Compuware - Test Data Privacy Review


Compuware

Nymity's Independent Privacy Solutions Review provides an unbiased assessment of the legal and privacy benefits of Compuware's Test Data Privacy solution by detailing how this service will help your organization comply with privacy laws.

Privacy Compliance: Test Data Privacy

Federal and state laws and other regulatory frameworks include requirements for the security and protection of personally identifiable information ("PII"). These requirements oblige organizations to implement appropriate administrative, technical and physical measures to prevent unauthorized access to PII. A study by the Ponemon Institute found that 62% of the companies surveyed use actual customer data instead of disguised data when testing applications during the application development process. Of those companies, 89% used customer files, while 74% used customer lists (The Insecurity of Test Data: The Unseen Crisis). Since non-production/testing environments are generally less secure than production environments, this represents a potential source of risk for many organizations.


Legislative Requirements

The Health Insurance Portability and Accountability Act ("HIPAA") Security and Privacy rule requires covered entities to ensure the confidentiality and integrity of protected health information ("PHI"), to protect against reasonably anticipated threats and hazards to the security of PHI, and to ensure compliance with the Security and Privacy rule by their workforce (45 C.F.R. § 164.306). The HIPAA definition of a security incident includes the attempted or unauthorized access, use, disclosure or modification of PII. Unauthorized access by employees for purposes not required for their job performance would fall within the definition of a security incident. The HIPAA Security and Privacy rule (45 C.F.R. § 164.308) requires entities to establish workforce security standards, which include the implementation of procedures to supervise workforce members who work with electronic PHI and procedures to determine that a workforce member's access to electronic PHI is appropriate. The HITECH Act in Section 13402(a) creates breach notification obligations when an organization discovers a breach of PHI.

The Safe Harbor Act provides that organizations must take reasonable precautions to protect personal information ("PI") from loss, misuse and unauthorized access, disclosure, alteration and destruction. The Enforcement Principle in Safe Harbor provides that effective privacy protection includes mechanisms for assuring compliance with the Safe Harbor Principles. The FTC standards for safeguarding customer information (16 C.F.R. § 314) issued pursuant to the Gramm-Leach-Bliley Act ("GLBA") require that organizations develop a security program based on a risk assessment that includes considerations relating to information systems, including network and software design (16 C.F.R. § 314.4). The security program must protect against unauthorized access to or use of personal information that could result in harm or inconvenience to a customer (16 C.F.R. § 314.3).

Many states, forty-five (45) as of July 2009, as well as the District of Columbia, New York City, Puerto Rico and the U.S. Virgin Islands, have passed laws requiring notification to affected parties in the event of a breach of the security of a system.

Industry Regulations

In addition to legislated requirements, industry regulations relating to the security of PII have also been created.

The Payment Card Industry - Data Security Standard ("PCI-DSS") notes in Requirement 6 that unscrupulous individuals use security vulnerabilities to gain privileged access to systems and requires that all critical systems have the most recently released patches to protect against exploitation and compromise of cardholder data. Further, Requirement 6.3 requires that when developing systems organizations must develop processes that include separate development/test and production environments (Requirement 6.3.2), separation of duties between development/test and production environments (Requirement 6.3.3), production data (live PANs) are not used for testing or development (Requirement 6.3.4), removal of test data and accounts before production systems become active (Requirement 6.3.5) and removal of custom application accounts, user IDs, and passwords before applications become active or are released to customers (Requirement 6.3.6).

The Generally Accepted Privacy Principles ("GAPP"), developed by the American Institute of Certified Public Accountants ("AICPA") and the Canadian Institute of Chartered Accountants ("CICA"), require in Principle 1.2.4 that organizations have in place procedures to test changes to systems components, and that all test data used in such testing be anonymized.

Regulatory and/or Legal Actions

Unauthorized access by employees has resulted in a number of regulatory actions. In July 2009 the California Department of Public Health fined the Kaiser Permanente Bellflower Hospital $187,500 for its failure to prevent unauthorized access to patient's medical information as required by s. 1280.15 of the California Health and Safety Code. This administrative penalty was in addition to a prior fine of $250,000 when employees also viewed a patient's medical information when they did not need access to this information for work-related reasons.

The U.S. Commodity Futures Trading Commission ordered a company to pay a $200,000 civil penalty when an IT employee placed files containing confidential personal information of approximately 13,000 customers on a personal website that was accessible on the internet. The IT employee was working on a prototype software application and used 'live' data from the production server to run reports.

How Does Compuware's Test Data Privacy Solution Enable Compliance?

Implement and Maintain Compliance

Privacy laws apply to personally identifiable information (PII); therefore, data that is not PII cannot be subject to a data breach or unauthorized access. Most state laws exempt organizations from providing notification if the data breached is not PII, for example if the data is encrypted, redacted or otherwise rendered unreadable. The Test Data Privacy Solution enables an organization to scramble, translate, generate, age, analyze and validate test data, thus reducing the need for notification.

Compuware's Test Data Privacy solution helps ensure compliance with privacy laws by protecting production data in test, while maintaining the integrity, the consistency, and the usability of the data.

Test Data Privacy solution enables compliance with requirements to protect sensitive data through:
  • data disguise - provides meaningful, anonymous test data which protects PI while making efficient and accurate testing possible;
  • translation - an effective way to replace values with fictitious, readable values;
  • data aging - to maintain data integrity and protect sensitive birth date information; and
  • encryption - use of key format preserving encryption routine ensures additional security, so only selected individuals can perform encryption or decryption of key fields.
The Test Data Privacy solution reduces the risk of a privacy breach that is present when sharing real PII with internal staff, outsourcers and contractors. It also helps guard against the need to provide notice and/or obtain consent for the purpose of disclosing the data to outsourcers or contractors, as the data provided is not PII.
  Compuware's Test Data Privacy solution includes:


  1. Process - the solution provides easily definable, proven industry best practices that can be used over and over again to automate the test data privacy process, validate privacy specifications and generate auditable proof.

  2. Technology - disguises test data through encryption, masking, aging, data generation and translation - the automated tools simplify the entire process. Easy and robust tool integration lets IT teams maintain relationships existing between the data in various test files and applications - whether it resides in a distributed, z/OS or mixed environment.

  3. Expertise - Compuware's IT security personnel leverage the 30-plus years of experience Compuware has in software testing to help you effectively manage the process and technology of implementing our data privacy solution.

 

Case Studies

  • Client No. 1 had testers sign non-disclosure agreements when working with production data, until a government agency said that was not enough. The Compuware Test Data Privacy solution provided the company with the people, the processes, and technology to meet the government requirements. By following Best Practices and implementing a methodology, the company ended up with a fully documented, easily repeatable Test Data Privacy solution.
  • Client No. 2 manages a database with over 11 million rows of data on identity theft victims. As the database grew with the addition of new information, the client wanted to test changes. Although standards were in place to protect production data, the client needed a process to protect test data. The client successfully implemented the Compuware solution on its own and safely tested all application changes.
  • Client No. 3’s offshore testing facility unintentionally exposed the private information of 2 million customers. Without delay, the company analyzed data privacy solutions. The client liked how Compuware Test Data Privacy’s methodology and templates integrated with its project tracking and development process. The Compuware Test Data Privacy Solution solved their privacy needs. Additionally, the customer was able to improve both the quality and the quantity of its testing processes.

Compliance ROI (Privacy ROI)

Compuware's Test Data Privacy solution provides a return on investment because it reduces the risk of a data breach. A 2008 study by the Ponemon Institute found that the average cost of a privacy breach incurred by an organization was $202 per compromised record. This cost includes expenses related to investigations, notification to affected parties, fees related to services offered to affected individuals and lost revenue.

Not reporting unauthorized access to test data where such reporting is mandatory (under state notification laws to the Attorney General, under California health security laws and under the federal HITECH Act) may result in financial penalties.

Compuware's Test Data Privacy solution reduces the need for expensive and complex security measures to protect the information from unauthorized access as it is not PII - therefore the data is of no value to those who wish to steal sensitive information for purposes such as identity theft.

Next Steps

Compuware provides a Data Privacy Assessment service to provide IT organizations with the information needed to make more informed decisions regarding their test data privacy needs. This service offering includes:
  • an assessment;
  • on-site activities;
  • off-site activities; and
  • a Data Privacy Assessment Report.
See Compuware for information about these resources.
