The floodgates of guidance about Massachusetts’ new data privacy regulations are officially open.

The new rules, bureaucratically known as 201 CMR 17.00, took effect March 1 and are widely considered to be the toughest privacy standard in the nation. They apply to any company that “owns or licenses” personal information—whether stored in electronic or paper form—about Massachusetts residents. The law defines personal information as a person’s first and last name, or first initial and last name in combination with any of the following: Social Security Number; driver’s license or state-issued identification numbers; financial account numbers; and credit or debit card numbers.


Corporations have had more than a year to digest the rules and plan accordingly for compliance, but during a March 23 Webcast on the topic, Daniel Costa, an advisory services senior manager with Grant Thornton, said he still hears a multitude of questions from companies. What qualify as “reasonable” measures to protect data? What are the consequences for non-compliance? What could the maximum financial penalty be per violation? Given that continuing ambiguity, Costa recommended that companies start by conferring with their legal departments to understand the full scope of the privacy rules.

Richard Davis, an advisory services principal with Grant Thornton who was also part of the Webcast, said compliance officers should pull in their financial and IT departments as well, to understand how they handle privacy and data security in their functions; all that can then be applied to the company’s overall risk assessment. Moving forward, he said, the internal audit department is “ideally suited to help organizations think through risk and control elements.”

And while companies do have many other privacy regulations to contend with that are designed to protect personal information—the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the PCI security standards, for example—Davis warned against organizing “an all-encompassing compliance approach.” Instead, he said, use the existing standards as a starting point to map out common objectives among all the rules and develop an overall governance strategy; then start a compliance program for the Massachusetts regulations based on that.

The PII Life Cycle

Davis and Costa laid out a four-part plan for companies to follow when thinking about how to maintain the correct handling of personally identifiable information (PII).


Phase 1: Volume and Storage. Overall, this phase takes inventory of current people, processes, and technology as they relate to data privacy. Start with an assessment of the amount of information and the number of transactions in your systems that contain personal information, and ask how many consumers you gather personal information from.

The retail industry can be particularly vulnerable on this point. Retailers constantly acquire demographic information to predict consumer behavior more accurately and, as a result, maintain vast troves of personal data that attract hackers.


“The overall business model lends itself to a significant amount of data risk with respect to customer information,” Davis said. The poster child, of course, is TJX Cos., the Massachusetts-based retailer that in 2007 disclosed a data breach where hackers swiped 45.7 million customer records—the largest data breach in U.S. history, which then inspired Massachusetts lawmakers to pass the current privacy law.

During Phase 1, companies must also strive to know exactly what personal data they gather. They need to physically gather sample forms that contain personal information (credit card applications, preferred customer reports, new employee applications) to understand all the attributes of the data being collected, Costa said.

[Chart: Privacy Investment. How companies typically invest in privacy projects. Source: Grant Thornton Privacy Webcast (March 23, 2010)]

Next, companies should pinpoint where that information is stored. For example, when a new employee is hired, most employee applications are printed and stored in filing cabinets or e-mailed to the HR department and keyed into an HR database.

Phase 2: Movement and Access. Beyond the storage of information, companies must also identify the movement of information. Is data moved electronically via e-mail, or physically via paper? “So really start to think of the movement of information, which we think is a very high risk,” Costa said.

Pay attention to the movement of personal information externally as well. Does your company put personal customer data into the hands of outside vendors, for example? (Hint: Most do, such as to data storage firms like Iron Mountain.) Knowing which employees have access to personal information and how often they use that data is also important.

Phase 3: Remediation. Following a thorough risk assessment, phase three is to implement policy and procedure. This is where having a comprehensive written security policy comes in, and it should contain the following elements:

Governance framework. “People change jobs. You don’t want to have to recreate the wheel. So having some type of governance process on how this process will be managed in the future is very, very important to the overall success of the program,” Davis said.

Privacy awareness, including training and development. And ask yourself: How does this link to your company’s current Code of Ethics?

Compliance with the Massachusetts data privacy standards. How does your compliance framework align with the overall objectives of the data privacy law?

Access control. Companies that are already PCI and SOX compliant likely have a good understanding of the access controls, Davis said. “That should be embedded in your security policy,” he said.

Data security and retention. What procedures do you have in place to limit the collection of data? Do you have a cycle to purge old data?

Vendor management. How do you manage third parties? How you think about your interactions with vendors and how you organize your interactions with them going forward is “critical,” Davis said.

Encryption. What type of encryption technologies are you using? “What you don’t want to do is create undue stress to a very fluid process that really is organized to deliver service to your clients and your stakeholders,” Davis said.

GOOD PRIVACY PRACTICES

Grant Thornton offers companies a roadmap to good privacy practices:

1. Identify Risks

2. Inventory Location of Personal Information

3. Limit Collection of Data

4. Routinely Evaluate and Adjust Program

5. Encrypt Hardware and Data Transmissions

6. Obtain Written Guarantees of Adherence from Third Parties

Source: Grant Thornton Privacy Webcast (March 23, 2010)

Phase 4: Maintain Solution. Develop a sustainable solution with the ability to incorporate and evaluate future initiatives.

Davis noted that, with a typical privacy project investment, proven practices show that companies spend roughly 60 to 65 percent of their time on risk assessment and control evaluations, 15 percent on developing policies and procedures, and 20 percent on establishing an ongoing monitoring strategy.

“It’s not a one and done deal,” Costa said. “Just make sure it’s a very easy approach that can be maintained and sustained over time.”