0003949
Rhode Island General Laws Title 6 Chapter 48.1, Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
Rhode Island General Assembly
Statutes (Bills or Acts)
Free
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
Rhode Island General Laws Title 6 Chapter 48.1, Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
Not Defined
The document as a whole was last reviewed and released on 2024-10-24T00:00:00-0700.
0003949
Free
Rhode Island General Assembly
Statutes (Bills or Acts)
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
Rhode Island General Laws Title 6 Chapter 48.1, Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
Not Defined
The document as a whole was last reviewed and released on 2024-10-24T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Rhode Island General Laws Title 6 Chapter 48.1, Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Rhode Island General Laws Title 6 Chapter 48.1, Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Acquisition or sale of facilities, technology, and services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
| Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition/Sale of Assets or Services | Preventive | |
| Refrain from providing products and services, as necessary. CC ID 15580 [{shall not deny} No controller shall deny goods or services, charge different prices or rates for goods or services or provide a different level of quality of goods or services to the customer if the customer opts out to use of their data. However, if a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection. § 6-48.1-5.(c)] | Acquisition/Sale of Assets or Services | Preventive | |
Audits and risk management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [A controller shall conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a customer. For the purposes of this section, processing that presents a heightened risk of harm to a customer includes: § 6-48.1-7.(e) {be similar} A single data protection assessment may address a comparable set of processing operations that include similar activities. § 6-48.1-7.(g) {be similar} If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if such data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section. § 6-48.1-7.(h)] | Process or Activity | Preventive | |
| Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Establish/Maintain Documentation | Preventive | |
| Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Establish/Maintain Documentation | Preventive | |
| Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
| Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Establish/Maintain Documentation | Preventive | |
| Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 [{make available} The attorney general may require a controller to disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available. The attorney general may evaluate the data protection assessment for compliance with responsibilities of this chapter. Data protection assessments shall be confidential and shall be exempt from disclosure pursuant to chapter 2 of title 38 ("access to public records"). To the extent any information contained in a data protection assessment disclosed to the attorney general includes information subject to attorney-client privilege or work product protection, such disclosure shall not constitute a waiver of such privilege or protection. § 6-48.1-7.(f)] | Communicate | Preventive | |
| Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
| Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Establish/Maintain Documentation | Preventive | |
| Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Establish/Maintain Documentation | Preventive | |
Human Resources management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
| Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources Management | Preventive | |
| Identify and define all critical roles. CC ID 00777 | Establish Roles | Preventive | |
| Define and assign the data controller's roles and responsibilities. CC ID 00471 [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: § 6-48.1-3.(a)] | Establish Roles | Preventive | |
| Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources Management | Preventive | |
| Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources Management | Preventive | |
| Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources Management | Preventive | |
| Assign the role of data controller to applicable controls. CC ID 00354 | Establish Roles | Preventive | |
| Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources Management | Preventive | |
| Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Establish Roles | Preventive | |
| Establish, implement, and maintain a legal support program. CC ID 13710 [This chapter shall not be construed to restrict a controller's or processor's ability to: Investigate, establish, exercise, prepare for or defend legal claims; § 6-48.1-7.(o)(4) This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Establish/Maintain Documentation | Preventive | |
| Provide security inspectors access to personnel files during site reviews. CC ID 12300 | Audits and Risk Management | Detective | |
| Establish, implement, and maintain an ethics program. CC ID 11496 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Human Resources Management | Preventive | |
| Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Communicate | Preventive | |
| Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Behavior | Preventive | |
| Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Investigate | Preventive | |
| Establish, implement, and maintain an ethical culture. CC ID 12781 | Behavior | Preventive | |
| Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Monitor and Evaluate Occurrences | Preventive | |
| Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Monitor and Evaluate Occurrences | Preventive | |
| Refrain from practicing false advertising. CC ID 14253 | Business Processes | Preventive | |
| Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Business Processes | Preventive | |
| Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Communicate | Preventive | |
| Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Establish/Maintain Documentation | Preventive | |
| Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 | Behavior | Preventive | |
| Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Behavior | Preventive | |
| Respond to ethics complaints of ethics violations. CC ID 11497 | Business Processes | Corrective | |
| Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Behavior | Preventive | |
| Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Human Resources Management | Preventive | |
| Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources Management | Preventive | |
| Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources Management | Preventive | |
| Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Establish Roles | Preventive | |
| Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Behavior | Preventive | |
| Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Behavior | Preventive | |
| Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Behavior | Preventive | |
Leadership and high level objectives | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
| Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Establish/Maintain Documentation | Preventive | |
| Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption. § 6-48.1-7.(t)] | Establish/Maintain Documentation | Preventive | |
Monitoring and measurement | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Log Management | Detective | |
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitor and Evaluate Occurrences | Preventive | |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Audits and Risk Management | Preventive | |
| Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Acquisition/Sale of Assets or Services | Preventive | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Establish/Maintain Documentation | Preventive | |
| Implement a fraud detection system. CC ID 13081 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Business Processes | Preventive | |
| Update or adjust fraud detection systems, as necessary. CC ID 13684 | Process or Activity | Corrective | |
| Establish, implement, and maintain a system security plan. CC ID 01922 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Testing | Preventive | |
| Include a system description in the system security plan. CC ID 16467 | Establish/Maintain Documentation | Preventive | |
| Include a description of the operational context in the system security plan. CC ID 14301 | Establish/Maintain Documentation | Preventive | |
| Include the results of the security categorization in the system security plan. CC ID 14281 | Establish/Maintain Documentation | Preventive | |
| Include the information types in the system security plan. CC ID 14696 | Establish/Maintain Documentation | Preventive | |
| Include the security requirements in the system security plan. CC ID 14274 | Establish/Maintain Documentation | Preventive | |
| Include cryptographic key management procedures in the system security plan. CC ID 17029 | Establish/Maintain Documentation | Preventive | |
| Include threats in the system security plan. CC ID 14693 | Establish/Maintain Documentation | Preventive | |
| Include network diagrams in the system security plan. CC ID 14273 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the system security plan. CC ID 14682 | Establish/Maintain Documentation | Preventive | |
| Include backup and recovery procedures in the system security plan. CC ID 17043 | Establish/Maintain Documentation | Preventive | |
| Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Establish/Maintain Documentation | Preventive | |
| Include remote access methods in the system security plan. CC ID 16441 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Communicate | Preventive | |
| Include a description of the operational environment in the system security plan. CC ID 14272 | Establish/Maintain Documentation | Preventive | |
| Include the security categorizations and rationale in the system security plan. CC ID 14270 | Establish/Maintain Documentation | Preventive | |
| Include the authorization boundary in the system security plan. CC ID 14257 | Establish/Maintain Documentation | Preventive | |
| Align the enterprise architecture with the system security plan. CC ID 14255 | Process or Activity | Preventive | |
| Include security controls in the system security plan. CC ID 14239 | Establish/Maintain Documentation | Preventive | |
| Create specific test plans to test each system component. CC ID 00661 | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities in the test plan. CC ID 14299 | Establish/Maintain Documentation | Preventive | |
| Include the assessment team in the test plan. CC ID 14297 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the test plans. CC ID 14293 | Establish/Maintain Documentation | Preventive | |
| Include the assessment environment in the test plan. CC ID 14271 | Establish/Maintain Documentation | Preventive | |
| Approve the system security plan. CC ID 14241 | Business Processes | Preventive | |
| Adhere to the system security plan. CC ID 11640 | Testing | Detective | |
| Review the test plans for each system component. CC ID 00662 | Establish/Maintain Documentation | Preventive | |
| Validate all testing assumptions in the test plans. CC ID 00663 | Testing | Detective | |
| Document validated testing processes in the testing procedures. CC ID 06200 | Establish/Maintain Documentation | Preventive | |
| Require testing procedures to be complete. CC ID 00664 | Testing | Detective | |
| Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Establish/Maintain Documentation | Preventive | |
| Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Testing | Preventive | |
| Implement automated audit tools. CC ID 04882 | Acquisition/Sale of Assets or Services | Preventive | |
| Assign senior management to approve test plans. CC ID 13071 | Human Resources Management | Preventive | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 6-48.1-7.(n)] | Monitor and Evaluate Occurrences | Detective | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Establish/Maintain Documentation | Preventive | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Business Processes | Detective | |
| Determine the causes of compliance violations. CC ID 12401 | Investigate | Corrective | |
| Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Establish/Maintain Documentation | Preventive | |
| Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Investigate | Detective | |
| Correct compliance violations. CC ID 13515 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 6-48.1-7.(n)] | Process or Activity | Corrective | |
| Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Investigate | Detective | |
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Behavior | Corrective | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 | Human Resources Management | Preventive | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Communicate | Preventive | |
| Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
| Include physical safeguards in the information security program. CC ID 12375 [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Establish/Maintain Documentation | Preventive | |
| Include technical safeguards in the information security program. CC ID 12374 [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Establish/Maintain Documentation | Preventive | |
| Include administrative safeguards in the information security program. CC ID 12373 [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Establish/Maintain Documentation | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [This chapter shall not be construed to restrict a controller's or processor's ability to: Comply with federal, state or municipal ordinances or regulations; § 6-48.1-7.(o)(1)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Business Processes | Preventive | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Establish/Maintain Documentation | Preventive | |
| Apply security controls to each level of the information classification standard. CC ID 01903 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain the systems' integrity level. CC ID 01906 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Business Processes | Preventive | |
| Establish, implement, and maintain an incident management policy. CC ID 16414 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Communicate | Preventive | |
| Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 | Human Resources Management | Preventive | |
| Define the uses and capabilities of the Incident Management program. CC ID 00854 | Establish/Maintain Documentation | Preventive | |
| Include incident escalation procedures in the Incident Management program. CC ID 00856 | Establish/Maintain Documentation | Preventive | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 | Establish/Maintain Documentation | Preventive | |
| Include a definition of affected transactions in the incident criteria. CC ID 17180 | Establish/Maintain Documentation | Preventive | |
| Include a definition of affected parties in the incident criteria. CC ID 17179 | Establish/Maintain Documentation | Preventive | |
| Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Business Processes | Detective | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Establish/Maintain Documentation | Preventive | |
| Categorize the incident following an incident response. CC ID 13208 | Technical Security | Preventive | |
| Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Establish/Maintain Documentation | Preventive | |
| Determine the cost of the incident when assessing security incidents. CC ID 17188 | Process or Activity | Detective | |
| Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 | Process or Activity | Detective | |
| Determine the duration of the incident when assessing security incidents. CC ID 17181 | Process or Activity | Detective | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 | Monitor and Evaluate Occurrences | Corrective | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Monitor and Evaluate Occurrences | Detective | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Monitor and Evaluate Occurrences | Detective | |
| Identify root causes of incidents that force system changes. CC ID 13482 | Investigate | Detective | |
| Respond to and triage when an incident is detected. CC ID 06942 | Monitor and Evaluate Occurrences | Detective | |
| Document the incident and any relevant evidence in the incident report. CC ID 08659 | Establish/Maintain Documentation | Detective | |
| Escalate incidents, as necessary. CC ID 14861 | Monitor and Evaluate Occurrences | Corrective | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Process or Activity | Corrective | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 | Behavior | Corrective | |
| Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Process or Activity | Corrective | |
| Contain the incident to prevent further loss. CC ID 01751 | Process or Activity | Corrective | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Technical Security | Corrective | |
| Refrain from accessing compromised systems. CC ID 01752 | Technical Security | Corrective | |
| Isolate compromised systems from the network. CC ID 01753 | Technical Security | Corrective | |
| Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Log Management | Corrective | |
| Change authenticators after a security incident has been detected. CC ID 06789 | Technical Security | Corrective | |
| Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Investigate | Detective | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Establish/Maintain Documentation | Preventive | |
| Include the investigation methodology in the forensic investigation report. CC ID 17071 | Establish/Maintain Documentation | Preventive | |
| Include corrective actions in the forensic investigation report. CC ID 17070 | Establish/Maintain Documentation | Preventive | |
| Include the investigation results in the forensic investigation report. CC ID 17069 | Establish/Maintain Documentation | Preventive | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Establish/Maintain Documentation | Detective | |
| Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Establish/Maintain Documentation | Detective | |
| Assess all incidents to determine what information was accessed. CC ID 01226 | Testing | Corrective | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Monitor and Evaluate Occurrences | Corrective | |
| Analyze the incident response process following an incident response. CC ID 13179 | Investigate | Detective | |
| Share incident information with interested personnel and affected parties. CC ID 01212 | Data and Information Management | Corrective | |
| Share data loss event information with the media. CC ID 01759 | Behavior | Corrective | |
| Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
| Share data loss event information with interconnected system owners. CC ID 01209 | Establish/Maintain Documentation | Corrective | |
| Redact restricted data before sharing incident information. CC ID 16994 | Data and Information Management | Preventive | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
| Report data loss event information to breach notification organizations. CC ID 01210 | Data and Information Management | Corrective | |
| Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
| Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
| Remediate security violations according to organizational standards. CC ID 12338 | Business Processes | Preventive | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Establish/Maintain Documentation | Preventive | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Establish/Maintain Documentation | Preventive | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Behavior | Corrective | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Behavior | Detective | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Behavior | Corrective | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
| Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Establish/Maintain Documentation | Preventive | |
| Avoid false positive incident response notifications. CC ID 04732 | Behavior | Detective | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Establish/Maintain Documentation | Corrective | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
| Include information required by law in incident response notifications. CC ID 00802 | Establish/Maintain Documentation | Detective | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Establish/Maintain Documentation | Preventive | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Establish/Maintain Documentation | Preventive | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Establish/Maintain Documentation | Preventive | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Establish/Maintain Documentation | Preventive | |
| Use plain language to write incident response notifications. CC ID 12976 | Establish/Maintain Documentation | Preventive | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Establish/Maintain Documentation | Preventive | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Establish/Maintain Documentation | Preventive | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Establish/Maintain Documentation | Preventive | |
| Include time information in incident response notifications. CC ID 04745 | Establish/Maintain Documentation | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Establish/Maintain Documentation | Preventive | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Establish/Maintain Documentation | Preventive | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Establish/Maintain Documentation | Preventive | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Establish/Maintain Documentation | Preventive | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Establish/Maintain Documentation | Preventive | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Establish/Maintain Documentation | Preventive | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Establish/Maintain Documentation | Preventive | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Establish/Maintain Documentation | Preventive | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Establish/Maintain Documentation | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
| Include any consequences in the incident response notifications. CC ID 12604 | Establish/Maintain Documentation | Preventive | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Establish/Maintain Documentation | Preventive | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Establish/Maintain Documentation | Preventive | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Establish/Maintain Documentation | Detective | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
| Include contact information in incident response notifications. CC ID 04739 | Establish/Maintain Documentation | Preventive | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Behavior | Corrective | |
| Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Behavior | Corrective | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Behavior | Corrective | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Behavior | Corrective | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Behavior | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Establish/Maintain Documentation | Preventive | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Behavior | Preventive | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Behavior | Corrective | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Behavior | Preventive | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Behavior | Corrective | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 | Establish/Maintain Documentation | Preventive | |
| Include the containment approach in the containment strategy. CC ID 13486 | Establish/Maintain Documentation | Preventive | |
| Include response times in the containment strategy. CC ID 13485 | Establish/Maintain Documentation | Preventive | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Establish/Maintain Documentation | Corrective | |
| Change wireless access variables after a data loss event has been detected. CC ID 01756 | Technical Security | Corrective | |
| Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Business Processes | Corrective | |
| Establish, implement, and maintain a restoration log. CC ID 12745 | Establish/Maintain Documentation | Preventive | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Data and Information Management | Preventive | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Data and Information Management | Preventive | |
| Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Human Resources Management | Corrective | |
| Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Establish/Maintain Documentation | Preventive | |
| Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Monitor and Evaluate Occurrences | Detective | |
| Re-image compromised systems with secure builds. CC ID 12086 | Technical Security | Corrective | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Establish/Maintain Documentation | Preventive | |
| Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Monitor and Evaluate Occurrences | Preventive | |
| Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Investigate | Preventive | |
| Update the incident response procedures using the lessons learned. CC ID 01233 | Establish/Maintain Documentation | Preventive | |
| Test incident monitoring procedures. CC ID 13194 | Testing | Detective | |
| Include incident response procedures in the Incident Management program. CC ID 01218 | Establish/Maintain Documentation | Preventive | |
| Integrate configuration management procedures into the incident management program. CC ID 13647 | Technical Security | Preventive | |
| Include incident management procedures in the Incident Management program. CC ID 12689 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Establish/Maintain Documentation | Corrective | |
| Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Establish/Maintain Documentation | Preventive | |
| Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Establish/Maintain Documentation | Preventive | |
| Conduct incident investigations, as necessary. CC ID 13826 | Process or Activity | Detective | |
| Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Investigate | Detective | |
| Identify the affected parties during incident investigations. CC ID 16781 | Investigate | Detective | |
| Interview suspects during incident investigations, as necessary. CC ID 14041 | Investigate | Detective | |
| Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Investigate | Detective | |
| Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Establish/Maintain Documentation | Preventive | |
| Destroy investigative materials, as necessary. CC ID 17082 | Data and Information Management | Preventive | |
| Establish, implement, and maintain incident management audit logs. CC ID 13514 | Records Management | Preventive | |
| Log incidents in the Incident Management audit log. CC ID 00857 | Establish/Maintain Documentation | Preventive | |
| Include who the incident was reported to in the incident management audit log. CC ID 16487 | Log Management | Preventive | |
| Include the information that was exchanged in the incident management audit log. CC ID 16995 | Log Management | Preventive | |
| Include corrective actions in the incident management audit log. CC ID 16466 | Establish/Maintain Documentation | Preventive | |
| Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Log Management | Corrective | |
| Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Log Management | Preventive | |
| Include emergency processing priorities in the Incident Management program. CC ID 00859 | Establish/Maintain Documentation | Preventive | |
| Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Establish/Maintain Documentation | Preventive | |
| Include incident record closure procedures in the Incident Management program. CC ID 01620 | Establish/Maintain Documentation | Preventive | |
| Include incident reporting procedures in the Incident Management program. CC ID 11772 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Communicate | Preventive | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain incident response procedures. CC ID 01206 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Establish/Maintain Documentation | Detective | |
| Include references to industry best practices in the incident response procedures. CC ID 11956 | Establish/Maintain Documentation | Preventive | |
| Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Establish/Maintain Documentation | Preventive | |
| Respond when an integrity violation is detected, as necessary. CC ID 10678 | Technical Security | Corrective | |
| Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Technical Security | Corrective | |
| Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Technical Security | Corrective | |
Privacy protection for information and data | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Data and Information Management | Preventive | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 | Establish/Maintain Documentation | Preventive | |
| Include contact information in the privacy notice. CC ID 14432 [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller. § 6-48.1-3.(a)(3)] | Establish/Maintain Documentation | Preventive | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [{secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)] | Establish/Maintain Documentation | Preventive | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Establish/Maintain Documentation | Preventive | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify all third parties to whom the controller has sold or may sell customers' personally identifiable information; and § 6-48.1-3.(a)(2)] | Establish/Maintain Documentation | Preventive | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify all categories of personal data that the controller collects through the website or online service about customers; § 6-48.1-3.(a)(1)] | Establish/Maintain Documentation | Preventive | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 | Communicate | Preventive | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 6-48.1-7.(l)(1)] | Communicate | Preventive | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A customer shall have the right to: Confirm whether or not a controller is processing the customer's personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret; § 6-48.1-5.(e)(1)] | Data and Information Management | Preventive | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Business Processes | Preventive | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Business Processes | Preventive | |
| Notify the data subject of the right to data portability. CC ID 12603 | Process or Activity | Preventive | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Process or Activity | Preventive | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing. § 6-48.1-3.(b) A customer shall have the right to: Confirm whether or not a controller is processing the customer's personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret; § 6-48.1-5.(e)(1)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data request procedures. CC ID 16546 [{secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)] | Establish/Maintain Documentation | Preventive | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [{may not discriminate} No controller shall discriminate against a customer for exercising their customer rights. § 6-48.1-5.(b) {shall not deny} No controller shall deny goods or services, charge different prices or rates for goods or services or provide a different level of quality of goods or services to the customer if the customer opts out to use of their data. However, if a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection. § 6-48.1-5.(c)] | Human Resources Management | Preventive | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 [{be different} {free of charge} Controllers may provide different prices and levels for goods and services if it is for a bona fide loyalty, rewards, premium features, discount or club card programs that customers voluntarily participate. § 6-48.1-5.(d)] | Business Processes | Preventive | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Business Processes | Preventive | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e) A customer shall have the right to: Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer. § 6-48.1-5.(e)(4)] | Data and Information Management | Preventive | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Business Processes | Preventive | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Business Processes | Preventive | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 | Technical Security | Preventive | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e) The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e) {opt out} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Opting the customer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of this chapter. § 6-48.1-6.(b)(5)(ii) A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A customer may designate another person to serve as the customer's authorized agent and act on such customer's behalf, to opt out of the processing of such customer's personal data. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify the identity of the customer and the authorized agent's authority to act on the customer's behalf. § 6-48.1-6.(b)(7)] | Business Processes | Preventive | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)] | Communicate | Preventive | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
| Cooperate with Data Protection Authorities. CC ID 06870 [{scientific research} This chapter shall not be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; § 6-48.1-7.(o)(10)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations of this chapter. § 6-48.1-7.(b) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)] | Establish/Maintain Documentation | Preventive | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Establish/Maintain Documentation | Preventive | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; § 6-48.1-7.(c)(1)] | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Establish/Maintain Documentation | Preventive | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)] | Establish/Maintain Documentation | Preventive | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)] | Establish/Maintain Documentation | Preventive | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)] | Establish/Maintain Documentation | Preventive | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)] | Establish/Maintain Documentation | Preventive | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations of this chapter, using an appropriate and accepted control standard of framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request. § 6-48.1-7.(c)(5)] | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations of this chapter; § 6-48.1-7.(c)(3) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations of this chapter, using an appropriate and accepted control standard of framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request. § 6-48.1-7.(c)(5)] | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations of this chapter. § 6-48.1-7.(b) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c) This chapter shall not be construed to restrict a controller's or processor's ability to: Assist another controller, processor or third party with any of the obligations of this chapter; or § 6-48.1-7.(o)(11)] | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and § 6-48.1-7.(c)(4)] | Human Resources Management | Preventive | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; § 6-48.1-7.(c)(2)] | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [{be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Establish/Maintain Documentation | Preventive | |
| Display or print the least amount of personal data necessary. CC ID 04643 | Data and Information Management | Preventive | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Data and Information Management | Preventive | |
| Notify the data subject of the collection purpose. CC ID 00095 | Behavior | Preventive | |
| Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Data and Information Management | Preventive | |
| Document the law that requires restricted data to be collected. CC ID 00103 | Establish/Maintain Documentation | Preventive | |
| Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Behavior | Preventive | |
| Notify the data subject of changes to personal data use. CC ID 00105 | Behavior | Preventive | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Establish/Maintain Documentation | Preventive | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Establish/Maintain Documentation | Preventive | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [This chapter shall not be construed to restrict a controller's or processor's ability to: Take immediate steps to protect an interest that is essential for the life or physical safety of the customer or another individual, and where the processing cannot be manifestly based on another legal basis; § 6-48.1-7.(o)(8)] | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Establish/Maintain Documentation | Preventive | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Establish/Maintain Documentation | Preventive | |
| Obtain the data subject's consent when the personal data use changes. CC ID 11832 | Behavior | Preventive | |
| Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Establish/Maintain Documentation | Preventive | |
| Dispose of media and restricted data in a timely manner. CC ID 00125 | Data and Information Management | Preventive | |
| Refrain from destroying records being inspected or reviewed. CC ID 13015 | Records Management | Preventive | |
| Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Communicate | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [{refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)] | Establish/Maintain Documentation | Preventive | |
| Allow data subjects to submit data requests. CC ID 16545 | Process or Activity | Preventive | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Data and Information Management | Preventive | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Data and Information Management | Preventive | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 | Data and Information Management | Preventive | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Data and Information Management | Preventive | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Data and Information Management | Preventive | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Establish/Maintain Documentation | Preventive | |
| Define what is to be included in a data access request. CC ID 08699 | Establish/Maintain Documentation | Preventive | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Business Processes | Preventive | |
| Respond to data access requests in a timely manner. CC ID 00421 [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)] | Behavior | Preventive | |
| Respond to data access requests in an official language. CC ID 17176 | Communicate | Preventive | |
| Delay responding to data access requests, as necessary. CC ID 15504 [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)] | Data and Information Management | Preventive | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Data and Information Management | Preventive | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)] | Behavior | Detective | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Behavior | Detective | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Business Processes | Preventive | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Process or Activity | Preventive | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Establish/Maintain Documentation | Preventive | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Data and Information Management | Preventive | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Data and Information Management | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Establish/Maintain Documentation | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Records Management | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Establish/Maintain Documentation | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Records Management | Corrective | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Establish/Maintain Documentation | Preventive | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Process or Activity | Preventive | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Establish/Maintain Documentation | Preventive | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)] | Behavior | Preventive | |
| Refrain from processing restricted data, as necessary. CC ID 12551 | Records Management | Preventive | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 6-48.1-7.(l)(1)] | Process or Activity | Preventive | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 [The controller shall not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against customers. § 6-48.1-4.(d)] | Data and Information Management | Preventive | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Data and Information Management | Preventive | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Business Processes | Preventive | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Business Processes | Preventive | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Business Processes | Preventive | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Business Processes | Preventive | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Business Processes | Preventive | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Business Processes | Preventive | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Business Processes | Preventive | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Process or Activity | Preventive | |
| Process restricted data lawfully and carefully. CC ID 00086 [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)] | Establish Roles | Preventive | |
| Analyze requirements for processing personal data in contracts. CC ID 12550 | Investigate | Detective | |
| Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Technical Security | Preventive | |
| Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Data and Information Management | Preventive | |
| Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Communicate | Corrective | |
| Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Records Management | Preventive | |
| Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Establish/Maintain Documentation | Preventive | |
| Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Data and Information Management | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Records Management | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Process or Activity | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Records Management | Preventive | |
| Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Data and Information Management | Preventive | |
| Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Establish/Maintain Documentation | Preventive | |
| Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Establish/Maintain Documentation | Preventive | |
| Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Data and Information Management | Preventive | |
| Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 | Business Processes | Preventive | |
| Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Establish/Maintain Documentation | Preventive | |
| Define and implement valid authorization control requirements. CC ID 06258 | Establish/Maintain Documentation | Preventive | |
| Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Data and Information Management | Preventive | |
| Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Data and Information Management | Preventive | |
| Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 | Business Processes | Preventive | |
| Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 | Business Processes | Preventive | |
| Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Data and Information Management | Preventive | |
| Process personal data after the data subject has granted explicit consent. CC ID 00180 | Data and Information Management | Preventive | |
| Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Data and Information Management | Preventive | |
| Process personal data relating to criminal offenses when required by law. CC ID 00237 | Data and Information Management | Preventive | |
| Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Data and Information Management | Preventive | |
| Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Data and Information Management | Preventive | |
| Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Data and Information Management | Preventive | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: Subject to suitable and specific measures to safeguard the rights of the customer whose personal data is being processed, and § 6-48.1-7.(o)(12)(i) This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: Under the responsibility of a professional subject to confidentiality obligations under federal, state or local law. § 6-48.1-7.(o)(12)(ii) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4) {refrain from adversely affecting} Nothing in this chapter shall be construed to: Impose any obligation on a controller or processor that adversely affects the rights or freedoms of any person, including, but not limited to, the rights of any person to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution; or § 6-48.1-7.(r)(1)] | Data and Information Management | Preventive | |
| Process traffic data in a controlled manner. CC ID 00130 | Data and Information Management | Preventive | |
| Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Data and Information Management | Preventive | |
| Process personal data when it is publicly accessible. CC ID 00187 | Data and Information Management | Preventive | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Data and Information Management | Preventive | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Business Processes | Preventive | |
| Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Communicate | Corrective | |
| Process personal data for the purposes of employment. CC ID 16527 | Data and Information Management | Preventive | |
| Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Data and Information Management | Preventive | |
| Process personal data for debt collection or benefit payments. CC ID 00190 | Data and Information Management | Preventive | |
| Process personal data in order to advance the public interest. CC ID 00191 [This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: § 6-48.1-7.(o)(12)] | Data and Information Management | Preventive | |
| Process personal data for surveys, archives, or scientific research. CC ID 00192 [{scientific research} This chapter shall not be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; § 6-48.1-7.(o)(10) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1)] | Data and Information Management | Preventive | |
| Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Data and Information Management | Preventive | |
| Process personal data for academic purposes or religious purposes. CC ID 00194 | Data and Information Management | Preventive | |
| Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Data and Information Management | Preventive | |
| Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Data and Information Management | Preventive | |
| Follow legal obligations while processing personal data. CC ID 04794 | Data and Information Management | Preventive | |
| Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Data and Information Management | Preventive | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Establish/Maintain Documentation | Preventive | |
| Define opt-out exceptions for disclosing restricted data. CC ID 00159 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i) {refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Establish/Maintain Documentation | Preventive | |
| Capture personal data removal requests. CC ID 13507 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i)] | Communicate | Preventive | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A customer shall have the right to: Correct inaccuracies in the customer's personal data and delete personal data provided by, or obtained about, the customer, taking into account the nature of the personal data and the purposes of the processing of the customer's personal data; § 6-48.1-5.(e)(2)] | Records Management | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Process or Activity | Preventive | |
| Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)] | Data and Information Management | Preventive | |
| Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)] | Data and Information Management | Preventive | |
| Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Data and Information Management | Preventive | |
| Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Data and Information Management | Preventive | |
| Process Personal Identification Numbers with consent. CC ID 00239 | Data and Information Management | Preventive | |
| Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Behavior | Preventive | |
| Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Data and Information Management | Preventive | |
| Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Data and Information Management | Preventive | |
| Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Data and Information Management | Preventive | |
| Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Data and Information Management | Preventive | |
| Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Establish/Maintain Documentation | Preventive | |
| Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Data and Information Management | Preventive | |
| Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Data and Information Management | Preventive | |
| Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Data and Information Management | Preventive | |
| Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Data and Information Management | Preventive | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Does not use the personal data to recognize or respond to the specific customer who is the subject of the personal data, or associate the personal data with the other personal data about the same specific customer; and § 6-48.1-7.(l)(2) {refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. § 6-48.1-7.(l)(3) {time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2) A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)] | Establish/Maintain Documentation | Preventive | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)] | Data and Information Management | Preventive | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)] | Data and Information Management | Preventive | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Data and Information Management | Preventive | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Data and Information Management | Preventive | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Data and Information Management | Preventive | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Data and Information Management | Preventive | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Data and Information Management | Preventive | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Data and Information Management | Preventive | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Data and Information Management | Preventive | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Process or Activity | Preventive | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Data and Information Management | Preventive | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Data and Information Management | Preventive | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Data and Information Management | Preventive | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Data and Information Management | Detective | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Data and Information Management | Preventive | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Data and Information Management | Preventive | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Data and Information Management | Preventive | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Data and Information Management | Preventive | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Data and Information Management | Preventive | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2) {vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)] | Data and Information Management | Preventive | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Communicate | Preventive | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Data and Information Management | Preventive | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Process or Activity | Preventive | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Data and Information Management | Preventive | |
| Provide data or records in a reasonable time frame. CC ID 00429 | Data and Information Management | Preventive | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)] | Communicate | Preventive | |
| Provide data at a cost that is not excessive. CC ID 00430 [{vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3) {vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)] | Data and Information Management | Preventive | |
| Provide records or data in a reasonable manner. CC ID 00431 [A customer shall have the right to: Obtain a copy of the customer's personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the customer to transmit the data to another controller without undue delay, where the processing is carried out by automated means; provided such controller shall not be required to reveal any trade secret; and § 6-48.1-5.(e)(3)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Establish/Maintain Documentation | Preventive | |
| Refrain from collecting personal data, as necessary. CC ID 15269 [{refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Establish/Maintain Documentation | Preventive | |
| Use personal data for specified purposes. CC ID 11831 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Establish/Maintain Documentation | Preventive | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [Any controller in possession of de-identified data shall: Take reasonable measures to ensure that the data cannot be associated with an individual; § 6-48.1-7.(j)(1) Any controller in possession of de-identified data shall: Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and § 6-48.1-7.(j)(2) {refrain from requiring} Nothing in this chapter shall be construed to: Require a controller or processor to re-identify de-identified data or pseudonymous data; or § 6-48.1-7.(k)(1) {refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)] | Data and Information Management | Preventive | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Data and Information Management | Preventive | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 [The rights afforded under this section, and inclusive of § 6-48.1-5(f) shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the customer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 6-48.1-7.(m)] | Data and Information Management | Preventive | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Data and Information Management | Preventive | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Data and Information Management | Preventive | |
| Change or destroy any personal data that is incorrect. CC ID 00462 [A customer shall have the right to: Correct inaccuracies in the customer's personal data and delete personal data provided by, or obtained about, the customer, taking into account the nature of the personal data and the purposes of the processing of the customer's personal data; § 6-48.1-5.(e)(2)] | Data and Information Management | Corrective | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Behavior | Corrective | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Data and Information Management | Preventive | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Data and Information Management | Corrective | |
| Investigate privacy rights violation complaints. CC ID 00480 | Behavior | Detective | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 [This chapter shall not be construed to restrict a controller's or processor's ability to: Comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state, municipal or other governmental authorities; § 6-48.1-7.(o)(2) This chapter shall not be construed to restrict a controller's or processor's ability to: Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or municipal ordinances or regulations; § 6-48.1-7.(o)(3)] | Business Processes | Corrective | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)] | Behavior | Preventive | |
| Define the organization's liability based on the applicable law. CC ID 00504 [{not relieve} {personal data} Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under § 6-48.1-8. § 6-48.1-7.(d) {is not in violation} A controller or processor that discloses personal data to a processor or third-party controller shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes such personal data violates said sections; provided at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller or processor in compliance with this chapter is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data. § 6-48.1-7.(q)] | Establish/Maintain Documentation | Preventive | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Establish/Maintain Documentation | Preventive | |
| Define the appeal process based on the applicable law. CC ID 00506 [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6) {be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)] | Establish/Maintain Documentation | Preventive | |
| Define the fee structure for the appeal process. CC ID 16532 | Process or Activity | Preventive | |
| Define the time requirements for the appeal process. CC ID 16531 | Process or Activity | Preventive | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [{time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2)] | Communicate | Preventive | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)] | Communicate | Preventive | |
| Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Data and Information Management | Preventive | |
| Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)] | Establish/Maintain Documentation | Preventive | |
| Check the accuracy of restricted data. CC ID 00088 | Data and Information Management | Preventive | |
| Record restricted data correctly. CC ID 00089 | Testing | Detective | |
| Check the data accuracy of new accounts. CC ID 04859 | Data and Information Management | Preventive | |
| Use documents for identification that do not appear altered or forged. CC ID 04860 | Establish/Maintain Documentation | Preventive | |
| Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 | Testing | Detective | |
| Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 | Data and Information Management | Preventive | |
| Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 | Data and Information Management | Preventive | |
| Correlate the applicant's social security number with their date of birth. CC ID 04864 | Data and Information Management | Preventive | |
| Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 | Data and Information Management | Preventive | |
| Compare the applicant's personal data against known fraudulent activities. CC ID 04865 | Data and Information Management | Preventive | |
| Compare the applicant's address against known suspicious addresses. CC ID 04866 | Data and Information Management | Preventive | |
| Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 | Data and Information Management | Preventive | |
| Provide additional personal data when the application is incomplete. CC ID 04869 | Data and Information Management | Preventive | |
| Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 | Data and Information Management | Detective | |
| Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 | Behavior | Detective | |
| Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 | Data and Information Management | Detective | |
| Interview appropriate parties to validate consumer information. CC ID 16902 | Process or Activity | Preventive | |
| Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 | Business Processes | Detective | |
| Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 | Business Processes | Preventive | |
| Use contact methods specified by the consumer for identity verification. CC ID 16878 | Process or Activity | Preventive | |
Technical security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a digital identity management program. CC ID 13713 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A customer may designate another person to serve as the customer's authorized agent and act on such customer's behalf, to opt out of the processing of such customer's personal data. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify the identity of the customer and the authorized agent's authority to act on the customer's behalf. § 6-48.1-6.(b)(7) {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f) {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f) {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)] | Establish/Maintain Documentation | Preventive | |
| Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Establish/Maintain Documentation | Preventive | |
| Include termination procedures in the authorized representatives policy. CC ID 17226 | Establish/Maintain Documentation | Preventive | |
| Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Establish/Maintain Documentation | Preventive | |
| Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Establish/Maintain Documentation | Preventive | |
| Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 | Establish/Maintain Documentation | Preventive | |
| Control access rights to organizational assets. CC ID 00004 | Technical Security | Preventive | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Establish Roles | Preventive | |
| Enforce access restrictions for restricted data. CC ID 01921 [The rights afforded under this section, and inclusive of § 6-48.1-5(f) shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the customer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 6-48.1-7.(m)] | Data and Information Management | Preventive | |
Third Party and supply chain oversight | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [This chapter shall not be construed to restrict a controller's or processor's ability to: Perform under a contract to which a customer is a party, including fulfilling the terms of a written warranty; § 6-48.1-7.(o)(6) This chapter shall not be construed to restrict a controller's or processor's ability to: Take steps at the request of a customer prior to entering into a contract; § 6-48.1-7.(o)(7)] | Establish/Maintain Documentation | Preventive | |
| Review and update all contracts, as necessary. CC ID 11612 | Establish/Maintain Documentation | Preventive | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
| Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 [Any controller in possession of de-identified data shall: Contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter. § 6-48.1-7.(j)(3)] | Establish/Maintain Documentation | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Process or Activity | Detective | |
| Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [{is not in violation} A controller or processor that discloses personal data to a processor or third-party controller shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes such personal data violates said sections; provided at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller or processor in compliance with this chapter is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data. § 6-48.1-7.(q)] | Establish/Maintain Documentation | Detective | |
| Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Communicate | Preventive | |
| Include the audit scope in the third party external audit report. CC ID 13138 | Establish/Maintain Documentation | Preventive | |
| Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Establish/Maintain Documentation | Detective | |
| Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Business Processes | Preventive | |
| Provide products or services per customer requests. CC ID 08893 [This chapter shall not be construed to restrict a controller's or processor's ability to: Provide a product or service specifically requested by a customer; § 6-48.1-7.(o)(5)] | Business Processes | Preventive | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Acquisition/Sale of Assets or Services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Preventive | |
| Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Preventive | |
| Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Refrain from providing products and services, as necessary. CC ID 15580 [{shall not deny} No controller shall deny goods or services, charge different prices or rates for goods or services or provide a different level of quality of goods or services to the customer if the customer opts out to use of their data. However, if a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection. § 6-48.1-5.(c)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Actionable Reports or Measurements | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive | |
Audits and Risk Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Monitoring and measurement | Preventive | |
| Provide security inspectors access to personnel files during site reviews. CC ID 12300 | Human Resources management | Detective | |
Behavior | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Human Resources management | Preventive | |
| Establish, implement, and maintain an ethical culture. CC ID 12781 | Human Resources management | Preventive | |
| Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 | Human Resources management | Preventive | |
| Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Human Resources management | Preventive | |
| Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Human Resources management | Preventive | |
| Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Preventive | |
| Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Preventive | |
| Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Preventive | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Corrective | |
| Share data loss event information with the media. CC ID 01759 | Operational management | Corrective | |
| Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Corrective | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Detective | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Corrective | |
| Avoid false positive incident response notifications. CC ID 04732 | Operational management | Detective | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Corrective | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Corrective | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Corrective | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Corrective | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Preventive | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Preventive | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Corrective | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Preventive | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Corrective | |
| Notify the data subject of the collection purpose. CC ID 00095 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Privacy protection for information and data | Preventive | |
| Notify the data subject of changes to personal data use. CC ID 00105 | Privacy protection for information and data | Preventive | |
| Obtain the data subject's consent when the personal data use changes. CC ID 11832 | Privacy protection for information and data | Preventive | |
| Respond to data access requests in a timely manner. CC ID 00421 [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)] | Privacy protection for information and data | Preventive | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)] | Privacy protection for information and data | Detective | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Detective | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)] | Privacy protection for information and data | Preventive | |
| Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Preventive | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Corrective | |
| Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Detective | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)] | Privacy protection for information and data | Preventive | |
| Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 | Privacy protection for information and data | Detective | |
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Implement a fraud detection system. CC ID 13081 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Monitoring and measurement | Preventive | |
| Approve the system security plan. CC ID 14241 | Monitoring and measurement | Preventive | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Detective | |
| Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Preventive | |
| Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Human Resources management | Preventive | |
| Respond to ethics complaints of ethics violations. CC ID 11497 | Human Resources management | Corrective | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Operational management | Preventive | |
| Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Detective | |
| Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Preventive | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
| Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Corrective | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Preventive | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 [{be different} {free of charge} Controllers may provide different prices and levels for goods and services if it is for a bona fide loyalty, rewards, premium features, discount or club card programs that customers voluntarily participate. § 6-48.1-5.(d)] | Privacy protection for information and data | Preventive | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Preventive | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Preventive | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Preventive | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e) The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e) {opt out} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Opting the customer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of this chapter. § 6-48.1-6.(b)(5)(ii) A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A customer may designate another person to serve as the customer's authorized agent and act on such customer's behalf, to opt out of the processing of such customer's personal data. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify the identity of the customer and the authorized agent's authority to act on the customer's behalf. § 6-48.1-6.(b)(7)] | Privacy protection for information and data | Preventive | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Preventive | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Preventive | |
| Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 | Privacy protection for information and data | Preventive | |
| Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 | Privacy protection for information and data | Preventive | |
| Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Preventive | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 [This chapter shall not be construed to restrict a controller's or processor's ability to: Comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state, municipal or other governmental authorities; § 6-48.1-7.(o)(2) This chapter shall not be construed to restrict a controller's or processor's ability to: Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or municipal ordinances or regulations; § 6-48.1-7.(o)(3)] | Privacy protection for information and data | Corrective | |
| Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 | Privacy protection for information and data | Detective | |
| Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 | Privacy protection for information and data | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Third Party and supply chain oversight | Preventive | |
| Provide products or services per customer requests. CC ID 08893 [This chapter shall not be construed to restrict a controller's or processor's ability to: Provide a product or service specifically requested by a customer; § 6-48.1-7.(o)(5)] | Third Party and supply chain oversight | Preventive | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Preventive | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Preventive | |
| Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 [{make available} The attorney general may require a controller to disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available. The attorney general may evaluate the data protection assessment for compliance with responsibilities of this chapter. Data protection assessments shall be confidential and shall be exempt from disclosure pursuant to chapter 2 of title 38 ("access to public records"). To the extent any information contained in a data protection assessment disclosed to the attorney general includes information subject to attorney-client privilege or work product protection, such disclosure shall not constitute a waiver of such privilege or protection. § 6-48.1-7.(f)] | Audits and risk management | Preventive | |
| Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Human Resources management | Preventive | |
| Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Preventive | |
| Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Preventive | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
| Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Operational management | Preventive | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 6-48.1-7.(l)(1)] | Privacy protection for information and data | Preventive | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)] | Privacy protection for information and data | Preventive | |
| Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Preventive | |
| Respond to data access requests in an official language. CC ID 17176 | Privacy protection for information and data | Preventive | |
| Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Corrective | |
| Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Corrective | |
| Capture personal data removal requests. CC ID 13507 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i)] | Privacy protection for information and data | Preventive | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Preventive | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)] | Privacy protection for information and data | Preventive | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [{time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2)] | Privacy protection for information and data | Preventive | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)] | Privacy protection for information and data | Preventive | |
| Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Preventive | |
Data and Information Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Enforce access restrictions for restricted data. CC ID 01921 [The rights afforded under this section, and inclusive of § 6-48.1-5(f) shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the customer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 6-48.1-7.(m)] | Technical security | Preventive | |
| Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Corrective | |
| Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Preventive | |
| Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Preventive | |
| Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Corrective | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Preventive | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Preventive | |
| Destroy investigative materials, as necessary. CC ID 17082 | Operational management | Preventive | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A customer shall have the right to: Confirm whether or not a controller is processing the customer's personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret; § 6-48.1-5.(e)(1)] | Privacy protection for information and data | Preventive | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e) A customer shall have the right to: Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer. § 6-48.1-5.(e)(4)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Privacy protection for information and data | Preventive | |
| Cooperate with Data Protection Authorities. CC ID 06870 [{scientific research} This chapter shall not be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; § 6-48.1-7.(o)(10)] | Privacy protection for information and data | Preventive | |
| Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Preventive | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Preventive | |
| Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Preventive | |
| Dispose of media and restricted data in a timely manner. CC ID 00125 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Preventive | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Preventive | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Preventive | |
| Delay responding to data access requests, as necessary. CC ID 15504 [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)] | Privacy protection for information and data | Preventive | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Preventive | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Preventive | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 [The controller shall not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against customers. § 6-48.1-4.(d)] | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Preventive | |
| Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Preventive | |
| Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Preventive | |
| Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Preventive | |
| Process personal data after the data subject has granted explicit consent. CC ID 00180 | Privacy protection for information and data | Preventive | |
| Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Privacy protection for information and data | Preventive | |
| Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Preventive | |
| Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Preventive | |
| Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Preventive | |
| Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Preventive | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: Subject to suitable and specific measures to safeguard the rights of the customer whose personal data is being processed, and § 6-48.1-7.(o)(12)(i) This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: Under the responsibility of a professional subject to confidentiality obligations under federal, state or local law. § 6-48.1-7.(o)(12)(ii) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4) {refrain from adversely affecting} Nothing in this chapter shall be construed to: Impose any obligation on a controller or processor that adversely affects the rights or freedoms of any person, including, but not limited to, the rights of any person to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution; or § 6-48.1-7.(r)(1)] | Privacy protection for information and data | Preventive | |
| Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Preventive | |
| Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Preventive | |
| Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Preventive | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Preventive | |
| Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Preventive | |
| Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Preventive | |
| Process personal data for debt collection or benefit payments. CC ID 00190 | Privacy protection for information and data | Preventive | |
| Process personal data in order to advance the public interest. CC ID 00191 [This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: § 6-48.1-7.(o)(12)] | Privacy protection for information and data | Preventive | |
| Process personal data for surveys, archives, or scientific research. CC ID 00192 [{scientific research} This chapter shall not be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; § 6-48.1-7.(o)(10) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1)] | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Preventive | |
| Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Preventive | |
| Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Preventive | |
| Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Preventive | |
| Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Preventive | |
| Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)] | Privacy protection for information and data | Preventive | |
| Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)] | Privacy protection for information and data | Preventive | |
| Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Preventive | |
| Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Preventive | |
| Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Preventive | |
| Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Preventive | |
| Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Preventive | |
| Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Preventive | |
| Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Preventive | |
| Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Preventive | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)] | Privacy protection for information and data | Preventive | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)] | Privacy protection for information and data | Preventive | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Preventive | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Preventive | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Preventive | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Preventive | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Preventive | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Detective | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Preventive | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Preventive | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Preventive | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2) {vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)] | Privacy protection for information and data | Preventive | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Privacy protection for information and data | Preventive | |
| Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Preventive | |
| Provide data at a cost that is not excessive. CC ID 00430 [{vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3) {vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)] | Privacy protection for information and data | Preventive | |
| Provide records or data in a reasonable manner. CC ID 00431 [A customer shall have the right to: Obtain a copy of the customer's personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the customer to transmit the data to another controller without undue delay, where the processing is carried out by automated means; provided such controller shall not be required to reveal any trade secret; and § 6-48.1-5.(e)(3)] | Privacy protection for information and data | Preventive | |
| Refrain from collecting personal data, as necessary. CC ID 15269 [{refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)] | Privacy protection for information and data | Preventive | |
| Use personal data for specified purposes. CC ID 11831 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Privacy protection for information and data | Preventive | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [Any controller in possession of de-identified data shall: Take reasonable measures to ensure that the data cannot be associated with an individual; § 6-48.1-7.(j)(1) Any controller in possession of de-identified data shall: Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and § 6-48.1-7.(j)(2) {refrain from requiring} Nothing in this chapter shall be construed to: Require a controller or processor to re-identify de-identified data or pseudonymous data; or § 6-48.1-7.(k)(1) {refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)] | Privacy protection for information and data | Preventive | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Preventive | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 [The rights afforded under this section, and inclusive of § 6-48.1-5(f) shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the customer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 6-48.1-7.(m)] | Privacy protection for information and data | Preventive | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Preventive | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Preventive | |
| Change or destroy any personal data that is incorrect. CC ID 00462 [A customer shall have the right to: Correct inaccuracies in the customer's personal data and delete personal data provided by, or obtained about, the customer, taking into account the nature of the personal data and the purposes of the processing of the customer's personal data; § 6-48.1-5.(e)(2)] | Privacy protection for information and data | Corrective | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Preventive | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Corrective | |
| Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Preventive | |
| Check the accuracy of restricted data. CC ID 00088 | Privacy protection for information and data | Preventive | |
| Check the data accuracy of new accounts. CC ID 04859 | Privacy protection for information and data | Preventive | |
| Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 | Privacy protection for information and data | Preventive | |
| Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 | Privacy protection for information and data | Preventive | |
| Correlate the applicant's social security number with their date of birth. CC ID 04864 | Privacy protection for information and data | Preventive | |
| Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 | Privacy protection for information and data | Preventive | |
| Compare the applicant's personal data against known fraudulent activities. CC ID 04865 | Privacy protection for information and data | Preventive | |
| Compare the applicant's address against known suspicious addresses. CC ID 04866 | Privacy protection for information and data | Preventive | |
| Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 | Privacy protection for information and data | Preventive | |
| Provide additional personal data when the application is incomplete. CC ID 04869 | Privacy protection for information and data | Preventive | |
| Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 | Privacy protection for information and data | Detective | |
| Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 | Privacy protection for information and data | Detective | |
Establish Roles | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Preventive | |
| Identify and define all critical roles. CC ID 00777 | Human Resources management | Preventive | |
| Define and assign the data controller's roles and responsibilities. CC ID 00471 [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: § 6-48.1-3.(a)] | Human Resources management | Preventive | |
| Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Preventive | |
| Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Preventive | |
| Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Preventive | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive | |
| Process restricted data lawfully and carefully. CC ID 00086 [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)] | Privacy protection for information and data | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
| Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Preventive | |
| Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption. § 6-48.1-7.(t)] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Monitoring and measurement | Preventive | |
| Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Preventive | |
| Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Preventive | |
| Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Preventive | |
| Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Preventive | |
| Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Preventive | |
| Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Preventive | |
| Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Preventive | |
| Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Preventive | |
| Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Preventive | |
| Include backup and recovery procedures in the system security plan. CC ID 17043 | Monitoring and measurement | Preventive | |
| Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Preventive | |
| Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Preventive | |
| Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Preventive | |
| Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Preventive | |
| Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Preventive | |
| Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Preventive | |
| Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Preventive | |
| Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Preventive | |
| Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Preventive | |
| Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Preventive | |
| Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Preventive | |
| Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Preventive | |
| Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Preventive | |
| Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Preventive | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Monitoring and measurement | Preventive | |
| Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
| Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Preventive | |
| Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Preventive | |
| Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Preventive | |
| Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Preventive | |
| Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Preventive | |
| Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Preventive | |
| Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Preventive | |
| Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Preventive | |
| Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Preventive | |
| Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A customer may designate another person to serve as the customer's authorized agent and act on such customer's behalf, to opt out of the processing of such customer's personal data. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify the identity of the customer and the authorized agent's authority to act on the customer's behalf. § 6-48.1-6.(b)(7) {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f) {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f) {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)] | Technical security | Preventive | |
| Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Preventive | |
| Include termination procedures in the authorized representatives policy. CC ID 17226 | Technical security | Preventive | |
| Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Preventive | |
| Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Technical security | Preventive | |
| Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Preventive | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Preventive | |
| Establish, implement, and maintain a legal support program. CC ID 13710 [This chapter shall not be construed to restrict a controller's or processor's ability to: Investigate, establish, exercise, prepare for or defend legal claims; § 6-48.1-7.(o)(4) This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Human Resources management | Preventive | |
| Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
| Include physical safeguards in the information security program. CC ID 12375 [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Operational management | Preventive | |
| Include technical safeguards in the information security program. CC ID 12374 [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Operational management | Preventive | |
| Include administrative safeguards in the information security program. CC ID 12373 [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Operational management | Preventive | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [This chapter shall not be construed to restrict a controller's or processor's ability to: Comply with federal, state or municipal ordinances or regulations; § 6-48.1-7.(o)(1)] | Operational management | Preventive | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Preventive | |
| Establish, implement, and maintain the systems' integrity level. CC ID 01906 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Operational management | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
| Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Preventive | |
| Define the uses and capabilities of the Incident Management program. CC ID 00854 | Operational management | Preventive | |
| Include incident escalation procedures in the Incident Management program. CC ID 00856 | Operational management | Preventive | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Preventive | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Operational management | Preventive | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 | Operational management | Preventive | |
| Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Preventive | |
| Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Preventive | |
| Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Preventive | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Operational management | Preventive | |
| Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Operational management | Preventive | |
| Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Detective | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Preventive | |
| Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Preventive | |
| Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Preventive | |
| Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Preventive | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Detective | |
| Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Detective | |
| Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Corrective | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Preventive | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Preventive | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Preventive | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Corrective | |
| Include information required by law in incident response notifications. CC ID 00802 | Operational management | Detective | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Preventive | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Preventive | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Preventive | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Preventive | |
| Use plain language to write incident response notifications. CC ID 12976 | Operational management | Preventive | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Preventive | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Preventive | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Preventive | |
| Include time information in incident response notifications. CC ID 04745 | Operational management | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Preventive | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Preventive | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Preventive | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Preventive | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Preventive | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Preventive | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Preventive | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Preventive | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
| Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Preventive | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Preventive | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Preventive | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Detective | |
| Include contact information in incident response notifications. CC ID 04739 | Operational management | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Preventive | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Preventive | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Preventive | |
| Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Preventive | |
| Include response times in the containment strategy. CC ID 13485 | Operational management | Preventive | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Corrective | |
| Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Preventive | |
| Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Preventive | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Preventive | |
| Update the incident response procedures using the lessons learned. CC ID 01233 | Operational management | Preventive | |
| Include incident response procedures in the Incident Management program. CC ID 01218 | Operational management | Preventive | |
| Include incident management procedures in the Incident Management program. CC ID 12689 | Operational management | Preventive | |
| Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Corrective | |
| Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Preventive | |
| Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Operational management | Preventive | |
| Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Preventive | |
| Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Preventive | |
| Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Preventive | |
| Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Preventive | |
| Include emergency processing priorities in the Incident Management program. CC ID 00859 | Operational management | Preventive | |
| Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Operational management | Preventive | |
| Include incident record closure procedures in the Incident Management program. CC ID 01620 | Operational management | Preventive | |
| Include incident reporting procedures in the Incident Management program. CC ID 11772 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Operational management | Preventive | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
| Establish, implement, and maintain incident response procedures. CC ID 01206 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Operational management | Detective | |
| Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Preventive | |
| Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Preventive | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Preventive | |
| Include contact information in the privacy notice. CC ID 14432 [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller. § 6-48.1-3.(a)(3)] | Privacy protection for information and data | Preventive | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [{secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)] | Privacy protection for information and data | Preventive | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Preventive | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify all third parties to whom the controller has sold or may sell customers' personally identifiable information; and § 6-48.1-3.(a)(2)] | Privacy protection for information and data | Preventive | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify all categories of personal data that the controller collects through the website or online service about customers; § 6-48.1-3.(a)(1)] | Privacy protection for information and data | Preventive | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Preventive | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing. § 6-48.1-3.(b) A customer shall have the right to: Confirm whether or not a controller is processing the customer's personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret; § 6-48.1-5.(e)(1)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data request procedures. CC ID 16546 [{secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations of this chapter. § 6-48.1-7.(b) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)] | Privacy protection for information and data | Preventive | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Preventive | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; § 6-48.1-7.(c)(1)] | Privacy protection for information and data | Preventive | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Preventive | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)] | Privacy protection for information and data | Preventive | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)] | Privacy protection for information and data | Preventive | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)] | Privacy protection for information and data | Preventive | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)] | Privacy protection for information and data | Preventive | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Preventive | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations of this chapter, using an appropriate and accepted control standard of framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request. § 6-48.1-7.(c)(5)] | Privacy protection for information and data | Preventive | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations of this chapter; § 6-48.1-7.(c)(3) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations of this chapter, using an appropriate and accepted control standard of framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request. § 6-48.1-7.(c)(5)] | Privacy protection for information and data | Preventive | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations of this chapter. § 6-48.1-7.(b) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c) This chapter shall not be construed to restrict a controller's or processor's ability to: Assist another controller, processor or third party with any of the obligations of this chapter; or § 6-48.1-7.(o)(11)] | Privacy protection for information and data | Preventive | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; § 6-48.1-7.(c)(2)] | Privacy protection for information and data | Preventive | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [{be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Privacy protection for information and data | Preventive | |
| Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Preventive | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Preventive | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [This chapter shall not be construed to restrict a controller's or processor's ability to: Take immediate steps to protect an interest that is essential for the life or physical safety of the customer or another individual, and where the processing cannot be manifestly based on another legal basis; § 6-48.1-7.(o)(8)] | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Preventive | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Preventive | |
| Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [{refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)] | Privacy protection for information and data | Preventive | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Preventive | |
| Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Preventive | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Preventive | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Preventive | |
| Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Preventive | |
| Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Preventive | |
| Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Preventive | |
| Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Preventive | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Preventive | |
| Define opt-out exceptions for disclosing restricted data. CC ID 00159 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i) {refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Privacy protection for information and data | Preventive | |
| Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Does not use the personal data to recognize or respond to the specific customer who is the subject of the personal data, or associate the personal data with the other personal data about the same specific customer; and § 6-48.1-7.(l)(2) {refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. § 6-48.1-7.(l)(3) {time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2) A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
| Define the organization's liability based on the applicable law. CC ID 00504 [{not relieve} {personal data} Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under § 6-48.1-8. § 6-48.1-7.(d) {is not in violation} A controller or processor that discloses personal data to a processor or third-party controller shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes such personal data violates said sections; provided at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller or processor in compliance with this chapter is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data. § 6-48.1-7.(q)] | Privacy protection for information and data | Preventive | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Preventive | |
| Define the appeal process based on the applicable law. CC ID 00506 [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6) {be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)] | Privacy protection for information and data | Preventive | |
| Use documents for identification that do not appear altered or forged. CC ID 04860 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [This chapter shall not be construed to restrict a controller's or processor's ability to: Perform under a contract to which a customer is a party, including fulfilling the terms of a written warranty; § 6-48.1-7.(o)(6) This chapter shall not be construed to restrict a controller's or processor's ability to: Take steps at the request of a customer prior to entering into a contract; § 6-48.1-7.(o)(7)] | Third Party and supply chain oversight | Preventive | |
| Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Preventive | |
| Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 [Any controller in possession of de-identified data shall: Contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter. § 6-48.1-7.(j)(3)] | Third Party and supply chain oversight | Preventive | |
| Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [{is not in violation} A controller or processor that discloses personal data to a processor or third-party controller shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes such personal data violates said sections; provided at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller or processor in compliance with this chapter is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data. § 6-48.1-7.(q)] | Third Party and supply chain oversight | Detective | |
| Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Preventive | |
| Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Detective | |
| Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Detective | |
Human Resources Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Preventive | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Preventive | |
| Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Preventive | |
| Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Preventive | |
| Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Preventive | |
| Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Preventive | |
| Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Preventive | |
| Establish, implement, and maintain an ethics program. CC ID 11496 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Human Resources management | Preventive | |
| Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Human Resources management | Preventive | |
| Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources management | Preventive | |
| Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources management | Preventive | |
| Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 | Operational management | Preventive | |
| Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Corrective | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [{may not discriminate} No controller shall discriminate against a customer for exercising their customer rights. § 6-48.1-5.(b) {shall not deny} No controller shall deny goods or services, charge different prices or rates for goods or services or provide a different level of quality of goods or services to the customer if the customer opts out to use of their data. However, if a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection. § 6-48.1-5.(c)] | Privacy protection for information and data | Preventive | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and § 6-48.1-7.(c)(4)] | Privacy protection for information and data | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Investigate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Corrective | |
| Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Detective | |
| Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Human Resources management | Preventive | |
| Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Detective | |
| Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Detective | |
| Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Detective | |
| Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Preventive | |
| Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Detective | |
| Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Detective | |
| Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Detective | |
| Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Detective | |
| Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Detective | |
Log Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Detective | |
| Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Corrective | |
| Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective | |
| Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Preventive | |
| Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Preventive | |
| Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Corrective | |
| Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Preventive | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Preventive | |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 | Monitoring and measurement | Detective | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 6-48.1-7.(n)] | Monitoring and measurement | Detective | |
| Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Preventive | |
| Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Human Resources management | Preventive | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Corrective | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Detective | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Detective | |
| Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Detective | |
| Escalate incidents, as necessary. CC ID 14861 | Operational management | Corrective | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Corrective | |
| Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Detective | |
| Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Preventive | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Corrective | |
| Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Preventive | |
| Correct compliance violations. CC ID 13515 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 6-48.1-7.(n)] | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [A controller shall conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a customer. For the purposes of this section, processing that presents a heightened risk of harm to a customer includes: § 6-48.1-7.(e) {be similar} A single data protection assessment may address a comparable set of processing operations that include similar activities. § 6-48.1-7.(g) {be similar} If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if such data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section. § 6-48.1-7.(h)] | Audits and risk management | Preventive | |
| Determine the cost of the incident when assessing security incidents. CC ID 17188 | Operational management | Detective | |
| Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 | Operational management | Detective | |
| Determine the duration of the incident when assessing security incidents. CC ID 17181 | Operational management | Detective | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Corrective | |
| Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Corrective | |
| Contain the incident to prevent further loss. CC ID 01751 | Operational management | Corrective | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive | |
| Conduct incident investigations, as necessary. CC ID 13826 | Operational management | Detective | |
| Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Preventive | |
| Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Preventive | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Preventive | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 6-48.1-7.(l)(1)] | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Preventive | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Preventive | |
| Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Preventive | |
| Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Preventive | |
| Interview appropriate parties to validate consumer information. CC ID 16902 | Privacy protection for information and data | Preventive | |
| Use contact methods specified by the consumer for identity verification. CC ID 16878 | Privacy protection for information and data | Preventive | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Detective | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Detective | |
Records Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain incident management audit logs. CC ID 13514 | Operational management | Preventive | |
| Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Corrective | |
| Refrain from processing restricted data, as necessary. CC ID 12551 | Privacy protection for information and data | Preventive | |
| Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Preventive | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A customer shall have the right to: Correct inaccuracies in the customer's personal data and delete personal data provided by, or obtained about, the customer, taking into account the nature of the personal data and the purposes of the processing of the customer's personal data; § 6-48.1-5.(e)(2)] | Privacy protection for information and data | Preventive | |
Systems Design, Build, and Implementation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Preventive | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Control access rights to organizational assets. CC ID 00004 | Technical security | Preventive | |
| Categorize the incident following an incident response. CC ID 13208 | Operational management | Preventive | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Corrective | |
| Refrain from accessing compromised systems. CC ID 01752 | Operational management | Corrective | |
| Isolate compromised systems from the network. CC ID 01753 | Operational management | Corrective | |
| Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Corrective | |
| Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Corrective | |
| Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Corrective | |
| Integrate configuration management procedures into the incident management program. CC ID 13647 | Operational management | Preventive | |
| Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Corrective | |
| Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Corrective | |
| Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Corrective | |
| Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 | Privacy protection for information and data | Preventive | |
| Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Preventive | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a system security plan. CC ID 01922 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Monitoring and measurement | Preventive | |
| Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Detective | |
| Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Detective | |
| Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Detective | |
| Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Preventive | |
| Assess all incidents to determine what information was accessed. CC ID 01226 | Operational management | Corrective | |
| Test incident monitoring procedures. CC ID 13194 | Operational management | Detective | |
| Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Detective | |
| Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 | Privacy protection for information and data | Detective | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Process or Activity | |
| Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Investigate | |
| Correct compliance violations. CC ID 13515 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 6-48.1-7.(n)] | Monitoring and measurement | Process or Activity | |
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Monitoring and measurement | Behavior | |
| Respond to ethics complaints of ethics violations. CC ID 11497 | Human Resources management | Business Processes | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Monitor and Evaluate Occurrences | |
| Escalate incidents, as necessary. CC ID 14861 | Operational management | Monitor and Evaluate Occurrences | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Process or Activity | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Behavior | |
| Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Process or Activity | |
| Contain the incident to prevent further loss. CC ID 01751 | Operational management | Process or Activity | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Technical Security | |
| Refrain from accessing compromised systems. CC ID 01752 | Operational management | Technical Security | |
| Isolate compromised systems from the network. CC ID 01753 | Operational management | Technical Security | |
| Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Log Management | |
| Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Technical Security | |
| Assess all incidents to determine what information was accessed. CC ID 01226 | Operational management | Testing | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Monitor and Evaluate Occurrences | |
| Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Data and Information Management | |
| Share data loss event information with the media. CC ID 01759 | Operational management | Behavior | |
| Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Establish/Maintain Documentation | |
| Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Data and Information Management | |
| Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Behavior | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Behavior | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Establish/Maintain Documentation | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Behavior | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Behavior | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Behavior | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Behavior | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Behavior | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Behavior | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Establish/Maintain Documentation | |
| Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Technical Security | |
| Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Business Processes | |
| Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Human Resources Management | |
| Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Technical Security | |
| Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Establish/Maintain Documentation | |
| Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Log Management | |
| Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Technical Security | |
| Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Technical Security | |
| Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Technical Security | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Records Management | |
| Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Communicate | |
| Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Communicate | |
| Change or destroy any personal data that is incorrect. CC ID 00462 [A customer shall have the right to: Correct inaccuracies in the customer's personal data and delete personal data provided by, or obtained about, the customer, taking into account the nature of the personal data and the purposes of the processing of the customer's personal data; § 6-48.1-5.(e)(2)] | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Behavior | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Data and Information Management | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 [This chapter shall not be construed to restrict a controller's or processor's ability to: Comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state, municipal or other governmental authorities; § 6-48.1-7.(o)(2) This chapter shall not be construed to restrict a controller's or processor's ability to: Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or municipal ordinances or regulations; § 6-48.1-7.(o)(3)] | Privacy protection for information and data | Business Processes | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Log Management | |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Testing | |
| Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Testing | |
| Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Testing | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. § 6-48.1-7.(n)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Business Processes | |
| Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Investigate | |
| Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Investigate | |
| Provide security inspectors access to personnel files during site reviews. CC ID 12300 | Human Resources management | Audits and Risk Management | |
| Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Business Processes | |
| Determine the cost of the incident when assessing security incidents. CC ID 17188 | Operational management | Process or Activity | |
| Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 | Operational management | Process or Activity | |
| Determine the duration of the incident when assessing security incidents. CC ID 17181 | Operational management | Process or Activity | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Monitor and Evaluate Occurrences | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Monitor and Evaluate Occurrences | |
| Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Investigate | |
| Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Monitor and Evaluate Occurrences | |
| Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Establish/Maintain Documentation | |
| Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Investigate | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Establish/Maintain Documentation | |
| Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Establish/Maintain Documentation | |
| Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Investigate | |
| Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Behavior | |
| Avoid false positive incident response notifications. CC ID 04732 | Operational management | Behavior | |
| Include information required by law in incident response notifications. CC ID 00802 | Operational management | Establish/Maintain Documentation | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Establish/Maintain Documentation | |
| Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Monitor and Evaluate Occurrences | |
| Test incident monitoring procedures. CC ID 13194 | Operational management | Testing | |
| Conduct incident investigations, as necessary. CC ID 13826 | Operational management | Process or Activity | |
| Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Investigate | |
| Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Investigate | |
| Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Investigate | |
| Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Investigate | |
| Establish, implement, and maintain incident response procedures. CC ID 01206 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Operational management | Establish/Maintain Documentation | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)] | Privacy protection for information and data | Behavior | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Behavior | |
| Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Investigate | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Data and Information Management | |
| Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Behavior | |
| Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Testing | |
| Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 | Privacy protection for information and data | Testing | |
| Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 | Privacy protection for information and data | Data and Information Management | |
| Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 | Privacy protection for information and data | Behavior | |
| Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 | Privacy protection for information and data | Data and Information Management | |
| Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 | Privacy protection for information and data | Business Processes | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Process or Activity | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Process or Activity | |
| Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 [{is not in violation} A controller or processor that discloses personal data to a processor or third-party controller shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes such personal data violates said sections; provided at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller or processor in compliance with this chapter is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data. § 6-48.1-7.(q)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption. § 6-48.1-7.(t)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain an Identity Theft Prevention Program. CC ID 11634 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Monitoring and measurement | Audits and Risk Management | |
| Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 | Monitoring and measurement | Establish/Maintain Documentation | |
| Implement a fraud detection system. CC ID 13081 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a system security plan. CC ID 01922 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Monitoring and measurement | Testing | |
| Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include backup and recovery procedures in the system security plan. CC ID 17043 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Communicate | |
| Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Establish/Maintain Documentation | |
| Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Process or Activity | |
| Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Establish/Maintain Documentation | |
| Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Establish/Maintain Documentation | |
| Approve the system security plan. CC ID 14241 | Monitoring and measurement | Business Processes | |
| Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Establish/Maintain Documentation | |
| Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Establish/Maintain Documentation | |
| Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Testing | |
| Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
| Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Human Resources Management | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Establish/Maintain Documentation | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Monitoring and measurement | Establish/Maintain Documentation | |
| Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Establish/Maintain Documentation | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Human Resources Management | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Communicate | |
| Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [A controller shall conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a customer. For the purposes of this section, processing that presents a heightened risk of harm to a customer includes: § 6-48.1-7.(e) {be similar} A single data protection assessment may address a comparable set of processing operations that include similar activities. § 6-48.1-7.(g) {be similar} If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if such data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section. § 6-48.1-7.(h)] | Audits and risk management | Process or Activity | |
| Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Establish/Maintain Documentation | |
| Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Establish/Maintain Documentation | |
| Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation | |
| Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Establish/Maintain Documentation | |
| Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 [{make available} The attorney general may require a controller to disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available. The attorney general may evaluate the data protection assessment for compliance with responsibilities of this chapter. Data protection assessments shall be confidential and shall be exempt from disclosure pursuant to chapter 2 of title 38 ("access to public records"). To the extent any information contained in a data protection assessment disclosed to the attorney general includes information subject to attorney-client privilege or work product protection, such disclosure shall not constitute a waiver of such privilege or protection. § 6-48.1-7.(f)] | Audits and risk management | Communicate | |
| Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation | |
| Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Establish/Maintain Documentation | |
| Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A customer may designate another person to serve as the customer's authorized agent and act on such customer's behalf, to opt out of the processing of such customer's personal data. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify the identity of the customer and the authorized agent's authority to act on the customer's behalf. § 6-48.1-6.(b)(7) {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f) {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f) {secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)] | Technical security | Establish/Maintain Documentation | |
| Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Establish/Maintain Documentation | |
| Include termination procedures in the authorized representatives policy. CC ID 17226 | Technical security | Establish/Maintain Documentation | |
| Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Establish/Maintain Documentation | |
| Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Technical security | Establish/Maintain Documentation | |
| Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Establish/Maintain Documentation | |
| Control access rights to organizational assets. CC ID 00004 | Technical security | Technical Security | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Establish Roles | |
| Enforce access restrictions for restricted data. CC ID 01921 [The rights afforded under this section, and inclusive of § 6-48.1-5(f) shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the customer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 6-48.1-7.(m)] | Technical security | Data and Information Management | |
| Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Human Resources Management | |
| Identify and define all critical roles. CC ID 00777 | Human Resources management | Establish Roles | |
| Define and assign the data controller's roles and responsibilities. CC ID 00471 [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: § 6-48.1-3.(a)] | Human Resources management | Establish Roles | |
| Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Human Resources Management | |
| Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Human Resources Management | |
| Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Human Resources Management | |
| Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Establish Roles | |
| Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Human Resources Management | |
| Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Establish Roles | |
| Establish, implement, and maintain a legal support program. CC ID 13710 [This chapter shall not be construed to restrict a controller's or processor's ability to: Investigate, establish, exercise, prepare for or defend legal claims; § 6-48.1-7.(o)(4) This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an ethics program. CC ID 11496 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Human Resources management | Human Resources Management | |
| Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Human Resources management | Communicate | |
| Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Human Resources management | Behavior | |
| Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Human Resources management | Investigate | |
| Establish, implement, and maintain an ethical culture. CC ID 12781 | Human Resources management | Behavior | |
| Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Monitor and Evaluate Occurrences | |
| Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Human Resources management | Monitor and Evaluate Occurrences | |
| Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Business Processes | |
| Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Human Resources management | Business Processes | |
| Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Communicate | |
| Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Establish/Maintain Documentation | |
| Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 | Human Resources management | Behavior | |
| Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Human Resources management | Behavior | |
| Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Human Resources management | Behavior | |
| Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Human Resources management | Human Resources Management | |
| Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources management | Human Resources Management | |
| Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources management | Human Resources Management | |
| Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Establish Roles | |
| Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Behavior | |
| Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Behavior | |
| Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Behavior | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
| Include physical safeguards in the information security program. CC ID 12375 [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Operational management | Establish/Maintain Documentation | |
| Include technical safeguards in the information security program. CC ID 12374 [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Operational management | Establish/Maintain Documentation | |
| Include administrative safeguards in the information security program. CC ID 12373 [{administrative data security practice} {technical data security practice} The controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. § 6-48.1-4.(b) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Operational management | Establish/Maintain Documentation | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [This chapter shall not be construed to restrict a controller's or processor's ability to: Comply with federal, state or municipal ordinances or regulations; § 6-48.1-7.(o)(1)] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Business Processes | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Establish/Maintain Documentation | |
| Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain the systems' integrity level. CC ID 01906 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Operational management | Business Processes | |
| Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the incident management policy to interested personnel and affected parties. CC ID 16885 | Operational management | Communicate | |
| Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 | Operational management | Human Resources Management | |
| Define the uses and capabilities of the Incident Management program. CC ID 00854 | Operational management | Establish/Maintain Documentation | |
| Include incident escalation procedures in the Incident Management program. CC ID 00856 | Operational management | Establish/Maintain Documentation | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Establish/Maintain Documentation | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Operational management | Establish/Maintain Documentation | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 | Operational management | Establish/Maintain Documentation | |
| Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Establish/Maintain Documentation | |
| Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Establish/Maintain Documentation | |
| Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Establish/Maintain Documentation | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Operational management | Establish/Maintain Documentation | |
| Categorize the incident following an incident response. CC ID 13208 | Operational management | Technical Security | |
| Define and document the criteria to be used in categorizing incidents. CC ID 10033 | Operational management | Establish/Maintain Documentation | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Establish/Maintain Documentation | |
| Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Establish/Maintain Documentation | |
| Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Establish/Maintain Documentation | |
| Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Establish/Maintain Documentation | |
| Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Data and Information Management | |
| Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Data and Information Management | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
| Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Business Processes | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Establish/Maintain Documentation | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Establish/Maintain Documentation | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Establish/Maintain Documentation | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Establish/Maintain Documentation | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Establish/Maintain Documentation | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Establish/Maintain Documentation | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Establish/Maintain Documentation | |
| Use plain language to write incident response notifications. CC ID 12976 | Operational management | Establish/Maintain Documentation | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Establish/Maintain Documentation | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Establish/Maintain Documentation | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Establish/Maintain Documentation | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Establish/Maintain Documentation | |
| Include time information in incident response notifications. CC ID 04745 | Operational management | Establish/Maintain Documentation | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Establish/Maintain Documentation | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Establish/Maintain Documentation | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Establish/Maintain Documentation | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Establish/Maintain Documentation | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Establish/Maintain Documentation | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Establish/Maintain Documentation | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Establish/Maintain Documentation | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Establish/Maintain Documentation | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Establish/Maintain Documentation | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
| Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Establish/Maintain Documentation | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Establish/Maintain Documentation | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Establish/Maintain Documentation | |
| Include contact information in incident response notifications. CC ID 04739 | Operational management | Establish/Maintain Documentation | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Behavior | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Establish/Maintain Documentation | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Establish/Maintain Documentation | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Behavior | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Behavior | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Establish/Maintain Documentation | |
| Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Establish/Maintain Documentation | |
| Include response times in the containment strategy. CC ID 13485 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Establish/Maintain Documentation | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Data and Information Management | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Data and Information Management | |
| Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Establish/Maintain Documentation | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Establish/Maintain Documentation | |
| Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 | Operational management | Monitor and Evaluate Occurrences | |
| Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Investigate | |
| Update the incident response procedures using the lessons learned. CC ID 01233 | Operational management | Establish/Maintain Documentation | |
| Include incident response procedures in the Incident Management program. CC ID 01218 | Operational management | Establish/Maintain Documentation | |
| Integrate configuration management procedures into the incident management program. CC ID 13647 | Operational management | Technical Security | |
| Include incident management procedures in the Incident Management program. CC ID 12689 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Establish/Maintain Documentation | |
| Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Establish/Maintain Documentation | |
| Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Establish/Maintain Documentation | |
| Destroy investigative materials, as necessary. CC ID 17082 | Operational management | Data and Information Management | |
| Establish, implement, and maintain incident management audit logs. CC ID 13514 | Operational management | Records Management | |
| Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Establish/Maintain Documentation | |
| Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Log Management | |
| Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Log Management | |
| Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Establish/Maintain Documentation | |
| Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Log Management | |
| Include emergency processing priorities in the Incident Management program. CC ID 00859 | Operational management | Establish/Maintain Documentation | |
| Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Operational management | Establish/Maintain Documentation | |
| Include incident record closure procedures in the Incident Management program. CC ID 01620 | Operational management | Establish/Maintain Documentation | |
| Include incident reporting procedures in the Incident Management program. CC ID 11772 [This chapter shall not be construed to restrict a controller's or processor's ability to: Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; § 6-48.1-7.(o)(9)] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Operational management | Communicate | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
| Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Establish/Maintain Documentation | |
| Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Establish/Maintain Documentation | |
| Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
| Refrain from providing products and services, as necessary. CC ID 15580 [{shall not deny} No controller shall deny goods or services, charge different prices or rates for goods or services or provide a different level of quality of goods or services to the customer if the customer opts out to use of their data. However, if a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection. § 6-48.1-5.(c)] | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Data and Information Management | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include contact information in the privacy notice. CC ID 14432 [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller. § 6-48.1-3.(a)(3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 [{secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify all third parties to whom the controller has sold or may sell customers' personally identifiable information; and § 6-48.1-3.(a)(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 [Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or Internet service provider collects, stores and sells customers' personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted: Identify all categories of personal data that the controller collects through the website or online service about customers; § 6-48.1-3.(a)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 6-48.1-7.(l)(1)] | Privacy protection for information and data | Communicate | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [A customer shall have the right to: Confirm whether or not a controller is processing the customer's personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret; § 6-48.1-5.(e)(1)] | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Business Processes | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Business Processes | |
| Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing. § 6-48.1-3.(b) A customer shall have the right to: Confirm whether or not a controller is processing the customer's personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret; § 6-48.1-5.(e)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data request procedures. CC ID 16546 [{secure method} A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller's privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child's behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer's behalf. § 6-48.1-5.(f)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 [{may not discriminate} No controller shall discriminate against a customer for exercising their customer rights. § 6-48.1-5.(b) {shall not deny} No controller shall deny goods or services, charge different prices or rates for goods or services or provide a different level of quality of goods or services to the customer if the customer opts out to use of their data. However, if a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection. § 6-48.1-5.(c)] | Privacy protection for information and data | Human Resources Management | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 [{be different} {free of charge} Controllers may provide different prices and levels for goods and services if it is for a bona fide loyalty, rewards, premium features, discount or club card programs that customers voluntarily participate. § 6-48.1-5.(d)] | Privacy protection for information and data | Business Processes | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Business Processes | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e) A customer shall have the right to: Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer. § 6-48.1-5.(e)(4)] | Privacy protection for information and data | Data and Information Management | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Business Processes | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Business Processes | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 | Privacy protection for information and data | Technical Security | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e) The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation. § 6-48.1-4.(e) {opt out} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Opting the customer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of this chapter. § 6-48.1-6.(b)(5)(ii) A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A customer may designate another person to serve as the customer's authorized agent and act on such customer's behalf, to opt out of the processing of such customer's personal data. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify the identity of the customer and the authorized agent's authority to act on the customer's behalf. § 6-48.1-6.(b)(7)] | Privacy protection for information and data | Business Processes | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)] | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
| Cooperate with Data Protection Authorities. CC ID 06870 [{scientific research} This chapter shall not be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; § 6-48.1-7.(o)(10)] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations of this chapter. § 6-48.1-7.(b) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; § 6-48.1-7.(c)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 [A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations of this chapter, using an appropriate and accepted control standard of framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request. § 6-48.1-7.(c)(5)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations of this chapter; § 6-48.1-7.(c)(3) {data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations of this chapter, using an appropriate and accepted control standard of framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request. § 6-48.1-7.(c)(5)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations of this chapter. § 6-48.1-7.(b) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: § 6-48.1-7.(c) This chapter shall not be construed to restrict a controller's or processor's ability to: Assist another controller, processor or third party with any of the obligations of this chapter; or § 6-48.1-7.(o)(11)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and § 6-48.1-7.(c)(4)] | Privacy protection for information and data | Human Resources Management | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 [{data processing contract} A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; § 6-48.1-7.(c)(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [{be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Data and Information Management | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of the collection purpose. CC ID 00095 | Privacy protection for information and data | Behavior | |
| Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Data and Information Management | |
| Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Privacy protection for information and data | Behavior | |
| Notify the data subject of changes to personal data use. CC ID 00105 | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 [This chapter shall not be construed to restrict a controller's or processor's ability to: Take immediate steps to protect an interest that is essential for the life or physical safety of the customer or another individual, and where the processing cannot be manifestly based on another legal basis; § 6-48.1-7.(o)(8)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain the data subject's consent when the personal data use changes. CC ID 11832 | Privacy protection for information and data | Behavior | |
| Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Dispose of media and restricted data in a timely manner. CC ID 00125 | Privacy protection for information and data | Data and Information Management | |
| Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Records Management | |
| Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [{refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Process or Activity | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Data and Information Management | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Data and Information Management | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Data and Information Management | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Data and Information Management | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Data and Information Management | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Business Processes | |
| Respond to data access requests in a timely manner. CC ID 00421 [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)] | Privacy protection for information and data | Behavior | |
| Respond to data access requests in an official language. CC ID 17176 | Privacy protection for information and data | Communicate | |
| Delay responding to data access requests, as necessary. CC ID 15504 [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)] | Privacy protection for information and data | Data and Information Management | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Data and Information Management | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Business Processes | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Process or Activity | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Data and Information Management | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Records Management | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Process or Activity | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)] | Privacy protection for information and data | Behavior | |
| Refrain from processing restricted data, as necessary. CC ID 12551 | Privacy protection for information and data | Records Management | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; § 6-48.1-7.(l)(1)] | Privacy protection for information and data | Process or Activity | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 [The controller shall not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against customers. § 6-48.1-4.(d)] | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Process or Activity | |
| Process restricted data lawfully and carefully. CC ID 00086 [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)] | Privacy protection for information and data | Establish Roles | |
| Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Technical Security | |
| Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Data and Information Management | |
| Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Records Management | |
| Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Data and Information Management | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Records Management | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Process or Activity | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Records Management | |
| Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Data and Information Management | |
| Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Data and Information Management | |
| Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 | Privacy protection for information and data | Business Processes | |
| Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Data and Information Management | |
| Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Data and Information Management | |
| Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 | Privacy protection for information and data | Business Processes | |
| Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 | Privacy protection for information and data | Business Processes | |
| Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Data and Information Management | |
| Process personal data after the data subject has granted explicit consent. CC ID 00180 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Privacy protection for information and data | Data and Information Management | |
| Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Data and Information Management | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: Subject to suitable and specific measures to safeguard the rights of the customer whose personal data is being processed, and § 6-48.1-7.(o)(12)(i) This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: Under the responsibility of a professional subject to confidentiality obligations under federal, state or local law. § 6-48.1-7.(o)(12)(ii) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4) {refrain from adversely affecting} Nothing in this chapter shall be construed to: Impose any obligation on a controller or processor that adversely affects the rights or freedoms of any person, including, but not limited to, the rights of any person to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution; or § 6-48.1-7.(r)(1)] | Privacy protection for information and data | Data and Information Management | |
| Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Data and Information Management | |
| Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Business Processes | |
| Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for debt collection or benefit payments. CC ID 00190 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to advance the public interest. CC ID 00191 [This chapter shall not be construed to restrict a controller's or processor's ability to: Process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is: § 6-48.1-7.(o)(12)] | Privacy protection for information and data | Data and Information Management | |
| Process personal data for surveys, archives, or scientific research. CC ID 00192 [{scientific research} This chapter shall not be construed to restrict a controller's or processor's ability to: Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; § 6-48.1-7.(o)(10) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1)] | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Data and Information Management | |
| Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Data and Information Management | |
| Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Data and Information Management | |
| Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Data and Information Management | |
| Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Data and Information Management | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define opt-out exceptions for disclosing restricted data. CC ID 00159 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i) {refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Capture personal data removal requests. CC ID 13507 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i)] | Privacy protection for information and data | Communicate | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A customer shall have the right to: Correct inaccuracies in the customer's personal data and delete personal data provided by, or obtained about, the customer, taking into account the nature of the personal data and the purposes of the processing of the customer's personal data; § 6-48.1-5.(e)(2)] | Privacy protection for information and data | Records Management | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Process or Activity | |
| Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)] | Privacy protection for information and data | Data and Information Management | |
| Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 [The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter. § 6-48.1-4.(c)] | Privacy protection for information and data | Data and Information Management | |
| Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Data and Information Management | |
| Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Data and Information Management | |
| Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Behavior | |
| Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Data and Information Management | |
| Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Data and Information Management | |
| Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Data and Information Management | |
| Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Data and Information Management | |
| Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Data and Information Management | |
| Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Data and Information Management | |
| Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 [{refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Does not use the personal data to recognize or respond to the specific customer who is the subject of the personal data, or associate the personal data with the other personal data about the same specific customer; and § 6-48.1-7.(l)(2) {refrain from requiring} Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller: Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section. § 6-48.1-7.(l)(3) {time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2) A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)] | Privacy protection for information and data | Data and Information Management | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)] | Privacy protection for information and data | Data and Information Management | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Data and Information Management | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Process or Activity | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Data and Information Management | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Data and Information Management | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Data and Information Management | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Data and Information Management | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [{time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2) {vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)] | Privacy protection for information and data | Data and Information Management | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Communicate | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Data and Information Management | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Process or Activity | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Privacy protection for information and data | Data and Information Management | |
| Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Data and Information Management | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 [{opt out request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer's requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension. § 6-48.1-6.(b)(1)] | Privacy protection for information and data | Communicate | |
| Provide data at a cost that is not excessive. CC ID 00430 [{vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3) {vexatious request} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve (12) month period. If requests from a customer are manifestly unfounded, excessive or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. § 6-48.1-6.(b)(3)] | Privacy protection for information and data | Data and Information Management | |
| Provide records or data in a reasonable manner. CC ID 00431 [A customer shall have the right to: Obtain a copy of the customer's personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the customer to transmit the data to another controller without undue delay, where the processing is carried out by automated means; provided such controller shall not be required to reveal any trade secret; and § 6-48.1-5.(e)(3)] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from collecting personal data, as necessary. CC ID 15269 [{refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Use personal data for specified purposes. CC ID 11831 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer's request to delete such data by doing the following: Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or § 6-48.1-6.(b)(5)(i) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Conduct internal research to develop, improve or repair products, services or technology; § 6-48.1-7.(p)(1) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Effectuate a product recall; § 6-48.1-7.(p)(2) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Identify and repair technical errors that impair existing or intended functionality; or § 6-48.1-7.(p)(3) The obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to: Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party. § 6-48.1-7.(p)(4) {be necessary} {be proportionate} {be adequate} {be relevant} {administrative measure} {technical measure} Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use or retention of personal data. § 6-48.1-7.(s)] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [Any controller in possession of de-identified data shall: Take reasonable measures to ensure that the data cannot be associated with an individual; § 6-48.1-7.(j)(1) Any controller in possession of de-identified data shall: Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and § 6-48.1-7.(j)(2) {refrain from requiring} Nothing in this chapter shall be construed to: Require a controller or processor to re-identify de-identified data or pseudonymous data; or § 6-48.1-7.(k)(1) {refrain from requiring} Nothing in this chapter shall be construed to: Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated customer request with personal data. § 6-48.1-7.(k)(2)] | Privacy protection for information and data | Data and Information Management | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Data and Information Management | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 [The rights afforded under this section, and inclusive of § 6-48.1-5(f) shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the customer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. § 6-48.1-7.(m)] | Privacy protection for information and data | Data and Information Management | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Data and Information Management | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Data and Information Management | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Data and Information Management | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)] | Privacy protection for information and data | Behavior | |
| Define the organization's liability based on the applicable law. CC ID 00504 [{not relieve} {personal data} Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under § 6-48.1-8. § 6-48.1-7.(d) {is not in violation} A controller or processor that discloses personal data to a processor or third-party controller shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes such personal data violates said sections; provided at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller or processor in compliance with this chapter is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data. § 6-48.1-7.(q)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the appeal process based on the applicable law. CC ID 00506 [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6) {be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Process or Activity | |
| Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Process or Activity | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 [{time requirement} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller declines to act regarding the customer's request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision. § 6-48.1-6.(b)(2)] | Privacy protection for information and data | Communicate | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 [{be conspicuous} {be available} {be similar} A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: A controller shall establish a process for a customer to appeal the controller's refusal to take action on a request within a reasonable period of time after the customer's receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general. § 6-48.1-6.(b)(6)] | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [A controller shall comply with a request by a customer to exercise the customer rights authorized as follows: If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request. § 6-48.1-6.(b)(4)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Check the accuracy of restricted data. CC ID 00088 | Privacy protection for information and data | Data and Information Management | |
| Check the data accuracy of new accounts. CC ID 04859 | Privacy protection for information and data | Data and Information Management | |
| Use documents for identification that do not appear altered or forged. CC ID 04860 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 | Privacy protection for information and data | Data and Information Management | |
| Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 | Privacy protection for information and data | Data and Information Management | |
| Correlate the applicant's social security number with their date of birth. CC ID 04864 | Privacy protection for information and data | Data and Information Management | |
| Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 | Privacy protection for information and data | Data and Information Management | |
| Compare the applicant's personal data against known fraudulent activities. CC ID 04865 | Privacy protection for information and data | Data and Information Management | |
| Compare the applicant's address against known suspicious addresses. CC ID 04866 | Privacy protection for information and data | Data and Information Management | |
| Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 | Privacy protection for information and data | Data and Information Management | |
| Provide additional personal data when the application is incomplete. CC ID 04869 | Privacy protection for information and data | Data and Information Management | |
| Interview appropriate parties to validate consumer information. CC ID 16902 | Privacy protection for information and data | Process or Activity | |
| Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 | Privacy protection for information and data | Business Processes | |
| Use contact methods specified by the consumer for identity verification. CC ID 16878 | Privacy protection for information and data | Process or Activity | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [This chapter shall not be construed to restrict a controller's or processor's ability to: Perform under a contract to which a customer is a party, including fulfilling the terms of a written warranty; § 6-48.1-7.(o)(6) This chapter shall not be construed to restrict a controller's or processor's ability to: Take steps at the request of a customer prior to entering into a contract; § 6-48.1-7.(o)(7)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 [Any controller in possession of de-identified data shall: Contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter. § 6-48.1-7.(j)(3)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |
| Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Communicate | |
| Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Third Party and supply chain oversight | Business Processes | |
| Provide products or services per customer requests. CC ID 08893 [This chapter shall not be construed to restrict a controller's or processor's ability to: Provide a product or service specifically requested by a customer; § 6-48.1-7.(o)(5)] | Third Party and supply chain oversight | Business Processes | |