The Green Sheet Online Edition

August 22, 2016  •  Issue 16:08:02

Going beyond data breach reporting in the United States

By Fran Sachs and Lorie Schrameck

Global digitization has provided the conduit for mass distribution of data, resulting in expanded international markets and exchange. While fundamentally positive, this has also led to massive unauthorized access to personally identifiable information (PII): any information that can identify an individual or distinguish him or her from someone else. It is this information that is used for identity theft.

Slowly addressing the loss of PII, identity theft

The United States has been addressing privacy issues through law for decades, but federal laws aimed directly at the protection of PII did not appear until the 1990s. Even the Payment Card Industry Data Security Standard (PCI DSS), which seems ubiquitous now, was not released until 2004, and it is an industry standard rather than a law.

No single, comprehensive national law regulates the various elements of personal data in the United States. Existing laws and regulations are tailored to specific industries, types of information or a particular subject. Federal laws, state laws and industry regulations can overlap or preempt one another. Well known federal privacy laws exist for the financial sector, along with medical, educational and telecommunications sectors.

California was the first state to enact a consumer breach notification law, effective in 2003. Almost all states have since followed. Each year, dozens of states expand their regulations to cover additional types of PII, impose time limits for notification, and add other protection requirements.

Why breach reporting laws are no longer enough

Breach reporting and consumer notification laws were enacted with the intent that a breached business would notify affected individuals, giving those individuals time to place a security freeze on their credit for protection. This minimal level of data protection is no longer adequate.

Breach reporting and consumer notification are the reactive response after a breach. The proactive solution is to prevent the breach in the first place. With no comprehensive federal law expected in the foreseeable future, 33 states have enacted their own data protection laws.

These state laws can range from redaction of Social Security and credit card numbers to comprehensive policies and procedures addressing the technical, administrative and physical security aspects of an information protection program. Some specifically include requirements for a designated privacy employee, employee monitoring/training, and the need to stipulate those same elements in third-party contracts.

The stricter regulations may seem overwhelming, particularly for small businesses, but these are the requirements all businesses need to follow to meet the new legislative mandates and protect themselves. State attorneys general are now filing lawsuits aimed at out-of-state businesses in what is known as "long reach." The laws for breach reporting, consumer notification and data protection are written to protect a state's own residents, so if a business has customers who reside out of state, it is the laws of the state in which each customer resides that apply.

Many businesses, however, believe they are sufficiently protected and prepared. They have installed antivirus software on their computers and purchased cyber insurance, but at least 50 percent of breaches are caused by employees: accidental malware downloads, mistakes, lost laptops, smartphones or portable USB drives, and theft.

Data protection 101

A simple understanding of the various data protection steps can be beneficial in starting a program. Keep in mind that one or more of these steps is required by law in every state:

Fran Sachs, CIPM, CIPP/US is Vice President of Operations and Lorie Schrameck, CIPP/US, is Manager of Operations at CSR Professional Services, Inc., the leading provider of global data compliance solutions and expert services that address Payment Card Industry (PCI) standards and personally identifiable information (PII) requirements. Fran can be reached at and Lorie can be reached at For more information or assistance in learning about the regulations applicable to you or your merchant customers' business, contact CSR at 866-294-6971 or online at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
