Retailers can be held liable for identity theft arising from a data breach and may face fines and criminal prosecution. What consumer information is considered Personally Identifiable Information (PII)? What laws should retailers be aware of? What are the six General Mandates that affect every retailer? What can merchants do to secure their electronic payment systems and procedures?
5. PII: covers a wide range of data elements that can be tied back to, or represent, a given individual and that can be used to cause harm to that individual if used without proper authorization.
35. Information and Data Breach Notification Requirements. Other bills introduced: S 806 (Pryor), S 1202 (Sessions), S 1260 (Carper), S 1558 (Coleman), HR 516 (Davis), HR 836 (Smith), HR 958 (Rush), HR 1307 (Wilson), HR 1685 (Price), HR 2124 (Davis).
36. PII: As of January 2008, 39 states have enacted data security laws requiring entities to notify persons affected by security breaches and, in some cases, to implement security programs to protect the security, confidentiality and integrity of data. Six states have introduced bills or enacted legislation to strengthen merchant security and/or hold companies liable for third parties' costs arising from data breaches: California, Connecticut, Illinois, Massachusetts, Minnesota, Texas.
37. PII: Federal Trade Commission (FTC): Identity theft is the most common complaint from consumers in all 50 states. It represented between 35% and 40% of all complaints for the years 2005, 2006 and 2007. In 2006 there were over 246,000 complaints filed.
38. PII: Data Breaches; Identity Theft; Financial Crimes: Credit Card Fraud, Utilities Fraud, Bank Fraud, Mortgage Fraud, Employment-Related Fraud, Government Documents Fraud, Benefits Fraud, Loan Fraud, Health Care Fraud.
39. PII: Public concerns with Identity Theft: Security of sensitive information; Security of computer systems; Federal laws protecting; Adequacy of enforcement.
40. PII: LIABILITY FOR Identity Theft: Retailers; Credit Card Issuers; Payment Processors; Banks; Data Processors.
41. PII: CRIMINAL PROSECUTION: FAILURE TO REPORT; UNAUTHORIZED POSSESSION; UNAUTHORIZED ACCESS; FAILURE TO SAFEGUARD.
42. PII: Federal Trade Commission CONSENT DECREE, JANUARY 2008, LIFE IS GOOD.com: being embraced as a minimum standard for operating entities to comply with on a going-forward basis.
43. PII: Federal Trade Commission CONSENT DECREE, JANUARY 2008: "COMPREHENSIVE INFORMATION-SECURITY PROGRAM" includes administrative, technical and physical safeguards tailored to the size of the commercial entity, the nature of its activities and the sensitivity of the personal information collected. SIX GENERAL MANDATES:
44. PII: Federal Trade Commission CONSENT DECREE, JANUARY 2008, Mandate 1: Designation of an employee or employees to coordinate the information security program.
45. PII: Federal Trade Commission CONSENT DECREE, JANUARY 2008, Mandate 2: Identification of internal and external risks to the security and confidentiality of personal information, and assessment of the safeguards already in place.
46. PII: Federal Trade Commission CONSENT DECREE, JANUARY 2008, Mandate 3: Creation and implementation of safeguards to control the risks identified in the risk assessment.
47. PII: Federal Trade Commission CONSENT DECREE, JANUARY 2008, Mandate 4: Monitoring the effectiveness of the safeguards.
48. PII: Federal Trade Commission CONSENT DECREE, JANUARY 2008, Mandate 5: Development of reasonable steps to select and oversee service providers that handle personal information.
49. PII: Federal Trade Commission CONSENT DECREE, JANUARY 2008, Mandate 6: Evaluation and adjustment of the program to reflect the results of monitoring, material changes to the company's operations, or other circumstances that may affect the program's effectiveness.
50. PII: VISA CISP BULLETIN, MAY 14, 2007: LEVEL 4 MERCHANT COMPLIANCE PROGRAM REQUIREMENTS: Timeline of critical events; Risk-profiling strategy; Merchant education strategy; Compliance strategy; Compliance reporting.
51. PII: CONCLUSION: PCI DSS IS A SUBSET OF PII REGULATION. Simply asking a merchant to answer the PCI DSS SAQ without true education, risk analysis and follow-up monitoring fails to meet the standard. Regulation, risk and liability will only increase in the current environment.
52. Review Articles: Federgreen, R. The facts on FACTA. The Green Sheet, 8:06:01, 2008. Federgreen, R. PCI DSS and HIPAA: the security standards share common ground. Transaction Trends, 2007. Federgreen, R. PCI eye to eye with federal law. The Green Sheet, 7:07:02, 2007. VISA.COM/CISP.