, use and dissemination in public and private sectors with an official oversight enforcement agency that remedies past injustices, promotes electronic commerce and ensures consistency with pan-European laws.
Australia utilizes a co-regulatory model that is a variant of the comprehensive model in which industry develops enforcement standards that are overseen by a privacy agency. The final model is a self-regulated model which, for example, is utilized in both the United States and Japan.
In this model, companies adopt or develop a code of practice established by a group or class of companies acting as industry bodies. Drawbacks of this model include how to determine adequacy and how to carry out enforcement. The Online Privacy Alliance acts as a clearinghouse for entities employing this model, examples of which include TRUSTe, BBBOnline and WebTrust.
Rules and regs in place
A brief survey of major areas reveals much activity in the area of PII. For example, in the European Union (27 European countries) a new regulation called the General Data Protection Regulation (GDPR) is slated to harmonize and replace the current EU Directive, which has been in place since the mid-1990s. The GDPR mandates very strong civil financial penalties, as well as criminal penalties for certain failures.
In Australia, the current Privacy Act is under review, and strong recommendations by the Australian Law Review Commission (ALRC) have been made, including that breach reporting becomes a mandated obligation with significant penalty and potential criminal prosecution for failure to report.
These types of increasing penalties as they relate to the appropriate management of PII are present in every region of the globe from Singapore to Korea to Canada to the British Commonwealth to Israel to Argentina and beyond.
Within the United States, multiple laws address the issues of PII at all levels of government, as well as sectorial regulation. Unfortunately, there is no single harmonized federal law that addresses all issues.
Various laws that impact the acquisition, handling, storage and transmittal of PII on the federal level include the Gramm-Leach-Bliley Act of 1999 (GLBA), HIPAA/HITECH 2009, CAN-SPAM Act of 2003, Children's Online Privacy Protection Act of 1998, Fair and Accurate Credit Transactions Act of 2003 (FACTA), Fair Credit Reporting Act of 1970 (FCRA), Telemarketing Sales Rule (TSR), Telephone Consumer Protection Act of 1991, Driver's Privacy Protection Act of 1994, Electronic Communications Privacy Act of 1986, and the Federal Trade Commission Act of 1914, as well as many others on both the federal and state level.
A number of self-regulatory privacy standards in the United States are in effect. These include the PCI DSS, the Direct Marketing Association Privacy Promise, VeriSign and eTrust, Children's Advertising Review Unit guidelines, and the Network Advertising Initiative guidelines.
The sectors covered by these self-policing privacy standards are broad and essentially include every entity that we, as an industry, deal with, for example, any organization that accepts credit or debit cards.
What to do about PII
The only reasonable way to deal with the ever-expanding and changing requirements and regulations is to take an organized approach to the various types and classes of PII that your organization has or might have. Remember, if your organization has customers, vendors or employees of any type, you have PII.
Every organization should ask the following "PII lifecycle" questions to determine its PII legal requirements:
- Who collects, uses and maintains personal information relating to customers, vendors and employees?
- What are the types of personal information, and what are the legal requirements for that data?
- Where is the data stored physically?
- When is the data collected?
- How is the data collected?
- Why is the data collected?
- How is the data removed or destroyed?
- What are the rights granted to the data owners?
Each entity must determine the best methods for staying abreast of relevant PII rules and regulations. Given the limited resources, budgets and in-house expertise of many companies, it might be wise to engage an expert third party to handle these complicated requirements.
PII use is growing globally and has become a central issue in our modern age. There is no jurisdiction that does not impose significant regulations on the acquisition, handling, management and destruction of the various classes of PII. Those who do not recognize this increasing threat to business operations will be severely compromised.
Visa Inc. has advised those involved with PII to consider a breach of PII likely and prepare accordingly: "Identify and establish relationships and/or agreements with key vendors," Visa stated. To download the company's PDF on this subject, visit http://usa.visa.com/download/users/cisp_responding_to_a_data_breach.pdf.
Ross Federgreen, CIPP/US, CIPP/G, CIPP/E, and Fellow, European Privacy Association, is the founder of CSR, the leading provider of global data compliance solutions and expert services that address Payment Card Industry (PCI) standards and personally identifiable information (PII) requirements. Ross can be reached at firstname.lastname@example.org. For more information or assistance in learning about the regulations applicable to you or your merchant customers' business, contact CSR at 866-462-7774 or online at www.csrcorporate.com.