Over the past decade, enterprise data privacy has undergone a monumental shift in focus and motivation. Data privacy was originally driven by an organization's ethical commitment to protecting information about customers and third parties, with organizations largely left to their own devices to develop a set of sound privacy controls. After a series of high-profile data breaches, though, both the government and regulators stepped in...
and created a series of mandates strictly regulating how organizations may handle a variety of sensitive information.
In this tip, we'll examine the legal and regulatory environment surrounding data privacy in the United States, and offer some advice on building a privacy compliance program that facilitates compliance with these obligations.
Understanding legal obligations
The first source of compliance mandates are the collection of federal and state laws that govern the protection of personal information. Unlike member nations of the European Union, the U.S. does not have a single, sweeping data privacy law. Instead, we are left with a patchwork of targeted laws that tackle a specific information domain or group of individuals.
Most prominent among these laws is the Health Insurance Portability and Accountability Act (HIPAA). First passed in 1996 and updated as recently as 2013, the HIPAA Privacy Rule contains a series of safeguards designed to protect health-related information held by "covered entities" under HIPAA. This class of organization includes health care providers that engage in certain transactions, health plans and health care clearinghouses. Organizations subject to HIPPA's Privacy Rule must take steps to prevent the unauthorized disclosure of health information, provide individuals with access to their information, offer a means for individuals to correct inaccurate information and disclose the ways that the covered entity uses this information.
Three years after HIPAA was signed, Congress enacted the Gramm-Leach-Bliley Act (GLBA) to provide similar protections for sensitive financial information. GLBA applies to a broad class of organizations that fall under the act's definition of "financial institution" and requires that they provide customers with a notice of privacy practices, implement sufficient safeguards to protect non-public information and take measures to protect against social engineering attacks.
In addition to GLBA and HIPAA, many other federal and state laws address enterprises' privacy practices. For example, the Children's Online Privacy Protection Act regulates the handling of personal information about children. Also, 46 U.S. states now have a data breach notification law that requires organizations to notify residents of their state in the event of a breach of private personal information, with Alabama, Kentucky, New Mexico and South Dakota being the only outliers.
The various federal and state privacy laws only serve as the beginning for enterprises seeking to build a privacy compliance program. Organizations must also review the set of contractual and regulatory commitments they have made in the course of normal business.
The most commonly cited example of a data privacy regulatory obligation is the Payment Card Industry Data Security Standard (PCI DSS). This was designed to protect the privacy and security of credit card information, and any merchant who accepts credit card transactions agrees to this comprehensive set of regulations when they sign a merchant agreement with their bank. PCI DSS contains a series of detailed security and privacy controls that organizations must implement, organized into twelve control domains. Among these are provisions that organizations must safeguard sensitive cardholder information and immediately notify their bank of any potential breach.
While PCI DSS is a set of standards that uniformly affects organizations involved in credit card transactions, it's only the beginning for contractual obligations. Organizations must also scour the many agreements that they have signed in the course of business and identify any other privacy obligations that may arise from those business relationships.
From the editors: More on PCI DSS 3.0
Originally debuting on December 15, 2014, PCI DSS has undergone major changes in its nearly decade-long life span. That was certainly the case with the release of PCI DSS 3.0 as well. The SearchSecurity.com team provides a number of resources to get enterprise security teams up to date on the latest PCI happenings, though, including a timeline of PCI DSS, an overview of the five most important changes for merchants and a review of the standard's history from expert Mike Chapple. Check out SearchSecurity.com for even more PCI DSS resources.
Creating a privacy framework
It is easy to become overwhelmed by the prospect of building a privacy compliance program. Fortunately, there are four steps that organizations may follow to build a sound privacy foundation.
First, an organization must identify the protected information that it holds. This includes all info that the organization is required to protect, whether that mandate arises from law, regulation or the organization's own internal policies. This inventory is essential to correctly defining the scope of a privacy program.
Next, conduct a risk assessment, similar to those performed when evaluating other information security risks. This assessment should identify the threats and vulnerabilities potentially exposing the protected information listed in the inventory, and with that information in hand, assign a risk rating to each combination of threat and vulnerability that can be used to prioritize the implementation of protections.
After identifying potential risks to protected information, an organization should then design and implement a series of controls that mitigate that risk to an acceptable level. For example, an organization may utilize information gleaned from its risk assessment to determine that a malicious insider stealing large quantities of information is a major data privacy risk in its environment. The company might respond by implementing a series of controls that mitigate this risk, including conducting more thorough employee background checks, throttling policies that limit the amount of data an employee may access and implementing data loss prevention systems that inhibit unauthorized data exfiltration.
Finally, an organization must monitor the effectiveness of its privacy controls on an ongoing basis. This includes detailed monitoring of technical controls, as well as periodic reviews of the full set of controls to ensure that they remain adequate and effective.
Clearly, modern enterprises face a confusing array of data privacy obligations, but the risk stemming from those obligations can be effectively mitigated with the right data privacy compliance program in place. Each organization should focus on conducting a careful analysis of the laws and regulations that govern its unique business activities, and then ensure that it has implemented adequate controls to mitigate the threats targeting the information protected by those mandates.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is Senior Director for IT Service Delivery at the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and the Security+ Training Kit.