The Green Sheet Online Edition

June 24, 2013  •  Issue 13:06:02


Data protection laws are global and enforced

By Ross Federgreen

Each of us in the payments space knows that data protection and regulation are central to all we do. No one in the industry is unfamiliar with the Payment Card Industry (PCI) Data Security Standard (DSS) at this point. Whether you are in favor of this or not, whether you believe in it or not, the truth is that data protection is real, growing and enforced.

In the United States, 46 states and three territories currently have some data protection regulation inclusive of breach reporting. In addition, data regulation is not restricted to credit or debit cards. In fact, the data governed by the PCI DSS is a subset of the growing list of data elements that fall under the concept of personally identifiable information (PII).

From a global perspective, 90 countries have enacted data protection regulation. A number of these countries consider the rules within the United States to be weak; they require special, additional safeguards to allow the transmittal of information from within their borders to the United States.

This is true, for example, in the European Union, which consists of 27 countries. The EU is in the process of replacing the rules that became effective in the mid-1990s with a much stronger and specific rule set under the new and proposed European Union Data Regulation Scheme. This proposal, which is expected to pass in the next six to 18 months, carries stringent requirements and penalties for those failing to follow the rules.

PII at issue

The key broader concept is PII. What is PII? It is any data point that, either by itself or in combination with other specific data elements, can identify an individual. This extends to information that has been anonymized. Remember that big business today is centrally focused on "big data," and that is what we are really talking about.

Some common elements that make up this pool of PII include Social Security number, birth date, driver's license number, bank account and routing numbers and, of course, credit and debit card numbers. Additional PII elements can include health information, information pertaining to criminal activities, photographs, vehicle identification numbers, and a wide array of other elements.

Current and pending laws

Currently, 14 states have enacted laws that impose an obligation to provide security for various types of personally identifiable information. These laws fall into a number of broad areas, which include liability, sanction, responsibility and security measures as minimum standards. In addition to the laws currently on the books, at least another 20 states have bills submitted to address these issues.

The states that currently have laws specifically enacted to impose obligations to provide security include Washington, Oregon, California, Nevada, Utah, Texas, Arkansas, Illinois, Minnesota, Massachusetts, Connecticut, Rhode Island, New Jersey and Maryland.

Civil and criminal sanctions

Remember, these laws are not the PCI DSS. They are in addition to the card brand requirements and carry with them the weight of law, versus the administrative issues associated with PCI DSS violations. Thus, it is possible to receive criminal sanctions and also be subject to civil procedures and penalties for violation of these state laws.

For example, the New Jersey law is divided into three components. The public laws in question (New Jersey § 56:8-161, 165 and 168) address the issues of definitions relative to security of personal information, regulations concerning security of personal information and unlawful practices and violations.

In the case of Arkansas, the laws are divided into four components: Ark. Code Ann. §4-110-101, 102, 103 and 104(b), which address the concepts of findings and purpose, definitions, and protection of personal information. As one other example, in the state of Utah, the laws are divided into three components: Utah Code Ann. §13-44-102, 201 and 301, which address definitions, protection of personal information and enforcement.

The scope of PII

Exploring the California statutes in more detail gives one a perspective on the depth and severity of these various state enactments. For example, per this excerpt from section §1798.80, all of the following are considered PII:

Under California statute §1798.84, the penalties for civil action can be extreme and have been enforced. Per the following excerpt, these include:

Six defensive actions

So what does this mean? It simply means that all businesses involved in the collection, storage and transmittal of PII data, inclusive of that covered under the PCI DSS, must, in the broadest sense, be aware of the rules and regulations that affect this behavior and make serious efforts to comply.

At minimum, all organizations should adhere to the following six key defensive elements of the Massachusetts law 201 CMR 17.00: designation of a responsible data privacy individual or group, risk assessment, policies and procedures, employee training, restricted access and regular system monitoring. Here is an explanation of each:

  1. Designation of a responsible individual or group: Select a party (or parties) to be responsible for overseeing the planning, development and ongoing monitoring of all the activities required by law.

  2. Risk assessment: Identify and assess "reasonably foreseeable" internal and external risks to security, confidentiality and/or integrity of electronic, paper or other records of personal information. Also, identify the "life cycle" of data. Determine who can access data, as well as where, how and why it is stored over the duration of collection, use, storage and disposal.

  3. Policies and procedures: Develop and implement security policies covering storage, access and transportation of paper and electronic records. Include disciplinary measures for violations.

  4. Employee training: Develop an ongoing program to train new and current employees regarding PII.

  5. Restricted access: Restrict and control access to sensitive data, wherever it is, with secure user authentication and access protocols, including encryption with oversight of third-party providers and means for detecting and preventing security system failures.

  6. Regular monitoring: Conduct routine review of the entire security program (at least annually) to evaluate security operations for effectiveness in preventing unauthorized access or use of personal information. Implement all necessary upgrades to limit risks.

Organizations must also oversee all third-party service providers, according to Massachusetts' and federal laws.

Sound best practices

Where computer systems exist, here are additional areas that require attention and integration into assessment, policies and procedures: encryption, firewall protection, malware detection and anti-virus software maintenance.

All organizations should consider these requirements to be sound best practices, whether or not specific state laws apply. For additional information and a free, step-by-step guide, please see the CSR white paper titled, Best Practices for Managing Personally Identifiable Information.

Dr. Ross Federgreen, CIPP/US, CIPP/G, CIPP/E, and Fellow, European Privacy Association, is the founder of CSR, the leading provider of global data compliance solutions and expert services that address Payment Card Industry (PCI) standards and personally identifiable information (PII) requirements. Ross can be reached at rfedergreen@csrcorporate.com. For more information or assistance in learning about the regulations applicable to you or your merchant customers' business, contact CSR at 866-462-7774 or online at www.csrcorporate.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
