Are You Really Secure?
Network Security and Compliance
Inconsistent and vague laws
can make it really tough for IT managers to comply
even when they truly want to.
Companies working hard to
comply with fast-changing state, federal, international
and industry-specific privacy rules are finding
some practical problems. Rising concerns over
personal privacy and data-sharing practices have
focused on increased liability risks relating
to how personal data is handled.
The sheer number of privacy
regulations and new mandates coming down the pike
make privacy compliance a huge challenge. Privacy
experts say it's often better to try to comply
with the requirements of the most stringent laws
where possible, instead of trying to craft policies
for every single law.
Some of the biggest drivers
include the Health Insurance Portability and Accountability
Act (HIPAA), the Gramm-Leach-Bliley Act, the Sarbanes-Oxley
Act and California's SB 1386 identity protection
bill. Several states have their own privacy laws,
and international rules, such as those covering
European Union nations and Canada, are also in
the mix for U.S. companies.
Privacy notices, which many
of these laws require, spell out a company's
policies for handling personal data. Several laws
require companies to clearly articulate what they
can or can't do with confidential information.
But it's not enough to say
what you'll do. You also need to do what you say.
And that means putting in place the technology
and processes to monitor and ensure compliance
with stated privacy policies. Technology advancements
have made it easier for companies to use and manipulate
customer data, but that also makes it imperative
to monitor and ensure privacy compliance.
The lack of legal precedent
and implementation guidelines poses a problem
for companies trying to figure out the best way
to mitigate exposure to legal risk. For example,
California's SB 1386 exempts "encrypted" data
from its breach-notification requirement, but it
doesn't define what counts as encryption or what
strength is required. The key is to take the high
road. The best way to demonstrate due diligence is
to comply with the requirements of the most
stringent law that's applicable to you.
Programs for monitoring
the privacy habits of your vendors, business partners
and supply chain companies are also needed. It's
crucial to realize that a company owning the data
is responsible for it even if a security breach
is associated with a partner.
Consider these five key
privacy principles as defined by the Federal Trade
Commission:
- Notice/Awareness:
Consumers should be given notice of an entity's
information practices before any personal information
is collected from them.
- Choice/Consent:
Consumers should be able to choose how their
information is used beyond the original purpose,
whether internally (placing the consumer on the
company's mailing list to market additional
products or promotions) or externally (transferring
the information to third parties).
- Access/Participation:
The point is to let people about whom you have
information find out what that information is,
and contest its accuracy and completeness if
they believe it is wrong.
- Integrity/Security:
Data must be accurate and secure. Security involves
both managerial and technical measures to protect
against loss and the unauthorized access, destruction,
use or disclosure of the data.
- Enforcement/Redress:
The core principles of privacy protection can
only be effective if there is a mechanism in
place to enforce them.
Although the principles
are aimed at protecting consumer rights, businesses
will benefit enormously by ultimately reducing
errors in customer databases and eliminating the
wasteful use of marketing resources.
Technology is a small part
of the security solution. People are the big part.
Compiled from a variety of Internet sources