IT Audit - The Institute Of Internal Auditors  

PUBLISHED BY THE INSTITUTE OF INTERNAL AUDITORS
Vol. 10, December 10, 2007

Keeping It Simple — An Overview of Data Privacy Compliance Requirements  

Auditors can keep organizations from becoming the next big scandal by pointing out common compliance requirements for different data privacy laws and regulations.

David Campbell
Director of Information Security and Business Continuity Planning, AccessData

If an organization creates, processes, or stores personal information, most if not all data breaches will result in some type of mandatory public disclosure, which can be devastating to the business. In particular, a data privacy breach may lead to loss of customer support, regulatory investigations, and substantial fines. What's more, in many jurisdictions class action lawsuits are becoming the norm for data breaches involving significant numbers of affected individuals.

Given the number and complexity of privacy laws and regulations worldwide, and the severe penalties for violating them, every organization should strive to prevent the improper disclosure or use of personal customer or employee information. However, understanding the compliance requirements of each applicable law can be daunting. To make this task a little easier, internal auditors can help organizations reduce this learning curve by pointing out common compliance areas that overlap different data privacy laws and regulations. This, in turn, will help the organization choose and implement a compliance program that effectively mitigates internal and external security threats and stays up-to-date with the latest regulatory changes.

THE LAWS

List of Countries With Privacy Protection Laws

The privacy protection movement has spread worldwide. Here is a partial list of the countries that have established privacy protection as a national government function:

European Union: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Spain, Poland, Portugal, Romania, Slovenia, Sweden, The Netherlands, United Kingdom

Other Countries: Australia, Canada, Croatia, Dubai, Guernsey, Hong Kong, Iceland, Isle of Man, Israel, Japan, Jersey, Korea, Liechtenstein, Macedonia, New Zealand, Norway, Switzerland, Taiwan, Thailand, Tunisia, United States

Establishing an effective data security and privacy compliance program takes time, especially when the organization has to comply with several regulations, some of which may span country boundaries. Part of the task entails learning as much as possible about the different requirements the organization must comply with. Below is a summary of the main laws and regulations companies worldwide could encounter during their day-to-day operations. These include: state-level privacy breach disclosure laws in the United States, the U.S. Gramm-Leach-Bliley Act (GLBA), the U.S. Health Insurance Portability and Accountability Act (HIPAA), Australia's Privacy Law, Canada's Privacy Laws, the European Union (EU) Directive on Data Protection of 1995, the Organization for Economic Cooperation and Development (OECD) Guidelines, and the Payment Card Industry Data Security Standard (PCI DSS).

State-level Privacy Breach Disclosure Laws in the United States

To date, more than 35 U.S. states have adopted security breach disclosure laws. While the details of each law vary slightly from place to place, most of them follow a fairly consistent pattern. First, they offer a definition of the personal information that they apply to. For instance, most state privacy laws offer similar or even identical definitions of personal information. Here is an example from California's Senate Bill 1386 (SB-1386), which was the first state security breach disclosure law to be enacted: 

'For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  1. Social security number.
  2. Driver's license number or California Identification Card number.
  3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.'

Besides personal information, state laws identify what constitutes a reportable security breach and when an acceptable notification of the breach should take place. A reportable security breach is usually defined as the unauthorized acquisition of digital data that compromises the security, confidentiality, or integrity of the stolen personal information, while an acceptable notification of the breach should take place only when personal information was or is believed to have been acquired by an unauthorized person. For instance, most state laws require an organization that owns or licenses data to directly notify the persons whose data was disclosed. Organizations that do not own or license the disclosed information must also notify the owner or licensor of the data. In cases like these, disclosure of the breach must be made promptly, unless law enforcement requests that the notification be delayed.

Finally, many state privacy laws allow for affected consumers to sue for damages, and some even allow for treble damages. Treble damage provisions typically apply to anyone who has been harmed (e.g., an identity theft victim) as a result of a security breach. Some states offer very limited restrictions on this ability but, in general, if a treble damage provision exists, it applies to any resident of that state who has been harmed by a security breach as defined by the state's privacy law.

GLBA

This act made many changes to the way financial services firms are organized and regulated. The act also contains language that protects the privacy of an individual's personal information by requiring financial institutions to define their privacy practices, create a privacy notice that explains those practices, and distribute the privacy notice on a yearly basis to customers (i.e., someone who has a long-term or ongoing relationship with a financial institution).

In addition, GLBA requires financial institutions to provide copies of their privacy notice to consumers (i.e., someone who uses the organization's services, but does not have an ongoing relationship with the financial institution) if the institution shares data with unaffiliated companies. Note that this provision does not apply if the data sharing is done to provide essential services (e.g., account servicing), is legally required, or is used to market an organization's products and services.

GLBA also gives individuals the right to opt out of certain data sharing arrangements that the financial organization may have established. For example, an individual may be allowed to limit or block the transfer of his or her information to non-affiliated companies for telemarketing, direct mail marketing, or e-mail marketing activities related to the non-affiliated company's products or services. However, a financial institution can still send data to an unaffiliated company that is performing a service on behalf of the financial institution, and the individual can't opt out. 

When complying with GLBA, it is important to understand that financial institution is defined broadly; even if an organization is not a bank, it may have to comply with GLBA. This is important to note because certain GLBA provisions require financial institutions to implement safeguards that:

  1. Ensure the security and confidentiality of customer records and information.
  2. Protect against any anticipated threats or hazards to the confidentiality or integrity of customer information.
  3. Protect against unauthorized access to or use of customer records or information, which could result in substantial harm or inconvenience to any customer.

GLBA, however, does not go into much detail about the specific technical, managerial, or operational safeguards that must be implemented. This task is left to the eight federal and state agencies that are empowered to enforce the provisions of GLBA: the U.S. Federal Trade Commission, the Office of the Comptroller of the Currency, the U.S. Federal Reserve Board, the Board of Directors of the Federal Deposit Insurance Corporation, the Director of the Office of Thrift Supervision, the Administrator of the National Credit Union Administration, the U.S. Securities Exchange Commission, and state insurance regulators.

HIPAA

HIPAA affects many aspects of health care, including the privacy and security of private health information. The act's requirements apply to a covered entity, which is defined as an organization that is any of the following: a health plan, a health-care clearinghouse, or a health-care provider who transmits health information in electronic form in connection with a defined list of transactions. According to the act, covered entities must do the following:

  1. Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity creates, receives, maintains, or transmits.
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  3. Protect against any reasonably anticipated uses or disclosures of such information.
  4. Ensure compliance with these requirements by its workforce.

HIPAA defines 42 security measures, referred to as implementation specifications, which may be required or optional for implementation. Required specifications include: the creation of a security management process, a risk analysis, enforcement of security policies, data backups, and implementation of a disaster recovery plan that specifies how to recover and restore lost data, among others. (For more information about HIPAA, read "Enhancing HIPAA Security Rule Compliance Efforts" published in ITAudit’s Aug. 10, 2006 issue.)

Australia's Privacy Law

The Australian Federal Privacy Act defines 11 Information Privacy Principles that apply to government agencies (read "Information Privacy Principles" sidebar for more information) and 10 National Privacy Principles (i.e., collection, use and disclosure, data quality, data security, openness, access and correction, identifiers, anonymity, transborder data flows, and sensitive information) that apply to private organizations and health services providers.

Information Privacy Principles

The 11 Information Privacy Principles included in the Australian Federal Privacy Act discuss the following:

  1. Manner and purpose of personal information collection.
  2. Solicitation of personal information from concerned individuals.
  3. Solicitation of personal information generally.
  4. Storage and security of personal information.
  5. Information relating to records kept by record keepers.
  6. Access to records containing personal information.
  7. Alteration of records containing personal information.
  8. Accuracy checks of personal information before its use. 
  9. Use of personal information (i.e., for relevant purposes only).
  10. Limits on personal information use.
  11. Limits on disclosure of personal information.

Australia's privacy principles were modeled after the Organization for Economic Cooperation and Development Guidelines.

According to the act, collected information must be used for a lawful purpose only. Individuals must be informed of the purpose for which the information is being collected, whether the collection is mandated or authorized by law, as well as of any other persons or organizations their information is usually shared with. Furthermore, record keepers must ensure that information is current and complete, establish safeguards to prevent the unauthorized disclosure of collected information, and attempt to ensure that other persons or organizations that receive the information do the same, among other activities.

Canada's Privacy Laws

Canada has a privacy law for the government sector and another for the private sector. The Privacy Act applies to the government sector, while the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the private sector. Because Canada is also a member of the OECD, both of these laws adhere to OECD guidelines.

In essence, the Privacy Act states that no personal information can be collected by a government organization unless it relates directly to an operating program or activity of the same institution. The organization, therefore, should only collect personal information that is intended to be used for an administrative purpose concerning the individual to whom it relates, except where the individual authorizes otherwise. In addition, government organizations need to take all reasonable steps to ensure that personal information that is used for an administrative purpose is as accurate, up-to-date, and complete as possible. Furthermore, the organization needs to dispose of the personal information in accordance with the regulations and any directives or guidelines issued by the designated minister in relation to the disposal of that information.

On the other hand, the PIPEDA references the Model Code for the Protection of Personal Information, a set of guidelines that also follow the OECD guidelines. According to this act, any organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate under the circumstances. In addition, an organization may, without the knowledge or consent of the individual, use personal information only if:

  • The organization becomes aware of information that could be useful in the investigation of a contravention of the laws of Canada.
  • The information is used during an emergency that threatens the life, health, or security of an individual.
  • The data is used for statistical, research, or scholarly study purposes that cannot be achieved without using the information.
  • The information is publicly available.

EU Directive on Data Protection of 1995

In the EU, the most important legislation concerning the protection of private information is the Directive on Data Protection of 1995, which regulates the processing and storage of personal data. While the directive's definitions for the processing and storage of personal data are broad enough to effectively cover nearly every conceivable use of personal information, there are limited exceptions for areas such as national defense or law enforcement. For instance, the directive defines the processing of personal data as any operation that is performed on the data, whether this processing is automated or not.

According to the directive, data may not be processed unless:

  • The data subject has unambiguously given his or her consent.
  • Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
  • Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Processing is necessary to protect the vital interests of the data subject.
  • Processing is necessary for the performance of a task carried out in the public's interest, in the exercise of official authority vested in the controller, or in a third party to whom the data is disclosed.
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party to whom the data are disclosed, except where such interests are overridden by the data subject's fundamental rights and freedoms.

The directive also applies to data processors, which are companies or data centers that operate in EU member countries. Interpretation of the rules is left to individual EU member states, which are empowered and directed to implement laws regulating data processing that are compatible with overall EU directives. For additional information about the Directive on Data Protection, visit the EU's law Web site.

OECD Guidelines

List of OECD Member Nations

OECD member nations include: Australia, Austria, Belgium, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Korea, Luxembourg, Mexico, The Netherlands, New Zealand, Norway, Poland, Portugal, Slovak Republic, Spain, Sweden, Switzerland, Turkey, United Kingdom, United States

Note: Some of these countries are also members of the European Union (EU). In this case, these countries need to meet OECD and EU member requirements. In addition, if one is more stringent than the other in a particular area, the country would have to comply with the more stringent of the two.

After recognizing the need to protect privacy rights, while allowing the free flow of information between its member states, the OECD adopted its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980. These guidelines provide a common set of standards that allow the exchange of personal information in the public or private sectors between OECD member countries.

The OECD guidelines, like other privacy standards, define a number of critical terms. These are:

  • Data controller — a party who according to domestic law is competent to make decisions on the contents and use of personal data regardless of whether or not such data are collected, stored, processed, or disseminated by that party or by an agent on its behalf.
  • Personal data — any information relating to an identified or identifiable individual (i.e., data subject).
  • Transborder flows of personal data — movements of personal data across national borders.

The guidelines then establish a set of eight principles that member states must follow:

  1. Collection Limitation Principle (i.e., member states need to limit their collection of personal data, which should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject).
  2. Data Quality Principle (i.e., personal data should be relevant to the purposes for which it is to be used and needs to be accurate, complete, and up-to-date).
  3. Purpose Specification Principle (i.e., the purposes for which personal data is collected should be specified at the time of data collection. Any subsequent uses should be limited to the fulfillment of those purposes and need to be specified whenever a change of purpose occurs).
  4. Use Limitation Principle (i.e., personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle, except with the consent of the data subject or by the authority of law).
  5. Security Safeguards Principle (i.e., personal data should be protected by reasonable security safeguards against risks such as loss or unauthorized access to data, as well as destruction, use, modification, or disclosure of personal information).
  6. Openness Principle (i.e., member states need to have a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available to determine the existence and nature of personal data and the main purposes for the information's use, as well as the identity and usual residence of the data controller).
  7. Individual Participation Principle (i.e., an individual has the right to obtain confirmation on whether a data controller has information relating to him or her. In addition, individuals have the right to obtain this information within a reasonable time and manner, at a reasonable charge, and in a form that is readily intelligible, as well as have personal information erased, rectified, completed, or amended).
  8. Accountability Principle (i.e., a data controller should be accountable for complying with measures that affect the principles stated above).

The PCI DSS

This standard addresses information security requirements for organizations that process credit card data. More specifically, the standard requires all merchants and service providers around the world who store, process, or transmit customer credit card data to adopt aggressive security controls that ensure the integrity of customer information. To obtain the compliance certificate, the standard requires organizations to complete a series of 12 steps to be certified annually and checked quarterly. These steps are organized in six categories:

  • Building and maintaining a secure network (i.e., step 1: installing and maintaining a firewall to protect data, and step 2: not using vendor defaults for system passwords and other security parameters).
  • Protecting cardholder data (i.e., step 3: protecting stored data by developing a data retention and disposal policy, among other activities, and step 4: encrypting transmission of cardholder data and sensitive information across public networks).
  • Maintaining a vulnerability management program (i.e., step 5: using and regularly updating antivirus software, and step 6: developing and maintaining secure systems and applications).
  • Implementing strong access control measures (i.e., step 7: restricting access to data on a need-to-know basis, step 8: assigning a unique identification number to each person with computer access, and step 9: restricting physical access to cardholder data).
  • Regularly monitoring and testing networks (i.e., step 10: tracking and monitoring access to network resources and cardholder data, and step 11: testing security systems and processes regularly).
  • Maintaining an information security policy (i.e., step 12: maintaining a policy that addresses information security).

While the compliance requirements for all processors are the same, the audit and verification requirements vary depending on factors such as the number of transactions or accounts processed annually. For example, merchants that process more than 6 million transactions per year, have suffered a security breach that resulted in account data exposure, or are specifically designated by a card issuer (e.g., VISA or MasterCard) must undergo an annual PCI DSS compliance audit and undergo quarterly network vulnerability scans. In addition, credit card service providers, payment gateways, or credit card processors that handle more than 1 million transactions or accounts annually must also undergo an annual PCI DSS compliance audit and undergo quarterly network vulnerability scans.

Although the PCI DSS is not a law, its effect is much the same. Violations of PCI DSS security requirements can lead major credit card companies to stop doing business with a processor or merchant. This is what happened to CardSystems Solutions after a security breach exposed data on 40 million accounts. (For more information about the standard, read "Is Your Organization Ready for a PCI Standard Audit?" published in the June 10, 2006 issue of ITAudit.)

GETTING TO KNOW THE LAW

In today’s political and economic environment, individuals, states, and nations are increasingly intolerant of improper use or disclosure of private information, whatever the cause. As a result, many privacy protections continue to be enacted as law all over the world, reflecting a global desire for personal privacy and a reaction to abuses of privacy, such as identity theft. However, while these regulations aim to protect personal information, their increase in numbers is making compliance efforts quite expensive and complex.

Although the language used varies significantly from country to country, the same basic themes and issues show up time after time in current law, industry standards, and proposed legislation. For instance, organizations are expected to respect individuals' privacy by collecting, using, and disclosing personal data only for legitimate purposes. Organizations are also expected to be open about their practices and to allow individuals to review the data that is collected about them. Last, but not least, organizations are expected to implement effective security safeguards to prevent the improper disclosure of personal information.

As part of their work, internal auditors should familiarize themselves with applicable privacy laws and regulations and recommend that organizations examine regulations that are specific to their industry. Armed with this knowledge, auditors can provide recommendations that can help organizations design and implement compliance programs that meet different regulatory requirements and point out common requirement areas to maximize and simplify compliance efforts.

David Campbell is the director of information security and business continuity planning for AccessData. Campbell has more than 20 years' experience in various aspects of software engineering, application and systems security, and database architecture. Prior to joining AccessData, he served as director of security applications architecture at Red Siren Technologies, where he was responsible for the architecture and design of systems supporting the organization's managed security service provider products.