By Fran Sachs and Lorie Schrameck
CSR Professional Services Inc.
Global digitization has provided the conduit for mass distribution of data, resulting in expanded international markets and exchange. While fundamentally positive, this has led to massive unauthorized access to personally identifiable information (PII), which is any information that can identify an individual or distinguish him or her from someone else. It is this information that is used for identity theft.
The United States has been addressing privacy issues through law for decades, but federal laws related directly to the protection of PII weren't initiated until the 1990s. Even the Payment Card Industry Data Security Standard (PCI DSS), which seems ubiquitous now, was not enacted until 2004.
No single, comprehensive national law regulates the various elements of personal data in the United States. Existing laws and regulations are tailored to specific industries, types of information or a particular subject. Federal laws, state laws and industry regulations can overlap or preempt one another. Well known federal privacy laws exist for the financial sector, along with medical, educational and telecommunications sectors.
California was the first state to issue a consumer breach notification law, effective in 2003. Almost all states have since followed. Each year, dozens of states expand their regulations to include additional types of PII, time limits for notifications and other protection requirements.
Breach reporting and consumer notification laws were enacted with the intent that a breached business would notify affected individuals, and hence, those individuals would have sufficient time to place a security freeze on their credit for protection. This minimal level of data protection is no longer adequate.
Breach reporting and consumer notification is the reactive response after a breach. The proactive solution is to prevent the breach in the first place. Without a principal federal law in place within the foreseeable future, 33 states have enacted data protection laws.
These state laws can range from redaction of Social Security and credit card numbers to comprehensive policies and procedures addressing the technical, administrative and physical security aspects of an information protection program. Some specifically include requirements for a designated privacy employee, employee monitoring/training, and the need to stipulate those same elements in third-party contracts.
The stricter regulations may seem overwhelming, particularly for small businesses, but these are the requirements all businesses need to follow to meet the new legislative mandates and protect their businesses. State attorneys general are now filing lawsuits aimed at out-of-state businesses in what is known as "long reach." The laws for breach reporting, consumer notification and data protection are based on the protection of a state's own residents. If a business has customers that reside out-of-state, it is the laws of the state in which the customer resides that take precedence.
Many businesses, however, believe they are sufficiently protected and prepared. They have placed virus protection on their computers and purchased cyber insurance, but at least 50 percent of breaches are caused by employees through accidental malware downloads; mistakes; lost laptops, smartphones or portable USB drives; and theft.
A simple understanding of various data protection steps can be beneficial in starting a program. Keep in mind that one or more of these is a law in every state:
Fran Sachs, CIPM, CIPP/US is Vice President of Operations and Lorie Schrameck, CIPP/US, is Manager of Operations at CSR Professional Services, Inc., the leading provider of global data compliance solutions and expert services that address Payment Card Industry (PCI) standards and personally identifiable information (PII) requirements. Fran can be reached at firstname.lastname@example.org and Lorie can be reached at email@example.com. For more information or assistance in learning about the regulations applicable to you or your merchant customers' business, contact CSR at 866-294-6971 or online at www.csrps.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.