Personally Identifiable Information – FTC: Identity theft is the most common consumer complaint

Retailers are liable for identity theft and can be subject to fines and criminal prosecution for breach. What consumer information is considered Personally Identifiable Information (PII)? What laws should retailers be aware of? What are the 6 General Mandates that affect every retailer? What can merchants do to secure their electronic payments systems and procedures?

  1. Personally Identifiable Information (PII)
     Presentation by: Ross Federgreen*
     *Founder, CSRSI® THE PAYMENT ADVISORS
  5. PII
     Covers a wide range of data elements which can be tied back to or represent a given individual and can be used to cause harm to the individual if used without proper authorization.
  6. PII
     Individual Name
  7. Address
  8. Telephone number
  9. Social Security number
  10. Driver License number
  11. Date of Birth
  12. Bank Account number
  13. Credit and Debit card number
  14. State Identification number
  15. Passwords
  PII
     Regulation
  16. ALL States
  17. Federal
  18. Civil and Criminal
  PII
     Federal Information Security Laws
     Federal Trade Commission Act of 1914 (FTC Act) and FTC Standards for Safeguarding Customer Information (FTC Safeguards Rule), enacted in 2003.
  19. PII
      Federal Information Security Laws
      Federal Privacy Act
  20. Federal Information Security Management Act
  21. OMB Security Act
  22. Veterans Affairs Information Security Act
  23. Gramm-Leach-Bliley Act
  24. Federal Trade Commission Act (FTC Act)
  25. Fair Credit Reporting Act
  26. Hospital Insurance Portability and Accountability Act (HIPAA)
  27. Public Company Accounting Reform and Investor Protection Act (Sarbanes-Oxley)
  28. Family Educational Rights and Privacy Act (FERPA)
  29. Drivers Advocacy Protection Act (DPPA)
  30. Fair and Accurate Transaction Act (FACTA)
  31. USA Patriot Act
  PII
      Federal Information Security Laws
      Customer Identification Program Rules implementing Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act)
  32. PII
      110th Congress: Data Security Bills
      Three bills were reported favorably out of Senate committees:
      S.239 (Feinstein)
  33. S.495 (Leahy)
  34. S.1178 (Inouye)
  35. Information and Data Breach Notification Requirements
      Other bills introduced:
      S 806 (Pryor), S 1202 (Sessions), S 1260 (Carper), S 1558 (Coleman)
      HR 516 (Davis), HR 836 (Smith), HR 958 (Rush), HR 1307 (Wilson)
      HR 1685 (Price), HR 2124 (Davis)
  36. PII
      As of January 2008, 39 states have enacted data security laws requiring entities to notify persons affected by security breaches and, in some cases, to implement security programs to protect the security, confidentiality and integrity of data.
      Six states have introduced bills or enacted legislation to strengthen merchant security and/or hold companies liable for third-party companies' costs arising from data breaches:
      California
      Connecticut
      Illinois
      Massachusetts
      Minnesota
      Texas
  37. PII
      Federal Trade Commission (FTC):
      Identity theft is the most common complaint from consumers in all 50 states.
      It represents between 35% and 40% of all complaints for the years 2005, 2006 and 2007.
      In 2006 there were over 246,000 complaints filed.
  38. PII
      Data Breaches
      Identity Theft
      Financial Crimes
      Credit Card Fraud
      Utilities Fraud
      Bank Fraud
      Mortgage Fraud
      Employment Related Fraud
      Government Documents Fraud
      Benefits Fraud
      Loan Fraud
      Health Care Fraud
  39. PII
      Public concerns with Identity Theft:
      Security of sensitive information
      Security of computer systems
      Federal laws protecting
      Adequacy of enforcement
  40. PII
      LIABILITY FOR Identity Theft:
      Retailers
      Credit Card Issuers
      Payment Processors
      Banks
      Data Processors
  41. PII
      CRIMINAL PROSECUTION
      FAILURE TO REPORT
      UNAUTHORIZED POSSESSION
      UNAUTHORIZED ACCESS
      FAILURE TO SAFEGUARD
  42. PII
      Federal Trade Commission
      CONSENT DECREE JANUARY 2008
      LIFE IS GOOD.com
      Being embraced as a minimum standard for operating entities to comply with on a going-forward basis.
  43. PII
      Federal Trade Commission
      CONSENT DECREE JANUARY 2008
      “COMPREHENSIVE INFORMATION-SECURITY PROGRAM”
      Includes administrative, technical and physical safeguards tailored to the size of the commercial entity, the nature of its activities and the sensitivity of the personal information collected.
      SIX GENERAL MANDATES
  44. PII
      Federal Trade Commission
      CONSENT DECREE JANUARY 2008
      Mandates:
      Designation of an employee or employees to coordinate the information security program.
  45. Identification of internal and external risks to the security and confidentiality of personal information, and assessment of the safeguards already in place.
  46. Creation and implementation of safeguards to control the risks identified in the risk assessment.
  47. Monitoring of the safeguards' effectiveness.
  48. Development of reasonable steps to select and oversee service providers that handle personal information.
  49. Evaluation and adjustment of the program to reflect the results of monitoring, material changes to the company's operations or other circumstances that may affect program efficiency.
  50. PII
      VISA CISP BULLETIN MAY 14, 2007
      LEVEL 4 MERCHANT COMPLIANCE PROGRAM REQUIREMENTS
      TIMELINE OF CRITICAL EVENTS
      RISK-PROFILING STRATEGY
      MERCHANT EDUCATION STRATEGY
      COMPLIANCE STRATEGY
      COMPLIANCE REPORTING
  51. PII
      CONCLUSION:
      PCI DSS IS A SUBSET OF PII REGULATION
      SIMPLY ASKING A MERCHANT TO ANSWER THE PCI DSS SAQ WITHOUT TRUE EDUCATION, RISK ANALYSIS AND FOLLOW-UP MONITORING FAILS TO MEET THE STANDARD
      REGULATION, RISK AND LIABILITY WILL ONLY INCREASE IN THE CURRENT ENVIRONMENT
  52. Review Articles
      Federgreen, R. The facts on FACTA. The Green Sheet, 8:06:01, 2008.
      Federgreen, R. PCI DSS and HIPAA: The security standards share common ground. Transaction Trends, 2007.
      Federgreen, R. PCI eye to eye with federal law. The Green Sheet, 7:07:02, 2007.
      VISA.COM/CISP
  55. QUESTIONS?
      CSRSI.COM
      PCITOOLKIT.COM
      Rfedergreen@csrsi.com
      866 462 7774 ext 1