The New Mexico Data Breach Notification Act (H.B. 15) went into effect and applies to any business that owns or licenses personal identifying information of a New Mexico resident.
If your business has personal information on a New Mexico resident, this law applies to you!
The Data Breach Notification law in New Mexico lists specific requirements for businesses to report a breach of personal information, but it also mandates certain security controls as well. Among these new requirements is the “reasonable security procedures and practices” that must be implemented, maintained, and is designed to protect the personally identifiable information from unauthorized access, destruction, use, modification or disclosure.
Is your company prepared for these regulatory mandates?
American Document Services is helping small-medium size businesses comply with these laws by providing a solution. The CSR Readiness Pro Edition will help your business reduce the risk of a data breach, and in the event of an actual or suspected breach, CSR takes the headache and hassle out of the legal requirements to report the loss or breach of PII to an ever-increasing number of authorities, as well as mandated notification to your customers.
CSR Readiness helps your business improve the way it handles personal information and will identify potential privacy or security deficiencies. It then provides a prioritized remediation schedule to fill the gaps in your privacy policies and practices. This is critical should you ever come up in any sort of investigation or legal process related to a breach.
The Breach Reporting Service (BRS) fulfills your legal requirements to report a breach and notify your customers. This service is provided by Certified Information Privacy Professionals and will help protect your reputation and mitigate fines.
Breach Reporting Service (BRS) number: 888.301.6449
Readiness URL: https://adslcnm.csrreadiness.com/
PII is any information that can identify an individual and possibly lead to identity theft or fraud. All businesses have PII, it comes from customers, employees, and vendors and is usually found in every department. It can be as obvious as a social security number or just an email address or phone number.
Many laws cover the retention and/or destruction of PII, breach and consumer notification protocol. Your responsibility for data protection encompasses all paper records and electronic files containing PII.
The Data Vault Readiness Pro Edition, powered by CSR, will help your business reduce the risk of a data breach, and in the event of an actual or suspected breach, CSR takes the headache and hassle out of the legal requirements to report the loss or breach of PII to an ever-increasing number of authorities, as well as mandated notification to your customers.
1. READINESS PROGRAM TECHNICAL
1.1 How do I begin?
To begin, simply go to https://adslcnm.csrreadiness.com/ to register and create credentials to begin the process. You will have 24/7 access to your account.
1.2 I forgot my username
Your ‘username’ is the email address you registered with when signing up for Readiness. If you change your original registration email address using My Account in Readiness, this updated email address is your ‘username’.
1.3 I forgot my password
To retrieve your password, you will need the email address you entered during registration or the updated email address you associated with your account using My Account in Readiness. Click on the Forgot Password link on the Log In screen. Enter in your email address and click the Email Link button. A reset password link will be sent to that email address. Click on that link to reset your password. If you do not receive that email or have any problems resetting your password, please contact email@example.com for further assistance.
1.4 I skipped some questions and want to go back to them, how do I do that?
To navigate back to questions previously skipped, you can use the Next and/or Back buttons located at the bottom of your questionnaire. You can also click on the Show Progress tab and click directly onto the domain of the question you would like to go back to. Before submitting your questionnaire, you will also be prompted to complete any required questions that have not been answered.
1.5 I don’t know an answer to a question – can I just skip it?
You can skip questions and come back to them later. You will want to ensure all questions are answered prior to submitting your questionnaire, as not answering a question will affect your score, generate suggested remediation tasks and associated policy and procedure offerings.
1.6 How long will it take to complete this assessment?
It is estimated that it will take one hour to complete the assessment. The entire evaluation and remediation process may take longer should consultation or research be required to answer to some of the questions. Progress within the assessment is saved as questions are answered. You can leave the assessment and come back to it at a later time to finish. Your answers up to that point will be saved.
1.7 What is the completion seal?
This digital seal is a stamp that you can place on your website, which informs your customers, affiliates, potential clients, corporate insurers, etc., that your organization has performed a thorough self-assessment of your organization’s processes to protect personally identifiable information, indicating that you have policies in place to maintain a high level of vigilance, audit, and association education with regards to the protection of personally identifiable information within your organization.
1.8 How do I put the completion seal on my web page?
Once the self-assessment has been taken and the recommended remediation tasks have been completed, an email will be sent to the associated account’s registered email address with the certification seal with instructions for its publication and directions to embed it on your web page. If there are any issues regarding the implementation of the completion seal, please contact firstname.lastname@example.org for further assistance.
2. SECURING PERSONAL DATA AND PREPARING FOR A BREACH ARE CRITICAL
2.1 What is the CSR Readiness® Pro Edition?
The Readiness Pro Edition comprises the patent-pending risk assessment program CSR Readiness® and the award winning CSR Breach Reporting Service™.
2.2 How does CSR Readiness® Program work?
CSR Readiness® Program is an online self-assessment tool that helps you review, revise and revisit your business processes for handling the personally identifiable information (PII) of your customers, employees and vendors as required by a host of legislation and regulations.
CSR Readiness® 3 Step Process:
1) Review – Take a Self-Assessment Evaluation
Detect location of personally identifiable information (PII) in an organization
Determine how PII is:
Acquired, Accessed, Handled, Transmitted, Stored, Destroyed
2) Revise – Implement Readiness Policies and Remediation Instructions
Remediate weaknesses and train employees on system-generated policies and procedures
3) Revisit – Continually Improve Risk Score
Routinely monitor and audit performance to meet legal, regulatory and other compliance requirements
A dashboard will show progress and generate tasks to improve compliance. You can improve your business risk scores by remediation and implementation of further program offerings. Upon successful completion of the analysis and remediation, your business will earn a Certificate of Completion and the ID Stay Safe Digital Seal that you can use on your website and advertising.
2.3 What does the Certificate of Completion signify?
Once you have completed in the self-assessment evaluation and implemented the remediation tasks, you will be awarded the Certificate of Completion. This can be placed on your website and is valid for one year from date of issue. By annually revisiting your self-assessment, you can maintain this Certificate of Completion.
2.4 What does CSR Breach Reporting Service do for me?
In the event of the actual or suspected breach of PII, the CSR Breach Reporting Service reports to authorities and notifies consumers, as required. Your call to the in-house CSR team of privacy professionals initiates a custom evaluation of your incident to determine if authorities and consumers must be notified. CSR files the necessary breach reports on your behalf, and consumer notification can be prepared with your input.
2.5 Why do businesses need Readiness Pro Edition?
Various state, federal and international laws require businesses to protect the personally identifiable information of employees, vendors and customers. Penalties for noncompliance can include fines, prosecution and even jail time. Massachusetts and Connecticut are just two examples of many jurisdictions that require businesses that deal with their residents maintain comprehensive risk assessment, remediation and monitoring programs related to their handling of legally protected personal information, known as PII.
2.6 If organizations don’t have these programs, what could happen?
While it’s impossible to completely avoid a breach due to uncontrollable circumstances, 97% could have been prevented. Accidents, errors and theft are just a few ways that information is compromised. Smart devices and wireless services compound the problem. Proactive detection and correction can go a long way to prevent loss and further fallout due to reputational damage, lost sales, fines, lawsuits and prosecution.
The Department of Homeland Security, the FTC, Visa and the BBB encourage businesses to protect consumer data and plan ahead to reduce risk. All states have laws that protect their residents who might be your customers, employees or vendors. Many laws specifically require creation and maintenance of information security programs. These laws include penalties for noncompliance.
For example, the civil penalty for violating the Connecticut Act No. 08-167, which requires the safeguarding of personal data, is $500 per violation, up to $500,000 for a single event. Lost trust means lost sales. The fallout of data breaches has caused businesses to close their doors. According to Visa, businesses should “Consider a breach likely and plan accordingly.
2.7 Does Breach Reporting Service only cover items stored with The Data Vault?
No, the Breach Reporting Service covers the location contracted with American Document Services and handles reporting and notification as needed for the breach of ALL PII data your business may have, whether it is stored in your office, an employee takes a file home, or your business laptop is stolen while you are away on vacation.
3.1 What is personally identifiable information (PII)?
The simple answer is that it’s anything that can be used to identify you. The loss of this information leads to identity theft.
Types of personal information include: name, address, phone, email, birthdates, Social Security numbers, driver’s license, bank account and credit card information. The list continues to grow with new and revised legislation and court rulings.
Other personal information includes health information, medical records, Vehicle Identification Numbers, license plate numbers, login credentials and passwords, school records as well as voice recognition files. Fingerprints, retina scans, and handprints are also considered personal information.
3.2 What is the difference between PCI and personal information?
PCI data is just one type of personally identifiable information. The PCI Data Security Standard protects credit cardholder data such as debit or credit card number, expiration date and card security code.
3.3 What is a breach of personally identifiable information?
The unauthorized access, loss, use or disclosure of information by either accident or criminal intent which can identify an individual.
3.4 What is data breach reporting?
When a breach occurs, the clock starts ticking to comply with federal, state and other laws. Reporting involves the where, when and how of the incident.
3.5 What is consumer notification?
Almost every state has enacted a data breach notification statute. These laws generally require businesses that have personal information about residents within a state to notify those residents when that data is compromised.
3.6 Is this insurance?
No. The CSR Breach Reporting Service reports to authorities and notifies consumers, as required In the event of the actual or suspected breach of PII.
3.7 What are some examples of a breach?
A breach can occur in many ways, including through lost laptops or smart phones, loss or improper disposal of paper records, intrusion into your network or PC by hackers and theft. The definition continues to expand.
4. REQUIREMENTS TO PROTECT DATA
4.1 Who do you need to report a breach to?
Who you need to report to in the event of a particular breach may depend on multiple factors including where you are located, what kind of PII was involved in the breach, and the location of the individuals that may have compromised PII. Over 100 countries have data protection laws, as well as 300+ federal, state and local authorities in the U.S. and Canada.
4.2 Does CSR determine whether a breach occurred?
No. Based upon our interview with you, our Privacy Professionals determine whether reporting to authorities or notification to consumers is necessary. If reporting is required, our Privacy Professionals will do so on your behalf. If consumer notification is necessary, we will work with you to do so.
4.3 What laws govern personally identifiable information?
Here are a few examples of the hundreds of laws and regulations that relate to the protection of personally identifiable information (PII) and requirements to report suspected or real loss.
Gramm-Leach-Bliley Act (GLBA)
Fair Credit Reporting Act (FCRA)
Drivers Privacy Protection Act (DPPA)
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic Clinical Health (HITECH) Act
Payment Card Industry Data Security Standard (PCI-DSS)
Family Educational Rights and Privacy Act (FERPA)
50 state data breach laws
Data security laws requiring comprehensive information security programs to safeguard personal information, i.e. Massachusetts’ 201 CMR 17.00
4.4 Who are the enforcement agencies and others who might be involved after a breach?
Enforcement officials include various federal and state agencies as well as attorneys general,
commissioners and others. Here are a few examples:
Federal Trade Commission (FTC)
Consumer Financial Protection Bureau (CFPB)
Card brands like Visa, MasterCard, etc.
State Attorneys General
Federal Bureau of Investigation (FBI)
US Secret Service
Dept. of Health and Human Services/Office of Civil Rights
4.5 What if personally Identifiable information received from another organization is compromised?
If your business is a third-party provider with personally identifiable information of customers, employees, or vendors of another business, then, depending upon circumstances, you very likely are required to protect that data.
4.6 What if personally Identifiable information under my care is encrypted, redacted, or masked?
Even if the material is encrypted, redacted or masked, various regulations still require your protection. For example, encryption keys must be secured.
4.7 How can I limit the threat of a data breach?
Almost everyone can do more to protect personally identifiable information. CSR Readiness® helps you assess your risk in handling PII, remediate your processes, implement policies, train staff and continue to monitor and audit, as required by laws and regulations.
5. ABOUT CSR
5.1 Who is CSR?
CSR Professional Services, Inc. is a leading provider of award-winning data life cycle management and expert services for businesses domestically and around the globe, including the patented, award winning CSR Breach Reporting Service™.
CSR enables compliance with personally identifiable information requirements, while facilitating best practices to reduce the business risk and financial liability associated with the acquisition, handling, storage, sharing and disposal of data. For more information visit: http://www.csrps.com/
5.2 How many companies use this service?
Hundreds of thousands of businesses have enrolled in CSR data management and breach services.