ANSI - X9.141-1
Financial and Personal Data Protection and Breach Notification Standard Part 1: Data Protection
Publication Date: 12 October 2021
Data security breaches continue to put millions of consumers at risk. Protecting consumer information is a shared responsibility for all parties involved including legacy and cloud service providers, organizations that store, transmit, or process consumer information, financial institutions, and individual consumers. This standard provides requirements, recommendations, and information regarding consumer information, business data, general data protection, and breach notification. This standard is organized into two parts.
X9.141 Financial Service Data Security Breach
- Part 1: Data Protection
- Part 2: Breach Notification
The data protection requirements addressed in this standard are organized using the NIST Special Publication 800-53 Framework [3.31] Security and Privacy Controls for Information Systems and Organizations. The functional requirements are further organized by the framework categories and subcategories. Requirements within this standard are defined or described using the following standardization rules:
a) Where existing cybersecurity requirements are defined in other recognized standards, these standards are included as normative references.
b) Where cybersecurity requirements are undefined or require additional description, these requirements are included in this standard.
c) Where requirements are not directly cybersecurity related, no stipulations are provided.
Topics addressed within the scope of this standard Part 1: Data Protection include the following.
• NIST Security and Privacy Controls
• Cryptography and Key Management
• Device Management and Security
Topics considered outside the scope of this standard Part 1: Data Protection are the following.
• International laws and regulations pertaining to data protection or breach notification.
• Federal laws and regulations pertaining to data protection or breach notification.
• State laws and regulations pertaining to data protection or breach notification.
• Contractual obligations pertaining to data protection or breach notification.
While the data protection requirements and recommendations provided in this standard are for the financial services industry, this standard can be applied to other industries.
Data stolen in data breach compromise events varies widely and includes not only information specifically related to payments (e.g., payment card numbers, expiry dates) but also a wide variety of non-financial personal data (e.g., social security numbers, healthcare information, passwords). Criminals use the stolen data to commit fraud and re-sell the stolen data to other criminals. In addition to fraud losses, these events cause consumers and businesses significant additional expense and inconvenience.
Key drivers of data breach compromise events include, but are not limited to: (1) the growth of remote commerce; (2) the vast amounts of sensitive personal data that are being electronically shared and stored; (3) the wide variety of entities that handle and store such data; (4) the increased sophistication of hacking tools available to criminals; (5) the complex interconnections among internet-enabled systems that provide criminals with myriad ways to break into data storage units; and (6) the failure of data protection tools and practices (used by businesses and individuals) to keep up with criminal attack vectors.
The increase in data compromise events has resulted in a commensurate increase in the need to notify individuals about such events, so they can take appropriate action. The need for breach notification has been recognized by governments in all 50 US states and additional US territories, where laws have been passed mandating the terms of notice to individuals about the unauthorized access to their personal information. However, the approaches taken are not uniform. There is considerable variation among the many jurisdictions in the legally required terms, conditions and time limits for breach notification.
The variations in legal requirements may cause several different problems. Consumers in different jurisdictions may be treated unequally and some may be disadvantaged. Companies that must comply with multiple different legal requirements face added costs. The additional complexity of differing legal requirements is likely to cause confusion or errors that compromise the notification process. Criminals may target acquisition of personal information by focusing efforts on entities in jurisdictions with relatively weak notification requirements, to improve their chances of using stolen data to commit fraud before the victims take protective action.
This standard presents a model for data compromise notification (and related definitions of terms) that reflects the best practices based upon a review and analysis of current laws in all US jurisdictions. Its purpose is to provide all stakeholders with requirements and guidance on how to best handle the complex issues surrounding breach notification, as well as to inform legislators nationwide about how to optimize and rationalize their collective approach to data breach notification. Moreover, the purpose of this standard is to improve public well-being by providing all consumers and businesses with a single timely, clear, and effective process for notification of data compromise events. Finally, the standard is intended to improve the efficiency of commerce by facilitating alignment and consolidation of differing data breach notification requirements.
The objective of this standard is to provide a template for optimal data breach notification terms, procedures, and timelines that should be adopted and implemented.
The goal can be achieved by encouraging widespread distribution and implementation of this standard throughout the population of primary stakeholders. In the broadest view, everyone is a potential stakeholder because each individual has personal data stored by public and private entities, and therefore everyone is at risk of having (and in the long term is perhaps likely to have) personal data compromised. However, as a practical matter, the primary stakeholders for this standard include but are not limited to:
• Banks, credit unions, and other financial services providers, including acquirers, issuers, processors, and payment gateways;
• Trade associations that represent financial services providers;
• Communications networks including but not limited to payment networks;
• Data storage entities;
• Non-bank financial technology companies;
• Public interest groups focused on consumer protection;
• Security solution providers; and
• Social media companies.
The purpose of this standard is to provide a common set of cybersecurity requirements as they pertain to data protection and breach notification for the financial services industry. However, it is recognized that other industries might apply these same cybersecurity requirements within their own market segments.