By: Mitchell H. Levine, CISA
Audit Serve, Inc.
Organizations, regardless of the industry they serve, need a designated job function to track existing and upcoming data privacy regulations. Data privacy regulation began taking shape in the 1990s, and the data breach notification requirements that grew out of it are now part of state law in 45 states. Those notification laws did not provide detailed guidance on what constitutes a data breach requiring notification of regulators and impacted parties until California enacted its breach notification law (effective 2003), which requires “notification to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person”. Even this definition leaves a lot of unanswered questions because of the phrase “reasonably believed to have been acquired by an unauthorized person”. Does it refer only to an external threat, in which a hacker gains access to a file containing the PII of California residents, or does it also cover an internal threat, in which an employee simply holds read access to such a file? Does “reasonably believed to have been acquired” require proof that the individual actually opened the file? Unless audit trails have been established that identify when, how and by whom the data was accessed, companies have no evidence on which to classify such an event as a breach, and in practice they will not. Those companies still run the risk of being “outed” for non-compliance with breach notification laws by whistleblowers within their own organization.
Other regulations have gone beyond breach notification and actually require security assessments of the access restrictions over PII data. Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) of 1999 requires financial institutions to secure an individual’s financial information (e.g., Social Security number, credit card number, financial institution account number) using administrative, technical and physical safeguards. These safeguards are intended to protect the confidentiality and integrity of the data. Unfortunately, GLBA itself does not specify standards for the administrative, technical and physical safeguards, nor does it provide guidance on the methods that should be used to validate whether these safeguards have been established. Common approaches include performing control walkthroughs of the departments within an organization that have access to PII data and assessing whether access to that data is properly restricted, followed by compliance tests that validate the representations made during the walkthroughs.
To date there are few standards that spell out the specific controls organizations must have in place to protect the confidentiality and integrity of key data. One of them is the Payment Card Industry (PCI) Data Security Standard, which protects credit card data: it contains more than 225 individual requirements that are independently validated by a QSA (Qualified Security Assessor) in order to issue a ROC (Report on Compliance).
Another is the Massachusetts regulation 201 CMR 17.00, effective March 1, 2010, which sets out specific standards for the protection of the personal information (i.e., name in combination with a Social Security number, driver’s license number, financial account number or credit card number) of residents of the Commonwealth. This four-page standard lists 8 specific computer system security measures that must be established, such as the “encryption of all personal information stored on laptops or other portable devices”, along with the requirement that contracts with business partners and vendors that receive PII data contain a provision requiring them to be CMR 17 compliant. Many organizations do not realize that CMR 17 applies to them: if an organization has even one customer who lives in Massachusetts, it needs to be CMR 17 compliant.
This article will continue in the next issue of Audit Vision, which will include a detailed explanation of, and a compliance approach to, the newly issued 2013 HITECH/HIPAA rules.