Tom Considine & Associates
"Information Privacy Professionals"



Protection Laws and Organizational Requirements

Nevada NRS 603A

Regardless of size or industry, any organization that maintains records which contain personal information of a resident of the state of Nevada shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.

If any organization doing business in the state of Nevada accepts a payment card in connection with the sale of goods or services, the organization shall comply with the current version of the Payment Card Industry Data Security Standard (PCI-DSS).

To achieve compliance under NRS 603A you need to hire, designate, or appoint an individual(s) as your Information Protection Manager (IPM) to develop and monitor your Information Security Program.

Responsibilities of the IPM include:

  • Document and conduct an initial and annual risk assessment, internal audits and a data inventory of your organization's exposure to and handling of Personally Identifiable Information (PII) and consumer financial information
  • Develop a Written Information Security Program (WISP) to include policies and procedures
  • Implement a formal security awareness program for all employees and service providers
  • Develop and implement an incident response plan
  • Perform due diligence reporting on new hires and service providers (IT, payroll, payment card processors, accounting, etc.) to which you grant access to PII of a Nevada resident
  • Ensure contracts between your organization and service providers contain written provisions requiring your service providers to adhere to NRS 603A
  • Ensure industry best practices are utilized in the use of Computer System Security (CSS) and encryption requirements
  • Conduct initial hire and annual training for all managers, staff and service providers with access to PII
  • Ensure initial and annual compliance assessments are completed, signed and maintained on file to present upon request
  • Review and update the WISP at least annually or as changes to the business processes take place


Massachusetts 201 CMR 17.00
Regardless of the business's size or location, 201 CMR 17 applies to all persons who own, process, license, or maintain personal information about a resident of the Commonwealth.  *Note* These requirements include organizations that do not have a physical presence/location in Massachusetts but do business with a resident of the Commonwealth.

Requirements:

  • Designate one or more employees responsible for the information security program, referred to here as the "Information Protection Manager"
  • Conduct internal/external electronic and physical security risk assessments
  • Inventory and document all Personally Identifiable Information (PII) in electronic and paper formats
  • Encrypt all laptops, portable devices, and PII transmitted across public networks and wireless
  • Develop a comprehensive Written Information Security Program (WISP) 
  • Implement the WISP with ongoing training for all management, staff, and temporary labor
  • Take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures consistent with 201 CMR 17 and applicable federal regulations
  • Continually monitor the program's effectiveness


Fair and Accurate Credit Transaction Act (FACTA) "RED FLAG RULES"

The Red Flags Rule requires financial institutions and creditors to develop a written Identity Theft Prevention Program.  A "creditor" is considered anyone who creates consumer accounts or bills for services or products.  Organizations falling into this category include financial services, payday loan companies, pawn shops, automotive sales, telecommunications, landlords, medical practices, higher education, public utilities, home and yard cleaning services, etc.

If you're covered by the Rule, your program must:

  • Designate in writing one or more employees (Information Protection Manager) responsible for program development and monitoring
  • Identify the types of red flags relevant to your business and operations
  • Explain your process for detecting red flags
  • Describe how you'll respond to red flags to prevent and mitigate identity theft
  • Continually monitor your program's effectiveness


Federal Trade Commission Safeguards Rule

The FTC Safeguards Rule applies to all businesses, regardless of size, that are significantly engaged in providing financial products or services.  This includes, for example, check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, ATM operators, and courier services.


Payment Card Industry Data Security Standards (PCI-DSS)

PCI-DSS combines technical, physical and administrative controls, educational requirements, written policies and procedures, and regular audits to protect consumer cardholder data.


Health Information Portability and Accountability Act of 1996 (HIPAA)

HIPAA has both a Security Rule and a Privacy Rule.
The Security Rule adopts standards for the security of electronic Protected Health Information (ePHI) to be implemented by health plans, healthcare clearinghouses, and certain healthcare providers, collectively known as Covered Entities.
Covered Entities must take steps to mitigate any breach in security or other violations of their policies and procedures.

HIPAA Privacy Rule mandates:

  • Confidentiality: information may only be accessed by those with a need to know
  • Integrity: methods for assuring no unauthorized alteration or destruction of data
  • Availability: requires backup, disaster recovery, and access to data at all times

HIPAA Security Rule mandates:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards 


Health Information Technology for Economic and Clinical Health Act (HITECH)

The American Recovery and Reinvestment Act (ARRA), signed into law by President Obama, created the HITECH Act.  The HITECH Act is designed to establish a nationwide health information technology infrastructure that allows for the secure electronic use and exchange of protected health records.

The HITECH Act amends parts of HIPAA and improves its privacy and security provisions.  HITECH requires:

  • Application of the HIPAA security provisions and penalties to "Business Associates" of covered entities
  • A national breach notification law requiring covered entities, business associates, service providers and vendors to post breaches on the Health and Human Services (HHS) website
  • Increased fines and penalties of up to $1.5 million for willful neglect
  • Enforcement powers for the provisions of the law granted to State Attorneys General, as well as HHS



Enforcement of Information Protection Laws

Depending upon state or federal regulations, oversight of information protection laws could be conducted in a manner similar to the oversight methods used by the Occupational Safety and Health Administration (OSHA).

1. Unannounced Audits

2. Whistleblower Audits


3. Incident Audits

Incident audits are the most in-depth of all audits.  They are conducted in response to a complaint of identity theft from a client, consumer, creditor, financial institution, etc., or in response to a security breach which has been traced back to the organization.  This form of audit may at times utilize the resources of the FBI and the Secret Service.


4. Vendor Audits

FACTA "Red Flags", HIPAA, and the Nevada and Massachusetts information protection laws require organizations to take all steps necessary to reasonably verify that vendors are compliant with these mandates prior to granting them access to PII.  Failure to meet these compliance requirements may result in termination of the business relationship for cause.


Penalties of Non-Compliance

Should criminals or employees illegally access PII, the cost of correcting the resulting fraudulent activity can range from many thousands to millions of dollars.  A survey released by the Ponemon Institute revealed that 31% of respondents reported ending all relations with organizations involved in a security breach.

Recent data breaches at organizations that were deemed negligent in their protection of PII have resulted in multi-million dollar settlements.  It is much cheaper to protect PII than it is to be caught not protecting it.


Information Protection Managers


Ensure your Information Protection Manager has the knowledge and tools necessary to perform the job correctly the first time.  Training opportunities are available which will save your organization precious dollars.  The state of Massachusetts estimates the cost of compliance for a small ten-employee business with ten computers and no established programs at $500 per month.  Our Information Protection Manager training program costs your organization much less.

Every organization should have at least one Information Protection Manager on staff.  For smaller organizations, your Information Protection Manager can assume responsibility for your compliance while also performing other duties such as management, human resources, loss prevention/security, purchasing, marketing or any other position.

Larger organizations may require a full-time Information Protection Manager to oversee the program and one Information Protection Manager in each department.

Although complying with these laws is mandatory, implementing your written information security program and policies also renders positive results such as:

  • Reduced likelihood of a security breach, protecting your organization
  • Personnel are trained and aware of the organization's policies and their responsibilities
  • Security awareness helps identify criminal activity in and outside the workplace.  Almost 70% of identity crimes are intentionally committed by an employee of the organization, leaving non-compliant organizations liable for damages
  • Protections under the laws cap an organization's liability in the event of a breach

Ph: (702) 702-3492