Many states have recently passed legislation designed to prevent exploitation of an individual's private data. Following the path forged by
the Health Insurance Portability and Accountability Act ("HIPAA"), the scope of private data has expanded from Personally Identifiable Information
containing health and medical information to any information that points to specific financial or demographic data that is not explicitly
publicized by the individual.
Data Privacy Compliance
The ITPMG Data Privacy Compliance offering provides a "Play Book" process that leverages its three phases to help clients develop and
execute strategies for effective, sustainable data compliance risk reduction. It should be noted that Phase One is applicable to small
organizations with relatively simple privacy requirements and is generally sufficient for their needs. Large and medium size organizations or
those with complex data or network requirements would typically need all three phases. The "Play Book" process and key deliverables are
CIO, COO, CEO, Board of Directors
Penalties for failure to secure private data range from substantial fines to criminal charges levied against senior management, officers
and directors. Response to the privacy regulations includes technology deployments, process management and education. Many
organizations are already doing the necessary things to be compliant, but have not benefited from an independent assessment of that
fact. Others need an effective prioritized roadmap to wisely and economically strengthen the security and privacy procedures so that
management can be assured that all the proper pieces are in place for full data privacy compliance.
These activities will accommodate the common requirements of the recent state laws. Obviously, to be truly compliant, senior management
must be uniformly committed to the principles of data privacy, and must be informed and support each of these activities.
As a result of these state laws and regulations, organizations are now charged with implementing procedures and deploying resources that
provide for protecting what has been termed private data at rest, in transit and during use. In some instances, these restrictions apply to
both physical (paper) data and electronic data elements.
In many cases, these state laws are punitive in that they define and assess fines, penalties and possibly criminal charges that may be
attributed to any failure to protect data privacy of individuals or organizations. The recent filings have also been prescriptive in that they
define what should be done to help protect this data privacy. These newer regulations can also specify fines, penalties and possible
criminal charges that can apply to organizations that do not comply even if no privacy breach occurs. This latter point is important
because enforcement is not predicated on an event, but rather can be triggered by virtue of an audit or review by the state or an independent
authority. In some cases, that may mean an individual (either placid or disgruntled) can bring about an investigation of an organization
that they believe may not comply. In short, you are being charged with "doing the right thing" regarding data privacy.
These prescriptive regulations often define very specifically what you must do. Recently passed laws expect organizations that have a
business presence in their states, or that have customers, employees, contractors, or business partners who reside in their respective states,
to adhere to these regulations. That means that you don't need to have a presence in the state to be subject to its laws. These specific
requirements often include:
• Appointment of a person to manage the protection of data privacy
• Training for all employees and business partners regarding the policy
• A process for reporting and correcting violations
Some states go even farther in defining what you must do. Our Data Privacy Compliance offering can help you sort through these
regulations and do what is necessary to comply and therefore protect yourself from litigation or even criminal charges.
Obviously, each state law is applied differently, and as one would expect, each state has been cognizant of an organization's size and
financial position in applying the regulation. That doesn't excuse any organization from complying with the law, but it does imply that the
company must be at least as diligent as "common practices" would dictate.
Our experienced consultants have developed an effective, comprehensive approach to Data Privacy Compliance that will help companies
craft a program that can be judged compliant using the backdrop of these common practices based on the industry and organization size.
Phase One: Compliance Assessment
• Data Security Coordinator Job Description and Credentials
• Information Security and Protection Policy Template
• Identification of most likely data privacy repositories (electronic and paper)
• Assessment of existing data security policies
• Employee Training material and education plan
These activities can be completed once the Data Security Coordinator has been appointed and with help from the IT staff and other
department representatives from each area where private data may be housed or used.
Phase Two: Technology Plan and Test Exercise
• Risk assessment directed toward a reduced attack surface
• Data privacy technology requirements
• Strategic roadmap for full data privacy protection
• Capital expense and three-year operating budget for data protection
• Documented incident management and response plan
With all components (technical and procedural) in place and key individuals performing at their expected level, these tasks will help confirm
the plan's operation and can serve as a significant tool in refining and improving the data protection strategy.
Phase Three: Incident Management Planning
• Results of privacy protection exercises
• Registration with selected certification resources if included in the strategy
• Drafts of marketing briefs to capitalize on a successful data protection program
Security and Regulatory Compliance Strategy and Planning Service Offerings
Data Privacy Compliance
Gramm-Leach-Bliley Act Compliance Assessment
HIPAA Security Compliance Assessment
Business Continuity and Disaster Recovery Planning and Assessments
Security and Regulatory Compliance Assessment
Security and Compliance Strategy and Planning Assistance