CSR Readiness® Pro Frequently Asked Questions

What is CSR Readiness Pro?

CSR Readiness Pro comprises the risk assessment program CSR Readiness and the award-winning CSR Breach Reporting Service™ (BRS).

How does the CSR Readiness Program work?

The CSR Readiness Program is an online self-assessment tool that helps you review, revise and revisit your business processes for handling the personally identifiable information (PII) of your customers, employees and vendors, as required by a host of laws and regulations.

What does the Certificate of Completion signify?

Once your business has completed all the questions in the self-assessment evaluation and implemented the remediation tasks, you will receive the Certificate of Completion. This can be placed on your website and is valid for one year from date of issue. By annually revisiting your self-assessment, you can maintain this Certificate of Completion.

What does CSR Breach Reporting Service do for me?

In the event of an actual or suspected breach of PII, the CSR Breach Reporting Service reports to authorities and notifies consumers, as required. Your call to the in-house CSR team of privacy professionals initiates a custom evaluation of your incident to determine whether authorities and consumers must be notified. CSR files the necessary breach reports on your behalf, and consumer notification can be prepared with your input.

Why do businesses need Readiness Pro?

Various state, federal and international laws require businesses to protect PII of employees, vendors and customers. Penalties for noncompliance can include fines, prosecution and even jail time. Massachusetts and Connecticut are just two examples of many jurisdictions that require businesses that deal with their residents to maintain comprehensive risk assessment, remediation and monitoring programs related to their handling of PII.

If organizations don't have this service, what could happen?

While it's impossible to completely avoid a breach due to uncontrollable circumstances, 97% could have been prevented.

Accidents, errors and theft are just a few of the ways that information is compromised. Smart devices and wireless services compound the problem. Proactive detection and correction can go a long way toward preventing loss and the further fallout of reputational damage, lost sales, fines, lawsuits and prosecution.

The Department of Homeland Security, the FTC, Visa and the BBB encourage businesses to protect consumer data and plan ahead to reduce risk. All states have laws that protect their residents, who might be your customers, employees or vendors. Many laws specifically require businesses that employ or have customers who are residents of those states to create and maintain information security programs. These laws include penalties for noncompliance. For example, the civil penalty for violating Connecticut Public Act No. 08-167, which requires the safeguarding of personal data, is $500 per violation, up to $500,000 for a single event.

Lost trust means lost sales. The fallout of data breaches has caused businesses to close their doors. According to Visa, businesses should “Consider a breach likely and plan accordingly.”

Definitions

What is personally identifiable information or PII?

The simple answer is that it is anything that can be used to identify you. Loss of this information can lead to identity theft.

Types of personal information include: name, address, phone, email, birth date, Social Security number, driver’s license, bank account and credit card information. The list continues to grow with new and revised legislation and court rulings. 

Other personal information includes health information, medical records, Vehicle Identification Numbers, license plate numbers, login credentials and passwords, school records and even voice recognition files. Fingerprints, retinal scans, and handprints are also considered personal information. 

What is the difference between PCI and PII?

PCI is a standard, not a category of data: the cardholder data it covers is one type of PII. The Payment Card Industry Data Security Standard (PCI DSS) governs the protection of cardholder data such as the debit or credit card number, expiration date and card security code. Note that PCI DSS goes further than most privacy laws for one element: the card security code (CVV/CVC) may be used to authorize a transaction but must never be stored afterwards, even in encrypted form.

What is a breach of personally identifiable information?

A breach is the unauthorized access to, or the loss, use or disclosure of, information that can identify an individual, whether it happens by accident or through criminal intent.

What is data breach reporting?

When a breach occurs, the clock starts ticking to comply with federal, state and other laws. Reporting involves the where, when and how of the incident. 

What is consumer notification?

All 50 states have enacted data breach notification statutes. These laws generally require businesses that hold personal information about residents of a state to notify those residents when that data is compromised.

What are some examples of a breach?

A breach can occur in many ways, including through lost laptops or smart phones, improper disposal of paper records, or intrusion into your network or PC by hackers. The definition continues to expand. 

What is ID Stay Safe?

Upon successful completion of the Readiness Program, users earn a Certificate of Completion along with an ID Stay Safe digital seal to display on their company website. The seal remains valid for one year, at which time you revisit the self-assessment to ensure your business has sufficiently addressed any and all changes that occurred during the year.

Requirements to Protect Data

What laws govern management of PII?

Here are a few of the hundreds of laws and regulations that relate to the protection of PII and requirements to report suspected or real loss: 

  • Gramm-Leach-Bliley Act (GLBA)
  • Fair Credit Reporting Act (FCRA)
  • Driver's Privacy Protection Act (DPPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health (HITECH) Act
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Family Educational Rights and Privacy Act (FERPA)
  • 50 state data breach laws

Who are the enforcement agencies and others who might be involved after a breach?

Enforcement officials include various federal and state agencies as well as attorneys general, commissioners and others. Here are a few examples: 

  • Federal Trade Commission (FTC)
  • Consumer Financial Protection Bureau (CFPB)
  • Card brands such as Visa and MasterCard
  • State Attorneys General
  • Federal Bureau of Investigation (FBI)
  • US Secret Service
  • Department of Health and Human Services, Office for Civil Rights (OCR)

What if PII shared and/or received from another organization is compromised?

If your business is a third-party provider and has personally identifiable information on customers, employees, or vendors, then you may be required to notify authorities and/or consumers and others that a breach has or may have occurred. 

What if PII under my care is encrypted, redacted, or masked?

Encryption, redaction or masking does not automatically excuse you from reporting. Many breach notification laws exempt properly encrypted data only when the encryption key was not also compromised; if the key may have been exposed along with the data, the data is treated as unencrypted and reporting and/or notification is required. Redacted or masked data can still trigger an obligation if the remaining fields identify an individual.

How can I limit the threat of a data breach?

Almost everyone can do more to protect PII. CSR Readiness helps you assess your risk in handling PII, remediate your processes, implement policies, train staff and continue to monitor and audit, as required by laws and regulations. 

Justifications

Why can’t I do it myself?

You can try. However, liability rests entirely with you, including civil and criminal sanctions at both the state and federal levels. Trained, certified privacy professionals have developed a proprietary system to help you evaluate your circumstances against hundreds of rules and regulations, determine what remediation must be done and what policies must be implemented, and provide you with the tools to train your employees as required by law.

What if I don’t have any PII?

Many organizations do not realize the PII that they hold. If you have customers, employees or vendors, you have personal information related to them that needs to be protected. 

We don’t deal with customers directly. I don’t think my business needs this service.

If your business has PII on customers, employees, or vendors, then you are required to safeguard that personal information. 

I’ll never get breached or hacked

Employees alone cause 75% of data breaches, whether intentionally or unintentionally. It is very likely that, at some point, data in your care containing personal information of employees, customers or vendors will be lost, stolen or compromised. You are legally responsible for implementing and maintaining a security program to safeguard PII.

Technical

CSR’s support team will handle all technical questions. These FAQs are included in the event you choose to provide quick answers when your customers call.

How do I begin?

To begin, go to <<Readiness URL>> to register and create credentials. You will have 24/7 access to your account. 

I forgot my user name.

Your 'username' is the email address you registered with when signing up for Readiness. If you change your original registration email address using My Account in Readiness, this updated email address becomes your 'username'. 

I forgot my password.

To retrieve your password, you will need the email address you entered during registration or the updated email address you associated with your account using My Account in Readiness. Click the Forgot Password link on the Log In screen. Enter your email address and click the Email Link button. A reset password link will be sent to that email address. Click that link to reset your password. If you do not receive that email or have any problems resetting your password, contact support@csrps.com for further assistance. 

How do I go back to answer questions I skipped?

To navigate to questions you previously skipped, use the Next and Back buttons at the bottom of your questionnaire. You can also click the Show Progress tab and then click the domain of the question you would like to return to. Before submitting your questionnaire, you will also be prompted to complete any required questions that have not been answered. At that point you can still choose not to answer them and submit your questionnaire.

I don’t know an answer to a question – can I just skip it?

You can skip questions and come back to them later. You must answer all required questions to proceed to the remediation phase of Readiness. 

How long will it take to complete this assessment?

It should take about one hour to complete the assessment, although it may take longer if consultation or research is required to answer some of the questions. Progress within the assessment is saved as questions are answered, so you can leave the assessment and come back later to finish; your answers up to that point will be saved.

What is the ID Stay Safe seal?

This digital seal is a stamp that you can place on your website to show your customers, affiliates, potential clients, corporate insurers and other site visitors that your organization has performed a thorough self-assessment of how it protects PII, and that it has policies in place to maintain a high level of vigilance, auditing and employee education with regard to the protection of PII within your organization.

How do I put the completion seal on my website?

Once the self-assessment has been taken and the recommended remediation tasks have been completed, an email will be sent to the associated account's registered email address with the certification seal and instructions on how to use it in materials and embed it on your web page. If there are any issues regarding the implementation of the completion seal, contact support@csrps.com for further assistance.