The Green Sheet Online Edition
August 22, 2016 • Issue 16:08:02
Going beyond data breach reporting in the United States
Global digitization has provided the conduit for mass distribution of data, resulting in expanded international markets and exchange. While fundamentality positive, this has led to massive unauthorized access to personally identifiable information (PII), which is any information that can identify an individual or distinguish him or her from someone else. It is this information that is used for identity theft.
Slowly addressing the loss of PII, identity theft
The United States has been addressing privacy issues through law for decades, but federal laws related directly to the protection of PII weren't initiated until the 1990s. Even the Payment Card Industry Data Security Standard (PCI DSS), which seems ubiquitous now, was not enacted until 2004.
No single, comprehensive national law regulates the various elements of personal data in the United States. Existing laws and regulations are tailored to specific industries, types of information or a particular subject. Federal laws, state laws and industry regulations can overlap or preempt one another. Well known federal privacy laws exist for the financial sector, along with medical, educational and telecommunications sectors.
California was the first state to issue a breach consumer notification law, effective in 2003. Almost all states have since followed. Each year, dozens increase their regulations to include additional types of PII, time limits for notifications and other protection requirements.
Why breach reporting laws are no longer enough
Breach reporting and consumer notification laws were enacted with the intent that a breached business would notify affected individuals, and hence, those individuals would have sufficient time to place a security freeze on their credit for protection. This minimal level of data protection is no longer adequate.
Breach reporting and consumer notification is the reactive response after a breach. The pro-active solution is to prevent the breach in the first place. Without a principal federal law in place within the foreseeable future, 33 states have enacted data protection laws.
These state laws can range from redaction of Social Security and credit card numbers to comprehensive policies and procedures addressing the technical, administrative and physical security aspects of an information protection program. Some specifically include requirements for a designated privacy employee, employee monitoring/training, and the need to stipulate those same elements in third-party contracts.
The stricter regulations may seem overwhelming, particularly for small businesses, but these are the requirements all businesses need to follow to meet the new legislative mandates and protect their businesses.
State attorneys general are now filing lawsuits aimed at out-of-state businesses in what is known as "long reach." The laws for breach reporting, consumer notification and data protection are based on the protection of a state's own residents. If a business has customers that reside out-of-state, it is the laws of the state in which the customer resides that take precedence.
Many businesses, however, believe they are sufficiently protected and prepared. They have placed virus protection on their computers and purchased cyber insurance, but at least 50 percent of breaches are caused by employees through accidental malware download; mistakes; lost laptops, smartphones or portable USBs; and theft.
Data protection 101
A simple understanding of various data protection steps can be beneficial in starting a program. Keep in mind that one or more of these is a law in every state:
- Social Security numbers: Social Security numbers should be redacted except for the last four digits. Never make the number public. If stored digitally, they should be encrypted. Never expect customers to use their numbers to access online accounts or websites.
- Credit card numbers: Meet PCI DSS standards. Do not store numbers, but if they must be stored, hash the full number. If necessary, only the last four digits can be stored in clear text. CVV2 code should never be stored in any form. Some states have retention limits for storage.
- Data disposal/destruction: Safe disposal of PII is mandatory in 28 states, and many of those specify that policies and procedures should be in place. This means any PII should be shredded, pulverized, incinerated, etc., including CDs, DVDs and portable USBs. Software should be used to ensure the hard drives are completely erased in old computers, laptops and smartphones.
- Data retention: The best rule of thumb is to limit retention to no longer than necessary to carry out a business purpose or as legally required. When considering where to store records, the extent of security for each record should be based on the nature, scope and risk of theft associated with each record. Some state statutes also dictate length of retention.
- Administrative safeguards: Ideally, there should be a policy and/or procedure for each aspect of the business that deals with personal data. Access to view or handle PII should be minimized and a determination made as to what positions should be authorized to do so. Third-party or vendor contracts should ensure that vendors will have protection for PII in place.
- Technical safeguards: Keeping IT systems safe and secure can be a complex task and requires time, resources and specialists' knowledge. No single product will provide a 100 percent guarantee of security for your business. The key to effective security is to have a layered approach, combining a number of tools and techniques. If one layer were to fail then others are in place to catch the threat.
- Physical safeguards: Physical security involves the use of multiple layers of interdependent systems, which include closed circuit television surveillance, security guards, protective barriers, locks, access control protocols and many other techniques.
- Designated employee: Many companies, some required by state law, now designate an employee to ensure the above-mentioned requirements are in place, to monitor employee activity and adherence to policies and procedures, as well as provide training. They are also known as data protection officers, data compliance officers or privacy officers. Ultimately, having an employee with a certification such as a Certified Information Privacy Professional is preferred.
Fran Sachs, CIPM, CIPP/US is Vice President of Operations and Lorie Schrameck, CIPP/US, is Manager of Operations at CSR Professional Services, Inc., the leading provider of global data compliance solutions and expert services that address Payment Card Industry (PCI) standards and personally identifiable information (PII) requirements. Fran can be reached at firstname.lastname@example.org and Lorie can be reached at email@example.com. For more information or assistance in learning about the regulations applicable to you or your merchant customers' business, contact CSR at 866-294-6971 or online at www.csrps.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.