Tag: PIPEDA

A Country in Crisis: Data Privacy in the US

March 4, 2020 at 4:17 pm by Heidi White

In 2019, the United States held the world record of having the highest average cost per data breach at $8.19 million (IBM Security and Ponemon Institute, 2019), and healthcare data breaches affected 80% more people than just two years prior in 2017. (Statista, 2020). In today’s data-driven environment, it seems not a day goes by without hearing of a data breach or leak. Data privacy in the US is a growing problem caused primarily by the exponential increase of digital data, the trend of moving data storage to the cloud, and lack of a federal data privacy regulation.

Over the past several years, digital data has been increasing at an unprecedented rate. To put it into perspective, in 2019 the overall global population increased at just over 1% to 7.7 billion, while the number of unique mobile phone users increased by 2% to 5.8 billion. In addition, the number of internet users increased 9% to 4.4 billion, which is 57% of the global population. (Hootsuite & We Are Social 2019). As global urbanization continues, the sheer number of people utilizing data in their day-to-day lives will continue to grow. Combining personal use with the fact that nearly all businesses have a website and run their organizations using computers, it becomes clear that the use of data will only continue to increase in the coming years. All of this data, which moves across continents in seconds, needs to be stored and managed somewhere. This exponential increase in the use of digital data has required an equally aggressive increase in data storage capabilities.

data centerAs digital data increases, so does the trend of moving data storage to the cloud. Often misunderstood, the cloud is not some mystical Cumulus floating in the sky with ones and zeros suspended in it. Rather, the cloud is nothing more than large data centers that house racks and racks of servers and drives that run 24/7. These constantly moving parts create an immense amount of heat, so data centers utilize massive cooling mechanisms to keep temperature down. Understandably, data centers therefore use an excessive amount of energy, making operation fairly expensive. While larger businesses previously owned their own data centers or used in-house data storage, there has been a rapid shift to cloud service providers over the past five years. From 2017 to 2019, the number of cloud service data centers rose from 7,500 to 9,100, with 2020 expecting to see that number top 10,000. On the flip side, there were 35,900 data centers owned by non-technology firms in 2018, and that number is expected to significantly decline to 28,500 by the end of 2020. In fact, it is expected that the number of large companies in North America shifting away from using their own data centers to cloud service providers will increase from 10% in 2017 to 80% by 2022. (Loten, A. 2019). The move to cloud service providers is further evidenced by the increasing number of mergers and acquisitions in the cloud service sector. But how does this affect data privacy? It puts the onus of maintaining data privacy into the hands of technology giants rather than individual organizations who know that a breach could literally destroy their businesses. As data increases exponentially and its storage shifts inexorably to the cloud, concerns over data security and privacy escalate in parallel, leading to much-needed data privacy legislation.

data breach costsIn 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR) in an effort to protect the privacy of European consumers. And while Canada had implemented the similar Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000, GDPR proved to be far more aggressive legislation both in terms of reach and monetary penalty. GDPR requires that all organizations that do business with EU citizens adhere to the legislation, meaning that global organizations such as Apple, Facebook, and Google, as well as smaller US companies that sell to Europeans, are required to follow GDPR. Since its inception in May of 2018, GDPR has leveraged hundreds of millions of Euros in fines and is only getting more aggressive with enforcement; however, GDPR only affects organizations that have dealings with EU citizens. Conversely, the United States has fallen behind in data privacy legislation, leaving the onus of maintaining data privacy to individual states. As of February 2020, only California, Nevada, and Maine have implemented data privacy legislation, with only the California Consumer Privacy Act (CCPA) requiring deletion of personal data if requested, similar to GDPR. (Noordyke, M. 2020). Considering that well over half of all global data breaches occur in the United States and, as previously discussed, those breaches are increasing due to the exponential increase in global data, the lack of a federal data privacy law is concerning. Unlike their European counterparts, Americans are largely left to their own devices when it comes to data privacy and have little recourse when a breach occurs. In fact, one of the largest breaches of 2012 occurred with major online retailer Zappos, affecting 24 million customers. In 2019, the agreed upon settlement to a class action lawsuit provided reparation to the affected individuals in the form of a 10% Zappos discount code that was only good through 31 December 2019. Needless to say, a 10% discount code (which actually helps Zappos rather than punishes them) in exchange for breached personal data hardly seems equitable. (Doe, D. 2019). Until the United States takes federal data privacy as seriously as their European and Canadian counterparts, the privacy and security of American citizens will continue to erode.

Data privacy and security is a serious and growing global issue, even more so in the United States where the bulk of data breaches occur. As more and more people embrace technology, the need for data storage increases, increasing the need for larger and faster data centers. Additionally, the dramatic shift from on-premise to cloud storage only exacerbates the problem of data privacy by relying on technology giants to protect organizations’ consumer data. Breaches will only escalate in line with our digital footprint, of that there is no question. Without a federal data privacy law, the privacy of American citizens’ data will continue to be at serious risk. And 10% off a pair of shoes simply isn’t the answer.

 

Heidi White is Director of Marketing at SEM and is a self-proclaimed data security fanatic. Contact Heidi at h.white@semshred.com.

 

References

IBM Security and Ponemon Institute (2019). Cost of a Data Breach Report. Retrieved from  https://www.ibm.com/security/data-breach

Statista (2020). Number of U.S. residents affected by health data breaches from 2014 to 2019.  Retrieved from https://www.statista.com/statistics/798564/number-of-us-residents-affected-by-data-breaches/

Hootsuite & We Are Social (2019), Digital 2019 Global Digital Overview. Retrieved from https://datareportal.com/reports/digital-2019-global-digital-overview

Loten, A. (2019, August 19). Data-Center Market Is Booming Amid Shift to Cloud. Wall Street Journal. Retrieved from https://www.wsj.com/articles/data-center-market-is-booming-amid-shift-to-cloud-11566252481

Noordyke, M. (2020). US State Comprehensive Privacy Law Comparison. Retrieved from https://iapp.org/resources/article/state-comparison-table/

Doe, D. (2019, October 18). Zappos data breach settlement: users get 10% store discount, lawyers get $1.6m. Retrieved from https://www.databreaches.net/zappos-data-breach-settlement-users-get-10-store-discount-lawyers-get-1-6m/

PIPEDA: Protecting the Privacy of Canadian Citizens

September 28, 2019 at 8:46 am by Paul Falcone

What is PIPEDA?

Since crafting the original Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000, Canada has been an innovative force in sensitive-data privacy protection. Originally created to foster trust in ecommerce, PIPEDA has evolved to provide more stringent data protection across the digital landscape.

The basic premise of PIPEDA is to prevent Personally Identifiable Information (PII) from being used or disseminated without purposeful consent from the individual. If an organization wants to use PII for more than one explicit purpose, multiple requests or a comprehensive request must be made to secure the individual’s consent. The law also grants individuals the right to access their data and stipulates that organizations must make their compliance policies readily accessible and easily understood.

As of November 1, 2018, a new provision regulating protocol for a PII data breach was added to PIPEDA. All organizations that experience such a breach must report any ramifications that may put individuals at risk to the Privacy Commissioner of Canada. The organization must also notify the individuals affected by the breach and notify any other organizations that may be able to help the individuals avoid data misuse or harm. Detailed records regarding each breach must be kept at least 24 months after the date of the incident.

Organizations Subject to PIPEDA Regulations

PIPEDA applies to any private-sector organization (including those regulated on a federal level by the Canadian government) that collects personal information through commercial activity. Commercial activity excludes donations and fundraising, organizational membership fees, and lists related to communication generated by nonprofit organizations, schools, hospitals and political parties. However, if such lists are sold, bartered, or leased, that activity becomes subject to PIPEDA regulations.

Additionally, if a province has its own private-sector law that is similar to PIPEDA, then any private-sector organization operating solely within that province is not subject to PIPEDA. Currently, Alberta, British Columbia, and Quebec have such laws in effect; however, any business operating in Canada that handles PII is subject to PIPEDA if that information crosses provincial or national borders. Organizations operating solely within Ontario, New Brunswick, Newfoundland, Labrador, and Nova Scotia are also exempt from PIPEDA as concerns health data only. Since PIPEDA is similar to the EU’s General Data Protection Regulation (GDPR), information is allowed to flow freely from compliant organizations within the EU and Canada.

What Information is Covered by PIPEDA?

PII under PIPEDA regulations includes age, name, ID numbers (including Social Insurance and driver’s license numbers), financial information (including credit and loan records and disputes with merchants), race, religion or ethnic origin, marital status, health information (including DNA and blood type), education, and employment history (including employee files such as opinions and comments, evaluations, and disciplinary actions).

The Fair Information Principles

PIPEDA Schedule 1 Section 5 outlines ten stipulations—referred to as the Fair Information Principles—that must be followed:

1. Accountability: PII under an organization’s control is that organization’s responsibility. Organizations must designate a Privacy Officer to ensure compliance.
2. Identifying Purposes: At the time of PII collection, organizations are required to disclose any and all purposes for which the personal data will be used.
3. Consent: Except for cases in which legal, medical, or security reasons render consent impossible or impractical, an individual’s consent is required for collection, use, or disclosure of PII.
4. Limiting Collection: Data collection must be limited to data needed for purposes identified by the organization prior to individuals’ consent.
5. Limiting Use, Disclosure and Retention: PII may only be used for the purposes of its collection as agreed to by the individual. PII may only be retained for as long as is required to serve those purposes; subsequently, it must be disposed of securely (unless the individual consents to further PII retention and use).
6. Accuracy: PII must be as accurate and complete as possible to satisfy the purposes for which it’s used.
7. Safeguards: PII must be safeguarded against theft, loss and unauthorized access, use and modification.
8. Openness: Organizations must ensure that policies and procedures related to their management of personal data are easily accessible to individuals in language that is generally understood.
9. Individual Access: Upon request, individuals shall be informed of the existence, use, and disclosure of their PII and be granted access to it. Individuals may challenge the completeness of the information and have it amended. The only exception to this principle is when the information cannot be disclosed for legal or security reasons.
10. Challenging Compliance: An individual may challenge an organization’s compliance with PIPEDA directly through its Privacy Officer.

PIPEDA and Data Destruction

Fair Information Principle 5 stipulates that PII in any form no longer serving its specifically intended purposes must be disposed of securely, and that any information retained for statistical purposes must be rendered anonymous. Organizations should have a comprehensive plan addressing the PII life cycle that mandates (through proprietary or third-party means) adequately secure data destruction. Should destruction of electronic devices be necessary, one person should be assigned responsibility.

Organizations may use properly credentialed third-party vendors for data destruction and disposal, although the organizations are responsible for verifying results. Organizations must ensure that the third-party vendor used has comprehensive plans for both secure transportation and transmission of sensitive data to/from their facility, as well as comprehensive destruction plans. Ideally, the organization would have the capability to monitor third-party data destruction and conduct periodic reviews and audits. Of course, the most secure method is to utilize in-house data destruction.

Acceptable methods of data destruction are dependent on the media. Hard copies of data must be destroyed to the point of impossible recovery. Acceptable methods include disintegration, incineration, pulverization, melting, and shredding. Electronic copies of data must be destroyed through complete deletion without means of simple recovery, complete overwriting with non-sensitive data, or degaussing (for magnetic media only).

When being completely destroyed, all media containing PII should be disposed of in accordance with the parameters defined in internationally recognized data destruction guidelines from DIN Standard 66399. Materials classified within the DIN Standard are:

• Original-sized physical media (e.g., paper, printing plates—classified as “P”)
• Reduced-sized physical media (e.g., microfilm—classified as “F”)
• Optical media (e.g., CDs or Blu-Ray—classified as “O”)
• Magnetic data devices (e.g., payment cards and floppy disks—classified as “T”)
• Hard disk drives (classified as “H”)
• Electronic data devices (e.g., USB drives and SSDs—classified as “E”)

For each media classification, DIN Standard 66399 outlines security measures from 1 (lowest level: reproduction of destroyed data requires little effort) through 7 (highest level: reproduction of destroyed data is impossible given current state of technology) that have associated data-destruction specifications.

When procuring third-party vendors or machinery for data destruction, it’s imperative you ensure compliance with, and adherence to, the appropriate security ratings and PIPEDA regulations. Companies like SEM provide sophisticated data destruction technology solutions to keep your organization in compliance with PIPEDA and other global security standards.

Data Security Regulation Compliance: Challenges and Solutions

July 1, 2019 at 8:28 pm by Paul Falcone

GDPR. GLBA. FACTA. These are just a few of the recent onslaught of acronyms that have risen to govern federal and state privacy and data security regulations for businesses and organizations. Some are truly new, while others have been established for quite some time and are just getting more attention now. Indeed, consumer privacy laws and protocols have been the focus of society’s conversation at large for the last two years. And, this global conversation is only just getting started.

If you’re just joining in on the discussion, or even if you’re not and you want a quick refresher, continue reading for a quick overview of the most important national and international data security regulations currently in effect.

The Top 8 Data Security Regulations

HIPAA Privacy & Security Rules

Providers, professionals, and clearinghouses (hereto referred as covered entities) in the healthcare industry that are covered under HIPAA must also adhere to specific security regulations for all Protected Health Information (PHI) that the organization collects.

The HIPAA Privacy Rule requires the covered entity to implement appropriate physical (e.g., facility access and control; workstation and device security), technical (e.g., access control; audit controls; integrity controls; transmission security), and administrative (e.g., security management process; security personnel; information access management; workforce training; policy and procedure evaluation) safeguards for PHI to avoid prohibited as well as incidental use and disclosure of the PHI data. See 45 CFR 164.530(c). In addition, the HIPAA Security Rule also requires the covered entity to set policies and procedures for the disposal of electronic PHI (ePHI). As part of this mandatory safeguard process, covered entities must also train their workforce members on the proper disposal policies and procedures erected and enforce these policies. See 45 CFR 164.310(d)(2)(i).These rules hold especially true with the disposal of PHI and requires the covered entity to not only destroy the ePHI and the hardware or electronic media on which it is stored, but to first properly dispose of the ePHI data on the media before that media is made ready for reuse. Failure to adhere to the HIPAA Security and Privacy Rules could result in unlawful release of PHI, and consequently, the potential for identity theft, employment discrimination, or even harm to the individual’s reputation. Moreover, the covered entity can face serious penalties for noncompliance.

FACTA

The Fair and Accurate Credit Transactions Act (FACTA) is an addendum to the Fair Credit Reporting Act (FCRA) and covers creditors, accountants, lawyers, financial institutions, and other organizations dealing with consumer credit information. FACTA limits how consumer information can be shared as well as controls how this private data is disposed of, to ensure protection of the individual to whom the information pertains from identity theft.

When it comes to the proper disposal of consumer information, FACTA stipulates that reasonable measures must be taken by the organization to prevent the theft or otherwise unauthorized access and use of the protected data. The Rule mandates said data be destroyed by the pulverization, shredding, or burning of all papers in which the consumer information is printed, rendering the information unreadable and otherwise unable to be reconstructed in any manner. FACTA disposal policies also extend to the electronic media housing the protected consumer information.

Organizations under FACTA may also need to incorporate their data disposal policies into the organization’s security information program as required by the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR part 314 (“Safeguards Rule”) and for persons subject to the Gramm-Leach-Bliley Act.

GLBA

The Gramm-Leach-Bliley Act (GLBA) of 1999 mandates that financial institutions and any other companies that offer financial products to consumers such as loans, financial or investment advice, and insurance must have safeguards to protect their customers’ sensitive data and must also disclose in full their information-sharing practices and data security policies to their customers.

Check-cashing businesses, payday lenders, real estate appraisers, professional tax preparers, courier services, mortgage brokers, and nonbank lenders are examples of businesses that don’t necessarily fall under the “financial institution” category yet are included in the GLBA. Because these organizations are significantly involved in providing financial products and services, they therefore have access to personally identifiable and sensitive data like social security numbers, phone numbers, addresses, bank and credit card numbers, and income and credit histories.

GLBA-covered organizations must develop a written information security plan that details the policies put in place at the organization to protect customer information. The security measures must be appropriate to the size of the business and the complexity of the data collected. Moreover, each company must designate an employee or a group of personnel to coordinate and enforce its security measures. Lastly, the organization must continually evaluate the effectiveness of its developed security measures, identifying and assessing risks to improve upon the policy and measures taken as needed.

FISMA

To ensure the protection of proprietary United States data within government agencies and affiliated organizations, legislation to regulate proper data and information security management was passed as part of the Electronic Government Act of 2002. Called the Federal Information Security Management Act (FISMA), this law focuses on the importance of data security as it relates to the economic and national security interests of the US. As such, FISMA stipulates that all US government agencies, government contractors, and any organization that exchanges data directly with a government system must safeguard all of their information technology (IT) systems, including stored data, by developing, documenting, and implementing an information security program.

In 2014, this law was amended to the Federal Information Security Modernization Act (FISMA 2014) to bolster the authority of the Department of Homeland Security (DHS) to administer, implement, and provide technical assistance with policies for information security for non-national (civilian) security federal Executive Branch systems. FISMA 2014 also updated and clarified the oversight authority of the Office of Management and Budget (OMB) and its ability to eliminate inefficient and wasteful reporting of any organization under FISMA. It also sanctions DHS’ role in assisting OMB with this responsibility.

The purpose of FISMA is to protect government information, assets, and operations against natural threats and criminal activity, whether from within the US or outside. Therefore, any US organization directly related to or doing business with the US government, including federal- and state-level government agencies and contractors, state government departments, military subcontractors, and even data clearinghouses fall under FISMA regulations.

Failure to pass a FISMA inspection by DHS or OMB can result in unfavorable publicity for the organization and an IT budget cut, as well as significant administrative ramifications to the organization. However, failure to comply with FISMA, especially when it comes to breach-avoidance and proper data destruction, can have much grander and more catastrophic implications. Should any private, secured federal data be compromised and the organization was found to be noncompliant, there are serious civil and criminal federal consequences.

GDPR

While a security regulation of the EU, the General Data Protection Regulation (GDPR) of 2016 is applicable to those US-based organizations that do business internationally. GDPR effectively puts the customer first over the business, ruling that all private data is owned by the customer and not the business in which it was collected.

GDPR ensures the protection and privacy of consumer data as it is handled, stored, disclosed, and disposed of by the organization that holds it. Following GDPR requires obtaining consumer consent before collecting any data, providing consumers with a full report on what data has been collected and how it’s used if they request it, as well as a copy of the data itself and the immediate and proper destruction of data if the consumer requests it to be deleted. The organization must also have proper security controls in place for the safeguarding of consumer data and must place someone within the company to oversee and manage these compliance policies, including for data disposal.

gdpr-data-center

An organization under GDPR that is found to be noncompliant is subject to a fine equaling two to four percent of its global annual revenue for the most recent fiscal year (on average, calculated at as much as $11-24 million).

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal privacy law for the handling of personal information by all federally regulated organizations as well as private-sector commercial organizations, regardless of the industry.

Like GDPR, organizations covered by this law must first obtain a consumer’s permission and consent before collecting, using, disclosing, and/or storing any personally identifiable information (PII). In addition, PIPEDA mandates that the information obtained can only be used for the purpose in which it was originally collected or else the organization needs to obtain renewed consent by the consumer for the use change. Moreover, consumers have the right to access their stored personal information as well as the right to challenge its accuracy. (The only organizations exempt from PIPEDA are those that are already subject to the similar privacy laws for private-sector organizations within Alberta, British Columbia, and Quebec provinces.) Canadian-based organizations that handle PII crossing provincial or national borders are also subject to PIPEDA compliance.

SOX

Aptly referred to as the “Corporate and Auditing Accountability and Responsibility Act” or the “Public Company Accounting Reform and Investor Protection Act,” the Sarbanes-Oxley (SOX) Act of 2002 addresses the standards by which the management and board of directors of any US-domestic public company handle the financial information and financial reporting of the organization. The SOX Act also extends to public accounting firms as well as to other companies that do business with publicly traded companies, even if said company is not a publicly traded entity.

The SOX Act is made up of two main clauses. According to Section 404 under the Management Assessment of Internal Controls, Clause A requires these publicly traded companies to create a commission on behalf of the company that develops and enforces rules for maintaining an internal control report for each annual financial report by section 13(a) or 15(d) of the Securities
Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)). This internal control report must include information and policies on how management establishes and maintains an adequate structure for internal control as it pertains to the financial reporting of the company. Clause A also requires the commission to write up an annual report on the effectiveness of the internal control policies and financial reporting procedures at the end of each fiscal year.

Clause B expands on the regulations for the internal control evaluation and reporting, adding in required responsibility of the commission or registered public accounting firm issuing the audit report to accurately prepare the audit as stated in Clause A. That is, said commission or public accounting firm is also held liable to the reported information claimed about the management of the stated financial information in the internal control report.

Maintaining compliance with the SOX Act therefore means ensuring all financial information and reporting that pertains to the organization is kept secure and protected from unauthorized personnel and possible theft.

PCI DSS

The Payment Card Industry (PCI) Data Security Standard (DSS) protects consumer cardholder data by helping to alleviate the vulnerabilities experienced by credit card merchants for payment card transactions and processing systems.

Following common sense, PCI DSS mandates the credit processing merchant organization adhere to the following three steps: 1) Assessment, as in analyzing the IT assets and payment card processing protocols for the organization to identify any vulnerabilities with regard to the storage of cardholder data; 2) Remediation, as in the fixing of all identified vulnerabilities, and also applicable to ensuring cardholder data is not stored unless it is needed by the business; and 3) Reporting, as in the compilation of records to ensure validity of any remediation actions and the submission of all compliance reports to the bank and card brands with whom the organization does business. Finally, these DSS rules apply to all entities globally that store, process, and/or transmit cardholder data, and with guidance for software developers and manufacturers of applications and devices used in those transactions.

A Standard for Compliance

Depending on the type of business you manage or own, your organization may be subject to one or more of these data and privacy security laws. Rather than create varied sets of rules and policies for each, which could cause issues in overhead and personnel costs, not to mention unnecessary protocol confusion and training needs, it would behoove your business to develop one data security protocol to cover all applicable regulations.

Data Disposal Best Practices

This one-size-fits-all mindset is especially cost-effective when it comes to the data destruction policies under the various laws and regulations.

No matter which regulation your organization follows, it’s recommended that you first create a private space within your organization to house a data and/or drive destruction machine rather than work off-site with a third party at their establishment. You should also create a limited group of personnel with the sole authorization to oversee all data security compliance processes as it pertains to the destruction of data that’s reached end-of-life.

Furthermore, when it comes to the end-of-life cycle, both data and the device in which the data is housed must be destroyed via shredding, degaussing, disintegrating, incinerating, melting, or pulverizing machinery so that neither device nor data can be read or otherwise reconstructed. It may also behoove your organization to keep a record audit of all data destruction events to prove your company’s compliance if a breach at this level does occur.

To ensure these procedures remain as cost-effective as possible, you’ll want to choose a third-party vendor like SEM that has both documentation software, like the iWitness, as well as NIST- and NSA-approved data destruction machinery to purchase and keep at your organization.