Monday, March 20, 2017

Understanding Why Protection and Compliance is Critical


Handling, managing and storing Personally Identifiable Information (PII) is a significant and growing concern for organizations of every size and type.

In its most basic form, PII represents information, standalone or in combination, that can identify an individual. This extends to specifics surrounding geographic and physical characteristics, purchasing habits, and even preferences such as voting behaviors.

The correct and lawful acquisition, transmission, retention and destruction of PII is a business necessity. Failure to do so can lead to identity theft, a leading cause of concern among consumers and regulators. PII loss or compromise violates multiple state and federal laws, and can readily trigger financial, civil and criminal penalties. In addition, reputational damage can disrupt business activities, resulting in lack of customer confidence, lost sales and declining shareholder value.

The United States government regulates five PII elements: date of birth, social security numbers, driver’s license numbers, credit and debit card numbers, as well as check routing and account numbers. Other data elements are also regulated, such as health and financial records. In fact, many states individually have broadened their definition of PII.

For example, North Dakota’s law includes mother’s maiden name, employer-assigned ID numbers and electronic signatures.

This white paper covers the basics of PII management, and delves into legislative governance and several critical information technology concerns.

Each data element that falls under PII guidelines has several core characteristics that must be understood and analyzed in light of the applicable requirements and risks.

The storage environment, whether physical or electronic, must be evaluated against seven criteria for data compliance:

Where stored

Regardless of information format, businesses must address information storage security. Ensuring and documenting that protected information is segregated or segmented from publicly available information is key.

Sensitivity of the information

How much harm can result with the release of the information to an unauthorized recipient? Within the realm of privacy, categorization of both regulated and unregulated personal data is necessary. Standard classification consists of four levels of privacy encompassing confidential, proprietary, restricted and public information.

Organizations must determine the best classification fit for data using specific decision parameters.
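Assessing sensitivity starts with discovering which regulated elements a record actually contains. The following Python script is an added example, not part of this white paper; it scans constructed sample records for four of the five federally regulated elements named above (date of birth, social security number, card number, check routing number) and validates card and routing numbers by checksum so that ordinary digit strings are not misclassified. Driver’s license formats vary by state and are omitted here, and mapping any regulated element to the "restricted" classification level is an assumed decision parameter, not one the paper prescribes.

```python
import re

# Patterns for the regulated elements. Driver's license numbers are omitted:
# their format varies by state (assumption made for this example).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
ROUTING_RE = re.compile(r"\b\d{9}\b")               # ABA routing numbers are 9 digits


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing number checksum: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) ≡ 0 mod 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    d = [int(c) for c in digits]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])) % 10 == 0


def find_regulated_elements(text: str) -> set[str]:
    """Return the set of regulated PII element types detected in a record."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if DOB_RE.search(text):
        found.add("date_of_birth")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("card_number")
    for m in ROUTING_RE.finditer(text):
        if aba_ok(m.group()):
            found.add("routing_number")
    return found


def classify(text: str) -> str:
    # Assumed decision parameter: any regulated element => "restricted", else "public".
    return "restricted" if find_regulated_elements(text) else "public"


# Constructed sample records; the card and routing values are standard test values.
SAMPLE_RECORDS = {
    "r1": "Jane Doe, DOB 07/04/1985, SSN 123-45-6789",
    "r2": "card 4111 1111 1111 1111 exp 12/29",
    "r3": "order #123456789 shipped to dock 4111 1111 1111 1112",  # both fail checksums
    "r4": "ACH: routing 021000021 account 9876543210",
}

if __name__ == "__main__":
    for rid, rec in SAMPLE_RECORDS.items():
        print(rid, classify(rec), sorted(find_regulated_elements(rec)))
```

Record r3 shows why the checksums matter: it contains a 9-digit order number and a mistyped card number, and neither is flagged.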

Encryption requirements

Data encryption is a double-edged sword. Does it increase the security of data? The answer is a resounding yes. Does it make the utilization of information more difficult? Again, the answer is yes. The balance of these two factors is central to organizational decision-making around encryption. Legal compliance issues may also exist when various protected data elements are transmitted over electronic networks, which may necessitate encryption.

Multijurisdictional

Different jurisdictions have different requirements for the protection and classification of PII. It is imperative to apply the most restrictive requirements when transmitting across boundaries and borders. The standard within our country is that states, such as North Dakota, may increase their requirements above federal standards. Further, privacy standards in Canada, Europe and Asia vary significantly from American requirements and are often more stringent.

Ownership

Who owns the data? Is the data being stored on behalf of a third party? What promises have been made? Is there explicit permission from the data source that information may be stored by a third party? Is there a contract or agreement in place between the multiple parties? Data ownership is a particularly difficult issue and must be fully understood and vetted.

Procedures

What are the policies and practices in place? Are individuals who handle sensitive data trained on the necessary safeguards? Is the equipment that transmits and retains personal data up to the latest specifications? Have upgrades, updates and patches been applied? Has there been a yearly review of all policies involved? Are audits of the physical environment performed regularly? These are just a few of the issues that need to be addressed.

System needs and dependencies

What are the information technology requirements surrounding the lifecycle of collected PII? Do these systems interface with owned, leased and shared hardware and software? Are there competing claims on the ownership of data? Who is responsible for security and maintenance of hardware and software? Are systems operated by employed, contract or leased personnel? These issues must be defined in absolute terms, including immunity, when PII is involved.

LIFECYCLE ANALYSIS

The PII lifecycle consists of five major areas: acquisition, retention, utilization, propagation and destruction. Businesses must fully understand and continuously monitor these areas.

In addition, breach response is central to the overall management of PII. Response to an actual or suspected breach is codified, which means defined reporting rules and regulations must be followed correctly and completely.

The critical components of breach response include:

- Treating the affected area as a crime scene
- Preserving as much evidence as possible
- Immediate and accurate reporting to the correct authorities, including federal and state agencies and other regulating bodies
- Immediate reporting to senior management

GOVERNMENT POLICY

For over 40 years, state and federal governments have been enacting legislation to protect privacy. Some of the major federal privacy initiatives include:

- Fair Credit Reporting Act (FCRA)
- Gramm-Leach-Bliley Act (GLB)
- Health Insurance Portability and Accountability Act (HIPAA)
- Children’s Online Privacy Protection Act (COPPA)
- Driver’s Privacy Protection Act (DPPA)

Let’s take a brief look at how two of these laws specifically affect organizations.

The Fair Credit Reporting Act

FCRA regulates the collection, dissemination and use of consumer information, and forms the base of consumer credit rights in the United States.

Originally passed in 1970, it is enforced primarily by the Federal Trade Commission (FTC).

The law regulates consumer reporting agencies, like Experian, Equifax and TransUnion, which collect and disseminate information about consumers for credit evaluation and other purposes such as employment background checks.

Credit bureaus have several responsibilities under FCRA:

1. Provide consumers with information about their credit report and take steps to verify and correct any disputed entries within 30 days.

2. Negative information which is removed because of a dispute may not be reintroduced without notifying the consumer in writing within five days.

3. Negative information, such as late payments, may not remain on a consumer’s credit report for an excessive period. The reporting time is typically seven years from the date of the delinquency. The exceptions are bankruptcies at 10 years and tax liens at seven years from the time they are paid.

Gramm-Leach-Bliley Act

GLBA gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule. Regulations generally apply to “financial institutions,” which include not only banks, securities firms and insurance companies, but companies providing many other types of financial products and services to consumers.

The Financial Privacy Rule governs the collection and disclosure of consumers’ personal financial information by financial institutions. The law requires that financial institutions protect information about individuals; it does not apply to information collected through business or commercial activities.

Among many GLB regulations, the law requires that a privacy notice be given to individual consumers by mail, online or in-person delivery. Reasonable ways to deliver a notice may depend on the type of business. For example, an online lender may post its notice on its website and require online consumers to acknowledge receipt as a necessary part of a loan application.

to personal preferences.

Some use tracking software services called “beacons” to capture information through keystrokes, including email addresses, medical conditions, purchases and just plain surfing preferences. The captured information is packaged into specific consumer profiles, even potentially including a person’s name, so retailers can slice and dice visitors as well as new customers. In addition, major websites install tracking cookies on visitor computers, often without notice.

The Commerce Department favors letting the industry continue to regulate itself via User Agreements and privacy policies where consumers simply check a box agreeing to abide by stated policies. Industry generally concurs, favoring “privacy by design” where privacy features are built into browsers or web sites. These features encourage greater transparency during data collection, about the intended use, as well as increase the need for clearly worded privacy and user notices. The Commerce Department contends that targeted ads are helpful for consumers.

Opposed to the Commerce Department, the FTC appears to be leaning toward a stricter standard that requires a “do not track” option on a web site like the “do not call” lists currently in place for telemarketers. The “do not track” system most likely would be built into a web browser, signaling a web site, the content providers and advertisers that the user did not want to be tracked.

Most consumer advocates understandably favor the FTC approach.

Washington wants uniform standards. Federal regulators are trying to balance consumer protection and commercial rights. An interagency panel is looking at how to further protect consumers while at the same time making United States companies more competitive internationally. The administration wants to ensure that restrictions will not impede law enforcement and national security efforts.

This may be one area where Congressional bipartisan cooperation exists. The House and Senate have recently called on companies to account for intrusions or breaches of consumer privacy.

The House Energy and Commerce Committee, which oversees the FTC and privacy issues, now has a Republican at its head, but members of both parties realize that privacy issues transcend partisanship, at least to a point. That said, in the past, Republican committee control has often resulted in business interests presiding over consumer concerns.

No federal legislation currently exists outside of the privacy initiatives previously discussed relating to the reporting of data breaches. Today, data breach reporting to authorities and notification to affected parties is generally governed by the 46 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands, which have all enacted independent, applicable legislation. There are three bills currently making their way through Congress that propose a national breach reporting law, but the process is slow-going.

Independent from state reporting requirements, the card brands such as Visa, MasterCard, American Express and Discover have reporting requirements, as does the Secret Service.

Section III: INFORMATION TECHNOLOGY

Information Technology (IT) departments, and companies in general, are expected to have policies, processes and controls that address the confidentiality, integrity and availability of PII. An effective information security system starts with processes that audit and monitor data. These functions should be the safeguards against unauthorized access, theft and illicit use of PII.

Typically, though, companies are not taking these activities seriously, and thus, are leaving their systems wide open to the possibility of theft. Most theft or misuse of PII and other information comes from within an organization.

Effective monitoring tools that are configured properly and reviewed regularly are the first line of defense. Loss of data occurs from the lack of, and failure to adhere to, policies and procedures related to information handling. It is estimated that between 85% and 90% of the data theft cases reported could have been detected and, in some cases, prevented with effective monitoring.

IT organizations often struggle to implement strong tools because of cost and the inability to show a hard dollar return on investment.

Unfortunately, executives realize the price of not implementing these tools after a PII theft event occurs; the company often pays far more than the original investment would have cost.

Strong IT policies and procedures are also an integral component of prevention. IT executives have struggled for years to get their companies to adopt strong policies and procedures for the access, use, storage and destruction of information. This is especially true when it comes to PII handling and monitoring, which has left some of the world’s most respected and seemingly secure companies vulnerable to theft. Companies need to focus on the preventative, detective and corrective aspects of their policies and procedures.

They must also understand and manage the access and use of hardware and software. This goes well beyond internal use, applying to the company’s software vendor policies, the use of hardware and software by external users and the exposure of the company’s network to the Internet.

Business eagerly embraces new technologies, always before security catches up. We have seen a proliferation of laptop computers, wireless networks and now, smartphones. Theft today frequently occurs when an email from an unrecognized sender is opened that contains an embedded script to locate sensitive information, such as bank usernames and passwords. The script sends this data back to a hacker who can transfer money from an individual’s or company’s bank account in a matter of minutes. This happens daily, and it typically takes a day or more to realize the theft has occurred.

Wireless technologies compound the threat of illicit access. Wireless enables an in-office or home experience to access information virtually anywhere in the world via many different technologies. These technologies offer very little in the way of security, and companies are slow to set policy and implement safeguards to prevent unauthorized access to corporate networks.

In a well-publicized case, a large retailer in the United States was breached externally through their wireless network. The perpetrators were camped out near one of the retailer’s locations using a laptop computer and Virtual Private Network (VPN) technology to access the company’s customer PII data — all without detection for 18 months. Even then, it was a third party that noticed the breach. Ironically, the mastermind of this enterprise refined his expertise while working as a Federal Bureau of Investigation (FBI) informant!

There have been numerous cases of large amounts of personal data exposed by the loss of laptop computers, disk drives and back-up tapes. As stated above, companies need strong policies and administrative controls to keep all their portable media secure.

The latest business tool craze is smartphones. Smartphones typically lack virus protection and strong encryption, and passwords on them are inconvenient. Until security is better developed, companies should think long and hard about using these devices to store, process or transmit PII.

The ever-increasing capacity and low cost of media devices like flash drives and disk media have made it easy for someone to walk away with mass amounts of data. This, coupled with business requirements that allow external access to corporate systems, exposes businesses to unauthorized access, premeditated theft and unintended loss of information.

Media devices and their appropriate uses must be defined; their use should be monitored where essential and eliminated where deemed unnecessary.

Networks and devices should be secured with layered authentication processes and stronger encryption, plus networks should be hidden from the open airwaves. Investment in technologies that secure information is no different from investing in insurance coverage.

With all this said, companies must understand the value of their PII and what a breach might mean to their customers and their business.

One critical element that is continuously underestimated is the ability of a business to gather the details of a suspected or actual breach, and then accurately and in a timely fashion report it to the proper authorities and regulating entities.

Businesses constantly tell IT professionals to reduce cost, frequently at the expense of logging and audit trails because they increase hardware needs. This view is exactly what a potential hacker or rogue IT professional is looking for because they understand that detection and eventual rebuilding of “what happened” is nearly impossible without verbose tracking information. Just like accounting records, the more detailed the data and the more controlled the process, the more easily auditable and the more likely to prevent fraudulent activities.

Companies should step back and understand the importance of IT policies, procedures and controls around PII and sensitive data. All customers have a non-negotiable expectation of privacy where their personal information is in play. Ignoring these elements can cause reputational embarrassment as well as result in large fines, which in some cases have been in the millions of dollars.

CONCLUSION

PII is and will remain a significant concern of regulators and the general population for the foreseeable future. United States laws and regulations will be strengthened.

Every organization that in any way touches PII elements in any context must be fully versed in compliance requirements and be prepared to act swiftly and accurately in the event of a breach.

I strongly encourage all businesses to fully understand and formally evaluate their risk in terms of financial, civil and criminal penalties, as well as the costs associated with business disruption for failure to operate per regulations.