By David Mertz
In February of 1999, the Aspen Group, a policy think tank, invited several industry, academic and government leaders to gather in Aspen, Colorado to discuss privacy, the privatization of the domain name system, the impact of the Internet on intellectual property rules, jurisdiction in cyberspace, the legal nature of e-commerce transactions, and the applicability of self-regulation and self-ordering for the resolution of Internet-related issues.
Dan Langin, an attorney currently in private practice specializing in security, technology and intellectual property law, was among those invited. In 1999, Langin was Division Counsel for Technology for USF&G.
Also attending the conference was Ira Magaziner, the chief Internet policy advisor to President Clinton. Magaziner left an important impression on Langin. "The gist of what he said was this: if industry does not take appropriate steps when collecting, storing, using and disclosing private user data according to certain principles, which correspond closely with the FTC's fair information practices, then government will act for you. It was almost like a gauntlet was laid down for us."
The group believed that Congress would not pass national privacy regulation similar to what has been passed by the European Union and Canada, Langin said. Rather, the prevailing view was that privacy was best handled industry to industry and between the organization and the customer/consumer, using contracts and data protection disclosures to define each organization's responsibilities for the handling and ownership of data.
Ira Magaziner's prediction that government would take the lead in protecting consumer rights has begun to take hold, although not in the same way as Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) or the 1995 EU Data Protection Directive. Instead of a single piece of legislation detailing privacy rights, there is now a patchwork of legislative initiatives, some dating back to before the Internet Policy Group's activities in 1999, which address privacy issues.
Domestically, 30 states have passed legislation requiring the protection of confidential data. Federal legislation addresses specific niches, e.g., HIPAA, Gramm-Leach-Bliley, Sarbanes-Oxley, FCRA, FACTA, etc. Industry-based standards such as the Payment Card Industry's Data Security Standard (PCI) have come into play. Large corporations, such as Fidelity and Ford, are imposing their own security requirements on vendors, and the Federal Information Security Management Act (FISMA) now defines the requirements for protection of confidential information stored on government computers and networks.
At the state level, the leader is California. In 2003, California passed SB 1386, otherwise known as the California Security Breach Information Act, which requires any company with a California resident as a customer to notify that customer in the event of a security breach. The national impact of SB 1386 began to be felt in 2005, beginning with the ChoicePoint data security breach, and this legislation is most responsible for 2005 being declared the year of the Security Breach.
At the federal level, the Federal Trade Commission (FTC) is the lead agency investigating security breaches. Using Section 5 of the FTC Act, the FTC has found that the failure to take reasonable and appropriate steps to protect consumer data is an unfair business practice. The FTC has reached out-of-court settlements with a number of companies since 2000, including the assessment of the largest fine in FTC history, $10 million, against ChoicePoint.
In addition to ChoicePoint, the FTC has investigated and reached settlements with companies such as CardSystems (now Pay By Touch Payment Solutions, LLC), DSW, BJ's Wholesale Club and Nations Title. Under all of these settlements, the companies are required to institute and adhere to an information security program which must be audited every two years by a qualified third-party assessor for a period of twenty years, thus effectively making the FTC a key stakeholder in their businesses for the next two decades. It is also important to note that the focus of the FTC's investigations was not the person or persons who caused the security breach. Rather, the focus was on the company which collected and stored the data.
Sarbanes-Oxley (SOX) regulations have changed the way companies view data protection. There are three fundamental categories of controls under SOX: operations, compliance with laws and regulations, and reliability of financial reporting. A failure to meet compliance standards could be considered a significant deficiency or material weakness that must be reported to the audit committee and appropriately accounted for in securities filings with federal regulators.
"Management is responsible for their financial reporting," says Langin. "Failure to meet regulatory requirements very well may be and probably should be considered a material weakness and may have to be disclosed. Look at the impact of security breaches such as BJ's Wholesale Club, ChoicePoint, DSW and others. The costs incurred by those companies each exceeded $10 million."
Industry response to protecting consumer data has fallen into one of four areas:
- Companies have imposed information technology (IT) security restrictions on their vendors. For example, Ford, Fidelity, and American Express require vendors to meet defined security standards when confidential data is involved.
- Various organizations, such as ISO, NIST, ISACA, etc., have established standards for information security. When the term "best practice" is used, it generally implies standards as defined by these organizations.
- PCI: in 2004, Visa, MasterCard, American Express, Discover, etc. together defined a security standard for all merchants and service providers who "store, process, or transmit ...cardholder data." If you want to be involved in the storing, processing or transmitting of cardholder data, you have to adhere to PCI.
- Opinions rendered by Wall Street securities analysts, which are applicable to publicly traded corporations. Dorian Cougias is author of The Compliance Book and CEO of Network Frontiers, LLC, a California-based regulatory compliance consulting firm. Cougias feels the ultimate compliance standard for publicly traded companies is the opinions rendered by analysts following the stock. Analysts are beginning to view the failure to take these required steps to protect confidential data as evidence of a company's lack of internal controls. As a result, instead of getting an N or N+1 rating on internal controls, the ratings are now N-1.
Impact of Regulation and Standards
Privacy requirements affect almost any business with an international focus. Canada, Europe, Asia and Latin America have regulatory requirements to protect consumer data. Further complicating matters, US laws such as the Patriot Act may make meeting these international requirements difficult, because US courts can authorize access by government officials to employee and/or customer data.
With all of these regulatory and industry guidelines in place, the Cyber Security Industry Alliance's May 2006 Digital Confidence Survey found that 50 percent of respondents reported avoiding online transactions due to security concerns. "Unless each and every one of us, enterprises and consumers, can prove to the other that we are trusted partners, the risks associated with online transactions will become unacceptable," said Symantec CEO John Thompson. "If we fail to create a trusted digital environment, we won't just slow the growth of e-business, but of all business."
So, what are consumer expectations? Are there unwritten rules consumers believe exist between themselves and their vendors regarding the protection of consumer data? Cass Brewer, Editorial and Research Director for the IT Compliance Institute (ITCI), sees it as very one-sided: "I believe the consumer thinks it (a social compact) exists, but not the merchant. For a compact to exist, both parties need to believe it exists. I think of it more as an expectation."
Cougias agrees with Brewer's assessment: "Business is just not there yet. If you look at the actions of the FDIC with regard to banking regulations, they believe it exists. If you look at recent actions taken by the FTC, they believe it exists."
The 1999 Aspen Institute's Internet Policy Group reached a similar conclusion. "Ira Magaziner and the other representatives from federal agencies and academia very much believed the social compact existed," said Langin. "However, the business representatives did not. They felt the ownership of the data was theirs and privacy issues for the most part didn't apply."
So where do we find ourselves? "Legislation is not created in a vacuum," Cougias said. "Rather, it fills the void left by the failure to act by others. We are seeing increasing regulation of confidential data because organizations failed to realize the importance of protecting this data. So politicians do what politicians do: fill gaps."
Consumer Data
Consumer data, also referred to as Personal Identity Information (PII), is usually defined as a person's name and/or address in conjunction with at least one other piece of information, such as a credit card number, social security number, birth date, financial account number, healthcare information, and in some cases an email address. This definition also applies to an organization's employee files; the data in those files easily meets the requirements of PII.
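The definition above is the rule a data-classification or breach-scoping job has to apply record by record: an identifier (name and/or address) plus at least one sensitive element. The following is an added example written for this article, not code from the author or from any of the organizations named; the field names, the identifier formats (SSN, date, account-number patterns), the Luhn check used to filter out digit runs that are not card numbers, and the `email_counts` switch for the "in some cases" email clause are all assumptions, and the sample records are constructed, fictitious values.

```python
import re
from typing import Dict, List

# Field-format checks. These patterns are assumptions made for this example,
# not part of the article or any regulation; tune them to your own data model.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
DOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
ACCOUNT_RE = re.compile(r"^\d{8,17}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def luhn_ok(number: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects arbitrary digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def present(record: Dict[str, str], key: str) -> str:
    """Value of a field with whitespace stripped, or '' when absent."""
    return (record.get(key) or "").strip()


def classify_record(record: Dict[str, str], email_counts: bool = False) -> Dict[str, object]:
    """Apply the article's PII definition to one customer or employee record.

    identifiers : name and/or address
    sensitive   : at least one of SSN, card number, birth date, account number,
                  health information and, when email_counts is True, email address
    The record is PII only when both parts are present.
    """
    identifiers: List[str] = [k for k in ("name", "address") if present(record, k)]

    sensitive: List[str] = []
    if SSN_RE.match(present(record, "ssn")):
        sensitive.append("ssn")
    if luhn_ok(present(record, "card_number")):
        sensitive.append("card_number")
    if DOB_RE.match(present(record, "birth_date")):
        sensitive.append("birth_date")
    if ACCOUNT_RE.match(present(record, "account_number")):
        sensitive.append("account_number")
    if present(record, "health_info"):
        sensitive.append("health_info")
    if email_counts and EMAIL_RE.match(present(record, "email")):
        sensitive.append("email")

    return {
        "pii": bool(identifiers) and bool(sensitive),
        "identifiers": identifiers,
        "sensitive": sensitive,
    }


def pii_records(records: List[Dict[str, str]], email_counts: bool = False) -> List[int]:
    """Indexes of the records that fall under the PII definition (breach-notification scope)."""
    return [i for i, r in enumerate(records) if classify_record(r, email_counts)["pii"]]


# Constructed sample records (fictitious values) for the demonstration.
SAMPLE_RECORDS = [
    {"name": "Pat Example", "ssn": "123-45-6789"},                # name + SSN -> PII
    {"name": "Pat Example", "email": "pat@example.com"},          # PII only if email counts
    {"address": "1 Main St", "card_number": "4111111111111111"},  # Luhn-valid card -> PII
    {"address": "1 Main St", "card_number": "4111111111111112"},  # fails Luhn -> not counted
    {"ssn": "123-45-6789"},                                       # sensitive field, no identifier
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, classify_record(rec))
    print("in scope:", pii_records(SAMPLE_RECORDS))
```

The fourth record shows why a format check alone is a weak classifier: a sixteen-digit value that fails the Luhn check is treated as an ordinary number rather than a card number, which keeps a breach-notification list from being padded with false positives, while the fifth record shows that a sensitive value without a name or address does not, under this definition, make a record PII.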
Meeting the Compliance Standards
The first step of meeting a data security standard starts in the board room, not in the IT department. Executive management commitment comes in three phases:
- Allocating adequate resources (funding, people and technology resources) to the project
- Defining the business rules through a set of policy documents
- Verification of organizational performance in line with corporate policy
All three phases must be in place for a compliance project to be effective.
The second most important step is defining a compliance framework. Most organizations do not have a single compliance standard to meet. Rather, there are multiple, sometimes conflicting standards.
For example, a company that is publicly traded on a US exchange must comply with Sarbanes-Oxley. Suppose that it also accepts credit card payments and extends consumer credit in the US, Canada and Europe. For SOX, the recommendation is to use COBIT 4.0 to define policies, a mixture of ITIL and ISO 17799 for process and procedure documentation, and CMMI to manage verification of adherence to internal controls. Yet there are still 30 state requirements to meet, not to mention Canadian privacy and banking requirements, EU and individual European country privacy and banking requirements, and the PCI Data Security Standard for protecting cardholder data.
Brewer notes there are advantages to using a single compliance framework to meet all compliance requirements: "By creating a single framework for IT compliance, one which encompasses all applicable compliance requirements, the focus moves from the standards themselves to the business' implementation of the framework. And, even further, how to leverage this implementation to bring operational improvement to the organization."
A number of organizations have attempted to build universal compliance frameworks. The IT Compliance Institute's (ITCI) Unified Compliance Project is one of the best. Based on pioneering work done by Network Frontiers, it enables organizations to select the applicable regulatory (both national and international) and industry standards. The UCP then builds a unified compliance framework based on these inputs in real time at the ITCI website.
Once you have a compliance framework, the next step is implementation. Each implementation of a unified compliance framework is different. In a recent article Michael Rasmussen, VP of Risk and Compliance Research for Forrester Research, compared the ISO 17799 standard to the framework of a house, noting it doesn't provide the drywall, electricity, plumbing, and so on. The same holds true for a compliance framework. It provides the flexibility you need to tailor the implementation of the regulatory and industry standards to the needs of your organization while still meeting the requirements of the regulation.
"Implementing a compliance framework is an opportunity to bring positive change to your organization," Brewer said. "Accountability, transparency, and efficiency should be the result of the project. And, the verification practices you implement are a mechanism for continual organizational improvement."
The next step is leveraging the compliance framework to define organizational policies tailored to organizational objectives while still meeting compliance standards. This set of business rules defines the organization's commitment to meeting the various compliance standards.
Once that is done, modify existing operational practices to meet the newly defined policies. This set of processes and procedures defines how the policies are implemented within the organization. In addition, standards for performance are established. For example, application development standards are defined which more fully flesh out an application development policy and leverage the adjusted operational practices.
Next, define controls. The controls should be placed strategically within the processes and procedures. The goal of the controls should be to prevent any one person from circumventing the defined process or procedure.
Effectiveness, efficiency and compliance with the internal controls should then be evaluated on a pre-defined schedule that is published and made available to all employees. At each level of management, these controls are reviewed and a scorecard is developed to identify the areas that are in compliance and the areas where additional work is required to meet business objectives and risk profiles.
And, finally, an ongoing education program should be established which starts with the business objectives of the compliance program being implemented within the organization. It should seek and obtain employee buy-in to the objectives, provide a means for employees to report violations of corporate policy and practices confidentially, and leverage organizational knowledge to bring improvement to the program in years 2, 3, etc.
Whether organizations realize it or not, there is at least one, and usually several, industry and/or regulatory standards applicable to protecting the consumer. Taking the reasonable and appropriate steps to protect confidential data requires identifying what standards must be met, building a compliance framework which encompasses the identified standards, and tailoring the implementation of the standards to the organization's business objectives. It takes vigilance to ensure day-to-day business practices are in line with business objectives.
David Mertz is Director, Compliance Service for GSI, an enterprise web hosting and IT services company located in Kansas City, MO. He consults with a wide range of companies in a number of different industries on meeting IT security standards, including the payment card industry (PCI), healthcare (21 CFR Section 11 and HIPAA) and finance (GLB), and on developing effective Business Continuity Plans.
Fig. 1: The basic consumer protection statute enforced by the Commission is Section 5(a) of the FTC Act, which provides that "unfair or deceptive acts or practices in or affecting commerce are declared unlawful" (15 U.S.C. Sec. 45(a)(1)).
"Unfair" practices are defined to mean those that "cause[] or [are] likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition" (15 U.S.C. Sec. 45(n)). In addition, the Commission enforces a variety of specific consumer protection statutes (e.g., the Equal Credit Opportunity Act, Truth-in-Lending Act, Fair Credit Reporting Act, the Cigarette Labeling Act) that prohibit specifically-defined trade practices and generally specify that violations are to be treated as if they were "unfair or deceptive" acts or practices under Section 5(a).