Original Press Release
Data Privacy Day Highlights Security of Personal Information in a Digital World
Press release date: January 28, 2010
Standards community provides multiple safeguards to protect the privacy of consumers
January 28 is Data Privacy Day, an international event that focuses on the importance of security and privacy for personal information that is stored or transmitted online. Thanks to the work of the standards and conformity assessment community, processes and practices are in place to assure data security and to protect personal information from falling into the wrong hands.
With the ubiquity of electronic banking, it's critical that key information such as account numbers and personal identification numbers (PINs) remain private. One American National Standard (ANS) offers protection techniques for financial transactions in an online environment and a standard means of interchanging PIN data. ANSI X9.8-1:2003, Banking - Personal Identification Number Management and Security - Part 1: PIN protection principles and techniques for online PIN verification in ATM & POS systems, was developed by the International Organization for Standardization (ISO) and adopted as an ANS by Accredited Standards Committee (ASC) X9, an accredited standards developer of the American National Standards Institute (ANSI).
As consumers complete online transactions, the information they enter is encrypted with the retailer's public key. The retailer then decrypts the information with a private key, assuring that no outside sources have access to that information. Public key techniques are covered by a number of standards, including an ANS developed by IEEE, an ANSI member and accredited standards developer. IEEE 1363-2000, Standard Specifications for Public Key Cryptography, includes mathematical primitives for secret value (key) derivation, public key encryption, digital signatures, and cryptographic schemes based on those primitives.
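The flow described above (encrypt with the retailer's public key, decrypt only with the matching private key) can be demonstrated with a small textbook RSA implementation. This is an added illustrative example, not code from the press release, from IEEE, or from any IEEE 1363 scheme: it uses unpadded RSA purely to show the asymmetry of the keys, and the key size, the constructed sample message, and the helper names (`generate_keypair`, `encrypt`, `decrypt`, `checkout_roundtrip`) are assumptions for illustration. Its final function also shows why unpadded encryption is deterministic, which is the reason real schemes such as those in IEEE 1363 add randomised padding.

```python
"""Toy public-key round trip for the checkout scenario in the text.

Textbook RSA (no padding) for illustration only; assumed example, not a
production scheme.  Requires Python 3.8+ for pow(e, -1, phi).
"""
import random
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Return a random probable prime with exactly `bits` bits (top bit set, odd)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)): the retailer's public key and private key."""
    e = 65537
    while True:
        p = random_prime(bits // 2)
        q = random_prime(bits // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        # e is prime, so gcd(e, phi) == 1 unless e divides phi.
        if phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # private exponent: modular inverse of e
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Customer side: encrypt the entered data with the retailer's PUBLIC key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key size")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Retailer side: recover the data with the PRIVATE key (never leaves the retailer)."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    # Note: leading zero bytes of the original message are not preserved by
    # this toy encoding; real schemes use a length-preserving padding format.
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def checkout_roundtrip(account_data: bytes) -> bytes:
    """Full exchange: fresh retailer key pair, customer encrypts, retailer decrypts."""
    public_key, private_key = generate_keypair(512)
    ciphertext = encrypt(public_key, account_data)
    return decrypt(private_key, ciphertext)


def is_deterministic(public_key, message: bytes) -> bool:
    """True if encrypting the same data twice yields the same ciphertext.

    Unpadded RSA always does, which lets an observer match repeated
    submissions; randomised padding (as in standardised schemes) removes this.
    """
    return encrypt(public_key, message) == encrypt(public_key, message)


if __name__ == "__main__":
    # Constructed sample data, not a real account number.
    sample = b"ACCT 4111-1111-1111-1111 PIN 1234"
    pub, priv = generate_keypair(512)
    assert decrypt(priv, encrypt(pub, sample)) == sample
    print("round trip ok; unpadded RSA deterministic:", is_deterministic(pub, sample))
```

The point to take from the example is the key split: anyone may hold the public key and produce a ciphertext, but only the holder of the private exponent can reverse it. The `is_deterministic` check shows the gap between this toy and a standardised scheme: without randomised padding, identical inputs produce identical ciphertexts, which is one of the properties the IEEE 1363 encryption schemes are designed to avoid.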
The U.S. standards community is also involved in data privacy standards on the international level. The focal point for this work is the ISO/International Electrotechnical Commission (IEC) Joint Technical Committee (JTC) 1, Information Technology (IT), Subcommittee (SC) 27, IT Security Techniques, Working Group (WG) 5, Identity management and privacy technologies. SC 27 has developed the documents in the ISO/IEC 27001 and 27002 IT Security Techniques Package, available on ANSI's electronic standards store. These standards provide the requirements and code of practice to initiate, implement, maintain and improve an information security management system in an organization of any size. This package helps an organization identify its security requirements and risks and select controls that address them, using the "Plan-Do-Check-Act" model.
The U.S. leads JTC 1, with ANSI holding the secretariat and Karen Higginbottom acting as chairperson. The InterNational Committee for Information Technology Standards (INCITS) serves as the administrator of the ANSI-accredited U.S. Technical Advisory Group (TAG) to SC 27. INCITS is an ANSI member and accredited standards developer.
Various other ISO committees deal with some aspect of data privacy in their work programs. ISO TC 247, Fraud countermeasures and controls, was proposed last year by ANSI in conjunction with the North American Security Products Organization (NASPO), an ANSI member and accredited standards developer. The U.S. holds the secretariat to the TC through NASPO. Committee efforts are focused on the development of standards in the areas of brand and intellectual property protection, identity management, and financial fraud.
TC 247's efforts complement the initiatives of ISO Project Committee (PC) 246, Performance requirements for purpose built anti-counterfeiting tools. NASPO is the ANSI-accredited U.S. TAG administrator for both TC 247 and PC 246.
ANSI also administers a virtual U.S. TAG for a Privacy Steering Committee (PSC) that reports to ISO's Technical Management Board (TMB). The PSC aims to hold a conference to facilitate information sharing and coordination among TCs involved in privacy-related work; to develop a common terminology document on privacy; and to create a live inventory of privacy-related work. Mark MacCarthy, an adjunct professor at Georgetown University's Communication, Culture, and Technology Program and former senior vice president of global public policy for Visa Inc., will serve as the U.S. expert to the PSC.
An ongoing ANSI initiative that supports data privacy is the Identity Theft Prevention and Identity Management Standards Panel (IDSP). IDSP is a cross-sector coordinating body whose objective is to facilitate the timely development, promulgation and use of voluntary consensus standards and guidelines that equip and assist the private sector, government, and consumers in minimizing the scope and scale of identity theft and fraud.
With a number of national and international standards, committees, and panels, the standards community provides active contributions to the objectives highlighted by Data Privacy Day, assuring protection in the many ways that personal information is collected, stored, used, and shared.
Three Decades of Privacy Guidelines
The Organisation for Economic Co-operation and Development (OECD) announced today several activities planned to mark the 30th anniversary of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Adopted in 1980, these guidelines represent international consensus on the collection and management of personal information. They have played a major role in assisting governments, business, and consumer representatives in their efforts to protect privacy and personal data, and in obviating unnecessary restrictions to trans-border data flow.