Four Main Areas of Change

There are certain aspects of the ARRA that make significant changes on the types and level of privacy and security requirements healthcare providers are required to follow. The ARRA imposes substantial modifications in the following four areas:

1. HIPAA (Health Insurance Portability and Accountability Act) statutory requirements
2. Increased enforcement of HIPAA
3. Provisions to address health information held by entities not covered by HIPAA
4. Other changes including administrative changes, studies, reports and educational initiatives

The modifications in each of these four areas are discussed in separate articles in this series.

Breach Notification

As discussed in an earlier article, the ARRA establishes new breach notification requirements. These requirements are extended to vendors of personal health records and other non-HIPAA covered entities. This means that breach notification requirements now apply to the following entities:

• Those that offer products or services through the website of a vendor of personal health records.
• Those that are not themselves HIPAA-covered entities, but that offer products or services through websites of covered entities with personal health records.
• Those that are not themselves HIPAA-covered, but access information, or sent information to a personal health record.

HHS & FTC Study

The ARRA also commissions the Department of Health and Human Services (HHS), in consultation with the Federal Trade Commission (FTC), to conduct a study and produce a report to Congress on privacy and security requirements for non-covered entities or business associates under the HIPAA. This study needs to include:

• Requirements relating to breach notifications that will be subject to the FTC’s new breach notification authority.
• Which federal government agency is best able to enforce recommended privacy and security protections.
• A workable timeframe for implementing regulations based on these findings.

Administration Changes

ARRA established the Office of the National Coordinator (ONC) for Health IT (HIT). It also created a new advisory committee infrastructure with a new HIT Policy Committee and a new HIT Standards Committee, both of which are governed by the Federal Advisory Committee Act (FACA).

The HIT Policy Committee is required to make recommendations regarding technologies that protect privacy and promote security in an electronic health record. This includes those that allow for the segregation of sensitive health information and the use of limited data sets.

ARRA also creates a position of Chief Privacy Officer (CPO) within the ONC framework. This individual is responsible for advising the National Coordinator on privacy, security and data stewardship of electronic health information. However, the CPO is not responsible for HIPAA oversight.

Studies, Reports & Educational Initiatives

The ARRA commissions a number of studies and reports from the Government Accountability Office (GAO), HHS and FTC. The ARRA also directs the HHS to develop and maintain a thorough national education initiative with the objective of enhancing public transparency regarding the uses of protected health information.

Summary

This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which resulted in some significant changes to privacy and security regulations which were outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) HIPAA statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the provisions for entities that are not currently covered by HIPAA, as well as other miscellaneous changes made by the ARRA.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:

• Amendments under the American Recovery & Reinvestment Act of 2009 (I.B.a.i.3.)

On May 22, 2007 the Presidential Identity Theft Task Force issued Memorandum 07-16. It required all agencies to develop and implement data breach notification policies within 120 days, as outlined by the memorandum. M-07-16 included a number of new recommendations and requirements agencies must use in creating such policies.

What is Personally Identifiable Information (PII)?

M-07-16 expanded the definition of personally identifiable information to the following: “personally identifiable information refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as data and place of birth, mother’s maiden name, etc.”

The following are a number of requirements outlined by various attachments to M-07-16 in order to protect personally identifiable information:

Safeguarding Against the Breach of Personally Identifiable Information

Part A of Attachment I reiterated the privacy and security requirements for Federal agencies enforced under the Privacy Act, such as establishing safeguards, ensuring the integrity of data and establishing “rules of conduct” for individuals handling information. Furthermore, under the Privacy Act, agencies are require to assign risk levels to information systems according to NIST SP 800-37.

Attachment I also created the following new requirements:

Review and Reduce the Volume of Personally Identifiable Information

Agencies should conduct an initial review to identify records containing PII and ensure that the information is timely, accurate, relevant and complete. Only the information necessary for carrying out government activities should be maintained. After the initial review, the holdings of PII should be periodically review according to a public schedule

Reduce the Use of Social Security Numbers

All agencies were required to develop a plan within 120 days of the memorandum to eliminate any unnecessary collection of Social Security Numbers (SSN) within eighteen months. Furthermore agencies were also charged with the responsibility of working with other Federal agencies to create a Federal identifier separate from Social Security Numbers.

Security Requirements

Agencies must implement the following security features to protect all Federal information, not just data containing PII:

• Encryption
• Require two factor authentication using separate devices when accessing information remotely
• Implement a Time-Out function requiring re-authentication after a period of inactivity on remote access and mobile devices
• Log data extracts from data files containing sensitive information and verify each extract including the destruction of sensitive data after 90 days after it is no longer in use
• Educate all individuals handling PII and have them sign a document annually stating they understand their responsibilities.

Incident Reporting and Handling

Attachment 2 of M-07-16 reviewed FISMA guidelines for the reporting of data breaches and modified several requirements.

US-CERT Reporting

All agencies must report incidents involving PII to the United States Computer Emergency Readiness Team regardless of whether a threat may be potential or confirmed. Reporting must take place with one hour of its detection for Category 1 incidents. Examples of Category 1 incidents include:

• An individual gaining physical or logical access to a Federal agency’s network, information system, applications, or data without authorization
• Any confirmed or potential breach of personally identifiable information regardless of how the breach occurred

Develop and Publish a Routine Use

Routine use includes all uses of data which are in line with the purposes for which data was originally collected. Effectively taking countermeasures to reduce the threat to information due to a security breach may require Federal agencies to share PII with other agencies and law enforcement officials with whom no data sharing agreement exists. To respond adequately, agencies should establish routine use policies to allow the disclosure of information without the prior consent of the individual in situations involving data breach investigations.

External Breach Notification

Attachment 3 of M-07-16 addresses how and when data breaches should be reported to   affected individuals and/or the public. All agencies must develop data breach notification policies to guide officials and deciding when notification is necessary and how it should be undertaken.

Whether Breach Notification is Required

Agencies should assess the level of risk and the likelihood of the breach causing harm using the following five factors:

• Type of information compromised
• Number of affected individuals
• Accessibility and usability of the information
• Likelihood of harm occurring
• Ability of the agency to mitigate harm

Timelines of the Notification

If notification is to be undertaken, it should be carried out promptly upon discovery. Notification may be delayed, as authorized but a senior official, if notification may seriously affect law enforcement proceedings.

Source of the Notification

Notification to affected individuals should come from the head of the agency where the breach occurred. Notification for breaches affecting less than fifty people may also come from the Chief Information or Privacy Officer.

Contents of the Notification

Notice should be provide in writing and contain the following information

• Type of information compromised
• Whether the information was encrypted or similarly protected
• Steps the individual can take to mitigate harm
• Steps the agency is taking to investigate the breach, mitigate harm and protect against future incidents
• Contact information for the agency

Means of Providing Notification

Method of notification depends on the number of affected individuals and the urgency of the notification. Methods include:

• Telephone
• First-Class mail
• Email
• Existing Government wide services
• Newspapers and other media
• Any accommodations necessary for individuals with disabilities

Who Receives Notification

For every data breach, agencies must consider whether to provide notification to the affected individuals and/or the public. Notification to individuals should occur promptly after the need for notification has been determined. Notification to the public including the media should be carefully planned to avoid alarm or confusion. Notice should also be posted on the agencies web page when public notification occurs.

Rules and Consequences Policy:

Attachment 4 of M-07-16 set forth a new requirement. All agencies must develop and implement a Rules and Consequences policy for employees handling personally identifiable information.

The policy must outline the requirements of employees according to their level of responsibility and the type of information they handle. Employees must be aware of their responsibilities under Federal law as well as the consequences for any violations. Supervisors that fail to take disciplinary action when violations occur are also subject to penalties. The policy should address:

• The types of individuals that must comply, including employees, contractors and other individuals handling PII maintained by the Federal government
• The types of actions that constitute violations including
  • Failing to maintain or implement security controls
  • Accessing PII or disclosing PII to other individuals without authorization
  • Failing to report suspected data breaches or unauthorized disclosures
  • Failing to adequately instruct, train or supervise employees handling PII (for managers)

Summary

The Federal Government has a legal responsibility to protect the personally identifiable information is has collected from individuals. Memoranda such as M-07-16 ensure that the security of personally identifiable information remains an ongoing discussion and concern within the Federal Government.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• OMB Memorandum 07-16 (II.A.c.2.j)

Mr. Elefant, would you please tell me a little bit about your background?

I’ve been in and around payments for 20 plus years. I started a company called IC Verify which was the first PC payment software company in the 80’s doing credit cards, ATM / debit and check processing on personal computers. We rolled that out to 250K merchants in 21 countries with a half dozen languages. ICVerify was merged with CyberCash, and I became the vice chairman of CyberCash. After leaving CyberCash, I was involved in several other startups including a company called Price Radar in the online auction space, a digital content management and micro payments company called Yaga and then venture capital for the last five years before joining Heartland Payment Systems.

________________________________________

So the division you’re handling is the payment systems?
I am the executive director of end-to-end encryption. This position touches on many aspects of Heartland’s diverse business.

________________________________________

As far as the end-to-end encryption, first, what do you think of the media’s treatment of Heartland? From my perspective, with a little time in journalism, the story was ‘if it bleeds, it leads’… that seems to be the mantra and the announcements that went on with Heartland incident, the media absolutely had a field day. What was the actual severity of the breach, and was it as bad as the media portrayed?

We seem to be turning the tide. We’ve been proactive in leading industry change, sharing information and furthering the development of end-to-end encryption as a key element that will help the industry be more secure.
________________________________________

What do you think of the PCI DSS? Does it go far enough? Obviously, with Visa putting you guys and RBS on probation… What was the disconnect, and what do you think of the PCI DSS?

Heartland was PCI certified every year it was assessed. Yet our system was breached, showing that the standards did not fully protect data. It may well be that no set of standards ever could fully protect data in this environment — where motivated criminals develop ever more sophisticated ways to infiltrate systems. We are working on new approaches to enhance security.
_______________________________________

So it’s just the application itself has to be certified and you guys are going above and beyond that throwing in the end-to-end encryption to take care of everything that’s not currently called out in the PCI-DSS?

Yes. What we’re doing is from the time the digits leave the mag stripe, as they are read through that read head, they will be encrypted with very strong TRSM (Tamper Resistant Security Module) and AES encryption. Through the terminal, over the wires, through our hosts and through the card brands, the transaction will be encrypted – as long as the brands agree to do this.

________________________________________

As far as the price tag for a breach, what are we looking at as far as potential sanctions from the PCI, I’m not talking about specifically about Heartland, but in general terms if you can’t talk about Heartland, what are we looking at as a breach? We’re talking sanctions, breach notifications, brand harm – what do you see as the final price tag?

Breaches are expensive in all of those categories and more. The results of some past breaches are publicly available. I don’t’ know how to answer your question about a specific price tag. It’s still TBD.
________________________________________

A pretty consistent theme in my reading and at conferences is people saying, “The reason we’re doing all this security work is for compliance – we’re trying to comply with the governmental regulations rather than trying to do what’s in the best interest of protecting the customer.” Because there are risk tradeoffs, how do you weigh between the privacy of the user and the compliance with whatever regulation?

I think compliance and security go hand in hand. Compliance, though, is not enough in and of itself. That is why we are working to enhance the existing industry standards. We are also working with ANSI X9 F6 t to help create greater security around PAN’s as well as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Payments Processing Information Sharing Council (PPISC) to share threat information and protect the entire industry, business owners and consumers
________________________________________

So one of the reasons for the CIPP Guide website is to serve as a resource for the privacy professional certification. What do you think of certification programs, both in general as far as technology certifications go?

I think they’re very important. The education process that goes on within the industry has to be an ongoing one. It’s not a one-time thing. The industry changes and evolves, and the threat vectors change. This is a continuous process the industry needs to continue to support.
________________________________________

It definitely seems like you guys are moving in the right direction. As I said earlier, it’s unfortunate that the media gets a hold of these things, because, I seem to recall that the information that was lost was bad, but not so bad that it was going to bring about the end of the financial market.

We are trying to do things that benefit our business, the entire industry, merchants and consumers.

The complete interview with Mr. Steven Elefant, including more details on PCI and his thoughts on compliance is available in the CIPP Guide forums.

Ed. note:  Before the interview, Visa had revoked Heartland’s PCI compliant status as of March 13th, 2009.  According to Visa’s website, Heartland apparently regained their PCI compliant status as of April 30, 2009.  As of May 7, 2009, the Heartland breach reportedly cost over $12.5 Million.

Join the forum discussion on this post - (1) Posts

The Federal Trade Commission and State Attorneys General enforce federal and state laws of consumer privacy protection for Unfair or Deceptive Trade Practices (UDTP).  One recent example was the State of Maine’s consumer protections, which are more restrictive than the federal laws with respect to cigarette labeling.  The State brought suit against a tobacco manufacturer for violating the state’s deceptive trade law, which the manufacturer argued was out of line due to the Federal Cigarette Labeling Act.  The Supreme Court decision upheld the State’s right to pass more restrictive legislation, pointing out:  

Neither the Labeling Act’s pre-emption provision nor the Federal Trade Commission’s actions in this field pre-empt respondents’ state law fraud claim. Pp. 5–20. 

 (a) Congress may indicate pre-emptive intent through a statute’s express language or through its structure and purpose. See Jones v. Rath Packing Co., 430 U. S. 519, 525. When the text of an express pre-emption clause is susceptible of more than one plausible reading, courts ordinarily “accept the reading that disfavors pre-emption.” 

The rationale in (a) requires express language for a federal law to negate a State’s right to create more restrictive legislation.  The first citing by the high court becomes the contentious issue for House Bill H.R. 2221, proposed by Illinois Representative Bobby Rush.  The bill tackles several tough interstate commerce issues, placing the FTC in charge of disposal regulations for obsolete or abandoned paper records containing personal information, breach notifications and verification requirements for information brokers.  Section 6 of the so-called Data Accountability and Trust Act includes a provision reading:

 (a) …This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to those entities covered by the regulations issued pursuant to this Act, that expressly–

1. requires information security practices and treatment of data in electronic form containing personal information similar to any of those required under section 2; and
2. requires notification to individuals of a breach of security resulting in unauthorized acquisition of data in electronic form containing personal information.

(b) Additional Preemption-

1. IN GENERAL- No person other than the Attorney General of a State may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act. 

This would strike several of the state privacy and notification laws (possibly including California’s SB 1386), stripping the State’s rights and growing Washington’s power.  It also bars the State Attorneys General from bringing suit, possibly in an effort to avoid a double jeopardy situation.  There are numerous case studies of the FTC and State Attorneys General working hand-in-hand for consumer protection; why this law tries to hamstring the situation is a bit of a mystery.

One more interesting note on Representative Rush’s proposal – the bill also places an encryption exemption on breach notification.  As we noted in a recent post on corporate disposal policies, hackers and researchers seem to notice protection missteps and use them to bypass security provisions just like encryption.

The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption has been or is reasonably likely to be compromised.

The law has a 10 year lifespan, which should be a decent requirement before the Advanced Encryption Standard (AES), currently the de-facto encryption standard (and as yet to be compromised), ages beyond its effectiveness.

Update: President Obama’s May 20th, 2009 Memorandum on the Subject of Preemption and State’s Rights quotes Justice Brandeis saying, ”[i]t is one of the happy incidents of the federal system that a single courageous state may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.”

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post including:

• Regulatory Authorities (CIPP: I.A.c) including: The Federal Trade Commission
• Enforcement of U.S. Privacy and Security Laws (CIPP: II.B.d, I.A.c) including: Unfair and Deceptive Trade Practices (UDTP), and enforcement powers under the FTC Act section 5 
• Privacy and Data Protection Regulation (Foundations: I.F.a, I.F.b) including: Sectoral legal framework 
• National data protection regimes (Foundations: I.F.b) including: State’s Rights 
• Specific Privacy and Security laws (CIPP: I.B.g) including: Breach notification
• Information Security (Foundations: II.C) including: Encryption

Staggering Statistics

Types of Incidents resulting in Breach - all time from DataLossDB.org

Types of Incidents resulting in Breach - YTD 2009 from DataLossDB.org

All of this regulation and legislation covers day-to-day activities surrounding quarterly and annual reporting, personally identifiable information storage and protection, information security policies and appropriate retirement and disposal of files and data.  Much of the legislation was in response to rising problems with identity theft, corporate scandal or high profile private records breach.  The exposure numbers are staggering.  According to statistics collected by the Open Security Foundation, there was a 117 fold rise in data security breaches since 2000 and 400% escalation in breaches since 2005.  In 2005, the Federal Trade Commission estimated 3.7% of the US adult population were victims of a records breach.  By 2008, breach notifications affected 84 Million records, approximately 5.6% of the population.  17% of those breaches were based on paper losses, such as check stubs, account statements or other printed documents.  However, the other 83% of the breaches reported involved electronic records, accounting for over 98% of the total records lost.  The two graphs denote the source of the losses, with a consistent 36% breach rate because of theft or loss, but an interesting 9 point upswing this year (8% vs 17%) because of lost equipment or improper document disposal.  Some of the categories (like lost tapes) have been nearly eliminated in recent years by industry best practices and paradigm shifts.

Dumpster Diving for PII

So how is it that Mr. Steve Hunt happened across a treasure trove of private financial information lying in a dumpster behind what he describes as a “big bank in a big city”.  The bank hired Hunt’s company, Hunt Business Intelligence, and was surprised at the results, finding check stubs, bank statements, wire transfer information and even a computer from the “Chicago Board of Trade”.  There are obviously policies regarding file disposal, especially at any large banks to comply with the legislative requirements.  Checks, bank statements, files and other paper should be shredded.  Computer equipment should see more than simply file deletions – they at least require the digital equivalent of shredding and some regulations expect physical destruction of hard drives.  So how does a privacy professional work around this sort of data exposure problem when policy is absolutely ignored?

“There are so many physical security aspects to data protection it ought to never be considered merely an IT security issue,” Hunt said.  Mr. Hunt is referring to not only the lost bits in use on the device, which privacy and security professionals obsess over with technologies such as DLP (Data Loss/Leakage Prevention), but also losses where the data reside, be it paper bank statements, backup tapes, or used hardware disposal methods.  We see time and time again how smaller devices facilitate loss or theft, thereby impacting privacy, with examples ranging from memory stick losses at a prison,  a USB drive compromising major intelligence operations or stolen laptops and smartphones.  But most of the items Hunt calls out are not the ultra-portable electronics; they’re examples where companies apparently forget policy in the name of cleanliness - rejected Xerox copies, unclaimed faxes and a third party computer (which no one probably knew what to do with and someone finally grew tired of looking at).

Although Hunt called out pretty significant personal details uncovered on the papers retrieved, statistics, logistics and plain old physics consistently point to electronic records as the bigger picture.  You simply can’t compromise as much paper information without a tractor-trailer and physically being in a location.  It might only take Hunt 3 minutes to find items in the trash, but the planning and execution (and lingering odor) may encompasses hours.  The risk is also significantly more tangible to the perpetrator than a remote, network-based attack – instead of an air conditioned room and a laptop, a dumpster diver faces police and private surveillance, neighborhood watches, and the physical stigma of traipsing through the trash.  This likely deters all but the most determined adversary.  So don’t forget proper paper disposal: it’s well understood and it will place your company in the news 17% of the time, but realize that it amounts to 2% of the total disclosure problem.

An Inventory of Assets

Corporations should already have an inventory of assets in this age of eDiscovery.  A chart of who owns what equipment and what’s stored on it will allow you to meet court demands, quickly figure out what you should have at any moment of time and where to look when data are needed later.  At a minimum this includes such IT items as servers, desktops, laptops and smart phones, regardless of their owner, as well as any hardware off site.  This should help avoid mysterious losses of equipment like a laptop in the trash.

Information Lifecycle Mapping

Better still: enterprise information lifecycle mapping will go much further in defining what information may be at risk due to loss, theft or policy failure.  In dealing with privacy data, lifecycle mapping shows what data are being created during collection, for what use and purposes, in what formats the data are retained, and most importantly, delineate who has disclosure access to each piece of information.  This is especially useful in multi-sector corporations and third party / marketing vendor relationships, where management and administration of data flows must be reconciled across large population swaths.  Lifecycle controls also allow monitoring of customer opt-in and opt-out decisions and appropriate enforcement of policies.

Mitigating Data Recovery Risks

The recovered laptop’s battery was drained, but Hunt says, ”I know how to connect to a hard drive.” Would the laptop have been susceptible to recovery as Hunt suggested? Up until ten months ago in Indiana, the laptop wouldn’t require a breach notification, as long as the system had a password installed on the machine.  Anyone in the security industry will tell you how easy it is to circumvent or recover a user name and password, especially if that’s the best protection on the system.  My information security professor back in college regularly emphasized, “Once you get your hands on the hardware, all bets are off”.  So what may be done to manage this risk?

Cryptography eliminates disclosure risks?

Most states, including Indiana since their requirements change, expect encryption will provide adequate protection from information loss, and therefore do not require breach notifications for cryptographically secured equipment loss.  Cryptography is impressive, effectively eliminating data-at-rest risk in most instances where the equipment is turned off.  (There are plenty of cryptography protection examples for data-in-transit or data-in-use we’ll leave for another time.)    Encryption is not the disclosure panacea.  There are sometimes flaws in software code and, even when properly executed, eventually the mathematics behind encryption systems age.  Then there are security revelations, such as the Cold Boot presentation last year.  Security researchers at Princeton successfully circumvented military grade encryption, not by cracking the mathematics, but by taking notice of a peculiarity in how encrypted computer systems operate, and more importantly how users operated the computer systems.

Hard Disk Data Remanence

Everyone should be familiar with a computer’s “Recycle Bin”, the place where “deleted” files stay until the second stage deletion (empty recycle bin on Windows) removes the file.  Even that second stage doesn’t really delete the file.  The OS removes the file’s header information, and frees the occupied locations for writing.  Liken it to simply tearing off the top page of a fax and flipping the pages over to write on.  The short version: if you’re serious about deleting private information on decommissioned equipment, keep the encryption and ‘erase’ the disks following the old DoD policies, where drives are overwritten multiple times with a specific pattern.   That’s better than best practices and will easily avoid any sorts of negligence findings anywhere in the near future.  However, another security researcher named Peter Gutmann took notice of how the DoD drive erasure security process was actually implemented and determined that data were recoverable unless erasure was manufacturer and model specific – with rewrites of up to 35 times.  The DoD found the lengthy process of overwriting disks according to Gutmann’s studies too costly, and now most often uses NSA approved Degaussers to literally rip the bits off the drive.  A third alternative entails physically shredding the hard disks like paper records.

Third Party Equipment

The Chicago Board of Trade did well by labeling their equipment so it may be identified.  It appears they probably missed the mark by leaving off an easy to use contact method or shipping address.  Contracts for third party vendors must take into consideration loaned equipment installed on customer premises.  Mistakes made by third party vendors bring shame to their organization, but more than likely breach notifications will go out on your corporate stationary.  Regular compliance audits (including dumpster dives if you wish) and data lifecycle management are crucially important as the primary vendor.  All of these activities will help manage corporate risk.

Disposal Policy Conclusions

With each improvement in security technology, someone eventually notices a problem with how it’s implemented or nuances of actual usage, as evidenced specifically in the examples from both the Princeton folks and Gutmann.  Avoid complete technology reliance and prepare for the latest system’s failure.  Follow best practices relating to security & disposal, document the modifications into processes and write policies to manage the gaps.  Always be prepared to account for numb skulls in your organization – audit your processes and staff and you may be surprised at what you find.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post including:

• Privacy Regulations (Foundations:I.F.b, CIPP: I.B) and Compliance Requirements (Foundations:II.B),
• Managing Risk and compliance (Foundations:I.G.b) including: Privacy Policy Development, Risk Management (Data Recovery and Disposal Policy )and Compliance and Incident Management
• Policy (Foundations: I.C) including: Internal use and disclosure, Third Party Relationships
• Data Lifecycle (Foundations:I.E.vi) including: Collection, Use & Retention, Disclosure, Management & Administration and Monitoring & Enforcement
• Information Security (II.C) including: Encryption(data-at-rest and disk encryption), Asset Management (asset inventory & information classification), Threats & Vulnerabilities, (Data remanence and Dumpster diving)