Data Protection- Regulatory Compliance
Do your existing company policies and procedures comply with state and federal legislation?
All companies have procedures in place to protect data, but the recent explosion of state and federal legislation has potentially changed the rules for everyone. The question in this case, is what action must the company take to meet legislative requirements (compliance), and, in particular, is the company’s data security policy sufficient to meet those requirements?
Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a):
requires that “reasonable and appropriate” measures be taken to protect consumer and financial data. However, because this requirement doesn’t necessarily mandate public disclosure of breaches when a company cannot prove they took reasonable and appropriate measures to protect the data, many states have enacted legislation that forces disclosure of such types of breaches.
One of the first, and certainly the most well-known, states to enact this type of consumer data protection legislation was California with SB1386.
|
|
| 1) | under what circumstances a breach of “personal information” must be publicly disclosed to consumers, and |
| 2) | what exactly constitutes “personal Information” |
SEC. 2. Section 1798.29 is added to the Civil Code, to read: 1798.29.
(a) Any agency that owns or licenses computerized data that includes personal information shall
disclose any breach of the security of the system following discovery or notification of the breach
in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Personal Information ‘Personal information’ means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
This does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Many other states have since passed equivalent bills, and the Federal Government is also proposing to enact legislation to protect consumers’ personal information:
There are 2 important sources of information on how to ensure that encryption-based data security solutions meet the “reasonable & appropriate” test. These are the NIST publication “SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES”, and the FTC publication “Financial Institutions and Customer Information: Complying with the Safeguards Rule”.
Armed with all this documentation, it is possible to define a best-practices approach to the problem—an Encryption Compliance Checklist. This checklist allows companies to quickly assess the effectiveness of their data encryption software following a breach.
Test your organization against the Encryption Compliance Checklist
|
Learn more about California SB1386
