The Green Sheet Online Edition
June 24, 2013 • Issue 13:06:02
Data protection laws are global and enforced
Each of us in the payments space knows that data protection and regulation are central to all we do. No one in the industry is unfamiliar with the Payment Card Industry (PCI) Data Security Standard (DSS) at this point. Whether or not you are in favor of it, the truth is that data protection is real, growing and enforced.
In the United States, 46 states and three territories currently have some form of data protection regulation that includes breach reporting. Data regulation is also not restricted to credit or debit cards. In fact, the data governed by the PCI DSS is a subset of a growing list of data elements that fall under the concept of personally identifiable information (PII).
From a global perspective, roughly 90 countries have enacted data protection regulation. A number of them consider the rules within the United States to be weak, and they require special, additional safeguards before information may be transferred from within their borders to the United States.
This is true, for example, in the European Union, which currently consists of 27 countries. The EU is in the process of replacing the rules that became effective in the mid-1990s (the 1995 Data Protection Directive) with a much stronger and more specific rule set, the proposed General Data Protection Regulation. The proposal, which is expected to pass in the next six to 18 months, carries stringent requirements and penalties for those who fail to follow the rules.
PII at issue
The key broader concept is PII. What is PII? It is any data point that, either by itself or in combination with other specific data elements, can identify an individual. This extends to information that has been anonymized: a record stripped of names and account numbers is still PII if the elements left behind can be combined to single out the person it describes. Remember that big business today is centrally focused on "big data," and aggregating many such elements about the same person is exactly what makes that re-identification possible.
Some common elements that make up this pool of PII include Social Security number, birth date, driver's license number, bank account and routing numbers and, of course, credit and debit card numbers. Additional PII elements can include health information, information pertaining to criminal activities, photographs, vehicle identification numbers, and a wide array of other elements.
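The "in combination" part of the definition is the one that catches businesses out, so here is an added example (not part of the original article) that makes it concrete. It takes a constructed "de-identified" extract, with names, Social Security numbers and card numbers already removed, and measures how many records can still be singled out by combining the remaining quasi-identifiers (date of birth, ZIP code and gender). All records, field names and values below are made up for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: a "de-identified" extract with the direct identifiers
# (name, SSN, card number) already stripped. Every value here is invented.
RECORDS = [
    {"dob": "1975-03-14", "zip": "02139", "gender": "F", "diagnosis": "asthma"},
    {"dob": "1975-03-14", "zip": "02139", "gender": "M", "diagnosis": "none"},
    {"dob": "1981-11-02", "zip": "02139", "gender": "F", "diagnosis": "diabetes"},
    {"dob": "1981-11-02", "zip": "02139", "gender": "F", "diagnosis": "none"},
    {"dob": "1990-07-30", "zip": "94105", "gender": "M", "diagnosis": "none"},
    {"dob": "1990-07-30", "zip": "94105", "gender": "M", "diagnosis": "hypertension"},
]

# Fields that are harmless on their own but identifying in combination.
QUASI_IDENTIFIERS = ("dob", "zip", "gender")


def group_sizes(records, fields):
    """Count how many records share each combination of the given fields."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Smallest group size; k == 1 means some record is unique on these fields."""
    sizes = group_sizes(records, fields)
    return min(sizes.values()) if sizes else 0


def unique_records(records, fields):
    """Records that are singled out by their combination of the given fields."""
    sizes = group_sizes(records, fields)
    return [r for r in records if sizes[tuple(r[f] for f in fields)] == 1]


def weakest_combinations(records, fields=QUASI_IDENTIFIERS):
    """k for every subset of the quasi-identifiers, so you can see which
    combinations re-identify people even though no single field does."""
    report = {}
    for n in range(1, len(fields) + 1):
        for combo in combinations(fields, n):
            report[combo] = k_anonymity(records, combo)
    return report


if __name__ == "__main__":
    for combo, k in weakest_combinations(RECORDS).items():
        print(f"{'+'.join(combo):18s} k={k}")
    for r in unique_records(RECORDS, QUASI_IDENTIFIERS):
        print("re-identifiable:", r)
```

In this sample no single field yields a group smaller than two, yet the three fields together isolate two records and expose their diagnoses. A risk assessment that treats only the obvious identifiers as PII will miss exactly this case; the check above is the kind of thing to run on any extract before calling it "anonymized."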
Current and pending laws
Currently, 14 states have enacted laws that impose an affirmative obligation to provide security for various types of personally identifiable information. These laws address a number of broad areas, including liability, sanctions, responsibility and minimum required security measures. Beyond the laws already on the books, at least 20 more states have bills submitted to address these issues.
The states that currently have laws specifically enacted to impose obligations to provide security include Washington, Oregon, California, Nevada, Utah, Texas, Arkansas, Illinois, Minnesota, Massachusetts, Connecticut, Rhode Island, New Jersey and Maryland.
Civil and criminal sanctions
Remember, these laws are not the PCI DSS. They are in addition to the card brand requirements, and they carry the weight of law, as opposed to the contractual and administrative consequences of a PCI DSS violation. Thus, a violation of these state laws can bring both criminal sanctions and civil proceedings and penalties.
For example, the New Jersey law is divided into three components. The public laws in question (N.J.S.A. 56:8-161, 56:8-165 and 56:8-168) address, respectively, definitions relating to the security of personal information, regulations concerning the security of personal information, and unlawful practices and violations.
In the case of Arkansas, the laws are divided into four components: Ark. Code Ann. §4-110-101, 102, 103 and 104(b), which address the concepts of findings and purpose, definitions, and protection of personal information. As one other example, in the state of Utah, the laws are divided into three components: Utah Code Ann. §13-44-102, 201 and 301, which address definitions, protection of personal information and enforcement.
The scope of PII
Exploring the California statutes in more detail gives a sense of the depth and severity of these state enactments. For example, per this excerpt from §1798.80, all of the following are considered personal information:
"Personal information" as used in this section means any information that, when it was disclosed, identified, described, or was able to be associated with an individual and includes all of the following:
(a) An individual's name and address.
(b) Electronic mail address.
(c) Age or date of birth.
(d) Names of children.
(e) Electronic mail or other addresses of children.
(f) Number of children.
(g) The age or gender of children.
(m) Telephone number.
(o) Political party affiliation.
(p) Medical condition.
(q) Drugs, therapies, or medical products or equipment used.
(r) The kind of product the customer purchased, leased or rented.
(s) Real property purchased, leased or rented.
(t) The kind of service provided.
(u) Social Security number.
(v) Bank account number.
(w) Credit card number.
(x) Debit card number.
(y) Bank or investment account, debit card or credit card balance.
(z) Payment history.
(aa) Information pertaining to creditworthiness, assets, income or liabilities.
Under California statute §1798.84, the civil penalties can be extreme, and they have been enforced. Per the following excerpt, these include:
(b) Any customer injured by a violation of this title may institute a civil action to recover damages.
(c) In addition, for a willful, intentional or reckless violation of Section 1798.83, a customer may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.83.
(g) A prevailing plaintiff in any action commenced under Section 1798.83 shall also be entitled to recover his or her reasonable attorney's fees and costs.
Six defensive actions
So what does this mean? It means that every business involved in the collection, storage or transmittal of PII, including data covered by the PCI DSS, must be aware of the rules and regulations that govern those activities and make a serious effort to comply.
At minimum, all organizations should adhere to the following six key defensive elements of the Massachusetts regulation 201 CMR 17.00: designation of a responsible data privacy individual or group, risk assessment, policies and procedures, employee training, restricted access and regular system monitoring. Here is an explanation of each:
- Designation of a responsible individual or group: Select a party (or parties) to be responsible for overseeing the planning, development and ongoing monitoring of all the activities required by law.
- Risk assessment: Identify and assess "reasonably foreseeable" internal and external risks to security, confidentiality and/or integrity of electronic, paper or other records of personal information. Also, identify the "life cycle" of data. Determine who can access data, as well as where, how and why it is stored over the duration of collection, use, storage and disposal.
- Policies and procedures: Develop and implement security policies covering storage, access and transportation of paper and electronic records. Include disciplinary measures for violations.
- Employee training: Develop an ongoing program to train new and current employees regarding PII.
- Restricted access: Restrict and control access to sensitive data wherever it resides, using secure user authentication and access controls, encryption of personal information transmitted over public networks or stored on laptops and other portable devices, oversight of third-party providers, and means for detecting and preventing security system failures.
- Regular monitoring: Conduct routine review of the entire security program (at least annually) to evaluate security operations for effectiveness in preventing unauthorized access or use of personal information. Implement all necessary upgrades to limit risks.
Organizations must also oversee all third-party service providers that handle personal information, as Massachusetts and federal law require.
Sound best practices
Where computer systems are in use, the following additional areas require attention and must be integrated into the assessment, policies and procedures: encryption, firewall protection and current security patches, and malware detection and anti-virus software kept up to date.
All organizations should consider these requirements to be sound best practices, whether or not specific state laws apply. For additional information and a free, step-by-step guide, please see the CSR white paper titled, Best Practices for Managing Personally Identifiable Information.
Dr. Ross Federgreen, CIPP/US, CIPP/G, CIPP/E, and Fellow, European Privacy Association, is the founder of CSR, the leading provider of global data compliance solutions and expert services that address Payment Card Industry (PCI) standards and personally identifiable information (PII) requirements. Ross can be reached at email@example.com. For more information or assistance in learning about the regulations applicable to you or your merchant customers' business, contact CSR at 866-462-7774 or online at www.csrcorporate.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.