PII: Understanding Why Protection and Compliance is Critical
Handling, managing and storing Personally Identifiable Information (PII) is a significant and growing concern for organizations of every size and type.

In its most basic form, PII represents information, standalone or in combination, that can identify an individual. This extends to specifics surrounding geographic and physical characteristics, purchasing habits, and even preferences such as voting behaviors.

The correct and lawful acquisition, transmission, retention and destruction of PII is a business necessity. Failure to do so can lead to identity theft, a leading cause of concern among consumers and regulators. PII loss or compromise violates multiple state and federal laws, and can readily trigger financial, civil and criminal penalties. In addition, reputational damage can disrupt business activities, resulting in lack of customer confidence, lost sales and declining shareholder value.

The United States government regulates five PII elements: date of birth, social security numbers, driver’s license numbers, credit and debit card numbers, and check routing and account numbers. Other data elements are also regulated, such as health and financial records. In fact, many states have individually broadened their definition of PII. For example, North Dakota’s law includes mother’s maiden name, employer-assigned ID numbers and electronic signatures.

This white paper covers the basics of PII management, then delves into legislative governance and several critical information technology concerns.
Each data element that falls under PII guidelines has several core characteristics that must be understood and analyzed in light of the requirements and risks. The storage environment, whether physical or electronic, must be evaluated against seven criteria for data compliance:

Where stored
Regardless of information format, businesses must address information storage security. Ensuring and documenting that protected information is segregated or segmented from publicly available information is key.

Sensitivity of the information
How much harm can result from the release of the information to an unauthorized recipient? Within the realm of privacy, categorization of both regulated and unregulated personal data is necessary. Standard classification consists of four levels of privacy: confidential, proprietary, restricted and public information. Organizations must determine the best classification fit for data using specific decision parameters.

Encryption requirements
Data encryption is a double-edged sword. Does it increase the security of data? The answer is a resounding yes. Does it make the utilization of information more difficult? Again, the answer is yes. The balance of these two factors is central to organizational decision-making around encryption. Legal compliance issues may also arise when protected data elements are transmitted over electronic networks, which may make encryption mandatory.

Multijurisdictional
Different jurisdictions have different requirements for the protection and classification of PII. It is imperative to apply the most restrictive requirements when transmitting across boundaries and borders. The standard within the United States is that states, such as North Dakota, may raise their requirements above federal standards. Further, privacy standards in Canada, Europe and Asia vary significantly from American requirements and are often more stringent.

Ownership
Who owns the data? Is the data being stored on behalf of a third party? What promises have been made? Is there explicit permission from the data source that information may be stored by a third party? Is there a contract or agreement in place between the multiple parties? Data ownership is a particularly difficult issue and must be fully understood and vetted.

Procedures
What are the policies and practices in place? Are individuals who handle sensitive data trained on the necessary safeguards? Is the equipment that transmits and retains personal data up to the latest specifications? Have upgrades, updates and patches been applied? Has there been a yearly review of all policies involved? Are audits of the physical environment performed regularly? These are just a few of the issues that need to be addressed.

System needs and dependency
What are the information technology requirements surrounding the lifecycle of collected PII? Do these systems interface with owned, leased and shared hardware and software? Are there competing claims on the ownership of data? Who is responsible for security and maintenance of hardware and software? Are systems operated by employed, contract or leased personnel? These issues must be defined in absolute terms, including immunity, when PII is involved.
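The “where stored” criterion above presumes that an organization can actually find regulated elements that have drifted into unsegregated files or systems. The scanner below is an added example, not code from the white paper, that recognizes the five federally regulated elements the paper lists using their public structural rules: the Luhn checksum for card numbers, the ABA routing-number checksum, the Social Security Administration’s format rules, and a calendar-valid date. The record it scans is constructed for the example, and the card number is the standard test number 4111 1111 1111 1111.

```python
"""
Added example (not from the white paper): a scanner for the five federally regulated
PII elements listed in the paper, using their public structural rules. The sample
record below is constructed; 4111 1111 1111 1111 is a standard card test number.
"""
import re
from datetime import datetime


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the structural check for credit and debit card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def routing_valid(digits: str) -> bool:
    """ABA routing transit number checksum: weights 3, 7, 1 repeated over nine digits."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    d = [int(c) for c in digits]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """SSA structural rules: area not 000, 666 or 9xx; group not 00; serial not 0000."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13 to 19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ROUTING_RE = re.compile(r"\b\d{9}\b")
DOB_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")


def scan_text(text: str) -> list:
    """Return (element, value) pairs for regulated PII elements found in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(m.group()):
            findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("card_number", digits))
    for m in ROUTING_RE.finditer(text):
        if routing_valid(m.group()):
            findings.append(("routing_number", m.group()))
    for m in DOB_RE.finditer(text):
        try:
            datetime.strptime(m.group(), "%m/%d/%Y")   # reject calendar-impossible dates
            findings.append(("date_of_birth", m.group()))
        except ValueError:
            pass
    return findings


# Constructed sample record, as it might sit in an unprotected export file.
SAMPLE_RECORD = (
    "Customer note: SSN 123-45-6789, born 07/04/1975. "
    "Card on file 4111 1111 1111 1111 (test number); "
    "ACH routing 123456780; ticket ref 987654321."
)

if __name__ == "__main__":
    for element, value in scan_text(SAMPLE_RECORD):
        print(f"{element}: {value}")
```

The checksums only remove structurally impossible values, so expect false positives on dates and on nine-digit identifiers that happen to pass the routing test. Treat each hit as a lead for the segregation review, not as proof that a particular person’s data is present.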
LIFECYCLE ANALYSIS
The PII lifecycle consists of five major areas: acquisition, retention, utilization, propagation and destruction. Businesses must fully understand and continuously monitor these areas.

In addition, breach response is central to the overall management of PII. Response to an actual or suspected breach is codified, which means defined reporting rules and regulations must be followed correctly and completely.

The critical components of breach response include:
• Treating the affected area as a crime scene
• Preserving as much evidence as possible
• Immediate and accurate reporting to the correct authorities, including federal and state agencies and other regulating bodies
• Immediate reporting to senior management
GOVERNMENT POLICY
For over 40 years, state and federal governments have been enacting legislation to protect privacy. Some of the major federal privacy initiatives include:
• Fair Credit Reporting Act (FCRA)
• Gramm-Leach-Bliley Act (GLB)
• Health Insurance Portability and Accountability Act (HIPAA)
• Children’s Online Privacy Protection Act (COPPA)
• Driver’s Privacy Protection Act (DPPA)

Let’s take a brief look at how two of these laws specifically affect organizations.
The Fair Credit Reporting Act
FCRA regulates the collection, dissemination and use of consumer information, and forms the base of consumer credit rights in the United States. Originally passed in 1970, it is enforced primarily by the Federal Trade Commission (FTC).

The law regulates consumer reporting agencies, such as Experian, Equifax and TransUnion, which collect and disseminate information about consumers for credit evaluation and other purposes such as employment background checks.

Credit bureaus have several responsibilities under FCRA:
1. Provide consumers with information about their credit report and take steps to verify and correct any disputed entries within 30 days.
2. Negative information which is removed because of a dispute may not be reintroduced without notifying the consumer in writing within five days.
3. Negative information, such as late payments, may not remain on a consumer’s credit report for an excessive period. The reporting time is typically seven years from the date of the delinquency. The exceptions are bankruptcies at 10 years and tax liens at seven years from the time they are paid.
Gramm-Leach-Bliley Act
GLBA gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule. Regulations generally apply to “financial institutions,” which include not only banks, securities firms and insurance companies, but companies providing many other types of financial products and services to consumers.

The Financial Privacy Rule governs the collection and disclosure of consumers’ personal financial information by financial institutions. The law requires that financial institutions protect information about individuals; it does not apply to information collected through business or commercial activities.

Among many GLB regulations, the law requires that a privacy notice be given to individual consumers by mail, online or in-person delivery. Reasonable ways to deliver a notice may depend on the type of business. For example, an online lender may post its notice on its website and require online consumers to acknowledge receipt as a necessary part of a loan application.
to personal preferences.
Some use tracking software services called “beacons” to capture information through keystrokes, including email addresses, medical conditions, purchases and just plain surfing preferences. The captured information is packaged into specific consumer profiles, even potentially including a person’s name, so retailers can slice and dice visitors as well as new customers. In addition, major websites install tracking cookies on visitor computers, often without notice.

The Commerce Department favors letting the industry continue to regulate itself via user agreements and privacy policies where consumers simply check a box agreeing to abide by stated policies. Industry generally concurs, favoring “privacy by design,” where privacy features are built into browsers or websites. These features encourage greater transparency during data collection about the intended use, and increase the need for clearly worded privacy and user notices. The Commerce Department contends that targeted ads are helpful for consumers.

In contrast to the Commerce Department, the FTC appears to be leaning toward a stricter standard that requires a “do not track” option on a website, like the “do not call” lists currently in place for telemarketers. The “do not track” system most likely would be built into a web browser, signaling to a website, its content providers and advertisers that the user does not want to be tracked.

Most consumer advocates understandably favor the FTC approach.
Washington wants uniform standards. Federal regulators are trying to balance consumer protection and commercial rights. An interagency panel is looking at how to further protect consumers while at the same time making United States companies more competitive internationally. The administration wants to ensure that restrictions will not impede law enforcement and national security efforts.

This may be one area where Congressional bipartisan cooperation exists. The House and Senate have recently called on companies to account for intrusions or breaches of consumer privacy.

The House Energy and Commerce Committee, which oversees the FTC and privacy issues, now has a Republican at its head, but members of both parties realize that privacy issues transcend partisanship, at least to a point. That said, in the past, Republican committee control has often resulted in business interests prevailing over consumer concerns.

No federal legislation currently exists, outside of the privacy initiatives previously discussed, relating to the reporting of data breaches. Today, data breach reporting to authorities and notification to affected parties is generally governed by the 46 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands, which have all enacted independent, applicable legislation. There are three bills currently making their way through Congress that propose a national breach reporting law, but the process is slow-going.

Independent of state reporting requirements, the card brands such as Visa, MasterCard, American Express and Discover have reporting requirements, as does the Secret Service.
Section III: INFORMATION TECHNOLOGY
Information Technology (IT) departments, and companies in general, are expected to have policies, processes and controls that address the confidentiality, integrity and availability of PII. An effective information security system starts with processes that audit and monitor data. These functions should be the safeguards against unauthorized access, theft and illicit use of PII.

Typically, though, companies are not taking these activities seriously, and thus are leaving their systems wide open to the possibility of theft. Most theft or misuse of PII and other information comes from within an organization.

Effective monitoring tools that are configured properly and reviewed regularly are the first line of defense. Loss of data occurs from the lack of, and failure to adhere to, policies and procedures related to information handling. It is estimated that between 85% and 90% of the data theft cases reported could have been detected and, in some cases, prevented with effective monitoring.

IT organizations often struggle to implement strong tools because of cost and the inability to show a hard-dollar return on investment. Unfortunately, executives realize the price of not implementing these tools only after a PII theft event occurs; the company then often pays far more than the original investment would have cost.

Strong IT policies and procedures are also an integral component of prevention. IT executives have struggled for years to get their companies to adopt strong policies and procedures for the access, use, storage and destruction of information. This is especially true when it comes to PII handling and monitoring, which has left some of the world’s most respected and seemingly secure companies vulnerable to theft. Companies need to focus on the preventative, detective and corrective aspects of their policies and procedures.

They must also understand and manage the access and use of hardware and software. This goes well beyond internal use, applying to the company’s software vendor policies, the use of hardware and software by external users and the exposure of the company’s network to the Internet.
Business eagerly embraces new technologies, always before security catches up. We have seen a proliferation of laptop computers, wireless networks and now smartphones. Theft today frequently occurs when an unrecognized email is opened that is embedded with a script to locate sensitive information, such as bank usernames and passwords. The script sends this data back to a hacker, who can transfer money from an individual’s or company’s bank account in a matter of minutes. This happens daily, and it typically takes a day or more to realize the theft has occurred.

Wireless technologies compound the threat of illicit access. Wireless enables an in-office or home experience to access information virtually anywhere in the world via many different technologies. These technologies offer very little in the way of security, and companies are slow to set policy and implement safeguards to prevent unauthorized access to corporate networks.

In a well-publicized case, a large retailer in the United States was breached externally through its wireless network. The perpetrators were camped out near one of the retailer’s locations using a laptop computer and Virtual Private Network (VPN) technology to access the company’s customer PII data — all without detection for 18 months. Even then, it was a third party that noticed the breach. Ironically, the mastermind of this enterprise refined his expertise while working as a Federal Bureau of Investigation (FBI) informant!

There have been numerous cases of large amounts of personal data exposed by the loss of laptop computers, disk drives and back-up tapes. As stated above, companies need strong policies and administrative controls to keep all their portable media secure.

The latest business tool craze is smartphones. Smartphones generally lack virus protection and strong encryption, and passwords on them are inconvenient. Until security is better developed, companies should think long and hard about using these devices to store, process or transmit PII.

The ever-increasing capacity and low cost of media devices like flash drives and disk media have made it easier than ever for someone to walk away with massive amounts of data. This, coupled with business requirements that allow external access to corporate systems, exposes businesses to unauthorized access, premeditated theft and unintended loss of information. Acceptable use of media devices must be defined, with monitoring where essential and elimination of their use where deemed unnecessary.

Networks and devices should be secured with layered authentication processes and stronger encryption, and wireless networks should be hidden from the open airwaves. Investment in technologies that secure information is no different from investing in insurance coverage.

With all this said, companies must understand the value of their PII and what a breach might mean to their customers and their business.
One critical element that is continuously underestimated is the ability of a business to gather the details of a suspected or actual breach, and then accurately and promptly report it to the proper authorities and regulating entities.

Businesses constantly tell IT professionals to reduce cost, frequently at the expense of logging and audit trails because they increase hardware needs. This view is exactly what a potential hacker or rogue IT professional is looking for, because they understand that detection and eventual reconstruction of “what happened” is nearly impossible without verbose tracking information. Just like accounting records, the more detailed the data and the more controlled the process, the more easily auditable it is and the more likely it is to prevent fraudulent activities.
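The argument above, together with the earlier point that properly configured monitoring is the first line of defense and that most misuse comes from inside the organization, implies a concrete kind of check. The routine below is an added example, not part of the white paper: it reads constructed PII access audit events and raises alerts for bulk record access within one hour, access outside business hours, and access from outside the expected internal network. The log format, the field names, the thresholds (1000 records per hour, 07:00 to 19:59 UTC, 10.20.0.0/16) and the sample lines are all assumptions made for this example.

```python
"""
Added example (not from the white paper): a minimal audit-trail review for PII
record access. Log format, field names, thresholds and sample lines are all
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress
import re

# Constructed audit lines: who read how many PII records, when and from where.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice action=read table=customers records=3 src=10.20.1.15
2024-03-04T09:40:22Z user=bob action=read table=customers records=5 src=10.20.1.40
2024-03-04T11:05:47Z user=alice action=export table=customers records=12000 src=10.20.1.15
2024-03-04T23:55:10Z user=carol action=read table=customers records=2 src=203.0.113.9
2024-03-04T12:00:00Z user=bob action=read table=customers records=1 src=10.20.1.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) records=(?P<records>\d+) src=(?P<src>\S+)$"
)

# Policy knobs (assumed values for this example).
BULK_THRESHOLD = 1000                       # records per user per hour
WORK_HOURS = range(7, 20)                   # 07:00-19:59 UTC is business hours
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["records"] = int(ev["records"])
    return ev


def review(log_text):
    """Return (rule, user, detail) alerts for a block of audit log text."""
    alerts = []
    per_hour = defaultdict(int)   # (user, hour bucket) -> records touched
    flagged = set()               # buckets already reported as bulk access
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            # A line the parser cannot read is itself a finding: a gap in the trail.
            alerts.append(("unparseable", "-", line))
            continue
        ts, user, src = ev["ts"], ev["user"], ev["src"]
        bucket = (user, ts.replace(minute=0, second=0, microsecond=0))
        per_hour[bucket] += ev["records"]
        if per_hour[bucket] >= BULK_THRESHOLD and bucket not in flagged:
            flagged.add(bucket)
            alerts.append(("bulk_access", user,
                           f"{per_hour[bucket]} records in hour starting {bucket[1].isoformat()}"))
        if ts.hour not in WORK_HOURS:
            alerts.append(("off_hours_access", user, ts.isoformat()))
        if not any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS):
            alerts.append(("external_source", user, src))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG):
        print(f"{rule:18} {user:8} {detail}")
```

The rules are deliberately simple; the point is that each alert carries who, when, from where and how much, which is exactly the detail that disappears when logging is trimmed to save hardware. In practice such rules run against the real audit source, and their output feeds the breach reporting steps described in the lifecycle section.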
Companies should step back and understand the importance of IT policies, procedures and controls around PII and sensitive data. All customers have a non-negotiable expectation of privacy where their personal information is in play. Ignoring these elements can cause reputational embarrassment as well as result in large fines, which in some cases have been in the millions of dollars.
CONCLUSION
PII is and will remain a significant concern of regulators and the general population for the foreseeable future. United States laws and regulations will be strengthened.

Every organization that in any way touches PII elements in any context must be fully versed in compliance requirements and be prepared to act swiftly and accurately in the event of a breach.

I strongly encourage all businesses to fully understand and formally evaluate their risk in terms of financial, civil and criminal penalties, as well as the costs associated with business disruption for failure to operate per regulations.