Got PI or PII or PHI? - Some Personal Information (PI), Personally Identifiable Information (PII) and Protected Health Information (PHI) is held by nearly every organization. In fact, it takes very little to make PI: 1) a first and last name, or a first initial and last name; PLUS 2) some identifying information such as a social security number, a driver's license number, a state-issued ID card number, a credit/debit card number, a financial account number or similar identity information.
If your organization collects, owns, holds or even transmits certain types of personal or protected information, various state and federal laws require that it be protected. Data theft and identity theft are growing concerns. Not a week goes by without a report of another stunning batch of protected data lost or stolen.
Another source of information on data loss is the HIPAA breach list published by HHS. Under section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
Data theft or loss triggers reporting duties, potential fines, possible legal liability and potential reputational damage. The laws protecting consumers against the harms of data loss are growing stricter. Massachusetts stands as the state with the most far-reaching protection for the PI of its residents, wherever that data is located. That means that if you hold financial information such as a check or credit card from a Massachusetts resident, you must comply with the law - 201 CMR 17.00 - even if you are located outside Massachusetts. Data loss need not involve theft; simply losing a laptop computer containing protected information triggers reporting duties.
The European Union has recently complicated this topic by imposing a very strict privacy regulation, the General Data Protection Regulation (GDPR), which can reach U.S. organizations.
2018 also marks the passage of the California Consumer Privacy Act (CaCPA), which will also apply broadly outside of California.
In the wake of the Facebook-Cambridge Analytica scandal, the trend line is moving toward the GDPR principle of "privacy by design".
Solutions to these challenges are both technical and legal. The Written Information Security Programs (WISPs) required to comply with the Massachusetts law include requirements for employee discipline, employee policies and training. GDPR and CaCPA push the requirements further. Legal issues also arise from the need to update or create retention and information governance policies for the organization. Regardless of where your organization is in the solutions process, we can help guide you toward appropriate solutions.