By Ross Federgreen
Each of us in the payments space knows that data protection and regulation are central to all we do. No one in the industry is unfamiliar with the Payment Card Industry (PCI) Data Security Standard (DSS) at this point. Whether or not you agree with it, the truth is that data protection is real, growing and enforced.
In the United States, 46 states and three territories currently have some data protection regulation inclusive of breach reporting. In addition, data regulation is not restricted to credit or debit cards. In fact, the data governed by the PCI DSS is a subset of the growing list of data elements that fall under the concept of personally identifiable information (PII).
From a global perspective, 90 countries have enacted data protection regulation. A number of these countries consider the rules within the United States to be weak; they require special, additional safeguards to allow the transmittal of information from within their borders to the United States.
This is true, for example, in the European Union, which consists of 27 countries. The EU is in the process of replacing the rules that became effective in the mid-1990s with a much stronger and more specific rule set, the proposed European Union Data Regulation Scheme. The proposal, which is expected to pass in the next six to 18 months, carries stringent requirements and penalties for those who fail to follow the rules.
The key broader concept is PII. What is PII? It is any data point that, either by itself or in combination with other specific data elements, can identify an individual. This extends to information that has been anonymized: a record stripped of names can still single out one person once its remaining elements are combined. Remember that big business today is centrally focused on "big data," and that kind of aggregation is exactly what we are talking about.
Some common elements that make up this pool of PII include Social Security number, birth date, driver's license number, bank account and routing numbers and, of course, credit and debit card numbers. Additional PII elements can include health information, information pertaining to criminal activities, photographs, vehicle identification numbers, and a wide array of other elements.
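The claim above that "anonymized" data is still PII when its elements combine is easy to check on a real table. The following is an added example (not part of the original article or of CSR's material) written for this page: it takes an export with names and card numbers already removed, counts how many records share each combination of the remaining quasi-identifiers (birth date, ZIP code, gender), and shows that several records are unique and can be linked to a person by anyone who knows those three facts from another source. It then generalizes the fields (birth year only, three-digit ZIP prefix) and shows the smallest group size rise from 1 to 2, the k of k-anonymity. The records and field names are constructed for the example and are not real people.

```python
"""Quasi-identifier re-identification check (added example, constructed data).

A table with direct identifiers removed is only anonymous if no combination
of the remaining attributes picks out a single record. This script measures
the size of each "equivalence class" (records sharing the same quasi-
identifier values), lists the records that are unique, demonstrates a
linkage attack with externally known attributes, and shows how generalizing
the attributes raises the minimum class size (k-anonymity).
"""
from collections import Counter

# Constructed sample: names and card numbers already stripped, the kind of
# export a team might call "anonymized". Not real people.
RECORDS = [
    {"id": 1, "dob": "1975-03-14", "zip": "02116", "gender": "F", "purchase": "POS terminal"},
    {"id": 2, "dob": "1975-09-22", "zip": "02118", "gender": "F", "purchase": "gateway sub"},
    {"id": 3, "dob": "1981-11-02", "zip": "02118", "gender": "M", "purchase": "POS terminal"},
    {"id": 4, "dob": "1981-01-19", "zip": "02134", "gender": "M", "purchase": "card reader"},
    {"id": 5, "dob": "1990-07-30", "zip": "02116", "gender": "M", "purchase": "gateway sub"},
    {"id": 6, "dob": "1990-07-30", "zip": "02116", "gender": "M", "purchase": "card reader"},
]

# Attributes that are not identifiers on their own but are widely known
# about people (voter rolls, social profiles) and so combine to identify.
QUASI_IDENTIFIERS = ("dob", "zip", "gender")


def _key(record, fields):
    """The tuple of quasi-identifier values for one record."""
    return tuple(record[f] for f in fields)


def equivalence_classes(records, fields):
    """Count how many records share each combination of the given fields."""
    return Counter(_key(r, fields) for r in records)


def unique_records(records, fields):
    """Ids of records whose quasi-identifier combination occurs only once.

    Each of these is re-identifiable by anyone who knows those few facts.
    """
    classes = equivalence_classes(records, fields)
    return [r["id"] for r in records if classes[_key(r, fields)] == 1]


def k_anonymity(records, fields):
    """Smallest equivalence class: the k for which the table is k-anonymous."""
    return min(equivalence_classes(records, fields).values())


def link(records, fields, known):
    """Linkage attack: return the ids matching attributes known from elsewhere."""
    target = tuple(known[f] for f in fields)
    return [r["id"] for r in records if _key(r, fields) == target]


def generalize(record):
    """Coarsen the quasi-identifiers: birth year only, 3-digit ZIP prefix."""
    g = dict(record)
    g["dob"] = record["dob"][:4]
    g["zip"] = record["zip"][:3]
    return g


if __name__ == "__main__":
    outsider_knows = {"dob": "1975-03-14", "zip": "02116", "gender": "F"}
    print("re-identifiable ids:", unique_records(RECORDS, QUASI_IDENTIFIERS))
    print("k before generalization:", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("linkage attack hits:", link(RECORDS, QUASI_IDENTIFIERS, outsider_knows))
    coarse = [generalize(r) for r in RECORDS]
    print("k after generalization:", k_anonymity(coarse, QUASI_IDENTIFIERS))
    print("linkage attack hits after:", link(coarse, QUASI_IDENTIFIERS, generalize(outsider_knows)))
```

In the sample, four of six records are unique on (dob, zip, gender) even though no name or card number is present, and the linkage attack returns exactly one record; after generalizing, every class has at least two members and the same attack returns two candidates. Run against a real export, the "re-identifiable ids" list is the set of rows that remain PII under the definition above and must be protected accordingly.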
Currently, 14 states have enacted laws that impose an obligation to provide security for various types of personally identifiable information. These laws fall into a number of broad areas, which include liability, sanction, responsibility and security measures as minimum standards. In addition to the laws currently on the books, at least another 20 states have bills submitted to address these issues.
The states that currently have laws specifically enacted to impose obligations to provide security include Washington, Oregon, California, Nevada, Utah, Texas, Arkansas, Illinois, Minnesota, Massachusetts, Connecticut, Rhode Island, New Jersey and Maryland.
Remember, these laws are not the PCI DSS. They are in addition to the card brand requirements and carry the weight of law, as opposed to the contractual penalties associated with PCI DSS violations. Thus, a violation of these state laws can bring both criminal sanctions and civil proceedings and penalties.
For example, the New Jersey law is divided into three components. The public laws in question (New Jersey § 56:8-161, 165 and 168) address the issues of definitions relative to security of personal information, regulations concerning security of personal information and unlawful practices and violations.
In the case of Arkansas, the laws are divided into four components: Ark. Code Ann. §4-110-101, 102, 103 and 104(b), which address the concepts of findings and purpose, definitions, and protection of personal information. As one other example, in the state of Utah, the laws are divided into three components: Utah Code Ann. §13-44-102, 201 and 301, which address definitions, protection of personal information and enforcement.
Exploring the California statutes in more detail gives one a perspective on the depth and severity of these various state enactments. For example, per this excerpt from §1798.80, all of the following are considered PII:
(a) An individual's name and address.
(b) Electronic mail address.
(c) Age or date of birth.
(d) Names of children.
(e) Electronic mail or other addresses of children.
(f) Number of children.
(g) The age or gender of children.
(m) Telephone number.
(o) Political party affiliation.
(p) Medical condition.
(q) Drugs, therapies, or medical products or equipment used.
(r) The kind of product the customer purchased, leased or rented.
(s) Real property purchased, leased or rented.
(t) The kind of service provided.
(u) Social Security number.
(v) Bank account number.
(w) Credit card number.
(x) Debit card number.
(y) Bank or investment account, debit card or credit card balance.
(z) Payment history.
(aa) Information pertaining to creditworthiness, assets, income or liabilities.
Under California statute §1798.84, the penalties for civil action can be extreme and have been enforced. Per the following excerpt, these include:
So what does this mean? It simply means that all businesses involved in the collection, storage and transmittal of PII data, inclusive of that covered under the PCI DSS, must, in the broadest sense, be aware of the rules and regulations that affect this behavior and make serious efforts to comply.
At minimum, all organizations should adhere to the following six key defensive elements of the Massachusetts regulation 201 CMR 17.00: designation of a responsible data privacy individual or group, risk assessment, policies and procedures, employee training, restricted access and regular system monitoring. Here is an explanation of each:
Organizations must also oversee all third-party service providers, according to Massachusetts' and federal laws.
Where computer systems exist, here are additional areas that require attention and integration into assessment, policies and procedures: encryption, firewall protection, malware detection and anti-virus software maintenance.
All organizations should consider these requirements to be sound best practices, whether or not specific state laws apply. For additional information and a free, step-by-step guide, please see the CSR white paper titled, Best Practices for Managing Personally Identifiable Information.
Dr. Ross Federgreen, CIPP/US, CIPP/G, CIPP/E, and Fellow, European Privacy Association, is the founder of CSR, the leading provider of global data compliance solutions and expert services that address Payment Card Industry (PCI) standards and personally identifiable information (PII) requirements. Ross can be reached at email@example.com. For more information or assistance in learning about the regulations applicable to you or your merchant customers' business, contact CSR at 866-462-7774 or online at www.csrcorporate.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.