The Green Sheet Online Edition
June 27, 2016 • Issue 16:06:02
Think PII, not just PCI
Readers of this magazine are more than familiar with the types of information addressed by the Payment Card Industry Data Security Standard (PCI DSS) and related standards, often referred to collectively as PCI. Attention, however, must also be paid to the broader category of personally identifiable information (PII), of which card data is only one part.
What is PII?
PII is any information that can be used, on its own or in combination with other data, to identify an individual. Loss or exposure of this information can lead to identity theft and fraud. In other parts of the world the same category is called personal data or personal information. Types of personal information include a person's name; physical and email addresses; phone number; birth date; national identification (such as Social Security), driver's license and bank account numbers; and credit or debit card information.
Other PII includes health information, medical records, vehicle identification numbers, license plate numbers, login credentials and passwords, and school records. Biometrics (fingerprints, retina scans, handprints and voice recognition files) are also considered PII. Some countries also treat information revealing political opinions, union membership or sexual orientation as PII, often as a specially protected category. The list continues to grow with new and revised legislation and court rulings.
In the world of PII, the PCI DSS covers a small and increasingly less significant slice. Globally, the authors estimate that well over 99 percent of PII is something other than card data. News reports of recent data breaches indicate that personal contact information and national ID numbers are the most commonly breached data of late.
Differing approaches to PII
Countries follow one of four major models in their approach to PII. The European Union and Canada use comprehensive laws that govern PII collection, use and dissemination in both the public and private sectors, with an official oversight and enforcement agency that remedies past injustices, promotes electronic commerce and, in the EU, ensures consistency with pan-European law.
Australia uses a co-regulatory model, a variant of the comprehensive model in which industry develops enforceable standards that are overseen by a privacy agency. The United States uses a combination of a sectoral approach and a self-regulated model. The sectoral approach enacts laws and regulations that address particular industry sectors, such as financial transactions, credit records, law enforcement and medical records. There is no single harmonized federal law that addresses all issues: some of these laws are enforced by the federal government, some by state governments and some by industry.
Industry-driven rules make up the self-regulated model, used in both the United States and Japan, in which a group or class of companies, acting as an industry body, develops and adopts a code of practice that its members follow. The PCI DSS and its related security standards are one example. Drawbacks of this model include determining whether a code is adequate and carrying out enforcement when it is not followed.
Why should payment professionals care about PII?
Failure to understand and follow the rules and regulations covering all PII, not just the subset covered by PCI, can lead to reputational damage along with civil and criminal penalties. Lawsuits on behalf of victims of data breaches can lead to multimillion-dollar verdicts and settlements.
Another critical area to consider is the cross-border transfer of PII, including payment information. The United States is not considered by the European Union and much of the world community to provide "adequate" protection for personal data; "adequacy" is the legal test the EU applies before personal data may flow freely to a country outside it. This has led to significant and growing concern about the ability to transfer PII into the United States, and to accept PII sent from the United States.
This has a direct impact on every merchant that accepts, stores or transmits any category of PII that originated outside the United States.
If a company runs afoul of the European Union's new General Data Protection Regulation (GDPR) provisions on international data transfer, violations may result in "administrative fines up to 20,000,000 EUR, or up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher," according to the GDPR. The GDPR was adopted in 2016 and applies from May 25, 2018, so the window for preparing is limited.
These types of increasing penalties, as they relate to the appropriate management of PII, are present in every region of the globe – from Singapore to Korea to Canada to the British Commonwealth to Israel to Argentina and beyond.
What to do about PII
The only reasonable way to deal with ever-expanding and changing requirements and regulations is to take an organized approach to the types and classes of PII that your organization has or might have. Remember: if your organization has customers, vendors or employees of any type, you have PII.
Every organization should ask the following questions to determine its PII legal requirements:
- Who collects, uses and maintains personal information relating to customers, vendors and employees?
- What types of personal information are collected, used and maintained?
- When is the data collected?
- How is the data collected?
- Why is the data collected?
- Where is the data stored physically?
- How is the data removed or destroyed?
- What rights are granted to the individuals the data describes (the data subjects)?
- What legal requirements pertain to the above questions for that data?
Each entity must determine the best methods for staying abreast of relevant PII rules and regulations. PII use is growing globally and has become a central issue of our age. Virtually every jurisdiction imposes significant regulations on the acquisition, handling, management and destruction of the various classes of PII.
Those who do not recognize this growing threat to business operations put their businesses at serious risk. Given the limited resources, expertise and budgets of many companies, it may be wise to engage an expert third party to handle these complex requirements.
Visa Inc. has advised those involved with PII to consider a breach of PII likely and prepare accordingly. "Identify and establish relationships and/or agreements with key vendors," Visa stated. To download the company's PDF on this subject, visit www.visa-asia.com/ap/sg/merchants/include/Responding_to_a_Data_Breach.pdf.
Fran Sachs, CIPM, CIPP/US, is Vice President of Operations and Ross Federgreen, CIPM, CIPP/US, CIPP/G, CIPP/E and Fellow, European Privacy Association, is the founder of CSR Professional Services Inc., the leading provider of global data compliance solutions and expert services that address Payment Card Industry (PCI) standards and personally identifiable information (PII) requirements. Fran can be reached at firstname.lastname@example.org and Ross can be reached at email@example.com. For more information or assistance in learning about the regulations applicable to you or your merchant customers' business, contact CSR at 866-294-6971 or online at www.csrps.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.