Twenty-two states have recently enacted data privacy rules or laws, and more legislation and regulation appear inevitable, says a security vendor.

“The vast majority of states have specific rules and regulations related to breach,” says Ross Federgreen, founder of CSR, or Compliance Solutions and Resources. “What is new and appears to be ever more present are rules related to privacy, distinct from breach.”

The trend offers independent sales organizations (ISOs) and sales agents the opportunity to profit by promoting services that help their clients comply with the new laws, Federgreen says.

CSR is testing a “Privacy ToolKit” that ISOs could offer to merchants to help address the five common elements in state privacy laws, Federgreen says.

The five include naming a person or group to oversee data privacy, providing internal and external assessments to identify and remediate risk, creating risk policies and procedures, training employees to minimize risk, and monitoring progress to accommodate changes in laws and rules, he says.

Small merchants can seldom afford to meet the first requirement by devoting a full-time person to guarding data privacy, but the person working with the Privacy ToolKit would fill that role, Federgreen says.

To meet the second requirement, the product creates an internal risk assessment profile that analyzes a merchant’s risk. It also sets up a remediation schedule and implementation plan, he notes.

It helps fulfill the third requirement by offering merchants a menu of policies and procedures that are modified based on the user’s answers to questions, Federgreen says.

An extensive training module and incident-response module meet the fourth requirement, he maintains.

By updating the program periodically, CSR takes responsibility for monitoring regulatory changes, thus fulfilling the fifth requirement, Federgreen says.

The Privacy ToolKit won’t address every single detail of the requirements in every jurisdiction, but it will address the vast majority of rules and regulations, he says.

“There are certain jurisdictions that have put in nuanced requirements that, frankly, are unique,” Federgreen notes.

Where those unusual requirements exist, CSR plans to customize the product to fit, he observes.

The company has been developing the Privacy ToolKit for 18 to 24 months and testing it for about a year, Federgreen says. He expects the general release in October.

ISOs set the product’s price, but the suggested retail comes to $5 to $7 a month for the basic offering. Companies with a large number of employees pay more, and additional modules also drive up the price.

“If you threw everything in, and you had a base of 20 to 25 employees, I could readily see it getting to $750-plus a year at the retail level,” Federgreen says.

“We bill the reseller monthly for the number of users,” he says. The 135 resellers of the company’s Breach Reporting ToolKit and PCI ToolKit tend to bill clients monthly or quarterly, he adds.

The Privacy ToolKit fees could protect businesses from harsh penalties, Federgreen suggests.

Texas, for example, has rescinded the licenses of “practitioners” who violated HIPAA and HITECH laws and regulations designed to protect patients’ private medical data, he says, noting that “practitioners” could include accountants and attorneys as well as doctors and other medical services providers.

The Privacy ToolKit addresses HIPAA and HITECH, Federgreen points out. (HIPAA stands for the Health Insurance Portability and Accountability Act, and HITECH denotes the Health Information Technology for Economic and Clinical Health Act.)

A number of other states have imposed civil and criminal penalties, and a few have prosecuted but only in the most egregious cases, he notes.

“The enforcement activities are becoming much more significant, and the penalties are becoming much greater,” Federgreen concludes.

And the laws and regulations appear likely to increase in number.

“It’s really ubiquitous,” Federgreen says of the concern for privacy. “It’s the major emphasis of regulatory control at this point.”

Taking a long view, privacy was expressed as a fundamental human right in the Universal Declaration of Human Rights adopted by the United Nations in 1948, he says.

The idea advanced in the mid-’90s when the European Union enacted the Data Protection Directive, Federgreen says. Early next year, the EU appears likely to pass a regulation on the matter for its 28 member countries.

The old directive gave countries a goal and left them to pursue it as they chose, while the regulation allows for no variation, he notes.

“That’s a big change,” he adds.

The United States has taken a different path, rejecting the human rights approach in favor of a “sectoral” approach combining legislation, regulation and self-regulation, Federgreen says.

But the U.S. appears likely to fall in line with the EU’s stricter new regulation because exchange of data could otherwise shut down between the U.S. and the European nations, he warns.

“It’s been going on for a little bit of time in earnest, but it’s accelerating quite significantly now,” Federgreen says of privacy concerns.

In fact, Edward Snowden’s leaks of information on what some consider encroachments on privacy by the National Security Agency have made privacy issues “all the rage.”

“Privacy’s being talked about in a lot of circles where it may not have been in the past,” Federgreen says. “It’s now become a preeminent issue.”
