Part I of this article, which can be found on our website at www.metrocorpcounsel.com, introduced the need for companies in all industries to conduct a privacy and information security risk assessment and identified some of the preliminary steps for this assessment. Part II of this article describes the remaining steps necessary for a thorough and effective assessment.
As discussed in Part 1 of this article, privacy and security must be critical areas of concern for any company that maintains personal information about customers or employees. The key first step in understanding and evaluating your risks in this area involves a privacy and security assessment, one that permits your company to evaluate its primary areas of legal obligation and to identify those areas that are most likely to create risk.
This assessment is not designed to answer all of your privacy and security questions - but it is a good starting point to consider areas of primary concern for your company. The key to an assessment is to identify how your company gathers, stores and discloses personal information about customers, employees and others. If you are an "unregulated" company - a typical retailer, for example - the goal will be to meet a reasonable baseline of privacy and security standards, as set by the Federal Trade Commission, numerous state laws and a variety of best practices that apply to personal information, largely independent of business context. If you're a tax preparer, a cell phone company, a bank or a health care company, you will have additional requirements and concerns specific to your business. But, for any company that creates, maintains or discloses personal information about customers and/or employees, you need to have an approach to dealing with each of the areas identified by this assessment, to allow you not only to identify and manage risk, but also to take reasonable - and sometimes surprisingly easy - steps to reduce your overall exposure.
The First Steps
As we identified in Part 1 of this article, an effective privacy and information security risk assessment must start with the following key steps:
• Information Security Practices
This assessment effort needs to focus on two broad categories of activities. First, companies need to recognize the increasing regulation of information security practices - from the Federal Trade Commission's "best practices" to the new standards imposed on any company that accepts credit cards (the Payment Card Industry Data Security Standard, or PCI DSS). Beyond these overall compliance requirements, companies next need to focus on practical employee training and on developing an effective overall security program.
• Core Privacy issues
There is a wide variety of substantive privacy laws that restrict how specific kinds of personal data can be used and disclosed, such as the HIPAA privacy rule for the health care industry and the Gramm-Leach-Bliley Act for the financial services industry. In addition to these industry-specific legal requirements, there is an emerging array of "best practices" for the collection, use and disclosure of personal information across industries, supplemented by a variety of additional context-specific requirements. Your privacy assessment should be designed to help your company identify the primary uses and disclosures of personal information so that you can concentrate on the rules and best practices that actually apply to your business.
Once you have reviewed these initial "scope" issues, you are ready to move into "Part 2" of your assessment, by drilling down into some of the more complicated areas that have an effect on a large number of companies and create specific categories of risk.
Social Security Numbers
While broader questions of privacy and security can be complicated, companies should pay special attention to the single most sensitive piece of personal information they are likely to hold - the Social Security Number (SSN). The SSN is the Holy Grail for a data thief - it is the entryway to a wide range of opportunities for identity theft, financial fraud and other privacy and security harms. Yet, in most cases, companies cannot identify to any reasonable degree where they collect SSNs, what the SSNs are used for, where they are stored, and to whom they are disclosed. In many cases, SSNs are routinely collected and disclosed simply because people are not thinking about the risks. There is no more effective means of reducing overall privacy and security risk within a company than to reduce dramatically the use and disclosure of, and access to, SSNs. Where companies collect this information from customers, the risks are substantial. But many companies fail to assess the risks from the collection of SSNs from and about employees. Employee SSNs often are widely available across the company and distributed to a wide range of service providers and business partners, without any reasonable analysis of whether the recipient needs the information at all or whether extra precautions could reduce the risk. Companies should place an enormous priority on a thorough review of overall practices involving SSNs.
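The inventory step above - finding out where SSNs actually sit - is usually the hard part, because SSNs end up in spreadsheets, free-text notes and vendor exports that nobody documented. The following is an added example, not code from the original article, of the kind of discovery check a security team runs during the assessment: it scans constructed sample records from three hypothetical data stores for SSN-shaped values, applies the Social Security Administration's structural rules (area not 000, 666 or 900-999; group not 00; serial not 0000) to discard obviously fake matches, and reports how many records in each store carry a plausible SSN. The store names, the records and the masked report format are all assumptions for illustration.

```python
"""Inventory SSN-shaped values across sample data stores.

Added illustration for the SSN inventory step of a privacy assessment;
not code from the original article. All store names and records below
are constructed sample data.
"""
from __future__ import annotations

import re
from collections import Counter

# Nine digits in the 3-2-4 SSN grouping, with optional '-' or ' ' separators.
# The lookarounds stop the pattern matching inside longer digit runs
# (order numbers, phone numbers) or adjacent to other word characters.
SSN_RE = re.compile(r"(?<![\w-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\w-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area 000, 666 and 900-999
    are never issued, and group 00 / serial 0000 never occur. These rules
    reject obviously fake values; they cannot confirm a number was issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> list[str]:
    """Return plausible SSNs found in text, normalised to ###-##-####."""
    found = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            found.append(f"{area}-{group}-{serial}")
    return found


def mask(ssn: str) -> str:
    """Keep only the last four digits for the assessment report itself,
    so the inventory does not become one more copy of the SSNs."""
    return "***-**-" + ssn[-4:]


def inventory(stores: dict[str, list[str]]) -> dict[str, int]:
    """Count, per store, the records that contain at least one plausible SSN."""
    counts: Counter[str] = Counter()
    for name, records in stores.items():
        counts[name] = sum(1 for record in records if find_ssns(record))
    return dict(counts)


# Constructed sample data standing in for real HR, CRM and vendor files.
SAMPLE_STORES: dict[str, list[str]] = {
    "hr_payroll.csv": [
        "Doe,Jane,123-45-6789,2008-01-15",
        "Roe,Richard,387654321,2007-11-02",     # no separators, still an SSN
        "Smith,Sam,000-12-3456,2006-05-20",     # area 000: not a valid SSN
    ],
    "crm_notes.txt": [
        "Customer called re: order 5550123456 shipped 2008-06-01",
        "Verified identity by SSN 078 05 1120 over the phone",  # space-separated
    ],
    "vendor_export.json": [
        '{"emp": "Doe", "ssn": "666-01-0001"}',  # area 666: never issued
        '{"emp": "Roe", "ssn": "387-65-4321"}',
    ],
}


if __name__ == "__main__":
    for store, count in inventory(SAMPLE_STORES).items():
        print(f"{store}: {count} record(s) with a plausible SSN")
        for record in SAMPLE_STORES[store]:
            for ssn in find_ssns(record):
                print(f"    {mask(ssn)}")
```

Two practical notes. Structural filtering keeps the hit list manageable, but a clean structural match in a field labelled "account number" is still worth a look, and a hit in an HR file tells you the store holds SSNs without telling you who else receives copies; the vendor review in the next section is where those copies get traced. Report only masked values, as the script does, so the assessment output is not itself a new repository of SSNs.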
Vendor Controls
In addition to your own practices, all companies need to include in their assessment an identification of vendors who receive personal information, including what they receive, why they receive it, and what controls are placed upon them. Vendor risks are creating both significant legal risk and practical management challenges, particularly for companies that employ large numbers of vendors. For most companies, this problem cuts in two directions: most companies are both "principals" and "agents," and therefore need to develop appropriate contractual protections both for receiving and for passing on sensitive data.
Companies need to be aware that implementing appropriate vendor controls is a legal requirement in most situations. Accordingly, companies must focus their attention on (1) identifying their vendors that receive personal information; (2) ascertaining whether these vendors need to have this data; (3) developing appropriate contractual protections for any vendor that receives or creates personal information; and (4) identifying an appropriate means of monitoring the activities of their vendors, particularly those who have either large volumes of data or who engage in more sensitive activities.
While you are evaluating your vendors, keep in mind that your company is also likely to be a vendor to others, so be prepared to meet the demand for increased contractual commitments from your customers as well.
Security Breach Notice Issues
Much of the credit for making security breaches so visible in recent years rests with the laws in more than 40 states requiring notice of certain kinds of security breaches. These laws apply to any company that possesses the information they cover - primarily social security numbers, credit card numbers and bank account numbers (although California recently added health care information to this list). Therefore, every company needs to be aware of these laws. Moreover, because these laws are triggered only after something bad - a security breach - has happened, companies need to have a plan, in advance, for dealing with security breaches. It is critical to develop a mitigation plan that addresses not only security breach notice issues, but also the wide range of other problems that can arise. Mitigation means identifying and fixing the problem so that the harm is minimized or eliminated, and addressing its underlying cause so that it does not recur.
While notice issues have occupied significant attention, companies often have failed to assess the underlying cause of security breach problems, leaving themselves open to future problems and more substantial regulatory or legal repercussions. So, it is critical for any company to have in place - before a breach - a plan for addressing and responding to a security breach. Knowing how to handle a security breach needs to be part of an initial assessment, mainly because companies - regardless of industry - are likely to have a security breach at some point regardless of the protections in place.
International Privacy Issues
As if the complexity of U.S. privacy and security law were not enough, most companies also need to consider the impact of international privacy laws. For the most part, each country has developed its own privacy regime - and most are more burdensome and restrictive than the U.S. regime.
For many U.S. companies, the first brush with the international data regulatory regime relates to employee data; transmitting employee data across international borders, particularly out of Europe, is exceedingly complicated. For other companies, the requirements arise in relation to outsourcing contracts and other contractual obligations, where companies are required to make representations about their international compliance or their participation in the Department of Commerce Safe Harbor program. If you receive data from any other country about individuals - whether employees, customers, or others - or send data to vendors or business partners in other countries, your company will need to evaluate its compliance options. Accordingly, as part of your overall privacy audit, you need to ask the following key questions:
• Do you have personal data that crosses international borders?
• If so, what kinds of data are involved, and why is this data being transferred?
• Do you outsource any functions that involve vendors located in other countries?
Once these basic data flow issues are identified through the assessment, companies can evaluate how they will manage them, including which countries' laws are involved and how the company proposes to comply with them. Looking to the future, there is no indication that the international information dilemma will become simpler, particularly as more and more countries create additional privacy and security regulation.
A privacy and security assessment is just the first step, although a critical one, toward understanding the magnitude of the privacy and security risks a company faces. The basic message is clear - privacy and security risks affect every company today. In order to understand the magnitude of this risk and how best to mitigate it, a company must have an overall understanding of its data practices and must know whether it is in compliance with the ever-growing array of legal, practical and contractual commitments imposed by the increasing variety of privacy and security rules.
Kirk J. Nahra heads the Privacy Practice at Wiley Rein LLP in Washington DC. He is a Certified Information Privacy Professional and is the Chair of the Confidentiality, Privacy and Security Workgroup of the American Health Information Community (AHIC). He can be reached at (202) 719-7335.
© Wiley Rein LLP. This article was previously published in the summer 2008 issue of the Journal of Communications Technology in Higher Education.