IN THIS ISSUE
Keeping It Simple — An Overview of Data Privacy Compliance Requirements
Auditors can keep organizations from becoming the next big scandal by pointing out common compliance requirements for different data privacy laws and regulations.
Establishing an effective data security and privacy compliance program takes time, especially when the organization has to comply with several regulations, some of which may span country boundaries. Part of the task entails learning as much as possible about the different requirements the organization must comply with. Below is a summary of the main laws and regulations companies worldwide could encounter during their day-to-day operations. These include: state-level privacy breach disclosure laws in the United States, the U.S. Gramm-Leach-Bliley Act (GLBA), the U.S. Health Insurance Portability and Accountability Act (HIPAA), Australia's Privacy Law, Canada's Privacy Laws, the European Union (EU) Directive on Data Protection of 1995, the Organization for Economic Cooperation and Development (OECD) Guidelines, and the Payment Card Industry Data Security Standard (PCI DSS).
State-level Privacy Breach Disclosure Laws in the United States
To date, more than 35 U.S. states have adopted security breach disclosure laws. While the details of each law vary slightly from place to place, most of them follow a fairly consistent pattern. First, they offer a definition of the personal information that they apply to. For instance, most state privacy laws offer similar or even identical definitions of personal information. Here is an example from California's Senate Bill 1386 (SB-1386), which was the first state security breach disclosure law to be enacted:
'For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Besides personal information, state laws identify what constitutes a reportable security breach and when an acceptable notification of the breach should take place. A reportable security breach is usually defined as the unauthorized acquisition of digital data that compromises the security, confidentiality, or integrity of the stolen personal information, while an acceptable notification of the breach should take place only when personal information was or is believed to have been acquired by an unauthorized person. For instance, most state laws require an organization that owns or licenses data to directly notify the persons whose data was disclosed. Organizations that do not own or license the disclosed information must also notify the owner or licensor of the data. In cases like these, disclosure of the breach must be made promptly, unless law enforcement requests that the notification be delayed.
Finally, many state privacy laws allow for affected consumers to sue for damages, and some even allow for treble damages. Treble damage provisions typically apply to anyone who has been harmed (e.g., an identity theft victim) as a result of a security breach. Some states offer very limited restrictions on this ability but, in general, if a treble damage provision exists, it applies to any resident of that state who has been harmed by a security breach as defined by the state's privacy law.
U.S. Gramm-Leach-Bliley Act
This act made many changes to the way financial services firms are organized and regulated. The act also contains language that protects the privacy of an individual's personal information by requiring financial institutions to define their privacy practices, create a privacy notice that explains those practices, and distribute the privacy notice on a yearly basis to customers (i.e., someone who has a long-term or ongoing relationship with a financial institution).
In addition, GLBA requires financial institutions to provide copies of their privacy notice to consumers (i.e., someone who uses the organization's services but does not have an ongoing relationship with the financial institution) if the institution shares data with unaffiliated companies. Note that this provision does not apply if the data sharing is done to provide essential services (e.g., account servicing), is legally required, or is used to market the organization's own products and services.
GLBA also gives individuals the right to opt out of certain data sharing arrangements that the financial organization may have established. For example, an individual may be allowed to limit or block the transfer of his or her information to non-affiliated companies for telemarketing, direct mail marketing, or e-mail marketing activities related to the non-affiliated company's products or services. However, a financial institution can still send data to an unaffiliated company that is performing a service on behalf of the financial institution, and the individual can't opt out.
When complying with GLBA, it is important to understand that financial institution is defined broadly; even if an organization is not a bank, it may have to comply with GLBA. This is important to note because certain GLBA provisions require financial institutions to implement safeguards that:
GLBA, however, does not go into much detail about the specific technical, managerial, or operational safeguards that must be implemented. This task is left to the eight federal and state agencies that are empowered to enforce the provisions of GLBA: the U.S. Federal Trade Commission, the Office of the Comptroller of the Currency, the U.S. Federal Reserve Board, the Board of Directors of the Federal Deposit Insurance Corporation, the Director of the Office of Thrift Supervision, the Administrator of the National Credit Union Administration, the U.S. Securities and Exchange Commission, and state insurance regulators.
U.S. Health Insurance Portability and Accountability Act
HIPAA affects many aspects of health care, including the privacy and security of private health information. The act's requirements apply to a covered entity, which is defined as an organization that is any of the following: a health plan, a health-care clearinghouse, or a health-care provider who transmits health information in electronic form in connection with a defined list of transactions. According to the act, covered entities must do the following:
HIPAA defines 42 security measures, referred to as implementation specifications, which may be required or optional for implementation. Required specifications include: the creation of a security management process, a risk analysis, enforcement of security policies, data backups, and implementation of a disaster recovery plan that specifies how to recover and restore lost data, among others. (For more information about HIPAA, read "Enhancing HIPAA Security Rule Compliance Efforts" published in ITAudit’s Aug. 10, 2006 issue.)
Australia's Privacy Law
The Australian Federal Privacy Act defines 11 Information Privacy Principles that apply to government agencies (read "Information Privacy Principles" sidebar for more information) and 10 National Privacy Principles (i.e., collection, use and disclosure, data quality, data security, openness, access and correction, identifiers, anonymity, transborder data flows, and sensitive information) that apply to private organizations and health services providers.
According to the act, collected information must be used for a lawful purpose only. Individuals must be informed of the purpose for which the information is being collected, whether the collection is mandated or authorized by law, as well as of any other persons or organizations their information is usually shared with. Furthermore, record keepers must ensure that information is current and complete, establish safeguards to prevent the unauthorized disclosure of collected information, and attempt to ensure that other persons or organizations that receive the information do the same, among other activities.
Canada's Privacy Laws
Canada has a privacy law for the government sector and another for the private sector. The Privacy Act applies to the government sector, while the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the private sector. Because Canada is also a member of the OECD, both of these laws adhere to OECD guidelines.
In essence, the Privacy Act states that no personal information can be collected by a government organization unless it relates directly to an operating program or activity of the same institution. The organization, therefore, should only collect personal information that is intended to be used for an administrative purpose concerning the individual to whom it relates, except where the individual authorizes otherwise. In addition, government organizations need to take all reasonable steps to ensure that personal information that is used for an administrative purpose is as accurate, up-to-date, and complete as possible. Furthermore, the organization needs to dispose of the personal information in accordance with the regulations and any directives or guidelines issued by the designated minister in relation to the disposal of that information.
On the other hand, the PIPEDA references the Model Code for the Protection of Personal Information, a set of guidelines that also follow the OECD guidelines. According to this act, any organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate under the circumstances. In addition, an organization may, without the knowledge or consent of the individual, use personal information only if:
EU Directive on Data Protection of 1995
In the EU, the most important legislation concerning the protection of private information is the Directive on Data Protection of 1995, which regulates the processing and storage of personal data. While the directive's definitions for the processing and storage of personal data are broad enough to effectively cover nearly every conceivable use of personal information, there are limited exceptions for areas such as national defense or law enforcement. For instance, the directive defines the processing of personal data as any operation that is performed on the data, whether this processing is automated or not.
According to the directive, data may not be processed unless:
The directive also applies to data processors, which are companies or data centers that operate in EU member countries. Interpretation of the rules is left to individual EU member states, which are empowered and directed to implement laws regulating data processing that are compatible with overall EU directives. For additional information about the Directive on Data Protection, visit the EU's law Web site.
OECD Guidelines
After recognizing the need to protect privacy rights while allowing the free flow of information between its member states, the OECD adopted its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980. These guidelines provide a common set of standards that allow the exchange of personal information in the public or private sectors between OECD member countries.
The OECD guidelines, like other privacy standards, define a number of critical terms. These are:
The guidelines then establish a set of eight principles that member states must follow:
The PCI DSS
This standard addresses information security requirements for organizations that process credit card data. More specifically, the standard requires all merchants and service providers around the world who store, process, or transmit customer credit card data to adopt aggressive security controls that ensure the integrity of customer information. To obtain the compliance certificate, organizations must satisfy a series of 12 requirements, which are certified annually and checked quarterly. These requirements are organized in six categories:
While the compliance requirements for all processors are the same, the audit and verification requirements vary depending on factors such as the number of transactions or accounts processed annually. For example, merchants that process more than 6 million transactions per year, have suffered a security breach that resulted in account data exposure, or are specifically designated by a card issuer (e.g., VISA or MasterCard) must undergo an annual PCI DSS compliance audit and quarterly network vulnerability scans. In addition, credit card service providers, payment gateways, or credit card processors that handle more than 1 million transactions or accounts annually must also undergo an annual PCI DSS compliance audit and quarterly network vulnerability scans.
Although the PCI DSS is not a law, its effect is much the same. Violations of PCI DSS security requirements can lead major credit card companies to stop doing business with a processor or merchant. This is what happened to CardSystems Solutions after a security breach exposed data on 40 million accounts. (For more information about the standard, read "Is Your Organization Ready for a PCI Standard Audit?" published in the June 10, 2006 issue of ITAudit.)
GETTING TO KNOW THE LAW
In today's political and economic environment, individuals, states, and nations are increasingly intolerant of improper use or disclosure of private information, whatever the cause. As a result, many privacy protections continue to be enacted as law all over the world, reflecting a global desire for personal privacy and a reaction to abuses of privacy, such as identity theft. However, while these regulations aim to protect personal information, their growing number is making compliance efforts quite expensive and complex.
Although the language used varies significantly from country to country, the same basic themes and issues show up time after time in current law, industry standards, and proposed legislation. For instance, organizations are expected to respect individuals' privacy by collecting, using, and disclosing personal data only for legitimate purposes. Organizations are also expected to be open about their practices and to allow individuals to review the data that is collected about them. Last, but not least, organizations are expected to implement effective security safeguards to prevent the improper disclosure of personal information.
As part of their work, internal auditors should familiarize themselves with applicable privacy laws and regulations and recommend that organizations examine regulations that are specific to their industry. Armed with this knowledge, auditors can provide recommendations that can help organizations design and implement compliance programs that meet different regulatory requirements and point out common requirement areas to maximize and simplify compliance efforts.
The Institute of Internal Auditors - 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 U.S.A.
+1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org