In the Internet age, sensitive personal data remains constantly at risk due to malicious actions and human error. According to the Identity Theft Resource Center (ITRC), a consumer becomes a victim of identity theft every two seconds. The costs to consumers, businesses and society as a whole are astronomical.

To combat this threat, various states and the federal government have enacted a wide range of regulations requiring covered organizations to protect sensitive data. The following are some examples:

  • The Health Insurance Portability and Accountability Act (HIPAA) regulates how covered entities use and disclose certain individually identifiable health information.

  • The Fair and Accurate Credit Transactions Act (FACTA) of 2003 requires that organizations take steps to prevent identity theft and improve the accuracy of consumer credit information.

  • FACTA includes the so-called Red Flag Rules, which go into effect August 1, 2009, requiring credit-granting entities to help detect, prevent and mitigate identity theft.

  • The Safeguards Rule, issued by the FTC in conjunction with the Gramm-Leach-Bliley Act (GLBA), requires all financial organizations to identify sensitive data, control physical and network access to such data, encrypt data transmitted over networks, and train employees to maintain these and other security measures.

  • More than 40 states, as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands, have passed laws requiring organizations to notify consumers of a data security breach.

  • Massachusetts General Law (MGL) 93H mandates that security precautions be taken and notice be provided in the event of any unauthorized access to, or use of, personal information. Chapter 93I imposes certain destruction requirements for any records, paper or electronic, containing such information.

  • A new Massachusetts privacy regulation (MA 201 CMR 17), which goes into effect January 1, 2010, requires businesses that serve consumers in Massachusetts to proactively avoid data compromises by, among other things, encrypting personal information.

Ensure Privacy Compliance with Lighthouse

Organizations covered by one or more of these regulations are justifiably confused as to how to meet data protection mandates. Inconsistencies in state rules make compliance difficult, and many of the federal rules offer only generalized guidelines. The key is to create a sustainable framework that addresses all applicable regulatory requirements globally. A piecemeal solution will only drive up costs and sap IT performance.

Lighthouse can help ensure that your organization is compliant with the myriad of current and emerging regulations concerning the privacy of your customers’ information.

Lighthouse solves your data privacy challenges by designing an integrated framework that leverages industry-standard IT controls to address multiple regulatory requirements. The Lighthouse IT Audit and Compliance Group utilizes the Generally Accepted Privacy Principles (GAPP) developed by the American Institute of Certified Public Accountants (AICPA) to help customers develop a global privacy framework. With GAPP as a guide, the Lighthouse IT Governance team can help organizations develop effective policies and procedures for safeguarding sensitive information.

To ensure that you meet regulatory requirements, Lighthouse follows a strict step-by-step process:

Step 1
Perform a Privacy Assessment, which typically includes the use of Data Leakage tools.

Step 2
Classify data types that an organization processes.

Step 3
Prioritize the highest risks to be remediated by updating policies and procedures and implementing risk-mitigation solutions. Lighthouse ensures all security gaps are closed.

Step 4
Conduct privacy training for the entire staff. The training should be integrated with company policies and conducted on a regular basis.

Step 5
Monitor on an ongoing basis to evaluate new threats and update policies, procedures and training to improve data security and keep pace with changes to IT and the business.

A comprehensive IT compliance solution from Lighthouse, built upon best practices and continual process improvement, creates a sustainable regulatory compliance strategy.

IT Compliance for Privacy Regulations Brochure

Do you know where your privacy is?
HITECH Presentation – Jerry Hughes

For more information or to schedule a no-cost initial consultation, please contact info@lighthousecs.com or call 888-542-8030 x113.