Report security breaches: new rules aid privacy efforts, but challenge businesses. (2003 Technology & Business Resource Guide: Privacy Protection).


Effective July 1, 2003, any person or business doing business in California will be required to notify California residents if their personal information, held in databases under that entity's control, may have been acquired by an unauthorized person through a security breach.

Signed into law last year, this legislation, Senate Bill 1386, is a leap forward for privacy and identity theft protection. For the computer systems that hold the data, however, it is a nightmare.

In April 2002, the state of California waited more than two weeks before notifying employees that hackers had broken into the state's payroll system and compromised its payroll information. While SB 1386 grew out of this incident, legislation of this kind is not unique. The European Union formulated privacy guidelines in 1995, which were subsequently adopted in various forms by numerous European countries, Australia, New Zealand and Canada.

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) and the Children's Online Privacy Protection Act (COPPA) impose special privacy rules in their respective areas. Among the states and the federal government, however, California's legislation is the most far-reaching, and it is no less severe than HIPAA or COPPA.

WHO'S AFFECTED?

This law applies to any person or business doing business in California, including state agencies. It requires the notification of California residents. It does not require notification of non-California residents.

But, from a practical standpoint, who would want to notify only Californians and then be subject to criticism for failing to notify non-Californians?

This law also applies to service bureaus that maintain computerized personal information data for others.

The statute specifically identifies the following as personal information: first name or first initial and last name in combination with Social Security number, driver's license number or California identification card number.

Also considered personal information is an account number or credit or debit card number in combination with any required security code, access code or password.

CHALLENGES TO BUSINESSES

For businesses, there are at least three challenges associated with this legislation:

1. Protecting personal information from unauthorized distribution;

2. Protecting systems from security breaches; and

3. Informing the public that their personal information may have been acquired by unauthorized parties.

The statute defines a security system breach as "... unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the person or business. Good faith acquisition of personal information ... is not a breach ... subject to further unauthorized disclosure."

If unauthorized acquisition occurs, the law requires notification of California residents that their personal information may have been compromised. The notification requirements vary according to the notification cost and the number of individuals affected by the unauthorized acquisition.

If the notification cost is less than $250,000 and the number of people affected is less than 500,000, the business can notify those affected by written or electronic notice. But if the notification cost exceeds $250,000 or the number of people affected exceeds 500,000, then substitute notice is allowed.

Substitute notice consists of e-mail to individuals for whom an e-mail address is available, conspicuous posting of the notice on the business's website, and notification via major statewide media.

These requirements also apply to service bureaus that maintain computerized personal information data for others. Just because the information contained in their systems is not their own information does not relieve them from these notification requirements.

The legislation provides legal remedies for failure to meet its requirements, which opens the door to class-action lawsuits. Undoubtedly this law will be challenged in court. For the exact text of the statute and a legal opinion, consult your legal counsel.

WHAT CAN BE DONE?

There are many steps companies can take to make themselves, and the information they house, less vulnerable.

First, this potential exposure requires that companies encrypt the personal information they store in their databases and that they limit access to the application programs that encrypt and decrypt it. The statute's definition of personal information covers only data that is not encrypted, so records whose sensitive elements are properly encrypted fall outside the notification trigger even if the database is copied. If the systems already provide this functionality, it's less of a problem.

If not, encryption needs to be added, and the encryption and decryption mechanisms themselves need to be secure. In particular, the keys must be stored and managed apart from the data they protect: a key kept in the same database, or in a configuration file on the same server with the same permissions, gives whoever takes the database everything needed to read it, and the encryption buys nothing.
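As an added example, not code from the article or from the author's firm, the following Go program shows what field-level encryption of the statutory data elements can look like: each sensitive column value (here an SSN) is sealed with AES-256-GCM under a key that the application fetches from outside the database, and the ciphertext is bound to its own record and column so that a value copied into another row cannot be decrypted. The record layout, the field names and the use of a random in-memory key as a stand-in for a key-management service are assumptions for illustration; the sample SSN is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// FieldCipher encrypts individual personal-information fields (SSN, card
// number and the like) with AES-256-GCM before they are written to the
// database. Only a program holding the key can read them back.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher takes a 32-byte key. In production the key would come from
// a key-management service or a protected configuration readable only by
// the service account that runs the application, never from the database
// that holds the ciphertext (assumption: no specific key service is shown).
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// fieldContext is authenticated (not encrypted) alongside the value, so a
// ciphertext moved to a different row or column fails to decrypt.
func fieldContext(recordID int, field string) []byte {
	return []byte(fmt.Sprintf("record=%d;field=%s", recordID, field))
}

// Seal returns base64(nonce || ciphertext || tag) for one field value.
// GCM needs a fresh random nonce per call; reusing one leaks plaintext
// and lets an attacker forge authentication tags.
func (f *FieldCipher) Seal(recordID int, field, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := f.aead.Seal(nonce, nonce, []byte(plaintext), fieldContext(recordID, field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open decrypts a value produced by Seal for the same record and field and
// rejects anything that has been modified, truncated or moved.
func (f *FieldCipher) Open(recordID int, field, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns+f.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := f.aead.Open(nil, raw[:ns], raw[ns:], fieldContext(recordID, field))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, tampered data, or ciphertext moved to another record/field")
	}
	return string(plain), nil
}

// MaskSSN is what display and reporting paths should emit after decryption;
// most code that touches the record never needs the full number.
func MaskSSN(ssn string) string {
	if len(ssn) < 4 {
		return "***-**-****"
	}
	return "***-**-" + ssn[len(ssn)-4:]
}

func main() {
	key := make([]byte, 32) // stand-in for a key fetched from a key service
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	const recordID = 1001 // constructed sample record; the SSN is not real
	stored, _ := fc.Seal(recordID, "ssn", "123-45-6789")
	fmt.Println("stored in database:", stored)
	ssn, _ := fc.Open(recordID, "ssn", stored)
	fmt.Println("shown to the user:", MaskSSN(ssn))
	if _, err := fc.Open(recordID+1, "ssn", stored); err != nil {
		fmt.Println("ciphertext moved to another record rejected:", err)
	}
}
```

Two design choices matter here. The key never appears in the same store as the ciphertext, which is what makes the encryption safe harbor meaningful; and the record and column identity is authenticated as associated data, so an attacker with write access to the database cannot shuffle encrypted values between accounts and have the application decrypt them into the wrong context.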

Second, companies need to exercise more than prudent management of their systems, to ensure that the systems cannot be compromised and that any breach is detected, contained and immediately reported to executive management.

Third, systems need to be constantly monitored. Running an IT department just got harder with this new legislation: it means serving the needs of the company, operating the technical resources, and a never-ending struggle to keep systems secure.

Other steps to keep in mind:

* Collect only information that is required. There is a tendency to collect as much information as possible, but that unnecessarily increases your risk;

* Delete information that is no longer necessary;

* Develop a security plan;

* Keep systems up to date;

* Constantly monitor system logs for signs of unauthorized access; and

* Conduct periodic security audits by external parties to detect weaknesses in security policies and procedures, and implement their recommendations.

FAR-REACHING PRIVACY RULES

Lest California businesses feel picked on, consider the privacy rules of HIPAA, which took effect April 14.

These regulations outline 18 identifiers that range from name and address to biometric indicators that identify personal health information.

To use or disclose this information beyond authorized medical care and payment purposes, these 18 identifiers need to be removed.

These requirements, however, reach far beyond the health care profession. These rules touch all organizations that maintain this information in connection with coverage and benefit administration.

HIPAA casts a broad net in its mandate to protect medical information.

RISKS IN A WIRED WORLD

Concerns about privacy and personal information will continue to be raised as we move farther into the wired world. Society and businesses alike will struggle with the intersection of commerce and privacy.

As technology becomes more integrated into our daily lives, look for more restrictions and limitations on the collection, maintenance and distribution of personal information.

In the film, The Legend of Bagger Vance, golf is described as a game that cannot be won, only played. Likewise with security. Security cannot be permanently resolved, only continuously maintained.

In terms of balance, remember that most security breaches happen internally, not externally.

Jerald M. Savin, CPA, is president and CEO of Cambridge Technology Consulting Group Inc. in Santa Monica. You can reach him at (310) 229-8947 or jsavin@ctcg.com.
COPYRIGHT 2003 California Society of Certified Public Accountants
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:Savin, Jerald M.
Publication:California CPA
Geographic Code:1U9CA
Date:May 1, 2003
Words:1036