Saturday, January 17, 2009

Compliance

I want to talk a moment about compliance. While largely a voluntary concept, compliance is supposed to provide detailed guidelines that can be scaled to fit almost any organization and, for the entities that adopt those guidelines, to provide the protections the program is attempting to define. These measures also usually define consequences for non-compliant organizations in the event of litigation. It can therefore be a business decision whether to be compliant or not and to risk the consequences of non-compliance. When it comes to identity theft, we have been experiencing a growth pattern that mirrors not only the rise in data gathering across the board but also the global downturn in the economic climate. Remember, as long as the data has value it will be stolen, sold, and used. As I reported recently, more than half of all data breaches occur in businesses, and result in an unknown number of identity thefts. We do know, however, that there are nearly 10 million victims of identity theft each year, and a significant number of them cannot be traced to any specific source, especially since many cases are not discovered until months or even years after the fact, or are the result of "multiple identity theft," where the victim is affected by more than one type of identity theft at a time. This figure of 10 million is predicted to rise by a factor of 20 within the next 12 to 18 months. Also, keep in mind that businesses and their executives are held completely responsible for these breaches.

The cost to government and business is astronomical. In 2007, OMB and FTC estimates showed at least $48 billion in lost business revenue, fines, investigative costs, lawsuits, etc. As a result, states are looking to control their costs, as police departments and county and state attorneys' offices are inundated with identity theft complaints that add a large burden to their offices. This brings me to the point of this column. We have had guidelines for several years now, and now certain compliance regulations, that clearly show the steps every business, non-profit, school system, and local municipality should follow to reduce breaches and identity theft episodes. These guidelines are defined in the 1999 Gramm-Leach-Bliley Act (GLB), the 2003 and 2005 provisions of the FACT Act, and again by way of the Red Flags Rules of 2008.

Massachusetts has now stepped in and announced that these very guidelines are law of the Commonwealth. Any organization that does business in Massachusetts or has any client who resides in Massachusetts must adhere to the regulations, which go into effect May 1, 2009. This applies not only to the business in question but also includes mandatory oversight of the data security practices of all businesses that are third-party service providers and contractors. Massachusetts has gone so far as to announce that if any other state enacts more stringent regulations than these, it will adopt the more stringent terms. Surely other states will follow; it is simply a matter of when. A unifying federal regulation is on the horizon. With the inauguration of the first U.S. President who is expected to appoint a Chief Information Security Officer, a federal regulation will come from Congress sooner rather than later, perhaps as soon as this year. It will probably come from Senator Dianne Feinstein, the incoming Chair of the Senate Select Intelligence Committee. Sen. Feinstein has long been an advocate of personal privacy oversight and identity theft law. Below is a great article on the new Massachusetts legislation.

Massachusetts Gets Tough on Data Security
Jan 15, 2009
By Maria Bruno-Britz, Bank Systems & Technology
As if banks didn't have enough on their plates with compliance and regulation on the federal front, come May 1, they will have to be mindful of strict new rules coming from the Commonwealth of Massachusetts around data security.
The Massachusetts Data Security Regulations are perhaps like no other in terms of their depth and scope. During a teleconference, attorneys from the privacy and data security practice of the law firm Goodwin Procter (Boston) described this very detailed, all-encompassing set of rules designed to keep consumers' personal data safe. They go beyond the rules of other states and the federal government that simply require companies to notify their customers of theft of their personal information. "Personal information," for the purposes of the regulation, is described as someone's first and last name or first initial and last name, in combination with Social Security Number, driver's license number or financial account number.
At its core, the regulation states that companies, including banks, that handle the personal data of a Massachusetts resident must show they have in place a comprehensive, written information security program with heightened security procedures around how this information is handled.
The rules also extend to entities' service providers and the degree to which they too must show they comply with the Massachusetts rules of handling data on residents. Companies have until May 1 to amend their vendor contracts to reflect this and until Jan. 1, 2010 to certify their vendors comply. Furthermore, companies must comply with these rules even if they do not have a single office in the Bay State or if they are in an already heavily regulated industry, like financial services. As long as customers in businesses' databases reside in Massachusetts, those companies are affected by the rules.
According to partner Deborah Birnbach, this is some of the most intrusive legislation as it relates to the operation of businesses. "It requires changes in your physical access, changes in your relationships with your vendors, changes to your training programs, and changes in the type of information stored and how you store it," Birnbach explained to attendees. "This is not business as usual as it relates to the personal information of Massachusetts residents."
Under the rules, companies have a duty to monitor their security programs on an ongoing basis. The size and type of company will be taken into account by lawmakers, however. Partner David Goldstone said businesses are required to develop, implement, maintain and monitor a "comprehensive" written information security program. "They expect the information security program to be a living and breathing information security program," he said.
The safeguards in the program must be administrative, technical and physical in nature. Entities will be required to identify all records used to store personal information. Although companies won't be expected to keep an inventory of this data per se, they are expected to know where it is, Goldstone noted. One of the suggestions to facilitate this process is to create an information flow map that shows where information is stored and transmitted.
Businesses must also identify and assess both internal and external risks to the organization. Once these steps are completed, they must then evaluate (and improve, if necessary) the safeguards in place around such areas as employee training and physical security.
In addition to all this, companies will be obligated to limit the collection and use of personal information. They must identify the purposes for which they collect this kind of information and identify how long they wish to keep it and who can access it.
Another big component of the regulation is around the protection of data in transit and data on portable devices, like laptops, Blackberrys and thumb drives. Companies will be required to encrypt data not only when it is stored but also when it is being transmitted over networks or physically moved, as when an employee takes a laptop home.
Properly educating and handling employees will also be key to compliance. The rules state, for example, that companies must be vigilant when dealing with terminated employees so that their access to data is "immediately" denied.
"Massachusetts may be the first with such detailed regulations, but it is not likely to be the last," predicted Lynne Barr, a partner with the firm.