personally identifiable information – ftc: identity theft is the most common consumer complaint

Personally Identifiable Information(PII) Presentation by: Ross Federgreen* *Founder, CSRSI® THE PAYMENT ADVISORS

Upload: jan-carroza

Post on 30-Nov-2014


DESCRIPTION

Retailers are liable for identity theft and can be subject to fines and criminal prosecution for breach. What consumer information is considered Personally Identifiable Information (PII)? What laws should retailers be aware of? What are the 6 General Mandates that affect every retailer? What can merchants do to secure their electronic payments systems and procedures?

TRANSCRIPT

Page 1: Personally Identifiable Information – FTC: Identity theft is the most common consumer complaint

Personally Identifiable Information(PII)

Presentation by: Ross Federgreen*

*Founder, CSRSI® THE PAYMENT ADVISORS


PII

Covers a wide range of data elements which can be tied back to or represent a given individual and can be used to cause harm to the individual if used without proper authorization.

Page 6

PII

• Individual Name
• Address
• Telephone number
• Social Security number
• Driver License number
• Date of Birth
• Bank Account number
• Credit and Debit card number
• State Identification number
• Passwords

Page 7

PII Regulation

• ALL States
• Federal
• Civil and Criminal

Page 8

PII Federal Information Security Laws

Federal Trade Commission Act of 1914 (FTC Act) and FTC Standards for Safeguarding Customer Information (FTC Safeguards Rule) enacted in 2003.

Page 9

PII Federal Information Security Laws

• Federal Privacy Act
• Federal Information Security Management Act
• OMB Security Act
• Veterans Affairs Information Security Act
• Gramm-Leach-Bliley Act
• Federal Trade Commission Act (FTC Act)
• Fair Credit Reporting Act
• Health Insurance Portability and Accountability Act (HIPAA)
• Public Company Accounting Reform and Investor Protection Act (Sarbanes-Oxley)
• Family Educational Rights and Privacy Act (FERPA)
• Driver's Privacy Protection Act (DPPA)
• Fair and Accurate Credit Transactions Act (FACTA)
• USA Patriot Act

Page 10

PII Federal Information Security Laws

Customer Identification Program Rules implementing Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act)

Page 11

PII 110th Congress - Data Security Bills

Three bills were reported favorably out of Senate committees:
• S.239 (Feinstein)
• S.495 (Leahy)
• S.1178 (Inouye)

• Information and Data Breach Notification Requirements

Other bills introduced:
S 806 (Pryor), S 1202 (Sessions), S 1260 (Carper), S 1558 (Coleman)
HR 516 (Davis), HR 836 (Smith), HR 958 (Rush), HR 1307 (Wilson), HR 1685 (Price), HR 2124 (Davis)

Page 12

PII

As of January 2008, 39 states have enacted data security laws requiring entities to notify persons affected by security breaches and, in some cases, to implement security programs to protect the security, confidentiality and integrity of data.

Six states have introduced bills or enacted legislation to strengthen merchant security and/or hold companies liable for third-party companies' costs arising from data breaches:

• California
• Connecticut
• Illinois
• Massachusetts
• Minnesota
• Texas

Page 13

PII Federal Trade Commission (FTC):

Identity theft is the most common complaint from consumers in all 50 states.

It represents between 35% and 40% of all complaints for the years 2005, 2006 and 2007.

In 2006 there were over 246,000 complaints filed.

Page 14

PII Data Breaches

Identity Theft
Financial Crimes

• Credit Card Fraud
• Utilities Fraud
• Bank Fraud
• Mortgage Fraud
• Employment Related Fraud
• Government Documents Fraud
• Benefits Fraud
• Loan Fraud
• Health Care Fraud

Page 15

PII Public concerns with Identity Theft:

Security of sensitive information

Security of computer systems

Federal laws protecting

Adequacy of enforcement

Page 16

PII LIABILITY FOR Identity Theft:

• Retailers
• Credit Card Issuers
• Payment Processors
• Banks
• Data Processors

Page 17

PII CRIMINAL PROSECUTION

FAILURE TO REPORT

UNAUTHORIZED POSSESSION

UNAUTHORIZED ACCESS

FAILURE TO SAFEGUARD

Page 18

PII Federal Trade Commission

CONSENT DECREE JANUARY 2008: LIFE IS GOOD.com

Being embraced as a minimum standard for operating entities to comply with on a going-forward basis.

Page 19

PII Federal Trade Commission

CONSENT DECREE JANUARY 2008: “COMPREHENSIVE INFORMATION-SECURITY PROGRAM”

Includes administrative, technical and physical safeguards tailored to the size of the commercial entity, the nature of its activities and the sensitivity of the personal information collected.

SIX GENERAL MANDATES

Page 20

PII Federal Trade Commission

CONSENT DECREE JANUARY 2008 Mandates:

Designation of an employee or employees to coordinate the information security program.

Page 21

PII Federal Trade Commission

CONSENT DECREE JANUARY 2008 Mandates:

Identification of internal and external risks to the security and confidentiality of personal information, and assessment of the safeguards already in place.

Page 22

PII Federal Trade Commission

CONSENT DECREE JANUARY 2008 Mandates:

Creation and implementation of safeguards to control the risks identified in the risk assessment.

Page 23

PII Federal Trade Commission

CONSENT DECREE JANUARY 2008 Mandates:

Monitoring of the safeguards' effectiveness.

Page 24

PII Federal Trade Commission

CONSENT DECREE JANUARY 2008 Mandates:

Development of reasonable steps to select and oversee service providers that handle personal information.

Page 25

PII Federal Trade Commission

CONSENT DECREE JANUARY 2008 Mandates:

Evaluation and adjustment of the program to reflect the results of monitoring, material changes to the company's operations, or other circumstances that may affect program efficiency.

Page 26

PII VISA CISP BULLETIN MAY 14, 2007

LEVEL 4 MERCHANT COMPLIANCE PROGRAM REQUIREMENTS

1. TIMELINE OF CRITICAL EVENTS
2. RISK-PROFILING STRATEGY
3. MERCHANT EDUCATION STRATEGY
4. COMPLIANCE STRATEGY
5. COMPLIANCE REPORTING

Page 27

PII CONCLUSION:

PCI DSS IS A SUBSET OF PII REGULATION

SIMPLY ASKING A MERCHANT TO ANSWER THE PCI DSS SAQ WITHOUT TRUE EDUCATION, RISK ANALYSIS AND FOLLOW-UP MONITORING FAILS TO MEET THE STANDARD

REGULATION, RISK AND LIABILITY WILL ONLY INCREASE IN THE CURRENT ENVIRONMENT

Page 28

Review Articles

Federgreen, R; The facts on FACTA; The Green Sheet; 8:06:01; 2008

Federgreen, R; PCI DSS and HIPAA- The security standards share common ground. Transaction Trends; 2007

Federgreen, R; PCI Eye to eye with federal law; The Green Sheet; 7:07:02; 2007

VISA.COM/CISP


QUESTIONS?

CSRSI.COM
PCITOOLKIT.COM

[email protected] 462 7774 ext 1