Privacy Compliance Challenges for Your Business

Assurance Point LLC ~ Privacy

Nearly all states have enacted data breach notification laws to help individuals protect their personal information and avoid falling victim to identity theft. These statutes create new compliance obligations and potential liability risks for businesses regardless of size. Massachusetts has taken this further with the enactment of MA 201 CMR 17.00, which mandates standards to safeguard personally identifiable information.

Does your business collect the following types of personal information? Use these working definitions to determine whether you have an obligation to comply with privacy law:

Personally Identifiable Information (PII)
First name and last name, or first initial and last name, in combination with any one or more of the following data elements:

• Social Security number
• Driver's license number
• State-issued identification card number
• Financial account number or debit and credit card number

Protected Health Information (PHI)
Health information created or received by a medical provider, group health benefit plan or clearinghouse, in combination with any of the following:

• Name
• Address
• Date of Birth
• Email
• Health Benefit Plan number
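The two working definitions above are rules that a data inventory can be checked against. The following is an added example (not Assurance Point's own tooling) that encodes them: a record is PII when it carries a first name (or initial) plus last name together with at least one of the listed identifiers, and PHI when health information from a covered source is combined with any of the listed linking fields. The field names, the source labels, the "health information" fields and the sample inventory are all constructed assumptions for illustration.

```python
# Added example: triage a data inventory against the page's working definitions
# of PII and PHI. Not Assurance Point's code. Field names, the "source" values,
# the HEALTH_FIELDS set and the sample records are constructed for illustration.
from typing import Dict, List, Set

# A name is first name + last name, or first initial + last name (PII definition).
NAME_FIELDS = {"first_name", "first_initial", "last_name"}

# Any one of these, combined with a name, makes the record PII.
PII_IDENTIFIERS = {
    "ssn", "drivers_license", "state_id",
    "financial_account", "debit_card", "credit_card",
}

# Constructed examples of fields that hold "health information".
HEALTH_FIELDS = {"diagnosis", "treatment", "prescription", "claim"}

# Health information becomes PHI when combined with any of these.
PHI_LINKERS = {
    "first_name", "last_name", "address", "date_of_birth",
    "email", "health_plan_number",
}

# Sources whose health information falls under the PHI definition.
COVERED_SOURCES = {"medical_provider", "group_health_plan", "clearinghouse"}


def populated(record: Dict[str, str]) -> Set[str]:
    """Names of fields that actually carry a value; blanks do not count."""
    return {k for k, v in record.items() if v is not None and str(v).strip()}


def has_name(fields: Set[str]) -> bool:
    """Last name plus either a first name or a first initial."""
    return "last_name" in fields and ("first_name" in fields or "first_initial" in fields)


def is_pii(record: Dict[str, str]) -> bool:
    fields = populated(record)
    return has_name(fields) and bool(fields & PII_IDENTIFIERS)


def is_phi(record: Dict[str, str], source: str) -> bool:
    fields = populated(record)
    return (source in COVERED_SOURCES
            and bool(fields & HEALTH_FIELDS)
            and bool(fields & PHI_LINKERS))


def classify(record: Dict[str, str], source: str = "other") -> Set[str]:
    """Labels ('PII', 'PHI') that the record triggers under the definitions."""
    labels = set()
    if is_pii(record):
        labels.add("PII")
    if is_phi(record, source):
        labels.add("PHI")
    return labels


def triage(inventory: List[dict]) -> Dict[str, Set[str]]:
    """Dataset name -> labels, for every dataset whose sample rows trigger a definition."""
    result: Dict[str, Set[str]] = {}
    for dataset in inventory:
        labels: Set[str] = set()
        for record in dataset["sample"]:
            labels |= classify(record, dataset.get("source", "other"))
        if labels:
            result[dataset["name"]] = labels
    return result


# Constructed sample inventory: one row per dataset, values are placeholders.
SAMPLE_INVENTORY = [
    {"name": "payroll", "source": "other",
     "sample": [{"first_name": "Ann", "last_name": "Lee", "ssn": "000-00-0000"}]},
    {"name": "newsletter", "source": "other",                      # name + email only: neither
     "sample": [{"first_name": "Ann", "last_name": "Lee", "email": "ann@example.com"}]},
    {"name": "claims", "source": "group_health_plan",              # plan number + claim: PHI
     "sample": [{"health_plan_number": "PLAN-0001", "claim": "CL-42"}]},
    {"name": "directory", "source": "other",                       # identifier field is blank
     "sample": [{"first_initial": "A", "last_name": "Lee", "drivers_license": ""}]},
]

if __name__ == "__main__":
    for name, labels in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{name}: {', '.join(sorted(labels))}")
```

Note that the newsletter and directory datasets are deliberately left unlabelled: a name with only an email does not meet the PII definition, and a blank identifier field is not a collected identifier. Which datasets are in scope is exactly the question the rest of this page asks, so a check like this is a reasonable first pass before mapping requirements to controls.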

The challenge of information privacy for every business today is the confusing mix of state and federal laws that apply to this area. The following is only a partial list of the privacy regulations with which your business may be required to comply.

HIPAA – Health Insurance Portability and Accountability Act

GLBA – Gramm-Leach-Bliley Act

FCRA – Fair Credit Reporting Act

COPPA – Children’s Online Privacy Protection Act

FTC Act – Enforcement of unfair and deceptive trade practices pertaining to an organization’s privacy practices.

A Holistic Approach to Privacy Compliance

Rather than developing individual policies, standards and procedures to comply with privacy laws, Assurance Point recommends taking a holistic approach to information privacy.

Privacy Policy
First, your organization should have a clear privacy policy that is aligned with your business objectives. This policy should address the collection, use, disclosure to third parties and protection of personal information as mandated by law, but it should also reflect your organization’s core values about how you use and safeguard your customers’ and employees’ information. All parts of your business should "buy into" this policy, especially the major stakeholder areas of Human Resources, Marketing, Legal and IT. The policy is then communicated to your customers and employees through Privacy Notices that clearly explain the choices individuals can make to either “opt in” or “opt out” of information collection and sharing.

Comprehensive Controls
Second, map the privacy requirements of the applicable laws and of your privacy policy to a set of information security controls based on a comprehensive framework such as NIST, ISO/IEC 27002 or COBIT. This has proven to be a cost-effective approach: it ensures compliance while minimizing the number of controls to implement and audit, because one control can satisfy several overlapping requirements. See our “5 Step Program to Managed Privacy Risk” for additional information.