The United States is now almost one year into its COVID pandemic response, which shifted a large percentage of its workforce to a remote office scenario. While every organization works to maintain appropriate security and privacy safeguards in this new milieu, the stakes are higher for those companies that are obligated by the HIPAA Privacy and Safeguard Rules. While you cannot overstate the importance of awareness training for a remote workforce, there are several steps that companies can implement to support continued compliance, even outside the office.
- Secure Wireless – All employees should ensure that the wireless networks to which they are connected are secured. This seems straightforward, and people are generally aware that they should require passwords to join the network, but secure wireless networks take a little bit more than that. Protection of the networking equipment itself is often overlooked, as more attention is focused on the workstation. Users should ensure that they have changed the default administrative credentials on their networking equipment. Setting the SSID (network name) to private can also help secure the network, making it more difficult for criminals to find. Firmware on the access point or router should be updated and patches maintained. Securing network equipment and devices is critical to working securely in a remote environment.
- VPN Connections – When accessing corporate resources, employees should be sure to do so through secure VPN connections. VPNs establish a secure connection between the workstation and the network resource being accessed. Data traffic is exchanged through an encrypted tunnel, offering protections against theft of data in transit. It also obscures the IP address of the workstation by using a proxy. It’s also important to remind employees to disconnect from the network when they are done with work.
- Two Factor Authentication – An additional layer of security can be added by requiring two factor authentication for logging into corporate assets that may have sensitive or regulated data, such as PHI. This requires users to provide not just a name and password to log in, but also an additional identifying criterion. Most often, this is a randomized number provided by an authentication tool, such as Google Authenticator or RSA SecurID. This means that even if someone does compromise a username and password, they will be unable to log in to those sensitive assets.
- Printing Restrictions – In talking about securing the work environment at home, printing is often overlooked. Printing hard copies of reports or files that contain PHI represents a potential exposure. If employees must print documents with sensitive information, the documents should be stored in a locked drawer or filing cabinet. When a document is no longer needed, it should be shredded.
- Policies and Procedures – While well-documented policies and procedures are a must for the protection of PHI, they are only successful if employees understand them and know how to apply them to their job roles. Not only is it helpful to have the policies regarding the treatment of PHI readily available, but companies may also consider conducting ongoing training about the role their employees play in ensuring the security and confidentiality of PHI. Ongoing communications through email, SharePoint or company messaging systems can act as helpful reminders and assist in creating a culture of security and privacy awareness.
While everyone is managing the seemingly continuous change necessary to maintain healthy communities amidst the pandemic, one thing that remains constant is the need to ensure the protection of sensitive patient data. For that reason, we must ensure that the policies, processes, and practices that we enforce to secure patient data apply equally in the office and at home.
By Dr. Heather Mark, CCEP
Privacy data leaks can cause long term damage to an organization. This is why it is vitally important for organizations of all sizes to understand their relationship to toxic data, their need for it, and to develop protocols for dealing with it appropriately. Here are 5 questions to get you started.
The subject of data privacy and consumer rights has been a hot topic over the last several years. Beginning with the implementation of the General Data Protection Regulation (GDPR) in the EU, continuing with the passage of privacy laws in California, Massachusetts, and Nevada, and continuing with the proposal of almost a dozen more state-level consumer privacy laws, businesses have to sit up and take notice. While these laws certainly aim to protect consumers from businesses that might intentionally misuse data, they also mean that organizations must be cognizant of the ways that such sensitive data might “leak” into, or out of, their business ecosystems and the potential damage that can be done by such “contamination.”
I use the term toxic data here to describe data that is protected by regulation (Personally Identifiable Information or PII, Financial Information, Protected Health Information, etc). This data carries with it responsibilities and has to be handled appropriately to avoid serious negative consequences. Not to overdo the analogy, but for small businesses particularly, leaks of such data can prove fatal. This is why it is vitally important for organizations of all sizes to understand their relationship to toxic data, their need for it, and to develop protocols for dealing with it appropriately.
Here are five straightforward questions that organizations can ask to start getting a feel for their own practices.
- What data do we collect?
Surprisingly, the answer to this question for many companies is, “I’m not sure.” If an organization has been in operation for some time (5 years or more), it may be the case that data collection began simply, with a contact or payment form or cookies and web beacons. Some organizations may have relied on third parties to help with forms and websites and may not have a complete list of data that is collected. In other cases, data collection protocols that were purposely set up may not have evolved with the organization’s needs over time. Doing a data inventory (finding out what data you collect and where that data is stored) is a critical component in protecting that toxic data. You can’t protect it if you don’t know that you have it.
- Why do we collect that data?
Once you’ve determined what data is being collected by the organization, the next step is to answer the “why?” This is where the rubber meets the road. If there is no specific business purpose to collecting the data (i.e., it is considered a “nice to have” or no one can really identify its purpose) then the organization should really examine whether it should change its practice. The more toxic data a company stores, the higher the liability exposure if the data is compromised or, in the case of GDPR, CCPA and similar laws, if the data is used inappropriately. The general guideline for data: if the data is not needed, it should not be collected.
- How does data flow through and out of our organization?
This one might seem obvious, but data has a habit of migrating through organizations if it is not carefully constrained. Understanding how different departments interact with the data helps to develop appropriate controls in departments that handle the toxic data. For example, if the “contact” form for your support group also provides information to your product group or your account management group, understanding where that data goes allows the organization to focus its resources on protecting those data flows and data stores. Additionally, it might bring to light data uses that were not widely known in the organization, allowing for a discussion of risk and appropriate data uses. Understanding the data flow allows the organization to maximize the positive aspects of data use without “infecting” departments that have no need to access or use it.
As important as how the data flows through the organization is how the data flows out of it. What third parties are being used to support the business operation, and how do those organizations access and use data? Do they need the data to fulfill their obligations? Sitting down and going through these relationships can be extremely helpful in identifying critical vendors and helping to manage third party risk.
- How do we dispose of data when it is no longer needed, or a deletion request is received?
The issue of data disposal, “deletion” or “erasure” is certainly complex and worth speaking with counsel about when drafting and implementing policies and practices. For the purposes of this discussion, the question is how an organization can ensure that such toxic data is appropriately removed from the network or systems. CCPA allows for anonymization or de-identification of data. This means that identifying information is removed so that the data element cannot be tied to an individual. Organizations must also balance their regulatory obligations to maintain records against the consumer request. While the regulatory obligation will supersede the deletion request, it is possible for organizations to meet the spirit of a deletion request while maintaining their legal obligation for record keeping. Doing so requires careful planning and execution and a clear understanding of privacy requirements.
- How do we disclose our data privacy practices?
The central tenet of all privacy laws, and the fair information principles on which they are based, is providing the consumer with the ability to make a clear, informed decision about how their personal information is collected and used. To further that objective, organizations must disclose clearly and explicitly the ways in which data is collected and used. Further, consumers must have easily identifiable mechanisms to make privacy-related requests of the organization. And the notice must be provided PRIOR to the collection of data. If data is shared with third parties, that, too, must be disclosed. This allows the consumer to really understand why certain data elements are being collected and how they are being used before they consent to share them.
Designing, implementing, and maintaining a privacy program is an “all hands on deck” operation. Every department must be bought in to get a comprehensive picture of the organization’s privacy prognosis and create a “treatment plan” for the toxic data. This also assists in obtaining organization-wide buy-in on the program.
Personal information is the currency of this age. Consumers will trade privacy for convenience. The Center for Data Innovation found that 58% of Americans are willing to trade their personal data for a greater level of personal convenience. That gives organizations a great deal of power, but also a great deal of responsibility. In order to ensure that companies are mindful of that obligation, states are taking the lead in establishing consumer rights with respect to how data is collected and used. Understanding your organization’s relationship with potentially toxic data can help keep everyone, business and consumer, safer.
By Dr. Heather Mark, CCEP
In the wake of the COVID-19 pandemic, fraudulent activity and scams have been on the rise. As a result, scammers are looking for ways to test their stolen card information. One way they do that is to find portals or e-commerce sites that have payment forms and use those forms to “test” cards. This is done by running hundreds or thousands of small transactions to see if they will be authorized. If these small transactions are authorized, the criminals assume the card is “good.” Meanwhile, the merchant may not know that this has happened until an expensive invoice is received for those “auths.”
In order to combat these types of scams, here are three ways merchants with an internet presence can mitigate their risk proactively:
- Implement CAPTCHA – CAPTCHA is an easy test that users take on web-based forms to prove that they are not a “bot.” These may include simple math questions or identifying pictures from an array. This simple step allows merchants to filter out bad actors and helps to ensure that their payment site is not being misused.
- Use TC CrediGuard – TC CrediGuard is a product offered by Sphere that allows merchants to set parameters for certain transaction patterns. Merchants can set TC CrediGuard to deny transactions based on a set of predetermined criteria. For example, a merchant may set parameters to deny transactions after five attempts from the same IP address within 7 minutes. Or, if the IP address of a bad actor is known, a merchant may block that specific IP address.
- Add a Log-in Screen – Payment forms that reside in front of a log-in page may be more convenient for your customers, patients, or donors, but they can also make it easier for criminals to use that payment screen as a tool for testing card numbers. By adding a log-in screen, you create a barrier that may protect your business from becoming a target for these types of schemes.
By implementing these recommendations, merchants can take significant steps towards mitigating the likelihood of a Primary Account Number (PAN) or Card Testing event.
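The velocity rule used as the example above (deny after five attempts from the same IP address within 7 minutes, plus a block on a known-bad IP address) can be sketched as follows. This is an added illustration, not TC CrediGuard code or configuration; the class name, log format, and IP addresses are constructed for the example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


class VelocityFilter:
    """Sliding-window attempt limiter keyed by source IP (hypothetical helper)."""

    def __init__(self, max_attempts=5, window=timedelta(minutes=7), blocked_ips=()):
        self.max_attempts = max_attempts
        self.window = window
        self.blocked_ips = set(blocked_ips)
        # Keep only the newest max_attempts + 1 timestamps per IP: that is all
        # the rule needs, and it bounds memory while a bot is hammering the form.
        self._attempts = defaultdict(lambda: deque(maxlen=self.max_attempts + 1))

    def check(self, ip, when):
        """Return 'allow', 'deny:velocity' or 'deny:blocklist' for one attempt."""
        if ip in self.blocked_ips:
            return "deny:blocklist"
        recent = self._attempts[ip]
        # Drop attempts that have aged out of the window.
        while recent and when - recent[0] >= self.window:
            recent.popleft()
        # Denied attempts are recorded too, so a bot that keeps retrying stays
        # blocked until it has been quiet for a full window.
        recent.append(when)
        if len(recent) > self.max_attempts:
            return "deny:velocity"
        return "allow"


def build_sample_log():
    """Constructed authorization log: '<ISO timestamp> <ip> auth amount=<n>'."""
    start = datetime(2021, 2, 1, 14, 0, 0)
    lines = []
    # Card-testing pattern: eight small authorizations, 20 seconds apart.
    for i in range(8):
        stamp = (start + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{stamp} 203.0.113.7 auth amount=1.00")
    # Ordinary customer: one payment, and another nine minutes later.
    for offset in (5, 540):
        stamp = (start + timedelta(seconds=offset)).isoformat()
        lines.append(f"{stamp} 198.51.100.20 auth amount=84.50")
    # Address the merchant has already identified as a bad actor.
    stamp = (start + timedelta(seconds=30)).isoformat()
    lines.append(f"{stamp} 192.0.2.66 auth amount=0.50")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically


def replay(lines, flt):
    """Run each log line through the filter; return [(ip, decision), ...]."""
    results = []
    for line in lines:
        stamp, ip, _rest = line.split(" ", 2)
        results.append((ip, flt.check(ip, datetime.fromisoformat(stamp))))
    return results


def summarize(results):
    """Count decisions per (ip, decision) pair."""
    return Counter(results)


if __name__ == "__main__":
    flt = VelocityFilter(blocked_ips={"192.0.2.66"})
    for (ip, decision), n in sorted(summarize(replay(build_sample_log(), flt)).items()):
        print(f"{ip:15} {decision:15} {n}")
```

A per-IP rule like this catches a single noisy source; testing spread across many addresses is what the CAPTCHA and log-in barriers in the list above are meant to slow down.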
To learn more about secure online payment solutions and fraud reduction tools, please contact a Solutions Consultant at 800.915.1680, option 2 or firstname.lastname@example.org.
By Dr. Heather Mark, CCEP
Over the course of the last seven weeks, the business world has undergone a seismic shift. Remote work, which had its advocates and detractors over the last two decades, has become a necessity. The technology exists to make this happen, and while it hasn’t been without its obstacles, we’re living a real-time experiment in how connected we can be in isolation. Transitions and adjustments are being made to workflows and business operations to account for this new environment. With all these changes being made so rapidly, it can be easy to lose sight of the fact that our compliance and security obligations have not changed, particularly around the protection of sensitive data (PII, PHI, etc.). That can sound daunting, but there are steps that we can all take in our remote offices to help support the continued security of patient and payment related data.
- Use a secured WiFi network and VPN – a secure WiFi network uses a password and encryption to protect access to the network and the data that travels over the network. WPA2, or WiFi Protected Access 2, is the currently accepted security protocol for wireless networks. VPN will provide a secure connection between your computer and the company’s network.
- Change default passwords on home networks – when setting up your home network, make sure that you change the default passwords set up for routers, access points, and similar devices. These are often set by vendors and are easily guessable (e.g. admin, password, default).
- Make sure devices used for remote work have secure configurations – any devices used for working at home should have personal firewalls installed and operational. Antivirus should be installed and current and all the appropriate security patches should be installed. These applications should be configured in such a way that they cannot be disabled by the user.
- Keep your work and home life separate – make sure that you’re not using personal devices for work activities and vice versa. If you do use a personal device, for example a phone, for work, make sure that you keep a separation between work information and personal activities.
- Maintain vigilance about malicious emails and information security – particularly during these unsettling times, hackers are looking for the easiest way into a network. That means getting people to give them access (by clicking links or opening attachments) instead of having to “break in.” All of the same security and compliance processes and practices that apply in the office must also apply in the remote office.
It’s also important to work with partners that can support secure payments any way you need to take them – via virtual terminal, IVR, or e-commerce. Restricting access to payment data by using tokenization and token vaults for stored payments, and requiring multi-factor authentication for access to payment applications and data, can all help to ensure that we all remain committed to securing payment data, even in non-traditional environments.
By Dr. Heather Mark, CCEP
The complex puzzle of PCI DSS compliance can be made more challenging for merchants when they introduce the wide variety of service providers that they use in order to service their customers. Increasingly, Independent Software Vendors (ISVs) are working to simplify their merchants’ burdens by introducing integrated payment functionality. In essence, the ISV is presenting a one-stop opportunity for merchants to support their business management objectives – be it through back office support, inventory management or billing – while also enabling payment functionality. In doing so, the ISV may inadvertently become the de facto resource for merchants on all things PCI DSS related. So, what are some things that ISVs can do to help support their merchants in achieving and maintaining PCI DSS compliance?
#1 – Understand your own PCI DSS compliance obligations and status
It isn’t uncommon for an ISV to be new to the payments ecosystem. Even for those companies that are deeply ingrained in the payments chain, the compliance and security obligations facing payments companies can sometimes get confusing. As an ISV, it is important to understand whether your integration of payment functionality renders you a Payment Service Provider, as defined by the PCI SSC. A Payment Service Provider is an entity that stores, processes, or transmits cardholder data on behalf of another entity, or can impact the security of the transaction. If the ISV integrates payments in such a way as to fall into that scope, then the ISV must validate compliance with the PCI DSS. Merchants must use PCI DSS compliant service providers, so it’s important that ISVs are prepared to provide their Attestation of Compliance (AOC) to their merchants.
If the ISV is able to offer payments functionality without falling into the Payment Service Provider scope, then the entity must be able to clearly articulate how they are able to maintain that status. For example, if the ISV has partnered with another PCI-compliant service provider to offer a hosted payment page, and the ISV does not host, nor does it redirect to that page, then it may be possible to remain out of scope. This is dependent on the ISV integration and the current guidance from the PCI SSC and the card brands.
#2 – Implement Industry Best Practice Even if You’re Not in Scope
Even if an ISV is able to maintain a posture that keeps it out of scope for PCI DSS, it is important to maintain industry best practice for data security and privacy. Having good security practice is not just necessary for those companies that are obligated to PCI DSS. Most states have data breach notification laws that offer safe harbor for encryption of sensitive data, as long as the encryption keys are not also exposed. Additionally, states are rapidly moving towards the adoption of privacy laws, most of which have data protection requirements. Maintaining compliance with industry standards such as PCI DSS, even in the absence of card scheme requirements, can put an ISV, and by extension its clients, in good stead with respect to existing and forthcoming regulatory requirements.
#3 – Explain the Payment Integration Options that You Offer and their PCI Implications for Your Merchants
For ISVs that are looking to add payments functionality, it’s important to understand how the choices you make about the payment solutions you integrate cascade down to merchants. For instance, if an ISV integrates a hosted payment page, the likelihood that the merchant will be able to validate their own compliance using the SAQ A is fairly high. However, if an ISV integrates and offers a redirected page, the merchant is more likely to be required to validate using an SAQ A-EP, which is a much longer questionnaire. Both may be valid choices for a variety of reasons, but ISVs should understand the implications for their merchants.
#4 – Clearly Communicate Who Owns What Responsibilities
The interplay between merchants and service providers can be complex, particularly if merchants are able to select services and features a la carte. This can lead to uncertainty as to which entity might own responsibility for various security controls. ISVs can demonstrate partnership with their merchants by providing a “shared responsibility” matrix. The matrix doesn’t need to be very complicated, but it should clearly delineate which PCI responsibilities belong to the ISV and which belong to the client. Since all merchants must comply, and any business with a Merchant Identifier (MID) must validate compliance, this documentation can significantly simplify their own process of PCI compliance management.
PCI DSS compliance is a fact of life for any participant in the payment system. Understanding how your decisions as an ISV can impact the compliance standing of your client portfolio can help you make more informed decisions about the solutions that you implement and may simplify the compliance and validation process for your merchants.
Solution enables health systems to meet consumer expectations for mobile payments while complementing EMR functionality.
Nashville, TN, February 27, 2020—Sphere, Powered By TrustCommerce, a leading provider of end-to-end integrated payments and security software, today announced a new collaboration with VisitPay, the leader in patient financial engagement. Together, they have launched a mobile payments solution called Text to Pay, which offers healthcare providers the ability to securely offer and accept patient payments through text messages. This innovative solution complements existing payment channels already in place to give patients an additional, convenient way to pay their healthcare bills.
Offering mobile-enabled tools for patients to manage and self-service their medical expenses is essential for healthcare providers. With the rise of high-deductible health plans and co-pays, patients today are responsible for a greater percentage of their healthcare bills. Further, consumers’ perceptions of their healthcare experience are heavily influenced by the level of transparency and convenience provided by the billing experience. People manage their lives through their mobile devices and healthcare is no different. Consumers expect to manage their healthcare needs anywhere, anytime.
Consumers are already demonstrating their preference for mobile channels. Up to 60 percent of VisitPay platform logins are now made through a mobile device, and rapid adoption of this new Text to Pay solution is expected. “Our patients are looking for mobile payment solutions,” commented Mike Weed, senior vice president of financial operations at INTEGRIS Health. “It is important that healthcare financial leaders meet consumer expectations for a contemporary financial experience.”
To meet this demand, Text to Pay combines Sphere’s leading secure payments platform with VisitPay’s patient-centric expertise in a first of a kind solution to enable health systems to take payments over SMS without exposing any sensitive card or patient information, and utilizing a card token already collected from the patient. Without needing to download another app, consumers can pay single visits or multiple visits at a time, using credit, debit, or ACH. Payments are posted automatically to the corresponding visit in the billing system, ensuring convenience and efficiency for the provider revenue cycle team.
“Through our partnership with Sphere we can help health systems offer convenient and secure payment channels to their patients,” said Kent Ivanoff, chief executive officer of VisitPay. “Mobile access to the VisitPay platform already exceeds traditional desktop usage in some regions of the US. Text to Pay is an important solution for health systems looking to meet consumers where they are, without disrupting the core EMR environment.”
“As the payments ecosystem continues to expand and extend to new frontiers, security has to be first and foremost,” said Anthony Lucatuorto, chief revenue officer of Sphere. “We have deep experience working within EHRs like Epic and are excited to offer this complementary solution that will help our clients by integrating with their existing platform in a secure and compliant way.”
Sphere and VisitPay serve many of the most recognized large, integrated health systems composed of acute facilities, ambulatory service, and every physician specialty. VisitPay’s clients represent a total of $60 billion in annual net patient revenue.
Visit booth #2488 to see the Text to Pay demo during HIMSS Global Health Conference & Exhibition, March 9-13, 2020 in Orlando.
Sphere, powered by TrustCommerce, is a software and financial technology company providing integrated solutions that reduce friction and facilitate better and more secure commercial interactions with customers in specialized vertical markets, primarily healthcare, non-profit, transportation and education. Sphere’s integrated payments technology and security software enable its clients to process payments in a way that is highly secure and compliant, integrated with their core business software, omnichannel, and processor-neutral. Sphere’s partner-centric focused payments solutions serve small, midsize and enterprise level businesses and software companies in the U.S., Canada, and Australia. Follow us on Twitter and LinkedIn. For news and thought leadership, visit the Sphere Blog.
Founded in 2010, VisitPay is the leader in patient financial engagement. The company’s cloud-based platform is used by the nation’s largest and most innovative health systems to deliver transparency, choice and control to patients managing healthcare payments and transactions. Through VisitPay, patients can access a comprehensive accounting of their financial obligations, as well as critical health plan and healthcare information, via a health system-branded portal. VisitPay’s proprietary analytics tailor consistent and fully compliant financing options that meet the unique needs of patients and their families, creating a simplified billing experience that drives both higher payment rates and improved patient satisfaction scores. VisitPay’s investors include Norwest Venture Partners, Flare Capital Partners and Ascension Ventures. For more information about VisitPay, visit www.visitpay.com. Follow us on Twitter and LinkedIn. Visit our Company Blog to access case studies, thought leadership and news.
By Dr. Heather Mark, CCEP
The data economy has become so pervasive in today’s business that it sometimes is necessary to pause and think about where we’d be without the explosion of data that businesses have at their disposal. Cloud software firm Domo releases an annual report on the astronomical growth of data. Their report, Data Never Sleeps, provides a fascinating example of just how people are using the internet, leaving digital trails to be followed. According to Data Never Sleeps 7.0, more than 511,200 tweets, 18,100,000 texts, and 188,000,000 emails are sent PER MINUTE. And that doesn’t include our unintentional data creation – the Internet of Things, or our browsing history, or geolocation data. Our world runs on data, which means that as consumers, we need to be able to trust that our data won’t be misused by the companies with which we do business.
A PwC survey conducted in 2017 tells us that consumers are becoming more cynical about how companies handle data. Just 25% of survey respondents believe that companies handle data responsibly and less than 15% believe that the data will be used to improve lives. Further, 87% of those respondents have said that they will take their business elsewhere if they don’t trust the data handling practices of a company.
In Francis Fukuyama’s book, Trust: The Social Virtues and the Creation of Prosperity, he proposed the idea that trust and ethics were central to economic well-being. “If people who have to work together in an enterprise trust one another because they are all operating according to a common set of ethical norms, doing business costs less…” It costs less because we know that our colleagues and our partners will behave in ways that we expect, and that serve the good of the organization. Similarly, as consumers, we are more likely to do business with organizations that we trust.
An essential element of trust is transparency. Again, referencing the PwC survey, 71% of consumers find the privacy policies posted by companies to be difficult to understand. If a consumer believes that an organization is intentionally obfuscating its practices, trust erodes. When trust erodes, consumers say they will take their business elsewhere.
The moral of the story here is that as we move more fully into the data economy, we must also move more fully into being trustworthy stewards of personal data. We do that by adhering to the letter and the spirit of the data protection laws and establishing strong information practices. Some of those practices include:
- Data Flow and Categorization – It sounds cliché, but you can’t protect what you don’t know you have. So, the first step that is typically suggested is doing a data flow or data mapping. This helps you to determine where the data is coming from, how it’s being used, and who you might be sharing it with. You may find that you’re collecting more data than you need, or that you’re sharing it with vendors that don’t need it.
- Limit Collection of Data – Another old axiom in the data security and privacy business is “don’t collect what you don’t need.” To put it simply, it’s difficult to disclose or inappropriately use data that you don’t have. Once you’ve done a data mapping exercise, you can review this with your team to determine which data is strictly needed as opposed to “nice to have.” Moreover, many of the fair information practices are built on the notion of only collecting the data that you need to complete a transaction with the individual.
- Disclosures – Transparency with your constituency about what data you’re collecting and when, and how it’s being used is one of the simplest, but most important, steps that can be taken with respect to privacy. Visitors to your site, and consumers of your product or services, can’t make informed decisions about sharing their data if they don’t understand how that data might be used. Providing clear and concise information about your information practices helps to engender trust and stands you in good stead with legislative privacy regimes.
- Awareness and Training – In today’s economy, most of our businesses and non-profits run on data. Whether we intend to or not, we become dependent on data transmission, data analysis, data storage, and data collection. That means that everyone in our organization is going to encounter personal data at some point. Given that fact, it’s important that your team knows what data is considered sensitive, and how that data is to be treated. An important part of training, that can be easy to overlook, is how to report a potential incident. For example, what should be done if someone has emailed a payment account number?
The dilemma facing businesses today is encapsulated nicely in the January 2019 issue of the Frontier Technology Quarterly:
On one hand, the data economy is radically transforming many economic activities and creating new levels of prosperity. On the other, it presents the possibility of a perilous dystopia … A market economy cannot function without trust, and the data economy is no exception. Trust deficits can unravel the data market and undermine social cohesion, stability and peace.
By Dr. Heather Mark, CCEP
Aristotle wrote that ethics is the habituation of right action. Essentially, we don’t know what’s right out of the starting gate. The virtue of ethical behavior is one that we acquire through example and guidelines. We become ethical, or as Aristotle would have it, virtuous, through practice. The more we practice right action, the more innate it seems to become. It’s not an inherent knowledge, it’s a learned trait. This discussion from Aristotle’s classic work Nicomachean Ethics is a great description of the important interrelatedness of compliance and ethics, particularly in the Payments industry.
The payments industry is highly complex and highly regulated. It’s unlikely that a person new to the industry would walk in and be able to identify right from wrong, speaking in a regulatory sense. The lattice of regulation created by the card brand rules, state and local laws, as well as federal regulation, and potentially international laws, can cause confusion even among well-entrenched payments professionals. If you were to overlay that with the development of new business models, such as payment facilitators and marketplaces, the landscape quickly becomes treacherous. This is where a robust Compliance and Ethics program comes into play.
As Aristotle says, a good government will attempt to legislate virtuous behavior to help its citizens learn to act “virtuously.” Eventually, its citizens learn to extrapolate that virtuous behavior beyond those circumstances contemplated by law, and simply behave in a “right” manner. Leaving behind for the moment arguments about legislating morality, let’s focus on the notion that laws act as a guideline for behavior in the absence of an inherent understanding. The compliance program acts as that guideline for the uninitiated. Without long experience or an inherent understanding of the potential pitfalls of non-compliance in the payments space, the compliance program acts as the framework for what’s right and wrong, in a regulatory context.
Virtue, or to use the word that is more familiar to us, ethics, is, according to Aristotle, what makes something perform well. So it follows, then, that an ethical company would perform well. It’s in the best interest of the company, then, to ensure that its team members are inclined to act in a way that is ethical. That means enabling merchants, service providers, and partners to conduct their business in a way that complies with card brand rules. That also means recognizing that simply because we can do something, it doesn’t mean we should. We’ve seen this play out in the rise of Fintech.
Fintech is an exciting wave of innovation that has been transforming the payments space over the course of the last ten years. Agile, creative companies have been developing new ways for merchants to engage with their customers. Things that we already take for granted, such as depositing paper checks from our phones, or paying our friends back for lunch through text messages, are just some of the examples of the innovations born of the Fintech revolution. But there were some downsides to that rush to the payments space, too. While the vast majority of new Fintech players took the time to learn the payments space, to understand the regulatory environment, and to play according to those rules, there were a few players that saw an opportunity to cash in on the changing industry. Software developers without an understanding of the complexities of the space made decisions which, in retrospect, were not founded on a complete understanding of the risk involved, or of the impact it might have on the end user. With a robust and mature compliance program in place, it’s possible that those companies may have avoided those missteps.
In organizations with a mature program in place, compliance is “business as usual,” baked into product development. The compliance team scopes out potential regulatory roadblocks so that the product and development teams can design with those regulatory requirements in mind. Additionally, it serves as a learning opportunity, as those teams begin to acclimate to the regulatory environment in which they operate. They incorporate those requirements as they evolve that product set or the feature set for particular verticals. They learn the questions to ask when a new project comes along. The regulatory requirements become just a fact of life, doing things the right way. In Aristotle’s words, they become habituated to it. Compliance serves as the touchstone on which companies and organizations can build an ethical culture.
Ethics, then, derives from the repeated practice of doing the right thing, such that when a specific guideline doesn’t exist, one can still determine the right course of action. Eventually, Aristotle says, people will reach a state in which they do the right thing because it is the right thing, not because the law mandates it. Ethics programs are natural extensions of compliance programs, as companies should empower their staff and contractors to do the right thing, even when it’s difficult. Ethics programs are designed to allow employees to report, without fear of retribution, actions that they genuinely feel violate the organization’s Code of Conduct or Compliance policies.
The importance of having an ethical culture can’t be overstated. It is what keeps employees invested in the organization and what maintains relationships with clients and partners. As a side benefit, it helps companies to avoid potential violations of regulatory mandates. Those violations can result in monetary fines and penalties, compensation to affected parties, and government oversight. Ethical and compliance violations also lead to lost revenue as a result of reputational damage. Clients and prospective clients will be reluctant to sign a contract with a company with a demonstrable track record of ethical issues.
What does all this mean to the payments industry? The industry is predicated on what can be a quickly shifting foundation of the intersection of technology and regulation. Maintaining an operational understanding of the relationship between the two is a vital requirement in any partner or service provider in the industry. That means that companies that aren’t willing or able to make an investment in maturing their Compliance and Ethics programs are at a competitive disadvantage. Between card brand regulations, state laws on money transmission, data security and privacy, and federal laws, it quickly becomes imperative for companies to choose a service provider that can help them navigate the compliance landscape, while staying on the forefront of payment technology. It’s a delicate balance. What’s more, it’s important to work with a company that can practice some foresight with respect to the potential impact of forthcoming legislation. Again, this is something that ethics can help accomplish – often doing what’s right to start with can help head off potential issues with future legislation. An example can be found in the use of mobile payment applications.
Installing an application on a mobile device can provide the software manufacturer with a wealth of information – contacts, geolocation, app and device usage. All of this data is incredibly useful for marketing purposes, but collecting that data without the express consent of the end-user is problematic, to put it mildly. A number of mobile payment providers were collecting this information, using “big data analytics,” and sharing it with third parties. In fact, that practice led to a number of Congressional hearings on the matter. This is why users now have the option to turn off location services and apps now disclose what they track. This same issue is still playing out in the Cambridge Analytica issue with Facebook. These issues could have been avoided with the adoption of a mindset that says, “Just because we have the technology to do something, that doesn’t mean that we should do it.” This, again, derives from ethical culture and transparency to both end-users and partners.
Sphere is dedicated to the proposition that a payments company cannot be successful without a strong Compliance and Ethics program. Since its inception, Sphere recognized the unique position and responsibility that it has to maintain an environment that fosters ethical behavior. To do so, it is necessary to develop and maintain a Compliance program that serves, not just Sphere, but its clients and partners, as well. At the end of the day, developing such a program is just another way that we serve our clients.
 For the purposes of this discussion, I include security requirements in the compliance discussion.
Dr. Heather Mark, CCEP
In May of this year, South Carolina became the first state to officially adopt the National Association of Insurance Commissioners (NAIC)’s Model Law on CyberSecurity. While the law is a first in that it’s specific to the insurance industry, many organizations that have already adopted controls for SOX, PCI DSS, and HIPAA, to name a few, may find its implementation less onerous than it might appear at first glance. As the deadline for implementation (January 1, 2019[i]) fast approaches, it is worth looking at the requirements of the Model Law and the impact the Law will have on the industry as a whole.
The Act requires persons licensed to operate under the insurance laws of the state to implement a minimum level of data security controls to protect non-public information. Interestingly, the law takes a broader definition of non-public information than many state data security or data breach notification laws. For the purposes of this law, not only is the personal information of the consumer to be protected, but the law also specifically calls for protection for “business-related information of a licensee the tampering with which [sic], or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee.” It is unusual in data protection or data privacy law to see a requirement to protect the information of businesses, but in this instance, it is an obvious broadening of protections. Licensees may in fact be individual agents, so the protection of their information is akin to the protection of employee information, such as those protections included in California’s Consumer Privacy Act. (As a side note, a wonderful analysis of the CCPA is available on the International Association of Privacy Professionals website).
As I stated, those organizations that already have experience with SOX, PCI DSS, or HIPAA may recognize quite a few of the requirements of the South Carolina Insurance Data Security Act. Many of the elements are considered by security professionals to be “table stakes,” minimum requirements for doing business securely in today’s environment. These controls include:
- A risk assessment;
- A written information security policy that is commensurate with the size and complexity of the licensee’s organization and is based on the risk assessment;
- One or more employees that are designated as being responsible for the licensee’s information security program;
- A vendor management program;
- An Incident Response Plan, which includes a data breach notification process; and
- An annual attestation submitted to the Director of the Department of Insurance.
What’s interesting to note here, and is a position that I’ll often profess, is that in many cases compliance can be a byproduct of good Governance, Risk, and Compliance (GRC) programs. Companies that are well-versed in GRC and information security may already have these measures in place, irrespective of any regulatory obligation to do so. Those organizations are well-positioned when a state then adopts new security rules. In those cases, the organization may be required to make some changes to its processes, but may avoid the total overhaul that a company less familiar with GRC practices may find itself undertaking.
The South Carolina law is very similar to the New York Data Security Act, which was passed in 2015. In addition, as alluded to in the introductory paragraph, the law is essentially an adoption by South Carolina of the NAIC’s Model Law. NAIC is actively encouraging states to adopt the laws and has even “recommended that Congress should consider preempting the states if it is not adopted in 5 years.” More information can be found on the Model Law at NAIC’s website. Over the coming years, it will be interesting to observe the trend at the state level in terms of adoption of the Model Law. This might just prove to be a good time for a forward-thinking compliance officer to begin crafting a program to incorporate some of the clauses in the Model Law.