By: Lorie Schrameck, CIPM, CIPP/E/US, FIP – Sr. Director of Consulting at CSR Privacy Solutions, Inc.
If you are reading this article, then you already have a head start on the protection of Personal Information (PI). How? Because you are reading an article on data privacy! As a Privacy Professional working in a company whose sole purpose is to enlighten and assist other companies in managing PI, I eat, breathe, and sleep data privacy management. When I was asked to write an article for Privacy Day 2020, I said, “Sure!” But what can I tell you that hasn’t already been described in countless other articles? How in-depth an article can I write before you lose interest? Are you asleep yet?
At a minimum, everyone has seen a headline that a business had a PI data breach, and then a subsequent headline on the astronomical fine the business received from a Federal agency or state attorney general: “Doctor’s Office Fined 6.2 Million Dollars!” The headline, for many people, is all they read. Employees with tasks involving some type of privacy or security needs might read a few articles. Then there are privacy professionals, such as myself, who read the laws and work on compliance, and actually enjoy reading privacy how-to’s and updates on privacy laws. (Proudly, I declare myself a Privacy Nerd.) My counterpart, the IT geek, cringes at the very thought of reading laws and tells us so on a consistent basis. This train of thought set me to wondering how much people actually know about personal information, or whether they read enough to know the answers to basic data privacy questions.
I created a seven-question quiz. I posted it on numerous forums. On a professional forum, I only received one response – no one had the time or effort to answer. On a personal forum, the answers were “I don’t know” to almost every question, so I shortened the quiz to four questions. The response documented that for the average person, including business professionals, there is a lack of knowledge on the basics of PI and protection. These were the questions:
- Did you know that each state defines what PI is?
Responders in the privacy field answered yes. All other responders answered no.
- Do you expect to be notified when a business has a breach of your PI?
Responders in the privacy field answered yes. The other responses were mixed, with one stating businesses might rather pay a fine than make the effort or make it public.
- Are all businesses required to protect your PI?
I believe many responders read the first word of the question as “Should” instead of “Are” because even responders in the privacy field answered yes. The answer is No. While all states have laws requiring data breach notification, less than half have laws that require businesses to specifically protect personal information. If you’ve read our other articles, you will know that this is quickly changing.
What I learned is that there is a substantial need for a Basic 101 in Data Privacy. So, (and to the horror of English teachers everywhere), I finally give you the topic of my article: A Basic 101 on Data Privacy.
Data Privacy 101:
- Personal Information (PI):
  - Overall, PI is ANY information that relates to you, identifies you, or can give other people an opinion about you. It is more than just the information that could lead to identity theft. It could be information that is embarrassing if it is found out, that could put you into a specific profiled category, or that may set you apart from others, even an opinion.
  - The above description seems obvious, but you should know that under most laws in the United States, only your full name when combined with your social security number, driver’s license number, or financial numbers is considered Personal Information.
- Data Breach:
  - I think everyone knows what a data breach is. Pretty much, someone steals the personal information from a business. Ancient astronaut theorists say yes, that’s what it is. (Just making sure you are still awake.) But did you know? A breach can happen when a business loses data or records by mistake, including PI on physical paper, and even from an errant email.
  - Each state and country has its own laws regarding what needs to happen if a business has a data breach. Some states require reporting, some don’t. All states require customer notification, IF the incident meets their minimum description of a breach.
  - In the US, businesses must use the laws of each of the states that their customers reside in, NOT the state that their business is in. Each state has different laws that indicate when a breach is reportable to the state attorney general, consumer reporting agencies, and to you. If the breached information does not match what the state has in its laws, the business won’t need to report it to you. For example, if your social security number was breached and only your last name (meaning without your first name) was involved, they most likely will not notify you.
- Businesses Protecting PI:
  - Less than half of the US states require businesses to specifically protect personal information. SHOULD businesses protect it? Yes. ARE they? Well, you’ve seen the headlines. Businesses related to health, education, and finance are regulated Federally, but they are breached too. It’s really not a matter of “if” anymore, just “when.”
  - However, more than half of the states do have laws regarding certain industries, specific information, specific laws related to retention and destruction, laws regarding vendors, and most are now passing laws that not only require protection of your PI, but also give you data access rights (explained later).
  - CSR’s Privacy Nerds have been extremely busy, but very happy, tracking all the new bills introduced in state legislatures. Watch our news for passed bills and their explanation in layman’s terms.
- Data Access Rights:
  - Data Access Rights mean you can ask a company what personal information they have on you, ask to update your information, and sometimes ask to delete it. In a lot of places, companies must have your consent to use your PI, and you have the right to withdraw that consent.
  - This is a new concept for Americans, and old hat to countries in Europe. So far, only two states, California and Nevada, have passed anything close to full data access rights, but numerous states have bills in session right now. In those two states, businesses are required to let you know they want to sell your information, and you can tell them no.
If you started with little to no knowledge, then this has hopefully been enlightening. My challenge to everyone is to share the information with others and help them achieve at least a basic understanding.
If you work at a company that needs to put data privacy practices in place – CSR is here to help!
CSR is about helping small to medium-sized businesses – that are starting with little to no knowledge – and giving them easy-to-use tools to get started. We have lots of Privacy Nerds who can help determine what state privacy laws apply to you and explain them in a way you can understand.
Happy Privacy Day!