September 14, 2009, 11:42 AM — In today’s digital environment, it’s easier and more convenient than ever to share, access, and store data. Many organizations depend on technologies that make the data easily accessible and communicated to colleagues, partners, and clients in order to go about their daily business. However, transferring private client information and confidential documents electronically does not come without pitfalls. Identity theft has been on the rise and the need for greater transparency and accountability in the handling of sensitive private data calls for stricter security controls. Legislative bodies at the state, federal, and even international level are now requiring businesses to take both proactive and reactive measures to address the concerns around data privacy.
Many organizations are either not aware of these regulations or don’t know how to effectively address this issue. Yet this does not excuse them from complying with these requirements. Thus, this resource is a guide to the various regulations requiring data encryption and privacy breach notification laws, as well as providing some best practices for implementing a secure environment for private data.
7 Best Practices for Securing Private Data
1. Use Encrypted Transfer Methods
Identify acceptable methods of transferring or communicating private data. Only transmit private data electronically via encrypted channels. Standard email and ftp systems do not have security measures or encryption, nor does instant message clients.
2. Track All Access to Private Data
Implement systems for auditing and tracking all access and communication of private data, including the ability to detect and report incidents of unauthorized access. You should be able to know exactly who accessed private data, what data was accessed, and when it was accessed.
3. Physically Protect Where Data is Located
Lock and password-protect unattended computers or other data storage media containing private data, even if the user is away for a few minutes. This is especially critical if the storage media is in a location that is accessible by the public.
4. Establish Protection Safeguards
Protect your organization against malware, viruses, network breaches, etc., by installing and updating anti-virus software on all computers, restricting the use of non-approved file sharing or P2P programs or even certain websites, setting up firewalls, closing commonly open ports to your IT infrastructure, etc.
5. Manage User Profiles
Centrally monitor user IDs, passwords, and access levels to private data. For example, terminated employees should have their IDs and access immediately blocked or disabled. Larger firms typically utilize an active directory server to easily manage user profiles.
6. Select Reliable Solution Vendors
If you are using a solution from a third party service provider to transfer or store private data, stick to those that have a track record for reliability and strong industry reputation for supporting data security. SAS70 certification, service level agreements (SLAs), and an established presence in your industry are good indicators of a trustworthy and reliable service provider.
7. Train Your Staff on Security Guidelines
Having a comprehensive security policies program is useless if your employees do not know about it or abide by it. Communicate and train your staff on proper security procedures, including educating users about phishing scams and not clicking or opening suspicious emails or links, keeping passwords in a safe location (a post-it note on your desk is NOT secure), making sure that laptops or laptop bags are not left in open view in cars or unattended locations, etc.
Stay up-to-date with security and data privacy laws as well as learn best practices from others.
Learn more and join our discussion group at http://www.leapfile.com/Data-Security-Compliance
For more information about LeapFILE, please visit http://www.leapfile.com.
Encryption Required for the Electronic Transmission of Personal Data
State laws requiring protection or encryption of personal data as a preventative measure:
There is no national data protection law at the moment, but two states are adopting their own legislation. However, the scope of the both laws cover all persons (or companies) that own, license, store or maintain personal information about a resident of the state, which essentially means that any business outside of those states who has data on clients residing within that state needs to comply with the law. Please verify with your state legislature on the details of the governing act.
Massachusetts - Mass. 201 CMR 17
The Massachusetts Office of Consumer Affairs and Business regulation (OCABR) extended the deadline for compliance to Mass. 201 CMR 17 to January 1, 2010.
This state law requires the data of MA residents be protected (notably by encryption) by “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts,” is said to be the strictest data security law in the country.
Section 17.04 – Part (3) of Computer System Security Requirements mandates encryption for all records and data containing personal information transmitted wirelessly as well as across all public networks. Part (4) requires a reasonable monitoring of systems, for unauthorized use of or access to personal information.
Nevada - NRS 597.970
Restrictions on personal information transferred through electronic transmission - A business in this State shall not transfer any personal data through an electronic transmission outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission. Effective October 1, 2008
Data Security Breach Notification
State laws and regulations mandating notification of security breaches of personal information:
Most of these laws require persons who conduct business to notify consumers or customers of breach in the security, confidentiality, or integrity of unencrypted computerized personal information held by the business. Typically, these laws not only apply to the company based in that state, but also apply if a business has customers or even one employee in that state. Most of these acts are a result of prior bills passed to prevent identity theft. Please verify with your state legislature on the details of the governing act.
Alaska - 2008 H.B. 65, Alaska Stat. §45.48.010
Arizona - SB 1338, Ariz. Rev. Stat. § 44-7501
Arkansas - SB 1167, Ark. Code Ann. § 4-110-101 et seq.
California - SB 1386, SB 20, Cal Civil Codes 1798.29, 1798.80-1798.84
Colorado - Co. Rev. Stat. §6-1-716(1)(a)
Connecticut - Con. Gen. Stat. §36a-701.
Delaware - Del. Code Ann. Title 6 Section 12B-101 to 12-B-106.
District of Columbia - DC Code Sec 28-3851 et seq.
Florida - Fla. Stat. Ann. 817.5681 et seq.
Georgia - SB 230, Ga. Code Ann. 10-1-910 et seq.
Hawaii - Haw. Rev. Stat. Sec 487N et seq.
Idaho - Idaho Code Ann. §28-51-104 to 28-51-107
Illinois - ILCS Sec. 530/1 et seq.
Indiana - Ind. Code Sec. 24-2-9 et seq., 4-1-11 et seq.
Iowa - Iowa Code § 715C.1 (2008 S.F. 2308)
Kansas - SB 196, Kansas Stat. 50-7a01, 50-7a02.
Louisiana - La. Rev. State. Ann. Sec. 51:3071 et seq.
Maine - Me. Rev. Stat. Ann. 10-21-B-1346 to 1349
Maryland - Md. Code, Com. Law § 14-3501 et seq
Massachusetts - HB 4144, Mass. Gen. Laws § 93H-1 et seq.
Michigan - Mich. Comp. Laws § 445.72
Minnesota - H.F. 2121, Minn. Stat. 325E.61 et seq.
Montana - HB 732, Mont. Code § 30-14-1701 et seq.
Nebraska - L.B. 876, Neb. Rev Stat. 87-801 et seq.
Nevada - SB 347, Nev. Rev. Stat. 603A.010 et seq.
New Hampshire - HB 1660 FN, NH RS 359-C: 19 et seq.
New Jersey - N.J. Stat. 56:8-163
New York - A4254, A3492, NY Bus. Law Sec. 899-aa
North Carolina - SB 1048, N.C. Gen. Stat. 75-65
North Dakota - SB 2251, N.D. Cent. Code 51-30-01 et seq
Ohio - HB 104, Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Oklahoma - HB 2245, HB 2357, Okla. Stat. 74-3113.1
Oregon - SB 583
Pennsylvania - SB 712, 73 Pa. Cons. Stat. 2303
Rhode Island - H. 6191, RI Gen. Law 11-49.2-1 et seq
South Carolina - 2008 S.B. 453, Act 190
Tennessee - SB 2220, Tenn. Code § 47-18-2107
Texas - SB 122, Tex. Bus & Com. Code Ann. 4-48-103, 48.001 et seq.
Utah - SB 69, Utah Code 13-44-101 et seq
Vermont - Vt. Stat. Tit 9 Sec. 2435
Virginia - Va. Code § 18.2-186.6
Washington - SB 6043, Wash. Rev. Code § 19.255.010
West Virginia - W.V. Code §§ 46A-2A-101 et seq.
Wisconsin - SB 164, Wis. Stat. § 134.98 et seq.
Wyoming - Wyo. Stat. § 40-12-501 to -501
* States with no security breach law: Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota.
Healthcare Insurance Portability and Accountability Act (HIPAA)
- Limits the use and disclosure of individually identifiable information relating to the physical or mental health of individuals absent the consent or authorization from the patient.
- Requires all records be managed as part of the organization’s official records management program.
- Requires training to ensure employees are aware of the requirements.
- Security Rules under the Act became effective in April 2006.
- Applies to doctors, hospitals, pharmacies, medical billing services, health care plans, HMOs, and business associates of these entities such as their accountants and attorneys.
- Imposes strict data disposal requirements, including overwriting or physically destroying all magnetic media that is no longer in use or that is given away or sold.
Gramm-Leach-Bliley Act (GLBA)
- Requires financial institutions to ensure the security and confidentiality of customers’ non-public, personal information.
- Organizations are required to automatically send privacy notices to customers.
- Harm caused by “identity theft” has led the federal government to create mandates such as this to prevent the negligent disclosure of private information.
Sarbanes-Oxley Act (SOX)
- Implements multiple sweeping reforms for public companies, auditors, board members and lawyers.
- Applies to all U.S. and non-U.S. public companies that have issued securities in the U.S. public markets and are required to file periodic reports with the SEC.
- Prescribes a system of federal oversight of public auditors.
- Imposes new criminal penalties relating to fraud, conspiracy, destruction of evidence and interfering with investigations.
- Requires management to establish and maintain internal control structure and procedures for financial reporting.
- Requires establishment of a process for employees to submit, in confidence and with anonymity, concerns regarding questionable accounting matters.
International Business Regulations:
These regulations apply to companies that conduct business or have clients located in these countries.
Safe Harbor Act
- In October 1998, the European Union passed the EU Data Protection Directive. It places requirements on businesses that process personal data from an EU Member State.
- The transfer of personal information from an EU Member State to a non-EU country is forbidden unless the receiving country provides an “adequate” level of privacy protection.
- In order to avoid disruptions in trade between the U.S. and the EU, the U.S. Dept. of Commerce developed the Safe Harbor framework, which allows U.S. companies a means of assuring European consumers that they will provide an adequate level of privacy protection, thereby satisfying the requirement of the EU Data Protection Directive.
Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
- Governs the collection, use, and disclosure of personal information in commercial activities by organizations of all types, including the Canadian offices or subsidiaries of foreign companies.
- Applies to both traditional paper-based business as well as online commercial activities.
• “The FAQs about SB-1386”. SearchCIO.com.
• “Strictest data law in nation”. SC Magazine.
• “State Security Breach Notification Laws”. National Conference of State Legislatures.
• “Notice of Security Breach State Laws”. Consumers Union.
• “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)”. National Institute of Standards and Technology (NIST).