Posted on October 26, 2009 
In the Internet age, sensitive personal data remains constantly at risk due to malicious actions and human error. According to the Identity Theft Resource Center (ITRC), a consumer becomes a victim of identity theft every two seconds. The costs to consumers, businesses and society as a whole are mind-boggling.
To combat this threat, various states and the federal government have enacted a wide range of regulations requiring covered organizations to protect sensitive data. For example, the Health Insurance Portability and Accountability Act (HIPAA) regulates how covered entities use and disclose certain individually identifiable health information. The Fair and Accurate Credit Transactions Act (FACTA) of 2003 requires that organizations take steps to prevent identity theft and improve the accuracy of consumer credit information.
FACTA includes the so-called Red Flag Rules requiring credit-granting entities to help detect, prevent and mitigate identity theft. The Red Flag Rules apply to a wide range of businesses, including utility companies, telecommunications firms, mortgage brokers, automobile dealers and other organizations that provide transaction accounts or extend credit to consumers. The rules go into effect Aug. 1, 2009.
“Financial institutions” must also comply with the Safeguards Rule issued by the FTC in conjunction with the Gramm-Leach-Bliley Act (GLBA), which covers businesses ranging from check-cashing and payday loan operations to property appraisal and tax preparation services. Covered entities must identify sensitive data, control physical and network access to such data, encrypt data transmitted over networks, and train employees to maintain these and other security measures.
In addition, more than 40 states, as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands, have passed laws requiring organizations to notify consumers of a data security breach. A new Massachusetts privacy regulation goes beyond that, establishing minimum standards for the protection of non-public personal information contained in both paper and electronic records. That law goes into effect Jan. 1, 2010.
Making Sense of It All
Entities covered by one or more of these regulations are justifiably confused as to how to meet data protection mandates. Inconsistencies in state rules make compliance difficult, and many of the federal rules offer only generalized guidelines. The key is to create a sustainable framework that addresses all applicable regulatory requirements globally. A piecemeal solution will only drive up costs and sap IT performance, while an integrated framework leveraging industry-standard IT controls can be designed to address multiple regulatory requirements.
Organizations should begin with a privacy assessment based upon an industry-standard framework such as Control Objectives for Information and related Technology (COBIT), a set of best practices created by the Information Systems Audit and Control Association (ISACA). Certified auditors can review policies, interview staff and observe procedures in order to understand the organization and the types of data it processes. The next step is to prioritize the highest risks to be remediated by updating policies and procedures and implementing risk-mitigation solutions.
Although much of the focus is on policies and procedures, it’s important to take a close look at the data involved. All types of data within the organization must be classified somewhere on the continuum between public and private. As the privacy requirements increase, so do the security requirements.
Ensuring Compliance
Once data has been classified and security gaps have been closed, organizations should conduct privacy training for the entire staff. This training can be conducted onsite, online or both. Regardless of the medium, the training should be integrated with company policies and conducted on a regular basis.
Ongoing monitoring of all facets of the program is also essential. Organizations should continually evaluate new threats and update policies, procedures and training to improve data security and keep pace with changes to IT and the business. Data privacy and security is never a “set and forget” operation. Organizations must keep their policies and procedures current in order to combat emerging threats while keeping the business agile.
Regulatory compliance is challenging, but the costs of non-compliance are high. HIPAA authorizes criminal penalties of up to $250,000 and/or 10 years imprisonment per violation of security standards for patient health information. The Gramm-Leach-Bliley Act imposes penalties of up to $100,000 per violation of financial institution standards for safeguarding customer information. A comprehensive IT governance solution, built upon best practices and continual process improvement, will create a sustainable regulatory compliance strategy that protects organizations from the cost, embarrassment and potential legal penalties of a data security breach.