Every one of us in the payment space knows that data protection and regulation are central to all we do. No one in the industry is unfamiliar with the PCI DSS at this point. Whether or not you favor it or believe in it, the simple truth is that data protection is real, growing and enforced.
Currently in the United States, 46 states and three territories have some form of data protection regulation, inclusive of breach reporting. In addition, data regulation is not restricted to credit or debit cards. In fact, the cardholder data covered by the PCI DSS is a subset of the growing list of data elements that fall under the concept of Personally Identifiable Information (PII).
From a global perspective, ninety countries now have data protection regulation. Many countries outside the United States consider the rules within the USA to be weak and require special additional safeguards before information may be transmitted to the USA. This is true, for example, within the European Union (EU), which consists of 27 countries. The EU is in the process of replacing the rules that became effective in the mid-1990s with a much stronger and more specific rule set under its newly proposed data protection regulation. This proposal, which the vast majority expect to pass in the next 6 to 18 months, carries stringent requirements and penalties for failing to follow the rules.
The key broader concept, as stated above, is PII. What is PII? PII is any data point that either by itself or in combination with other specific data elements can identify an individual. This extends to information that has been anonymized, where re-identification is possible by combining it with other data. Remember that big business today is centrally focused on "big data", and that is what we are really talking about. Some of the common elements that make up this pool of PII include social security number, birthdate, driver's license number, bank account and routing numbers and, of course, credit and debit card numbers. Additional PII elements can include health information, criminal records, photographs, vehicle identification numbers and a wide array of other elements.
Currently there are fourteen states that have enacted laws which impose an obligation to provide security for various types of personally identifiable information. These laws fall into a number of broad areas which include liability, sanction, responsibility and security measures as minimum standards. In addition to the current laws on the books, there are at least another twenty states that have bills submitted to address these issues.
The states that currently have laws specifically enacted to impose obligations to provide security include Washington, Oregon, California, Nevada, Utah, Texas, Arkansas, Illinois, Minnesota, Massachusetts, Connecticut, Rhode Island, New Jersey and Maryland.
Remember that these laws are not the PCI DSS; they apply in addition to the card brand requirements and carry the weight of law, versus the contractual and administrative consequences of a PCI DSS violation. In other words, violation of these state laws can bring both criminal sanction and civil procedure and penalty.
For example, the New Jersey law is divided into three components. The public laws in question (N.J. Stat. §56:8-161, 165 and 168) address definitions relative to security of personal information, regulations concerning security of personal information, and unlawful practices and violations. In the case of Arkansas, the law is divided into four components, Ark. Code Ann. §4-110-101, 102, 103 and 104(b), which address findings and purpose, definitions and protection of personal information. As one other example, in the state of Utah the law is divided into three components, Utah Code Ann. §13-44-102, 201 and 301, which address definitions, protection of personal information and enforcement.
Exploring the California statutes in more detail gives a sense of the depth and severity of these state enactments. For example, under Civil Code §1798.83 (the section whose violation the penalty provisions quoted further below address), all of the following are considered personal information; the lettered categories below are excerpted from the statute's list:
"Personal information" as used in this section means any information that when it was disclosed identified, described, or was able to be associated with an individual and includes all of the following:
(A) An individual’s name and address.
(B) Electronic mail address.
(C) Age or date of birth.
(D) Names of children.
(E) Electronic mail or other addresses of children.
(F) Number of children.
(G) The age or gender of children.
(M) Telephone number.
(O) Political party affiliation.
(P) Medical condition.
(Q) Drugs, therapies, or medical products or equipment used.
(R) The kind of product the customer purchased, leased, or rented.
(S) Real property purchased, leased, or rented.
(T) The kind of service provided.
(U) Social security number.
(V) Bank account number.
(W) Credit card number.
(X) Debit card number.
(Y) Bank or investment account, debit card, or credit card balance.
(Z) Payment history.
(AA) Information pertaining to creditworthiness, assets, income, or liabilities.
Under California statute §1798.84, the penalties in civil actions can be severe and have been enforced. They include:
(b) Any customer injured by a violation of this title may institute a civil action to recover damages.
(c) In addition, for a willful, intentional, or reckless violation of Section 1798.83, a customer may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.83.
(g) A prevailing plaintiff in any action commenced under Section 1798.83 shall also be entitled to recover his or her reasonable attorney's fees and costs.
So what does this mean? It means that every business involved in the collection, storage or transmittal of PII, including the cardholder data covered by the PCI DSS, must be aware of the rules and regulations that govern this activity and make serious efforts to comply.
At a minimum, this means that all organizations should follow these key defensive elements of the Massachusetts regulation 201 CMR 17.00:
- Designation of a responsible data privacy individual or group
- Risk assessment
- Policies and procedures
- Employee training
- Restricted access
- Regular system monitoring
1. Designation of a responsible individual or group
Select a party (or parties) to be responsible for overseeing the planning, development and ongoing monitoring of all the activities required by law.
2. Risk assessment
This requirement stipulates identifying and assessing "reasonably foreseeable" internal and external risks to the security, confidentiality and/or integrity of electronic, paper or other records containing personal information. Organizations should map the "life cycle" of the data: determine who can access it, and where, how and why it is stored, over the full duration of collection, use, storage and disposal.
3. Policies and procedures
Security policies covering the storage, access and transportation of paper and electronic records must be developed and implemented, with disciplinary measures for violations.
4. Employee training
An ongoing program to train new and current employees regarding PII must also be developed.
5. Restricted access
Organizations must restrict and control access to sensitive data, wherever it resides, with secure user authentication and access controls; encryption of personal information that is transmitted over public networks or wirelessly, or stored on laptops and other portable devices; oversight of third-party providers; and means for detecting and preventing security system failures.
6. Regular monitoring
Routine review of the entire security program must be conducted (at least annually, and whenever there is a material change in business practices) to evaluate security operations for effectiveness in preventing unauthorized access to or use of personal information. All necessary upgrades to limit risks are expected.
Organizations are also responsible to provide oversight of all third-party service providers, according to Massachusetts’ and federal laws.
Where computer systems exist, the regulation also requires attention to the following areas, which must be integrated into the assessment, policies and procedures:
- Firewall protection and up-to-date operating system security patches
- Malware detection
- Anti-virus software maintenance
All organizations should consider these requirements to be sound best practices, whether or not your state laws apply.
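The risk-assessment step above (item 2) starts with knowing where personal information actually lives, and item 6 asks for evidence that controls work. The following Python script is an added example written for this article; it is not part of the CSR material or of any statute. It scans constructed sample records for card numbers, US Social Security numbers and e-mail addresses, validates candidate card numbers with the Luhn check so that ordinary 16-digit reference numbers are not counted as cardholder data, and reports only masked values so the inventory does not itself become a new store of PII. The record text, the pattern choices and the masking format are all assumptions made for the demo.

```python
"""Added example: a small PII discovery pass for a risk-assessment data inventory.

Not from the original article or from CSR. Sample records, patterns and the
masking format are constructed for the demo.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample records; none describe a real person or real account.
SAMPLE_RECORDS = [
    "Order 1001: cardholder 4111 1111 1111 1111 exp 12/26, email alice@example.com",
    "HR note: SSN 078-05-1120, DOB 1980-04-02",
    "Invoice 2002: ref 1234567890123456 (a reference number, not a card)",
    "Support ticket: phone 415-555-0100, no payment data held",
]

# Candidate card: 13-19 digits, single spaces or hyphens allowed between digits,
# not embedded in a longer digit run. The Luhn check decides whether it is reported.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in AAA-GG-SSSS form; rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that card PANs satisfy; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_digits(value: str) -> str:
    """Keep only the last four digits (the common last-four display form)."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, domain = value.split("@", 1)
    return local[0] + "***@" + domain


def scan_record(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked value) pairs for each PII element found in one record."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # the 1234567890123456 reference fails here and is dropped
            findings.append(("card", mask_digits(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask_digits(m.group())))
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", mask_email(m.group())))
    return findings


def inventory(records) -> dict[str, int]:
    """Count PII elements by kind across a data set: the input to a data life-cycle map."""
    counts: Counter[str] = Counter()
    for rec in records:
        counts.update(kind for kind, _ in scan_record(rec))
    return dict(counts)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(scan_record(rec))
    print(inventory(SAMPLE_RECORDS))
```

Run it against an export of each system in scope and the per-kind counts show which stores hold cardholder data (and so fall under the PCI DSS) and which hold only the broader PII the state statutes cover; the Luhn filter is what keeps invoice and reference numbers out of that count.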
For additional information please see the CSR white paper titled, “Best Practices for Managing Personally Identifiable Information” for a free step-by-step guide.
Dr. Ross Federgreen, CIPP/US, CIPP/G, CIPP/E, Fellow, European Privacy Association, is the founder of CSR, the leading provider of global data compliance solutions and expert services that address Payment Card Industry (PCI) standards and Personally Identifiable Information (PII) requirements. Ross can be reached at firstname.lastname@example.org. For more information or assistance in learning about the regulations applicable to you or your merchant customers' business, contact CSR at 866-462-7774 or online at www.csrcorporate.com.