There is a huge misconception among information security professionals today that data privacy laws are not applicable to private companies, but are only designed for publicly traded companies, government organizations or large financial institutions. This is not the case. Whether your company is public or private, large or small, today's information privacy regulations may affect you and your organization on many different levels, not just financially and legally.
Failing to integrate good security practices within a private organization can affect a company's bottom line, customer retention, business reputation and employee morale. In fact, there are dozens of privacy laws pertinent to all types of companies and more are on the way. These issues cover all facets of the information security landscape where governments and individuals are insisting on accountability from private corporations to control their data.
As a stakeholder or security professional for a private business, in the past you may have pushed aside these concerns as extraneous; someone told you that there's no legal obligation that you must safeguard data.
But many businesses don't seem to understand the extent to which consumers value the privacy of their personal data. In this article, we will attempt to review what is considered public and private information, outline some of the leading privacy laws on the landscape today and provide a few tips on how your organization can begin mitigating the risk of identity theft from your most valuable possession: information.
Taking responsibility for customer, employee data
Businesses of all sizes, not just big companies, are held accountable for complying with federal and state customer data security and privacy laws. As a matter of fact, customers have become extremely nervous about doing business with your organization, regardless of its classification.
Did you know:
- 85% of Americans are worried about becoming victims of identity theft.
- 64% of consumers say they have decided not to buy a company's product or service because they did not know how the company would use their personal information.
- 58% of consumers say if they were confident a business followed its declared security and privacy policies, they would recommend that business to family and friends.
Source: Privacy & American Business.[1]
If you are in a position to influence your organization's data security strategy, it is important that you have a fundamental understanding of data privacy laws and that you know the potential legal requirements that your organization may be confronted with when dealing with employee and customer information as a private organization. A key part of that effort is a responsibility to stay current on privacy and security laws affecting your business and your customers.
Laws are meant to compel companies to take the steps necessary to avoid a data theft or breach, which can be costly. A 2006 study by the Ponemon Institute found that data breaches cost companies an average of $182 per compromised record, a 31% increase over 2005. The same study concluded that the total cost of individual breaches ranged from less than $1 million to more than $22 million.[2]
According to statistics provided by the Federal Trade Commission (FTC) in early 2006, a total of 93,938 identity theft complaints were recorded in calendar year 2005, a steady increase from 2004, when there were only 76,815 complaints of identity theft.[3] What is even more interesting is how a victim's information is misused:
- 26% - Credit card fraud
- 18% - Phone or utilities fraud
- 17% - Bank fraud
- 12% - Employment related fraud
- 9% - Government documents fraud
- 5% - Loan fraud
- 25% - Other identity theft
- 6% - Attempted identity theft
Source: FTC Complaint Data, December 2005.[4]
Identity thieves can also use stolen information about your business to do damage by opening credit card accounts in your business' name, making purchases without your knowledge, or getting surreptitious business loans. In rare cases, identity thieves may secure enough information that they can actually sell your business or commercial property without your knowledge.
Categorizing public and private information
Private, or non-public, information is information that is not generally available from public records or commercial sources. Non-public information can include information that is protected from disclosure by law or by custom, such as medical records, employment records, tax returns and personal financial records. Typically, private information can only be released to the subject of the information, to those individuals who have a legitimate need to know, to outside entities with the subject's written permission and to others as allowed by law. A few examples of private information held by businesses include:
- Social Security numbers
- Birth dates
- Home phone numbers
- Health records
- Home addresses
- Ethnicity and citizenship
- Veteran and disability status
- Email addresses
- Drivers' license numbers
- Medical record numbers
- Health plan numbers
- Account numbers
- Certificate or license numbers
- Device identification/serial numbers
- Facial photographs
In regard to financial or credit card information, this includes any information obtained throughout the transaction of a financial product or service that is identifiable to an individual. This also covers what is obtained during the processing of a credit card payment transaction that identifies individual consumers and their purchases, such as:
- Phone number
- Account balances
- ACH numbers
- Bank account numbers
- Credit card number and expiration date
- Credit rating
- Date and location of birth
- Driver's license numbers
- Income data
- Payment data
- Account numbers
- Expiration dates
- Social Security numbers
You can find literally hundreds of reported cases on the Privacy Rights Clearinghouse Web site, which maintains a chronology of reported identity theft incidents and data breaches.[5]
A look at the law
Now let's examine just a few of the major laws in place that are designed to protect individuals whose private information has been exposed by a company, whether that company is a private organization or not.
California SB-1386 -- This was one of the first privacy laws and one of the most influential, causing a domino effect for other states to follow. This bill was passed in 2002 and provides strict requirements for businesses to notify consumers following any breach of unencrypted personal data. This includes any combination of an individual's name and such data as credit card numbers, Social Security numbers, driver's license numbers and other information. Since the passage of SB-1386, dozens of states have created similar privacy laws, and still others have legislation in the works.
While penalties such as fines or minimum prison time have not been specifically enumerated, damages from negative publicity in the media, costs in notifying customers and subsequent public relations nightmares are virtually limitless. Further, SB-1386 specifically allows civil lawsuits to recover damages.
HIPAA -- When it comes to all aspects of healthcare information, the Health Insurance Portability & Accountability Act of 1996 (HIPAA) requires improved efficiency in healthcare information delivery by standardizing electronic data interchange, and protection of the confidentiality and security of health data. Almost all healthcare organizations, public health authorities, clearinghouses, self-insured businesses, health providers, life insurers, service organizations and universities are bound by HIPAA. They are mandated to securely protect all patient health information (PHI) involved in electronic health transactions. Penalties include fines of up to $25,000 for multiple violations of the same standard in a calendar year, or $250,000 and/or imprisonment of up to 10 years for knowing misuse of individually identifiable health information.[6]
Payment Card Industry Data Security Standard (PCI DSS) -- Although not a law, PCI DSS was established by credit card companies including Visa, MasterCard and Discover to ensure the proper handling and protection of cardholder account and transaction information. The PCI standard is a contractual obligation that consists of a set of 12 rules for the secure handling of credit card information. This can include credit card numbers and account holder's personally identifiable information. PCI applies to anyone who takes and stores credit card information, including e-commerce companies, financial institutions, and retail merchants.
According to PCI regulations:
- If a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.[7]
- Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.
Gramm-Leach-Bliley Act (GLBA) -- GLBA is a law composed of several components, including the Financial Privacy Rule, which requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain what information is collected about the consumer, where that information is shared, how that information is used and how that information is protected. Secondly, the Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared to protect clients' nonpublic personal information. Like other laws, this rule is intended to require what most businesses should already be doing: protecting their clients.
Some examples of industries covered by GLBA include:
- Securities trading
- Insurance companies
- Tax preparers
- Credit counselors and financial advisors
- Real estate services
- Debt collector services
For GLBA violations, a financial institution is subject to a civil penalty of not more than $100,000 for each violation, and the officers and directors of the financial institution are subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation.
Federal Information Security Management Act (FISMA) -- FISMA requires federal agencies to develop, document and implement agency-wide programs to secure data and information systems supporting agency operations and assets, including those managed by other agencies or contractors. Federal agencies, state, local, and tribal governments, as well as private sector organizations composing the critical infrastructure of the United States are also accountable to FISMA.
Federal Information Processing Standards (FIPS) -- For applications or devices that include cryptography, U.S. federal government agencies are required to use a cryptographic product that has been Federal Information Processing Standard (FIPS) 140 validated or Common Criteria (CC) validated, and most CC protection profiles rely on FIPS validation for cryptographic security. The FIPS 140 requirement is applicable to all U.S. government departments and agencies which use cryptographic-based security systems to protect unclassified information, including any organization selling products to U.S. and Canadian government agencies.
Developing a data privacy strategy
Start by cataloging your data collection practices:
- Do you collect names, email addresses, home addresses, phone numbers, Social Security numbers or other personal information about your customers or employees?
- Are you storing customer information for any period of time?
- Do you accept credit/debit cards?
- Do you communicate customer information with businesses or organizations?
- Do you perform business on the Internet?
If you answered yes to any of the above questions, then you need to be worried about information security and privacy laws. Fortunately, companies can implement a number of preventive actions to help protect themselves and consumers:
- Monitoring and management of sensitive information -- Take proper care of sensitive information by means of encryption where appropriate. Establish an information retention policy for your business based on management and regulation requirements that outline how long you will store private information and when information can be destroyed. Destruction of information makes sure that personal information does not get into the wrong hands.
- Limit sensitive data collection -- If at all possible, never collect private information -- such as Social Security numbers or credit card numbers -- unless it is absolutely necessary. Many organizations are now creating unique customer IDs internally instead of using Social Security numbers, phone numbers or other personal customer information.
- Safeguard physical access to information -- You should try to protect access to sensitive areas at all times. Wherever sensitive data is stored, you should lock and control access to these areas and make sure that employees adhere to corporate policy for information access in order to protect critical data.
- Secure computer access -- There should be a clear separation of duties among employees and an implementation of role-based access control (RBAC) for protecting logical access to information. No one person or group of persons should have "the keys to the kingdom." RBAC can help control which users have access to resources based on their roles. Access rights are grouped by role name, and access to resources is restricted to users who have been authorized to assume the associated role.
- Destroying digital information and physical documents -- All of your computer media should be clean of any personally identifiable information prior to being discarded or handed to third parties. It is important to know that data can reside on hard drives long after it is erased. This information can often be retrieved by computer experts. Sensitive paper documents should be shredded immediately and not sent off-site to be shredded by a third party.
- External information access -- All entry points into your network should have well configured firewalls/proxy servers, routers with strong access control lists, virus software protection, and intrusion detection devices -- at a minimum. Unless there is a strong business need to keep personal data available online, companies should keep it offline. External vulnerability assessments should be frequently conducted to test the strength of your technical security controls that are protecting these systems.
- Sensitive transmitted information -- Make sure that only non-sensitive, non-confidential information is ever transmitted in clear text. Sensitive information should be encrypted not only at rest but also during transmission to its final destination.
- Incident response -- You should have an incident response plan in place that allows for immediate action in case of a security breach to your sensitive information. It is important that your team knows how to react in order to minimize damages, restore resources and attempt to guarantee data integrity.
- Security awareness/training -- Pretend your employees don't know anything about securing the company's information at this point. All employees that have any physical or logical access to sensitive information should be trained to meet security policy standards. In addition, you should enforce confidentiality or non-disclosure agreements that employees should sign stating they will follow corporate policy in order to protect information.
- Third-party relationships and service level agreements (SLA) -- Organizations that you rely on for outsourced services should practice strong information privacy policies, implement cutting edge technical controls to secure data and allow you to audit their network at any given point to assure you that they are adhering to your security standards, not just theirs.
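As an added example (not from the article or its authors), here is a small Python data-discovery check for two of the categories listed earlier, Social Security numbers and payment card numbers, run over constructed sample records; it supports the cataloging questions and the "limit sensitive data collection" step above. The SSN structure rules and the Luhn check are assumptions about how such values are formed.

```python
import re

# Constructed sample records (not real data): the kind of customer rows the
# article's cataloging questions would turn up in a small business database.
SAMPLE_RECORDS = [
    {"name": "A. Customer", "ssn": "123-45-6789",
     "card": "4111 1111 1111 1111", "phone": "555-867-5309"},
    {"name": "B. Customer", "order": "1234-5678-9012-3456",
     "tax_id": "000-12-3456"},
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def is_valid_ssn(text):
    """True if text contains a structurally valid SSN. Assumed SSA rules:
    area not 000/666/9xx, group not 00, serial not 0000."""
    for area, group, serial in SSN_RE.findall(text):
        if area in ("000", "666") or area.startswith("9"):
            continue
        if group == "00" or serial == "0000":
            continue
        return True
    return False

def luhn_ok(digits):
    """Luhn checksum used by card issuers; rejects most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pii(record):
    """Map each field of a record to the sensitive category it holds."""
    found = {}
    for field, value in record.items():
        value = str(value)
        if is_valid_ssn(value):
            found[field] = "ssn"
            continue
        for m in CARD_RE.finditer(value):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                found[field] = "payment_card"
                break
    return found

def inventory(records):
    """Summarise which categories are collected and in which record/field,
    the raw material for the data catalog the article asks for."""
    hits = {}
    for idx, rec in enumerate(records):
        for field, cat in find_pii(rec).items():
            hits.setdefault(cat, []).append((idx, field))
    return hits

if __name__ == "__main__":
    for cat, where in inventory(SAMPLE_RECORDS).items():
        print(f"{cat}: found in {where}")
```

The phone number, the order number (fails Luhn) and the 000-area "tax_id" are not reported, which keeps the catalog from overstating what you actually hold.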
Many businesses today either ignore or don't realize that data privacy laws and information security practices are applicable to private and public companies, in addition to various branches of government. These same businesses are at risk of losing or exposing their most prized possession, information, to an untrusted world that would gladly profit from that loss. Laws and regulations have rapidly grown in an attempt to force businesses of all sizes and industries to pay more attention to the privacy and use of people's information.
Data privacy is a complicated and rapidly changing field with a legal landscape of surrounding issues that are subject to new legislation and constant interpretation by government agencies and the courts. It is necessary that you keep current on the laws as they apply to your business. Asking questions about the type of information your organization creates, stores, processes and transmits within your organization and implementing security best practices is only the beginning when it comes to mitigating your risks of a security breach.
Although there is no guarantee that you can avoid a publicized security breach, implementing information security policies and increasing employee security awareness can go a long way toward ensuring that your organization mitigates its areas of greatest risk.
About the authors:
Craig Norris, CISSP, CISA, MCSE, Security+, CAPM, TICSA, is an engagement manager at an IT consulting firm in Dallas. He has been involved with information technology and security for over 12 years. He can be contacted via firstname.lastname@example.org.
Tom Cadle, CISSP, CEH, MCT, MCSE, is the information systems security officer for a multibillion dollar, international company. He has been involved with information technology and security for over 16 years. He can be reached at email@example.com.
[1] Sherwood, Lorrie. P&AB ID Theft Survey: Victims on the Rise, Business and Legislative Movement Underway. http://www.bbbonline.org/IDtheft/PABIDTheft.pdf. July 2003.
[2] Spinney, Mike. Ponemon Institute. Ponemon Report Shows Sharp Rise in the Costs of Data Breaches. http://www.ponemon.org/press/Ponemon_2006%20Data%20Breach%20Cost_FINAL.pdf
[3] Federal Trade Commission. Identity Theft Data Clearinghouse. Washington, DC. Identity Theft Victim Complaint Data: Figures and Trends, January 1 - December 31, 2005. http://www.consumer.gov/idtheft/pdf/clearinghouse_2005.pdf.
[4] Federal Trade Commission. Consumer Fraud and Identity Theft Complaint Data. http://www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf. January 2006.
[5] Privacy Rights Clearinghouse. "A Chronology of Data Breaches." http://www.privacyrights.org/ar/ChronDataBreaches.htm. Posted April 20, 2005. Updated January 3, 2007.
[6] Phoenix Health Systems. HIPAA Advisory. "HIPAA Primer." http://www.hipaadvisory.com/regs/HIPAAprimer.htm. July 2005.
[7] Visa USA. Operations and Risk Management. "Cardholder Information Security Program." http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_if_compromised.html.
[8] International Standard. ISO/IEC 17799:2005(E) Information technology — Security techniques — Code of practice for information security management. Second edition. 2005-06-15.