Self-Govern or Be Governed: How CRA's Can Secure Personally Identifiable Information

By Dave Malmstedt, CEO, Vincera, Inc.

In our last article, we described how, in the name of privacy, the United States' Federal and State governmental bodies are approaching HIPAA-type legislation for Consumer Reporting Agencies (CRA's), placing the legal responsibility for Personally Identifiable Information (PII) security squarely on the shoulders of information aggregators and providers. Under the law, even data obtained from public record sources will likely be required to be secured from illicit use, theft, and tampering during data transfer and storage.

What can you do to self-govern before you get governed? This article details how you can secure your background screening business by discerning which software features will secure the integrity of the PII you must transmit.

Bringing Distribution of Personally Identifiable Information Within Bounds

To avoid legal sanctions, CRA's must control access to systems and documents containing PII, i.e. employment data, education, driving records, etc. Fortunately, just as technology has created the capability to disseminate sensitive information, so it has enabled the protection of PII. Today, software exists that eases compliance with all elements of current and impending legislation.

Specifically, CRA's must identify and apply a software solution that will accomplish four key objectives: to protect, monitor, measure, and manage the distribution of all PII.

Protecting PII: Authorization and encryption for all?

Protecting PII begins with authentication, such that only authorized individuals gain access to sensitive data. Programs that protect offer secure access procedures with logins and passwords, electronic and traditional physical protection, and data encryption during non-trusted data transfer. The Federal Information Processing Standards (FIPS) specify requirements for the use of encryption, including the use of a recognized algorithm (ARC4 cipher/MD5 hash/Salt/Entropy) and symmetric keys of at least 128 bit.

It is worth noting that all PII should be protected; the European Union Safe Harbor Rule provides an example of legislation disallowing profiling to decide whose PII is protected, instead defining all persons as rightful recipients of privacy and protection. Your compliance with European standards allows you to exceed current American standards now and to comply with the standards that are coming. Simultaneously, complying with Safe Harbor will drastically ease your ability to do business in the European Union.

Protecting all PII in these ways inhibits the sensitive information from becoming a "run-away" report where most anyone can access the data. The best programs accomplish this by enabling you to customize your desired level of protection for your maximum flexibility, based on your business scenario.

Monitoring PII: Who goes there?

Some software allows you to select, from the outset, specifically who may use the files. However, this inflexible design becomes cumbersome as you need or desire to add new, legitimate, persons and machines to your file-sharing network.

Far more logical for most CRA's is the monitoring feature available on some software. This feature allows you to track what is actually happening with the PII your business is currently transferring. Effective monitoring software alerts you that the PII is being viewed, tracks the distribution of documents containing sensitive information, and enables audit trails that rely on document watermarking and machine fingerprinting.

We recommend monitoring both within and beyond corporate firewalls. Data sources such as courthouses, universities, credit bureaus, employers, and state agencies report to CRA's, who then report to requestors such as PII end-users, Human Resource departments, Security departments and others. Firewalls exist on either side of the transaction--between the data sources and CRA's, and between the CRA's and requestors--, yet PII can be shared outside the firewalls on both sides, too.

If all this monitoring sounds cumbersome, it need not be. Software with business friendly distribution indicates minimal impact on current business process and IT environments, end-users, and vendors.

Measuring: Where are the breaches likely to occur?

Monitoring software yields reports on activity and enables behavioral reporting, such that the next step--measurement-- can efficiently and accurately identify where the distribution breach potential lies in your network, based on activity and distribution of documents per machine fingerprint. With customized profiles and attributes you select, intelligent analytics will automatically alert you regarding which machines and users are liable to break with approved distribution of PII.

Measurement is designed to report PII exceeding the distribution metric you choose. Again, maximum flexibility is key, because it allows you, and not the software, to define thresholds for business rules-based assessments.

For example, with appropriate software, you can determine how many machines "should" access a given report as distributed by a given individual, versus how many actually do. If we assume that Joseph Taylor typically distributes to 10 machines, but your measurement software observes his distribution to 20 machines within a few hours of the report's initiation, perhaps a breach has occurred or is impending. With measurement data, you are free to determine the potential for a run-away report, and to then manage that report as you see fit.

Managing: What shall you do about impending security breaches?

Based on your measurements, it seems that Joseph Taylor may be prone to the inappropriate sharing of PII. Management tools available in some software allow you maximum flexibility in making decisions based on this information.

Using a rules engine for custom solutions for access and denial scenarios, you have several options once a breach has been detected. For example, you may apply prevention to read a document, also known as lock-down. Your options also include proactively preventing a report's distribution to specific machines and users based on your measurement intelligence. Alternatively, you can elect to continue observing where the information is sent.

Here are a few management options software can offer to give you maximum flexibility in protecting your files containing PII: Convert non-secure formats such as HTML to encapsulated, encrypted, and secure formats such as PDF; enable content owners to define access privileges, and to expire document access; use watermarks to deter distribution and to identify a breach's original source; utilize a detailed audit trail to track document behavior; and detect unauthorized access attempts to raise alerts.

Moreover, because the law requires that you secure not only the files themselves, but also where they are stored, management software is available that encrypts the storage as well. Good management of your sensitive data implies encryption-based storage.

Conclusion: Today's Software Eases Legal Compliance and Allows Self-Governance

In conclusion, by locating and applying the proper software for your needs, you are in a perfect position to protect yourself as regards current and coming laws affecting CRA's and PII. By selecting software that allows you the flexibility to protect, monitor, measure, and manage access to files containing PII, you will self-govern rather than be governed. Securing personally identifiable information, and hence your own background screening business, has never been easier.

About Vincera, Inc.

Vincera, Inc. is the business process improvement company whose software monitors businesses' end-user web-based behavior, subsequently delivering predictive analytics that enable businesses to retain and upsell existing customers. Uniquely, Vincera's software also allows their clients to track and manage the distribution of intellectual property and content that contains personally identifiable information in a process Vincera labels "business friendly distribution," because businesses are in charge of how they use the resulting information. Vincera is the only software company that combines three vital business process improvement services-- behavioral monitoring, predictive analytics, and information distribution technology--in one software tool. Vincera's clients include research publications, background screeners, healthcare industries, and other businesses that use web-based technology. Vincera's clients share a need to track and predict how their own customers are using their licensed software products or other intellectual property, as a revenue-generating sales tool for acquiring, retaining, and upselling customers; and/or to guard intellectual property and personally identifiable information.

For more information go to: