or Be Governed: How CRA's Can Secure Personally Identifiable Information
By Dave Malmstedt, CEO, Vincera, Inc.
In our last article, we described how, in the name of privacy, the
United States' Federal and State governmental bodies are approaching
HIPAA-type legislation for Consumer Reporting Agencies (CRA's),
placing the legal responsibility for Personally Identifiable Information
(PII) security squarely on the shoulders of information aggregators
and providers. Under the law, even data obtained from public record
sources will likely be required to be secured from illicit use,
theft, and tampering during data transfer and storage.
What can you do to self-govern before you get governed? This article
details how you can secure your background screening business by
discerning which software features will secure the integrity of
the PII you must transmit.
Bringing Distribution of Personally Identifiable Information Within
To avoid legal sanctions, CRA's must control access to systems and
documents containing PII, i.e. employment data, education, driving
records, etc. Fortunately, just as technology has created the capability
to disseminate sensitive information, so it has enabled the protection
of PII. Today, software exists that eases compliance with all elements
of current and impending legislation.
Specifically, CRA's must identify and apply a software solution
that will accomplish four key objectives: to protect,
monitor, measure, and manage the distribution of all PII.
Protecting PII: Authorization and encryption for all?
Protecting PII begins with authentication, such that only authorized
individuals gain access to sensitive data. Programs that protect
offer secure access procedures with logins and passwords, electronic
and traditional physical protection, and data encryption during
non-trusted data transfer. The Federal Information Processing Standards
(FIPS) specify requirements for the use of encryption, including
the use of a recognized algorithm (ARC4 cipher/MD5 hash/Salt/Entropy)
and symmetric keys of at least 128 bit.
It is worth noting that all PII should be protected; the European
Union Safe Harbor Rule provides an example of legislation disallowing
profiling to decide whose PII is protected, instead defining all
persons as rightful recipients of privacy and protection. Your compliance
with European standards allows you to exceed current American standards
now and to comply with the standards that are coming. Simultaneously,
complying with Safe Harbor will drastically ease your ability to
do business in the European Union.
Protecting all PII in these ways inhibits the sensitive information
from becoming a "run-away" report where most anyone can
access the data. The best programs accomplish this by enabling you
to customize your desired level of protection for your maximum flexibility,
based on your business scenario.
Monitoring PII: Who goes there?
Some software allows you to select, from the outset, specifically
who may use the files. However, this inflexible design becomes cumbersome
as you need or desire to add new, legitimate, persons and machines
to your file-sharing network.
Far more logical for most CRA's is the monitoring feature available
on some software. This feature allows you to track what is actually
happening with the PII your business is currently transferring.
Effective monitoring software alerts you that the PII is being viewed,
tracks the distribution of documents containing sensitive information,
and enables audit trails that rely on document watermarking and
We recommend monitoring both within and beyond corporate firewalls.
Data sources such as courthouses, universities, credit bureaus,
employers, and state agencies report to CRA's, who then report to
requestors such as PII end-users, Human Resource departments, Security
departments and others. Firewalls exist on either side of the transaction--between
the data sources and CRA's, and between the CRA's and requestors--,
yet PII can be shared outside the firewalls on both sides, too.
If all this monitoring sounds cumbersome, it need not be. Software
with business friendly distribution indicates minimal impact on
current business process and IT environments, end-users, and vendors.
Measuring: Where are the breaches likely to occur?
Monitoring software yields reports on activity and enables behavioral
reporting, such that the next step--measurement-- can efficiently
and accurately identify where the distribution breach potential
lies in your network, based on activity and distribution of documents
per machine fingerprint. With customized profiles and attributes
you select, intelligent analytics will automatically alert you regarding
which machines and users are liable to break with approved distribution
Measurement is designed to report PII exceeding the distribution
metric you choose. Again, maximum flexibility is key, because it
allows you, and not the software, to define thresholds for business
For example, with appropriate software, you can determine how many
machines "should" access a given report as distributed
by a given individual, versus how many actually do. If we assume
that Joseph Taylor typically distributes to 10 machines, but your
measurement software observes his distribution to 20 machines within
a few hours of the report's initiation, perhaps a breach has occurred
or is impending. With measurement data, you are free to determine
the potential for a run-away report, and to then manage that report
as you see fit.
Managing: What shall you do about impending security breaches?
Based on your measurements, it seems that Joseph Taylor may be prone
to the inappropriate sharing of PII. Management tools available
in some software allow you maximum flexibility in making decisions
based on this information.
Using a rules engine for custom solutions for access and denial
scenarios, you have several options once a breach has been detected.
For example, you may apply prevention to read a document, also known
as lock-down. Your options also include proactively preventing a
report's distribution to specific machines and users based on your
measurement intelligence. Alternatively, you can elect to continue
observing where the information is sent.
Here are a few management options software can offer to give you
maximum flexibility in protecting your files containing PII: Convert
non-secure formats such as HTML to encapsulated, encrypted, and
secure formats such as PDF; enable content owners to define access
privileges, and to expire document access; use watermarks to deter
distribution and to identify a breach's original source; utilize
a detailed audit trail to track document behavior; and detect unauthorized
access attempts to raise alerts.
Moreover, because the law requires that you secure not only the
files themselves, but also where they are stored, management software
is available that encrypts the storage as well. Good management
of your sensitive data implies encryption-based storage.
Conclusion: Today's Software Eases Legal Compliance and Allows
In conclusion, by locating and applying the proper software for
your needs, you are in a perfect position to protect yourself as
regards current and coming laws affecting CRA's and PII. By selecting
software that allows you the flexibility to protect, monitor, measure,
and manage access to files containing PII, you will self-govern
rather than be governed. Securing personally identifiable information,
and hence your own background screening business, has never been
About Vincera, Inc.
Vincera, Inc. is the business process improvement company whose
software monitors businesses' end-user web-based behavior, subsequently
delivering predictive analytics that enable businesses to retain
and upsell existing customers. Uniquely, Vincera's software also
allows their clients to track and manage the distribution of intellectual
property and content that contains personally identifiable information
in a process Vincera labels "business friendly distribution,"
because businesses are in charge of how they use the resulting information.
Vincera is the only software company that combines three vital business
process improvement services-- behavioral monitoring, predictive
analytics, and information distribution technology--in one software
tool. Vincera's clients include research publications, background
screeners, healthcare industries, and other businesses that use
web-based technology. Vincera's clients share a need to track and
predict how their own customers are using their licensed software
products or other intellectual property, as a revenue-generating
sales tool for acquiring, retaining, and upselling customers; and/or
to guard intellectual property and personally identifiable information.
For more information go to: www.Vincera.com