CSR PII White Paper
- 1. Personally Identifiable Information (PII): Understanding Why Protection and Compliance are Critical
- 2. PII: Understanding Why Protection and Compliance are Critical | Page 2 Section I: OVERVIEW Handling, managing and storing Personally Identifiable Information (PII) is a significant and growing concern for organizations of every size and type. In its most basic form, PII represents information, standalone or in combination, that can identify an individual. This extends to specifics surrounding geographic and physical characteristics, purchasing habits, and even preferences such as voting behaviors. The correct and lawful acquisition, transmission, retention and destruction of PII is a business necessity. Failure to do so can lead to identity theft, a leading cause of concern among the consumers and regulators. PII loss or compromise violates multiple state and federal laws, and can readily trigger financial, civil and criminal penalties. In addition, reputational damage can disrupt business activities, resulting in lack of customer confidence, lost sales and declining shareholder value. The United States government regulates five PII elements: date of birth, Social Security numbers, driver's license numbers, credit and debit card numbers, as well as check routing and account numbers. Other data elements are also regulated, such as health and financial records. In fact, many states individually have broadened their definition of PII. For example, North Dakota's law includes mother's maiden name, employer-assigned ID numbers and electronic signatures. This white paper covers the basics of PII management, plus delves into legislative governance and a number of critical information technology concerns. CENTRAL QUESTIONS Each data element that falls under PII guidelines has a number of core characteristics that must be understood and analyzed in light of the requirements and risks. Storage environment, whether physical or electronic, must be evaluated against seven criteria for data compliance: 1. Where Stored 2. Sensitivity of the Information 3. Encryption Requirements 4. Multi-Jurisdictional 5. Ownership 6. Procedural 7. System Needs and Dependency Storage Regardless of information format, businesses must address information storage security. Ensuring and documenting that protected information is segregated or segmented from publicly available information is key. Sensitivity How much harm can result with the release of the information to an unauthorized recipient? Within the realm of privacy, categorization of both regulated and unregulated personal data is necessary. Standard classification consists of four levels of privacy encompassing confidential, proprietary, restricted and public information. Organizations must determine the best classification fit for data using specific decision parameters. Encryption Data encryption is a double-edged sword. Does it increase the security of data? The answer is a resounding yes. Does it make the utilization of information more difficult? Again, the answer is yes. The balance of these two factors is central to organizational decision-making around encryption. Legal compliance issues may also exist when various protected data elements are transmitted over electronic networks which may necessitate utilization of encryption. CSR Professional Services, Inc. 830 NE Pop Tilton Place / Jensen Beach / FL / 34957 / 888.294.6971 / www.csrps.com © 2015 CSR. All rights reserved. CSR refers to CSR Professional Services, Inc.
- 3. PII: Understanding Why Protection and Compliance are Critical | Page 3 Multi-Jurisdictional Different jurisdictions have different requirements for the protection and classification of PII. It is imperative to apply the most restrictive requirements when transmitting across boundaries and borders. The standard within our country is that states, such as North Dakota, may increase their requirements above federal standards. Further, privacy standards in Canada, Europe and Asia vary significantly from American requirements and are often more stringent. Ownership Who actually owns the data? Is the data being stored on behalf of a third party? What promises have been made? Is there explicit permission from the data source that information may be stored by a third party? Is there a contract or agreement in place between the multiple parties? Data ownership is a particularly difficult issue and must be fully understood and vetted. Procedural What are the policies and practices in place? Are individuals who handle sensitive data trained on the necessary safeguards? Isthe equipment that transmits and retains personal data uptothe latest specifications? Have upgrades, updates, patches been applied? Has there been a yearly review of all policies involved? Are audits regularly performed of the physical environment? These are just of a few of the issues that need to be addressed. System Needs and Dependency What are the information technology requirements surrounding the lifecycle of collected PII? Do these systems interface with owned, leased and shared hardware and software? Are there competing claims on the ownership of data? Who is responsible for security and maintenance of hardware and software? Are systems operated by employed, contract or leased personnel? These issues must be defined in absolute terms, including immunity, when PII is involved. LIFECYCLE ANALYSIS The PII lifecycle consists of five major areas: acquisition, retention, utilization, propagation and destruction. Businesses must fully understand and continuously monitor these areas. In addition, breach response is central to the overall management of PII. Response to an actual or suspected breach iscodified,which means defined reporting rules and regulations must be followed correctly and completely. The critical components of breach response include: ▲ Treating the affected area as a crime scene ▲ Preserving as much evidence as possible ▲ Immediate and accurate reporting to the correct authorities, including Federal and State agencies and other regulating bodies ▲ Immediate reporting to senior management ▲ Consumer notification Section II: GOVERNMENT POLICY Government Involvement in Privacy Issues For over 40 years, state and federal governments have been enacting legislation to protect privacy. Some of the major federal privacy initiatives include the following: ▲ The Fair Credit Reporting Act (FCRA) ▲ Health Insurance and Portability and Accountability Act (HIPAA) ▲ Gramm-Leach-Bliley Act (GLBA) ▲ The Children’s Online Privacy Protection Act (COPPA) ▲ The Drivers Privacy Protection Act (DPPA) Let's take a brief look at how two of these laws specifically affect organizations. The Fair Credit Reporting Act (FCRA) FCRA regulates the collection, dissemination and use of consumer information, and forms the base of consumer credit rights in the United States. Originally passed in 1970, it is enforced primarily by the Federal Trade Commission (FTC). CSR Professional Services, Inc. 830 NE Pop Tilton Place / Jensen Beach / FL / 34957 / 888.294.6971 / www.csrps.com © 2015 CSR. All rights reserved. CSR refers to CSR Professional Services, Inc.
- 4. PII: Understanding Why Protection and Compliance are Critical | Page 4 The law regulates consumer reporting agencies, like Experian, Equifax and TransUnion, who collect and disseminate information about consumers for credit evaluation and other purposes such as employment background checks. Credit bureaus have a number of responsibilities under FCRA: 1. Provide consumers with information about their credit report and to take steps to verify and correct any disputed entries within 30 days. 2. Negative information which is removed as a result of a dispute may not be reintroduced without notifying the consumer in writing within five days. 3. Negativeinformation, such as late payments may not remain on a consumer's credit report for an excessive period. The reporting time period is typically seven years from the date of the delinquency. The exceptions are bankruptcies at ten years and tax liens at seven years from the time they are paid. Gramm-Leach Bliley Act (GLBA) GLBA gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule. Regulations generally apply to "financial institutions," which include not only banks, securities firms and insurance companies, but companies providing many other types of financial products and services to consumers. The Financial Privacy Rule governs the collection and disclosure of consumers' personal financial information by financial institutions. The law requires that financial institutions protect information about individuals; it does not apply to information collected through business or commercial activities. Among many GLBA regulations, the law requires that a privacy notice be given to individual consumers by mail, online or in-person delivery. Reasonable ways to deliver a notice may depend on the type of business. For example, an online lender may post its notice on its website and require online consumers to acknowledge receipt as a necessary part of a loan application. Recent Legislative Privacy Developments Online retailers have become very sophisticated in tracking consumer online behavior, down to the "keystroke," to create target ads that will appeal to personal preferences. Some use tracking software services called "beacons" to capture information through keystrokes, including email addresses, medical conditions, purchases and just plain surfing preferences. The captured information is packaged into specific consumer profiles, even potentially including a person's name, so retailers can slice and dice visitors as well as new customers. In addition, major websites install tracking cookies on visitor computers, often without notice. The Commerce Department favors letting the industry continue to regulate itself via User Agreements and privacy policies where consumers simply check a box agreeing to abide by stated policies. Industry generally concurs, favoring "privacy by design" where privacy features are built into browsers or web sites. These features encourage greater transparency during data collection, with regard to the intended use, as well as increase the need for clearly worded privacy and user notices. The Commerce Department contends that targeted ads are helpful for consumers. Opposed to the Commerce Department, the FTC appears to be leaning toward a stricter standard that requires a "do not track" option on a web site similar to the "do not call" lists currently in place for telemarketers. The "do not track" system most likely would be built into a web browser, signaling a web site, the content providers and advertisers that the user did not want to be tracked. Most consumer advocates understandably favor the FTC approach. The current administration in Washington wants uniform standards. Federal regulators are trying to balance CSR Professional Services, Inc. 830 NE Pop Tilton Place / Jensen Beach / FL / 34957 / 888.294.6971 / www.csrps.com © 2015 CSR. All rights reserved. CSR refers to CSR Professional Services, Inc.
- 5. PII: Understanding Why Protection and Compliance are Critical | Page 5 consumer protection and commercial rights. An interagency panel is looking at how to further protect consumers while at the same time making United States companies more competitive internationally. The administration wants to ensure that restrictions will not impede law enforcement and national security efforts. This may be one area where Congressional bipartisan cooperation exists. The House and Senate have recently called on companies to account for intrusions or breaches of consumer privacy. The House Energy and Commerce Committee, which oversees the FTC and privacy issues, now has a Republican at its head, but members of both parties realize that privacy issues transcend partisanship, at least to a point. That said, in the past, Republican committee control often results in business interests presiding over consumer concerns. No federal legislation currently exists outside of the privacy initiatives previously discussed relating to the reporting of data breaches. Today, data breach reporting to authorities and notification to affected parties is generally governed by the 47 states, District of Columbia, Guam, Puerto Rico and the Virgin Islands who have all enacted independent, applicable legislation. There are three bills currently making their way through Congress that propose a national breach reporting law, but the process is slow-going. Independent from state reporting requirements, the card brands such as Visa, MasterCard, American Express and Discover have reporting requirements, as does the Secret Service. Section III. INFORMATION TECHNOLOGY Information Technology (IT) departments, and companies in general, are expected to have policies, processes and controls that address the confidentially, integrity and availability of PII. An effective information security system starts with processes that audit and monitor data. These functions should be the safeguards against unauthorized access, theft and illicit use of PII. Typically though, companies are not taking these activities seriously, and thus, are leaving their systems wide open to the possibility of theft. Most theft or misuse of PII and other information comes from within an organization. Effective monitoring tools that are configured properly and reviewed regularly are the first line of defense. Loss of data occurs from the lack of and adherence to policies and procedures related to information handling. It is estimated that between 85% and 90% of the data theft cases reported could have been detected and, in some cases, prevented with effective monitoring. IT organizations often struggle to implement strong tools because of cost and the inability to show a hard dollar return on investment. Unfortunately, executives realize the price of not implementing these tools after a PII theft event occurs; the company often pays far more than the original investment would have cost. Strong IT policies and procedures are also an integral component of prevention. IT executives have struggled for years to get their companies to adopt strong policies and procedures for the access, use, storage and destruction of information. This is especially true when it comes to PII handling and monitoring, which has left some of the world's most respected and seemingly secure companies vulnerable to theft. Companies need to focus on the preventative, detective and corrective aspects of their policies and procedures. They must also understand and manage the access and use of hardware and software. This goes well beyond internal use, applying to the company's software vendor policies, the use of hardware and software by external users and the exposure to the company's network to the Internet. Business eagerly embraces new technologies, always before security catches up. We have seen a proliferation of laptop computers, wireless networks and now, CSR Professional Services, Inc. 830 NE Pop Tilton Place / Jensen Beach / FL / 34957 / 888.294.6971 / www.csrps.com © 2015 CSR. All rights reserved. CSR refers to CSR Professional Services, Inc.
- 6. PII: Understanding Why Protection and Compliance are Critical | Page 6 smartphones. Theft today occurs frequently when an unrecognized email is opened that is embedded with a script to locate sensitive information, such as bank usernames and passwords. The script sends this data back to a hacker who can transfer money from an individual's or company's bank account in a matter of minutes. This happens on a daily basis and it typically takes a day or more to realize the theft has occurred. Wireless technologies compound the threat of illicit access. Wireless enables an in-office or home experience to access information virtually anywhere in the world via many different technologies. These technologies offer very little in the way of security, and companies are slow to set policy and implement safeguards to prevent unauthorized access to corporate networks. In a well-publicized case, a large retailer in the United States was breached externally through their wireless network. The perpetrators were camped out near one of the retailer's locations using a laptop computer and Virtual Private Network (VPN) technology to access the company's customer PII data - all without detection for 18 months. Even then, it was a third party that noticed the breach. Ironically, the mastermind of this enterprise refined his expertise while working as a Federal Bureau of Investigation (FBI) informant! There have been numerous cases of large amounts of personal data exposed by the loss of laptop computers, disk drives and back-up tapes. As stated above, companies need strong policies and administrative controls to keep all of their portable media secure. The latest business tool craze is smartphones. Smartphones are free from virus protection and strong encryption. Passwords are inconvenient. Until security is better developed, companies should think long and hard about using these devices to store, process or transmit PII. The ever-increasing capacity and low cost of media devices like flash drives and disk media have enhanced the capabilities of someone to easily walk away with mass amounts of data. This coupled with business requirements that allow external access to corporate systems, expose businesses to unauthorized access, premeditated theft and unintended loss of information. Media devices and their appropriate use must be defined, while monitoring them when essential and eliminating their use when deemed unnecessary. Networks and devices should be secured with layered authentication processes and stronger encryption, plus networks should be hidden from the open airwaves. Investment in technologies that secure information is no different from investing in insurance coverage. With all this said, companies must understand the value of their PII and what a breach might mean to their customers and their business. One critical element that is continuously underestimated is the ability of a business to gather the details of a suspected or actual breach, and then accurately and in a timely fashion report it to the proper authorities and regulating entities. Businesses constantly tell IT professionals to reduce cost, frequently at the expense of logging and audit trails because they increase hardware needs. This view is exactly what a potential hacker or rogue IT professional is looking for because they understand that detection and eventual rebuilding of "what happened" is nearly impossible without verbose tracking information. Just like accounting records, the more detailed the data and the more controlled the process, the more easily auditable and the more likely to prevent fraudulent activities. Companies should step back and understand the importance of IT policies, procedures and controls around PII and sensitive data. All customers have a non- negotiable expectation of privacy where their personal information is in play. Ignoring these elements can cause reputational embarrassment as well as result in large fines, which in some cases have been in the millions of dollars. CSR Professional Services, Inc. 830 NE Pop Tilton Place / Jensen Beach / FL / 34957 / 888.294.6971 / www.csrps.com © 2015 CSR. All rights reserved. CSR refers to CSR Professional Services, Inc.
- 7. PII: Understanding Why Protection and Compliance are Critical | Page 7 Section IV: CONCLUSION PII is and will remain a significant concern of regulators and the general population for the foreseeable future. It is clear that United States laws and regulations will be strengthened. Every organization that in any way touches PII elements in any context must be fully versed in compliance requirements and be prepared to act swiftly and accurately in the event of a breach. CSR strongly encourages all businesses to fully understand and formally evaluate their risk in terms of financial, civil and criminal penalties, as well as the costs associated with business disruption for failure to operate according to regulations. CSR Professional Services, Inc. 830 NE Pop Tilton Place / Jensen Beach / FL / 34957 / 888.294.6971 / www.csrps.com © 2015 CSR. All rights reserved. CSR refers to CSR Professional Services, Inc.