As this article took shape, storage firm Iron Mountain lost backup tapes containing the personal records of 600,000 past and present Time Warner employees, and DSW announced that hackers had infiltrated its database, accessing personal information from 1.4 million credit and debit cards. In the past six months, George Mason University, the Las Vegas DMV, SAIC, Bank of America, Boston College and LexisNexis all admitted to security breaches that resulted in the theft of names, addresses and Social Security and driver’s license numbers. ChoicePoint, a data broker, was tricked into selling more than 145,000 records to fraud artists.
There appears to be a serious problem in how companies protect people’s personal data. There were 9.3 million identity theft victims in 2004, and those thefts cost the economy $52.6 billion. Data privacy is a growing issue that crosses application databases, operating environments and platforms.
To buck this trend, the United States has adopted federal privacy legislation, and individual states are adopting their own legislation as well. Consulting firms report increased business in their compliance areas, and numerous software solutions are appearing on the market. Using the appropriate tools, organizations should be able to automate their compliance management processes, effectively test their systems, and produce appropriate and complete documentation.
The Gramm-Leach-Bliley Act (GLBA) limits financial institutions’ ability to disclose “non-public personal information” about customers to third parties. These institutions are required to tell customers how their privacy is being protected.
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare professionals and institutions to protect the security and integrity of patients’ private information. NIST Special Publication 800-66, the recently released guideline for implementing HIPAA, is aimed at organizations that must comply with both HIPAA and Federal Information Processing Standards (FIPS). It points out links between physical security, information security, and data assurance.
The Food and Drug Administration’s Code of Federal Regulations Article 21, Part 11 (FDA 21 CFR 11) requires all pharmaceutical, healthcare and food services and medical equipment manufacturing companies to preserve and secure information by establishing audit trails.
The Sarbanes-Oxley Act requires companies to become more fiscally accountable.
Section 302 requires companies to certify that the officer who signs periodic financial reports has reviewed the reports and found them true and not misleading, that internal controls were established and maintained, and that the audit committee has been apprised of all significant deficiencies.
Section 404 requires companies to document and assess their control environments. This is believed to be the single most important piece of federal legislation on corporate governance, financial disclosure and public accounting since the U.S. securities laws of the 1930s.
The Fair and Accurate Credit Transactions (FACT) Act makes major changes to the Fair Credit Reporting Act (FCRA) to provide specific protections from fraud and identity theft. It requires merchants and credit agencies to tighten their systems for handling consumer fraud complaints and for protecting sensitive information from unauthorized disclosure.
The USA Patriot Act requires that financial institutions verify new accountholder identification, maintain information used for account verification, and cross-reference identities against federal terrorism lists. The legislation also makes businesses responsible for seeking, detecting and reporting computer trespasses.
Privacy regulations have been changing continually, and we expect additional legislation and changes. Visa and MasterCard are imposing new information security rules to avert identity theft. California and other states are passing additional state legislation. Clearly, compliance requirements will continue to evolve, and to meet them, businesses will need funds, personnel and software.