Info Law Group : Technology Lawyers & Attorneys : Information Law Group : Privacy, Security & Intellectual Property Law

According to NIST, SP 800-144 is geared for those involved in cloud computing initiatives; security personnel responsible for security and privacy measures for cloud computing; system and network administrators; and users of public cloud computing services.

In what's become a hallmark of the NIST's cloud reports, SP 800-144 is extensively cross-referenced and includes "a detailed list of Federal Information Processing Standards and NIST special publications that provide materials particularly relevant to cloud computing and are recommended to be used in conjunction with SP 800-144."  This highlights one of the downsides of NIST's prodigious output production, namely, that reports are often complimentary and are best read and utilized with others.  Page x of the Guidelines lists no fewer than fifteen other Special Publications that are "especially relevant to cloud computing and should be used in conjunction with this report."  The upside is that each can be updated and refreshed to reflect the rapidly changing cloud and security landscape, but at the cost of keeping track of each additional report.

Given that public cloud computing offers significant security challenges that may not be present in private or hybrid cloud operations, NIST's Guidelines are a worthwhile resource and will help any cloud user interested in public cloud services review the many issues and concerns that should be addressed before data is stored up in a public cloud.

To discuss the Guidelines further, or your own specific cloud needs or cloud contracts and SLAs, feel free to contact me or any of the other attorneys at the InfoLawGroup.

In December 2009, the Israeli parliament (the 'Knesset') enacted the Biometric Identifiers and Biometric Data Inclusion in Identification Documents and a Database Act (The "Biometric Data Act"). The act is meant to tackle large-scale loss and theft of identification cards and passports, later used by criminals and terrorists.

The Biometric Data Act is far-reaching. Following a two year trial period, every citizen will be compelled to provide two fingerprint samples and a facial photograph, to be digitally stored in a national database and on chips embedded in passports and national IDs (National IDs are mandatory in Israel for citizens over the age of 16). The digital ID will also carry a certified electronic signature to be used as a substitute for regular signatures in execution of transactions.

The biometric database is not made solely to manage the identification of ID and passports applications. It will also serve as a valuable source of information for law enforcement agencies, under the supervision of a new authority that the Ministry of Home Affairs established specifically for that purpose.

The act as a whole and specifically the biometric database, raise significant concerns. Privacy advocates urged the Home Office to reevaluate the potentially grave risks to information security and privacy that the database poses, including the irreversibility of biometric data loss and the public's general mistrust in the government's ability to secure the database. A proposal to transform the database into a blurred set-base that will enhance security and privacy was recently offered by Prof. Adi Shamir, a well-known cryptographer. The Law Information and Technology Authority (ILITA) backed Prof. Shamir's proposition, however the government eventually rejected it.

The new regulations under the biometric data act include a set of procedures for issuing a biometric ID, taking fingerprints and facial images from applicants, encrypting and securing the data and transferring data between authorities.

A governmental order accompanies the regulations and sets specific rules for the two-year trial period. During this period that starts in November 2011, biometric IDs will be issued to Israeli citizens, subject to their written and signed consent. At the end of the trial period, professional auditors will evaluate the extent of the trial's success under a set of predetermined parameters and feedback from applicants. Unless the Ministry of Home Affairs decides otherwise in light of the trials results and public debate, the Biometric Data Act will come into full effect at the end of the trial period, and all citizens will have to provide their biometric data at that time for inclusion in their IDs and passports.

Some legislators and advocates have criticized as too narrow the definition of “personal information” that is within the scope of the Act. Specifically, the Safe Data Act would require breach notification only when an individual’s name, phone number or credit card number is compromised along with a Social Security number, driver's license number or other government-issued ID. This definition is significantly narrower than the personal information within the scope of the numerous existing state breach notification laws. One of the concerns is that because the Safe Data Act would preempt existing state information security and breach notification laws, the passage of the Act would lead to less protection for consumers.

Existing state breach laws typically require notification when an individual's first name or initial and last name are compromised in conjunction with a Social Security number, driver’s license number, government-issued ID number or a financial account number. In practice, the gap between state breach laws and the Safe Data Act is even wider. This is because companies operating nationwide affected by a multi-state breach often follow the broadest notification requirements among the various state laws. With some state laws requiring notification when, for example, a credit card number, financial account number, Social Security number, taxpayer ID or biometric data alone (without the individual’s name) is compromised, the practical notification threshold under current state breach notification laws may be significantly lower than that proposed by the Safe Data Act. Committee members expect the bill to evolve to address this and other concerns as it moves through Congress.

InfoLawGroup Says:

While there are disagreements regarding the specifics, the Trade Subcommittee’s approval of the Safe Data Act (especially while Congress is paralyzed by the debt ceiling negotiations) suggests strong support for federal information security legislation. For businesses, perhaps the most significant aspect of the Act is the preemption of over 45 existing state information security and breach notification laws. The preemption provision would provide much needed certainty for businesses in addressing information security breaches that currently are subject to the multitude of state requirements.

According to Mr. Ryoo, the new law extends data protection requirements across a broad spectrum of information processing. Mr. Ryoo notes that whereas the scope of existing data protection statutes is limited to certain entities and types of information, PIPA broadly governs the collection and processing of any personal data, by private and public entities.

Generally, PIPA requires the individual’s informed consent for any collection, use or disclosure of personal information. The law, however, provides for a number of exceptions to the consent requirement. The new law also puts limits on the amount of personal data that individuals may be required to provide.

PIPA applies broadly to "personal information" processed by any entity deemed to be a “handler” of personal information.” PIPA defines “personal information” as any information from which, by itself or combined with other information, an individual can be identified, whether from the individual’s name, identification number, image or other attributes. A “handler” of personal information is any entity, company, government organization, individual or other person that, directly or through a third party, handles personal information for business purposes. PIPA applies to both electronically and manually recorded information.

Remedies for data protection violations include the right to seek class action mediation and litigation.

For detailed analysis of PIPA’s provisions, please refer to Mr. Ryoo’s article.

InfoLawGroup Says:

As more and more countries adopt comprehensive data protection laws that often incorporate EU-like provisions, the compliance equation gets more complicated for companies operating worldwide. Many of these laws share common elements, such as notice, consent, choice, access and data security. You also can find these elements articulated in the Federal Trade Commission's Fair Information Practice Principles. Structuring your company's personal information practices around these elements should help in achieving compliance in the U.S. as well as in foreign jurisdictions.

Factual Allegations

The FTC alleged in its complaint that Google violated Section 5 of the FTC Act by engaging in deceptive tactics and violating its own privacy promises to consumers in connection with the launch of the company’s social network, Google Buzz, in 2010. The FTC also alleged that with respect to the data of its European users, Google violated the Notice and Choice principles of the U.S.-EU Safe Harbor self-regulatory framework for cross-border data transfer, in violation of the company’s certification of adherence to the framework.

The FTC alleged that when Google launched Buzz, the company used its customers’ email contact lists to populate the social network. As a result, by default, when Buzz launched, Gmail users became social network “followers” of other users – including those in their email contact lists – and were “followed” by their contacts. While Google's set-up process appeared to provide users with choices not to enroll in Buzz (such as “Nah, go to my inbox” and “Turn off Buzz”), the FTC alleged that selecting those options did not actually opt the users out of Buzz.. Instead, users continued to be followers of and followed by other Gmail users. Gmail users complained that the automatic generation of follower lists resulted, in some cases, in users following and being followed by individuals against whom they obtained restraining orders, abusive ex-spouses, clients of mental health professionals and attorneys, and job recruiters.

The FTC also alleged that Google did not adequately inform users that their previously private information, such as their contact lists and profiles, would become public by default when they used Buzz. According to the FTC, Goggle did not provide clear means for users to change privacy settings to prevent the public disclosure of this information.

The FTC further alleged that the launch of Buzz resulted in the disclosure of personal information that was contrary to the users’ specific choices. For example, if a Gmail user blocked another individual from Google Chat, that individual could still be a follower of the user on Buzz. Further, Buzz users did not have the ability to block followers who did not have a public Google profile. Finally, a flawed design of the Buzz comment reply mechanism resulted in broad disclosure of users’ private email addresses.

Violations of the FTC Act

The FTC alleged that that Google’s handling of privacy settings in connection with the launch of Buzz (as described above) violated the company’s own privacy notices and Section 5 of the FTC Act prohibition against unfair or deceptive acts or practices. Specifically, according to the FTC, Google:

• By using Gmail information to populate Buzz -- failed to abide by the pledge in the company’s privacy policy to use information from consumers signing up for Gmail only for the purpose of providing them with a web-based email service;

• By using Gmail information in connection with Buzz -- failed to abide by the pledge in the company’s privacy policy to seek users’ consent to use their information for a purpose other than that for which the data was collected; and

• By not respecting user’s privacy choices (such as “Nah, go to my inbox” and “Turn off Buzz”), and misleading users about what information in their profiles would become public and which of their contact lists would become public  in connection with Buzz – engaged in deceptive acts or practices.

U.S.-EU Safe Harbor Framework Violations

The Google Buzz settlement is the FTC’s first substantive U.S.-EU Safe Harbor framework enforcement action in which the Commission alleged specific violations of the Safe Harbor privacy principles. On several previous occasions, the FTC took enforcement action against companies that claimed to be Safe Harbor certified but were not in fact members of the program. Google maintained an up-to-date Safe Harbor self-certification on the U.S. Department of Commerce Safe Harbor list and stated in its privacy policy that it adhered to the Safe Harbor privacy principles.

The Safe Harbor framework consists of a set of privacy principles developed by the U.S. Department of Commerce in collaboration with the European Commission. The framework is intended to provide U.S. companies with a mechanism for receiving personal information from the European Union, European Economic Area or Switzerland in compliance with the European Commission’s Data Protection Directive 95/46/EC and the Swiss Federal Act on Data Protection. U.S. companies that participate in the Safe Harbor framework are deemed by the European Commission and the Information Commission of Switzerland to provide an “adequate” level of privacy protection, enabling the certified U.S. companies to receive and process European data in the U.S.

Among other provisions, the Safe Harbor privacy principles require companies that receive European personal data in the U.S. to give the individuals to whom the information pertains:

• Notice of how the company uses their personal information (the Notice principle);

• Choice to direct the company to refrain from sharing the information with certain third parties (the Choice principle); and

• The opportunity to opt out of having their information used for purposes incompatible with those for which the information was collected or to which they have consented (also the Choice principle).

In practice, a Safe Harbor-certified company in the U.S. that wishes to use or disclose personal data of European residents for purposes incompatible with the purposes for which the information was collected or to which the users have consented, must (i) provide users with a notice of the proposed new use or disclosure, and (ii) give users an opportunity to direct the company not to use or disclose the information in the proposed manner.

The FTC alleged that Google relied on its Safe Harbor certification to transfer data collected from Gmail users from Europe to the United States for processing. According to the FTC, the company also processed this information in connection with the launch of Buzz. The complaint alleged that Google violated the Notice and Choice principles by not giving European users notice before using their Gmail information in connection with Buzz. Google’s alleged non-compliance with the Safe Harbor Notice and Choice principles constituted a deceptive act or practice in violation of Section 5 of the FTC Act.  

Settlement

The FTC has billed this enforcement action as a “tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.” The settlement includes several major requirements.

Prohibition Against Misrepresentations

The settlement prohibits Google from misrepresenting the company's privacy practices with respect to “covered information” or the company’s compliance with any privacy, security or other compliance program, including the U.S.-EU Safe Harbor framework. Importantly, the term “covered information” is broader than the term “personal information” that the FTC has used in its previous privacy enforcement consent orders. “Covered information” includes not only the traditional personal information elements (e.g., name, postal or email address, and telephone number), but also an IP address or an individual’s physical location or list of contacts. The broader definition of “covered information” is consistent with the FTC’s increasingly expansive view of the information associated with an individual that warrants protection. For example, in its report on Self-Regulatory Principles For Online Behavioral Advertising: Tracking, Targeting, and Technology, the FTC refused to provide a bright line rule for delineating personal and non-personal information. Instead, the FTC took the position that behavioral advertising principles "should apply to data that could reasonably be associated with a particular consumer or computer or other device, regardless of whether the data is 'personally identifiable' in the traditional sense." Similarly, the FTC’s report on “Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers ("Privacy Report"), argued for protecting consumer data that can reasonably be linked to a specific consumer, computer or device.

Notice and Consent

The settlement requires Google to provide its users with notice and choice prior to sharing users’ information with third parties in certain circumstances. Specifically, if the proposed disclosure is contrary to the data sharing practices Google represented to be in effect at the time the information was collected, the settlement requires Google to give users a clear and prominent notice of the proposed disclosure and to obtain their “express affirmative consent.” While the settlement does not define “express affirmative consent,” at a minimum, this provision will require Google to offer users a prominent, transparent means for exercising their privacy choices. 

Comprehensive Privacy Program

The FTC stated that the Buzz settlement is the first to require a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. The inclusion of his requirement in the settlement appears to be the first application of the “privacy by design” philosophy that the Commission articulated in its Privacy Report. The FTC’s “privacy by design” approach calls on companies to build privacy protections into their business practices. Such protections should include sound mechanisms for allowing consumers to exercise their privacy choices, reasonable security for consumer data, limited collection and retention of consumer data, secure disposal of the data, and reasonable procedures to promote data accuracy. The report also called for companies to implement and enforce procedurally sound privacy practices throughout the organizations, including by assigning personnel to oversee privacy issues, training employees and conducting privacy reviews for new products and services.

The settlement requires Google to maintain a written, comprehensive privacy program that is reasonably designed to (i) address privacy risks related to the development and management of new and existing products and services, and (ii) protect the privacy and confidentiality of covered information (as defined above). Goggle must include in its privacy program the privacy controls and procedures appropriate to the company's size and complexity, the nature and scope of its activities, and the nature of covered information.

Specifically, the settlement requires Google to:

• Designate staff responsible for the privacy program;

• Conduct a risk assessment to identify reasonably-foreseeable risks that could result in the unauthorized collection, use, or disclosure of covered information and assess the sufficiency of any safeguards in place to control these risks;

• Design and implement reasonable privacy procedures to control the risks identified through the privacy risk assessment;

• Regularly test or monitor the effectiveness of the program’s key privacy controls and procedures;

• Develop and use reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from Google;

• Require relevant service providers by contract to implement and maintain appropriate privacy protections; and

• Evaluate and adjust the company's privacy program in light of the results of the testing and monitoring, any material changes to the company's operations or business arrangements, or any other circumstances that may have a material impact on the effectiveness of the company’s privacy program.

Compliance Requirements

In addition to the specific requirements regarding the company’s privacy practices, the settlement mandates a compliance and reporting program, including biennial assessments and reports from a qualified, objective and independent third-party professional. The reports must certify, among other things, that:

• Google has in place a privacy program that provides protections that meet or exceed the protections required by the settlement order; and

• Google’s privacy controls are operating with sufficient effectiveness to provide reasonable assurance that the privacy of covered information is protected.

Google must retain the materials relied upon to prepare the third-party assessments for a period of three years from the date of the assessment. 

The settlement also requires Google to:

• Retain all “widely disseminated statements” that describe the extent to which the company maintains and protects the privacy and confidentiality of any covered information, along with all materials relied upon in making or disseminating such statements, for a period of three years;

• Retain for a period of six months (i) all consumer complaints directed at Google, or forwarded to Google by a third party, that allege unauthorized collection, use or disclosure of covered information and (ii) any responses to such complaints;

• Retain for a period of five years documents that contradict, qualify or call into question the company’s compliance with the terms of the settlement;

• Disseminate the consent order to the company’s current and future principals, officers, directors and managers, and to all current and future employees, agents and representatives who have supervisory responsibilities relating to covered information; and

• Notify the FTC of changes in the company’s corporate status.

Action Item

As we often note on this blog, privacy enforcement activity is rising exponentially, whether in the format of state and federal regulatory actions, class action suits, media exposés or public admonitions by regulators. This enforcement activity presents a significant risk to companies whose business models rely heavily on the collection, use or disclosure of information associated with individuals. If your company has not already done so, now is the perfect time to review the company’s privacy and information security practices, conduct a privacy and information security assessment, and take steps to ensure that the company’s practices comply with the various privacy and information security requirements, including FTC guidance.

Members of the ABA Information Security Committee identified a number of challenged facing the Smart Grid community. These challenges include (i)  inconsistent or patchwork of legal requirements regarding the privacy and security of personal information processed in connection with the Smart Grid; (ii) immature consumer expectations regarding Smart Grid privacy; (iii) issues of government authority to access the personal information processed in connection with the Smart Grid; (iv) ownership and right to control the collection, use, disclosure and other processing of the personal information; and (v) liabilities associated with failing to adequately secure the Smart Grid. 

The working group's initial tasks likely will include (i) identifying relevant Smart Grid stakeholders and mapping relevant flows of personal information; (ii) preparing a 50 state survey of laws and regulations governing the privacy and security of the personal information collected, used, disclosed or otherwise processed in the Smart Grid, and identifying legislative and regulatory gaps; and (iii) identifying and summarizing the work of government agencies and other organizations and groups that are actively engaged in thinking through Smart Grid privacy and information security issues.

Action Item: For more on privacy issues affecting the Smart Grid, please join us for a free webinar on February 24, 2011 from 12:30 to 1:30 p.m. EST. To register, please email bsegalis@infolawgroup.com.

The goal in revising EU data protection rules (which also apply to members of the European Economic Area) is to facilitate the establishment of clear and consistent data protection requirements as well as to modernize Europe’s data protection laws to meet the challenges raised by new technologies (e.g., behavioral tracking) and globalization. Europe's data protection laws are currently based in large part on the 1995 EU Data Protection Directive.

The Commission’s announcement comes on the heels of the Data Protection Commissioners Conference in Jerusalem, during which many participants highlighted the need to bring data protection legislation up to date, and raised concerns about inconsistent and complex data protection requirements in various countries (including among EU member states).

The Commission’s strategy to revise data protection rules is based on the goals of:

• Limiting the collection and use of personal data to the minimum necessary;
• Transparency as to how, why, by whom and for how long personal data is collected and used;
• Informed consent;
• Right to be forgotten;
• Reducing administrative compliance burdens on businesses;
• Uniform implementation of data protection rules in EU member states;
• Improving and streamlining procedures for data transfers outside the EU;
• Cooperation with countries outside the EU and promotion of high standards of data protection at a global level;
• Strengthening enforcement of data protection rules by harmonizing the role and power of national data protection authorities;
• Facilitating consistent enforcement of data protection laws across the EU; and
• Implementing coherent rules for the protection of personal data in the fields of police and criminal justice.

Notably, many of these goals were announced at the Jerusalem conference.

The Commission’s review will serve as the basis for further discussions of data protection rules and, ultimately, new legislation, which the Commission expects to propose in 2011.

Please see the Commission’s press release, FAQs, and the strategy document for more details. The Commission is encouraging organizations and individuals to submit comments.

Stay tuned for more about the proposed revisions.

One consequence of the growing body of laws, regulations, standards, and contractual requirements dealing with protected categories of personally identifiable information (PII) is a heightened awareness of the importance of establishing effective internal governance mechanisms. The organization needs to be clear on who decides, and how, key questions such as these:

• Which kinds of PII should be collected in the first place?
• Which categories of PII require particular safeguards or treatment, either legally or because the information is considered especially sensitive by customers and employees, or by the organization itself?
• How should PII be secured?
• Who should be given access to PII, and for what purposes?
• How are individuals informed of events (such as business changes and security breaches) and options (such as op-in or opt-out choices) that affect their privacy and personal security?
• How should PII be disposed of at the end of its useful life?

In some cases, legislators, regulators, and industry standards bodies provide guidance on PII management and governance, at least by implication. But for the most part, organizations must find their own way to weave privacy compliance and PII risk management into effective internal governance procedures. Adding privacy to the organization’s governance structure, with constant reference to evolving privacy rules and standards, is one way to avoid costly mistakes and arm the organization with legal defenses in the event of a security breach or a serious privacy complaint.

I recently presented a workshop on “information governance” at the Vanguard Security 2010 conference in Las Vegas. Some of the participants, typically managers of enterprise IT security functions, were concerned about whether their employers -- companies, universities, healthcare systems, and government agencies -- were organizationally equipped to make appropriate decisions about collecting, securing, and using PII in a rapidly changing legal and regulatory environment.

It’s a legitimate concern. Organizations in both the private and public sectors are increasingly held accountable for the proper handling of sensitive or potentially dangerous PII such as health records, Social Security Numbers, bank account and payment card details, credit reports, and background checks. An effective system of both privacy and security governance is essential if the organization is to achieve substantial compliance, manage litigation and market risks, and respond adequately to privacy challenges and to security threats and incidents. Relevant laws, standards, and contract requirements sometimes mandate certain aspects of privacy or security management and, less frequently, governance. Otherwise, it is ultimately a matter of finding what best fits your organization’s leadership culture – although it may be helpful to compare models from other organizations with similar needs.
 

What PII Do You Handle?

Don Harris of HR Privacy Solutions often refers to personal data as the latest “controlled substance.” For purposes of this discussion, I use the term “PII” to mean whatever personally identifiable information your organization has an obligation to protect from unauthorized disclosure, use, loss, or alteration. In the US, that varies considerably by sector and jurisdiction. US state laws requiring personal information security measures or notification of security breaches (in all but four states) typically apply only to limited categories of PII that raise the greatest risk of identity theft, such as the SSN, driver’s license number, and bank account or payment card number (combined with a PIN or other access code). The US federal HIPAA and HITECH acts and a number of state laws more broadly regulate health records, while the federal Gramm-Leach-Bliley Act (GLBA) and financial supervisory authorities focus on the confidentiality of financial records. The Fair Credit Reporting Act is concerned with consumer reports. Equal Employment Opportunity laws often address the proper collection and use of information about race, ethnicity, religion, age, gender, disability, family status, or sexual life. Other laws protect information about students and their parents, licensed drivers, telephone and cable subscribers, persons renting DVDs and videotapes, library patrons, clients of mental health and substance abuse programs, people who seek refuge in battered women’s shelters, genetic data, and an array of other categories of PII deemed potentially risky to individuals. Meanwhile, an organization may be required contractually to handle certain kinds of data in a prescribed manner, such as the PCI-DSS standards that apply to the processing of credit and debit card payments.

By contrast, PII can be almost any information relating to an identifiable individual under the more comprehensive privacy and data protection laws in Canada, the European Union, Australia, Japan, and several other jurisdictions. Even in those jurisdictions, however, there is often an enhanced obligation to protect especially sensitive categories of PII such as those relating to race or ethnicity, health and sex life, religion, political opinion, trade union involvement, criminal records, consumer profiles, bankruptcy, personal financial records, genetic data, geolocation data (such as tracking a person’s physical location through his mobile phone or RFID security badge), and official identifiers such as passports and national ID numbers that could be used in fraud and identity theft.

Who Is Responsible?

Within the organization, who accepts responsibility for ensuring that all relevant categories of PII are handled appropriately? In some organizations, the Chief Legal Officer, Chief Information Officer, or Chief Technology Officer is considered primarily responsible for PII policy decisions. In others, the decisions may be made by senior executives responsible for human relations (employee data) or customer relations (consumer data). Obviously, policy decisions should be made in consultation with the legal or compliance functions in the organization. IT security managers will provide some of the tools and techniques – once they know what the requirements are and how to classify the data. HR management should be on top of employee privacy issues in all the jurisdictions in which the organization has employees (and their dependents) or independent contractors and temporary workers. The customer relations and marketing managers should understand the restrictions under which they operate and the disclosures and choices they must provide. Records management should implement appropriate storage and disposal policies. And many organizations now have a “privacy officer” (under any of a variety of titles) who is charged with offering guidance and making recommendations relating to PII.

Business managers also typically make recommendations, but their primary job is to see that the organization’s policies are implemented – that is the management function. Security and privacy governance refers to the process by which those policies are adopted in the first place and then monitored and adjusted. Ultimately, policy decisions should be made by senior or C-level executives or (for the most fundamental policies) by the board of directors or agency chief. Ideally, the CEO and directors are at least broadly aware of privacy and security issues affecting the organization’s handling of PII -- well before the first embarrassing privacy complaint or security breach hits the news.

Governance Requirements and Tools

Most PII laws and regulations are not terribly detailed in referring to information governance issues. It is simply the organization’s obligation to find the best ways to achieve compliance.

Corporate governance, particularly in publicly traded companies, offers some familiar and relevant models for information governance. In the US (especially under the Sarbanes-Oxley Act or “SOX”), Canada, Europe, and Japan, financial reporting laws or stock exchange rules require management controls in all areas material to the accurate reporting of financial results to investors and regulators. Under those laws, a CFO, CEO, or Audit Committee of the board must certify the effectiveness of the company’s control procedures. In most modern companies, IT is used for data collection and reporting and, indeed, is critical to the success of the organization. Thus, internal and external auditors refer to IT management “control objectives,” often with reference to the COBIT Framework published by ISACA.

IT control objectives may include items such as access controls, encryption, and data retention policies as required to comply with PII rules or to manage PII risks. In some companies, there is such a dependence on protected PII that management reporting expressly refers to relevant PII compliance requirements such as those imposed by HIPAA, GLBA, FRCA, PCI-DSS, PIPEDA, or national laws based on the EU Data Protection Directive. In those cases, PII compliance requirements are documented in specific control objectives with associated policies and procedures, assigned to responsible functions, and periodically audited and certified.

Apart from public company governance requirements, some laws and regulations specifically require that there is a designated person or department accountable for the security of covered PII, with an obligation to report to senior management. This is true of US federal health and financial privacy regulation, as it is of Canadian legislation incorporating the CSA’s Model Code for the Protection of Personal Information. In several EU countries and Switzerland, the organization may or must designate an internal data protection officer who reviews and maintains a “registry” of PII processing in the organization, renders a written opinion on proposals for handling sensitive categories of data, and reports directly to the highest level of management.

Increasingly, laws and regulations governing PII mandate a risk-based, written security policy. In the US, the HIPAA and GLBA privacy and security rules require written policies, as do the “Red Flag Rules” adopted by the Federal Trade Commission and the federal financial regulatory bodies to combat identity theft. The Massachusetts Personal Information Security Regulation requires a written information security policy (commonly called a “WISP”) covering the categories of data for which security breach notices are required. The Canadian CSA standard and several European countries similarly require or recommend written security policies, documented procedures, and approvals by the governing body of a company or agency.

E-government laws and executive policies in the US and Canada require agencies to designate a privacy officer, reporting to a senior agency executive, with oversight by an auditor or inspector general from outside the agency (or by the federal or provincial privacy commissioner, in Canada). US and Canadian federal agencies are also now generally required to prepare a privacy impact assessment (PIA), identifying PII needs and measures to mitigate privacy risks, before implementing a new or substantially modified information system that includes PII.

Some companies and nonprofits in North America and Europe follow a similar approach of requiring the responsible manager to prepare a PIA for review by a privacy officer and, if there are serious objections, by executive management. Some also undertake a baseline privacy audit to determine where the organization is already handling PII and where it might be at risk. Periodic security audits are common in many organizations, but the scope often needs to be adjusted to include protected categories of PII.

A variety of vendors offer “GRC” (governance, risk, and compliance) software tools and databases to help automate the task of identifying PII in the organization’s information systems and checklisting PII compliance requirements and actions. These can be helpful, although there is inevitably a need for knowledgable individuals to review the scope, methodology, and results.

As much PII processing is ultimately outsourced, and PII is often exchanged with business partners, a key aspect of compliance is contract management. HIPAA and GLBA, the Canadian CSA standards incorporated in PIPEDA and provincial laws, and the EU Data Protection Directive all require a measure of due diligence in contracting with vendors to handle PII. Contracts that refer to the confidentiality of proprietary information should also address the confidentiality and security of PII. The procurement function in the organization needs to be made aware of PII risks and requirements, and procurement and legal personnel should ensure that there are appropriate confidentiality and indemnification clauses, security schedules, and any required provisions to meet sectoral requirements or legal conditions for cross-border transfers of PII (e.g., from the EU to the US or India). In some cases, it is practical and appropriate to make contractual reference to established information security management and control standards such as ISO 27001 / 27002, PCI-DSS, or NIST 800 series guidelines. An aspect of information governance is setting policies for such contract requirements and monitoring procurement practices that involve PII, since accountability itself can rarely be outsourced.

Trends and Keys

The privacy and data protection laws and PII security and breach notification legislation have motivated organizations to better understand changing legal requirements, to inventory their collection, use, and sharing of PII, and to minimize the use or retention of sensitive PII throughout the organization. In some companies that means, for example, reducing the instances where SSNs and other official identifiers are recorded or communicated, encrypting PII, outsourcing payment card verification, and imposing stricter data destruction schedules on customer and employee records.

Organizations have also been driven to establish or update written policies and procedures for handling PII, and then include these in training and internal audits, as well as in contracts with third parties.

Another trend has been to raise information governance to a more centralized and higher level of management and reporting, with privacy officers and IT security managers reporting to senior executives rather than to middle managers. This is an understandable result of high-profile privacy and security lapses affecting the organization or its peers, as well as of SOX, security breach notice laws, FTC and state investigations, and pressure from privacy commissioners and sectoral regulators.

From our observation, and from reports by professional associations and conference participants, it appears that two elements are key to the success of organizations that have established effective information governance relating to PII: a high-level champion that the CEO, board, and business managers will listen to, and a liaison team to review PII issues and make recommendations to management. Depending on the structure and mission of the organization, the privacy liaison team might include representatives of several functions that deal with PII: IT, security, HR, customer relations, marketing, government relations, labor relations, legal, compliance, audit, procurement or contract management, product development, international subsidiaries (subject to different PII rules). It is not hard to imagine who should have a seat at the table (or more likely on the email list and occasional conference call), but it may be a challenge to identify who will convene and lead the team, unless the organization has already designated a chief privacy officer or equivalent position.

In the end, good information governance depends not only on procedures and tools but on the quality, drive, and authority of those who lead the effort.