Be prepared

Information security regulations offer value-added revenue opportunities.

What your customers don’t know will hurt them. Most companies are unaware of all of the data protection and data breach regulations governing personally identifiable information (PII) that affect their businesses today. For that reason, most are out of compliance and don’t know it—yet.

Legislative trends and penalties

It’s critical that businesses get up to speed with these regulations as quickly as possible by examining how they handle data.

Identity theft is the No. 1 complaint the FTC (Federal Trade Commission) receives from consumers, according to a news release the agency issued in February 2015. In response, regulators are introducing and tightening requirements governing PII.

Twenty-nine bills have been or will be introduced in 2015 to amend current bills or to address other types of PII.

One bill that was introduced earlier, U.S. Senate Bill 1897, the Personal Data Privacy and Security Act of 2014, would penalize any person who “intentionally and willfully conceals the fact of such security breach” with up to five years in prison.

Technology such as websites and email help your customers do business around the world. What your customers may not realize is that more than 100 countries have strict rules about how personal data about their citizens is collected and stored.

Businesses operating in Europe need to address stricter requirements than those in the U.S. Any business with a website selling products and services, collecting personal information from European Union (EU) residents, as well as those with employees and/or locations in the EU, must obey EU rules.

The pending General Data Protection Rule (GDPR) will mandate new guidelines affecting all non-European countries that operate in the EU and will include significant fines for noncompliance, including the possibility of fines ranging up to 5 percent of annual revenues.

Serious consequences of data loss affect businesses every day. According to Imprima, with a U.S. office in New York, 78 percent of organizations have experienced a data breach in the last two years.

Sixty percent of businesses that lose data will shut down within six months of the disaster, according to data reported by the Boston Computing Network, Boston.

Failing to manage data can lead to excruciating fines and other penalties. In the U.S., Massachusetts secured a $150,000 settlement in a “long reach” action against a firm in Rhode Island. Expect this trend to extend across the U.S., just as data breach legislation has spread to 47 states, two territories and Washington, D.C. And, in the U.S. and Canada, 300 entities hold jurisdiction over different types of PII data, which could lead to numerous potential fines.

Ignorance of such laws will not be a valid excuse for failing to report data breaches. Announcing a data breach settlement, Vermont State Attorney General William Sorrell said, “At this stage of the game, having seen widely reported data breaches at big retailers like Target and dozens of others, we will not accept the excuse that a business did not know of its obligations to report a breach.”

Expect a similar reaction to breach risk management.

A complex task

HIPAA/HITECH (Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health) and PCI (Payment Card Industry) compliance are two areas that many, if not most, businesses understand. They seem straightforward because HIPAA/HITECH address one type of PII—health information—and the PCI Data Security Standard (DSS) addresses another—credit card information.

However, 14 federal laws address other types of PII. For example, Gramm-Leach-Bliley (GLB) protects financial information; the Fair Credit Reporting Act (FACTA) protects consumer credit information; the Children’s Online Privacy Protection Act applies to the collection of personal information from children under the age of 13; and CAN-SPAM sets specific requirements for businesses that send emails. In addition, many states have multiple laws that protect different types of PII.

The good news is that there are comprehensive programs you can provide to your customers to help them reduce, protect and secure PII data to lessen the risk of having a breach.

Getting prepared

Penalties can be avoided without a lot of pain, time lost or cost. According to a study by the Online Trust Alliance, Bellevue, Washington, 89 percent of breaches are preventable.

Businesses need to do a bow-to-stern review of the processes used to acquire, access, handle, transmit, store and destroy the PII of employees as well as that of customers and vendors. This review, known as data life cycle management, leads the privacy champions in the company through the requisite assessment for the loss or exposure of PII data by physical, technical or human methods.

A team of stakeholders to drive the program includes directors of human resources, IT, administration, sales and customer service. A thorough vetting of compliance requirements is followed by a detailed analysis of how the PII flows through the company, its staff, vendors, network, filing systems and devices. After a full examination, a list of policies and procedures is prepared, and remediation will bring processes up to standard.

The common elements of legislation that require companies to safeguard PII go beyond risk assessment and remediation: they also require employee training; detailed steps to take in the event of a data breach, including incident response and breach report planning; and ongoing audits of these processes on a regular, or at least an annual, basis.

The creation of this program will be well worth the time and effort. With a little time set aside for the tasks that improve processes, for implementing policies and procedures, and for employee training, a robust program can be in place in a matter of hours. Thereafter, each annual review will be much faster and more effective.

Additionally, aside from reducing the risk of a breach, compliance also could mean better insurance rates. It’s the hope of Bobbie Stempfley, deputy assistant secretary of cybersecurity strategy in the Department of Homeland Security, that insurance companies will reward businesses with lower costs for demonstrating due diligence regarding PII.

For your benefit

Storage and destruction service providers are well-positioned to offer the value-added solutions your current customers need, not only to meet legal requirements but also to make life easier. With minimal effort, you can add new substantial streams of recurring revenue that are meaningful to your customers.

In our experience serving businesses with the CSR Breach Reporting Service™ for the last three years, part of the CSR Readiness™ Suite, a data life cycle management program, company owners are relieved and grateful to know that privacy professionals essentially “have their back” by providing a value-added service through CSR channel partners to file breach reports to authorities and consumers for them.

Your customers already rely on your security expertise, so there is no one better to provide answers to regulatory requirements. Solutions are readily available that can be turnkey for you. In effect, you will be inserting your business into every critical aspect of your customers’ daily activities that touch PII.

You easily can launch a program in 60 days that will give your customers the guidance they need to tailor the components of an information security program. Strong value-added solutions that you provide will strengthen your relationships and credibility as well as your revenue projections.

Dr. Federgreen, CIPM, CIPP/US, CIPP/C, CIPP/G, CIPP/E and European Privacy Association fellow, is CEO of CSR Professional Services Inc., a data breach preparedness solutions provider based in Jensen Beach, Florida. He can be reached via email at rfedergreen@csrps.com.

Summer 2015