
Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: SC Magazine

Posted on April 10, 2011

Years ago, legally imposed data security requirements were rare and limited to specific industry niches. The financial services industry had the Safeguards Rule under the Gramm-Leach-Bliley Act of 1999 (GLBA), and the health care industry had the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Today, GLBA and HIPAA are just the tip of the iceberg when it comes to laws that require an organization to implement, maintain and document adequate security measures, regardless of its line of business. In fact, a company can find itself under such an obligation through multiple sources. Therefore, a prudent firm should not wait until a clear and direct obligation exists before taking steps to secure its systems and processes. A legal obligation to do so may be just around the corner, or one may already exist unbeknownst to the entity.

Contained within the American Recovery and Reinvestment Act of 2009 is the Health Information Technology for Economic and Clinical Health Act, or HITECH Act. One of the many changes brought on by the HITECH Act was the modification of HIPAA to significantly increase the obligations imposed on business associates. Business associates are organizations that perform activities on behalf of a covered entity that involve protected health information.

The PCI Security Standards Council continuously updates its Data Security Standard (PCI DSS). PCI DSS was established by the credit card companies to ensure the security of cardholder data. Among the changes is a recognition that many different parties may have access to cardholder data, and that every one of those parties must therefore be shown to maintain adequate security over that data. Though this is a self-regulatory process, PCI DSS has been incorporated into some state laws.

Perhaps overlooked are requirements that can be imposed on an organization merely by signing a contract with another business. Many business-to-business agreements contain data security requirements, sometimes buried within an exhibit to the contract.

How to respond? Companies should take numerous steps to mitigate potential risks, including maintaining a written information security program, training employees, performing annual security assessments and audits, and using intrusion detection systems.

Despite a company's best efforts, breaches can still occur. When they do, a company should first gather internal resources to review what type of incident has occurred. A team of individuals should be in place from human resources, legal, public relations, information technology and top management. IT should review the data that was potentially exposed to determine what type is involved. The type of data will determine if notification is required under state law. Next, notification letters to affected data subjects may need to be drafted in compliance with applicable state breach notification laws. If credit card data is involved, the company may need to notify affected card brands.

If the breached company lacks the internal resources to handle the call volume that a large affected population can generate, call centers should be set up. After the data breach is handled, the company should analyze the incident and outline potential areas of improvement to avoid future incidents.

Whether or not they are required by law, sound data security practices and a proactive approach to these issues are always advisable.


In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
