Today's corporate executives are faced with an array of data security legislation which mandates that they be personally accountable for the protection of customer account information. Crippling penalties present a modern-day 'sword of Damocles' hanging above the desks of CTOs, CIOs, CFOs and CEOs.
Recent corporate scandals, the rise in identity theft and reports of mishandling of sensitive client information have raised awareness of and concern over the security of customer financial data. Because of the heavy reliance on the exchange of information, more and more corporations are finding that they are in possession of sensitive information that could be stolen by cyber thieves to perpetrate crimes.
Corporate officers are affected by at least one piece of legislation from the growing list that directly addresses the handling and protection of customers' personal information, levying serious penalties and even jail time for non-compliance. In most cases two or three laws can come into play; they include the following:
- ISO 17799
- Sarbanes-Oxley
- GLBA
- BASEL II
- HIPAA
- California SB1386
- PCI Data Security Standard
- New York Information Security Breach and Notification Act
- PIPEDA
C-level executives need a method to stay informed of their corporate information security posture, easily track and document compliance, and get back to the job of managing the business.
Sorting out Data Security
Doing business today requires you to have the ability to access and exchange information quickly and cost-effectively. B2B, e-commerce, online credit applications, background checks, etc. all dictate that you provide fast and easy access to information in order to remain competitive. Company officers cannot be burdened with knowing the specific methods and technologies necessary to carry out these functions, yet they are held entirely accountable should any of this sensitive data fall into the wrong hands.
Ratified and put into law in 1999, the Gramm-Leach-Bliley Act, or Financial Services Modernization Act of 1999, primarily sought to "modernize" financial services by putting an end to regulations that prevented the merger of banks, stock brokerage companies, and insurance companies. The removal of these regulations, however, raised the risk that these new financial institutions would have access to an incredible amount of personal information, with no restrictions upon its use.
GLBA included three simple requirements to protect the personal data of individuals: First, banks, brokerage companies, and insurance companies must securely store personal financial information. Second, they must advise you of their policies on sharing of personal financial information. Third, they must give consumers the option to opt-out of some sharing of personal financial information.
The key phrase here is 'securely store'. This is the one function affecting the sharing of personal financial information that is entirely the responsibility of the financial institution. The tenets of data security under GLBA are as follows:
- Involve the Board of Directors
- Assess Risk
- Manage and Control Risk
- Oversee Service Providers
- Adjust the Program
- Report to the Board
- Implement the Standards
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 42 U.S.C. 201 et seq., was passed by Congress to reform the insurance market and simplify health care administrative processes.
The primary intent was to improve the efficiency of the health care system by standardizing the electronic exchange of health information and to protect the security and privacy of member-identifiable health information.
As far as information security is concerned, sections 160, 162 and 164 describe the primary areas of focus as follows:
- Evaluation
- Security Management Process
  - Policies and procedures to prevent, detect and contain security violations; conduct an accurate and thorough assessment of potential risks and vulnerabilities.
  - Implement procedures to regularly review records of information system activity.
- Security Incident Procedures
The security and privacy sections both mandate good password policies and routine checking of password strength, which are essential to strong network security.
PCI Data Security Standard
For the credit card industry, this is not a novel concept. The important advent of ratifying a common set of data security standards greatly simplifies the process for service providers that deal with more than one type of bank card.
One could argue that the payment card industry has in place more stop-gaps to prevent misuse of customer account data than any other industry that deals in sensitive consumer financial data.