ASC X9 Issues New Data Protection and Breach Notification Standard
A Major Milestone in Efforts to Protect Vulnerable Information
ANNAPOLIS, Md. – Nov. 18, 2021
The Accredited Standards Committee X9 Inc. (X9) has published a new standard, “Financial and Personal Data Protection and Breach Notification.” X9.141 is a two-part document addressing both the “before” data protection and the “after” breach notification. Significantly, the standard complements and expands upon important National Institute of Standards and Technology (NIST) material, and it covers all sensitive data, both financial and non-financial. Both parts are available for download, separately or together.
Data security breaches continue to put millions of consumers, as well as businesses, their employees and other stakeholders, at risk. Protecting internal business and consumer information is a shared responsibility for all parties involved, including legacy and cloud service providers, organizations that store, transmit or process sensitive information, financial institutions, business employees and individual consumers.
The new standard clearly defines requirements for data protection and breach notification for the financial services industry. It is also applicable to all organizations, in any industry, that handle sensitive personal information, and its adoption will be a solid step toward building robust defenses against both sophisticated cyber-criminals and everyday data thieves.
“A highlight of X9.141 is that it is aligned with the business information security controls contained in the NIST Cybersecurity and Privacy Frameworks,” said X9 Executive Director Steve Stevens. “This outcome greatly facilitates an organization’s compliance efforts. Together with the NIST documents, X9.141 lays out a clear path for a business to follow in addressing its data protection needs.”
X9.141 “Part 1: Data Protection” provides requirements and recommendations for the protection of data in the financial services industry. It is based on a special NIST publication, which was chosen for compatibility with prevailing security and privacy assessments within other industries. It also cross-references certain other NIST, International Organization for Standardization (ISO) and X9 standards.
X9.141 “Part 2: Breach Notification” builds on Part 1 and takes into account U.S. federal and state privacy laws. It offers a consistent breach notification process to protect and inform consumers and other stakeholders nationwide, including requirements and comprehensive recommendations.
“A clear need for a data protection and breach notification standard has been recognized for years by major industry groups. In a joint letter to Congress in 2017, seven organizations called for one strong national standard for all personal data, whether financial or non-financial in nature, eliminating the current inconsistent patchwork of laws. X9.141 is the realization of that goal,” said Alan Thiemann, an attorney and partner with Han Santos, PLLC and general counsel for Conexxus.
Thiemann further stated, “It is critical that a business, whether a financial institution or any other industry entity, be able to focus its compliance resources on a single uniform standard for protecting all personal data, from consumer/payment data to personal information of employees, job applicants, vendors or suppliers.”
About the Accredited Standards Committee X9 Inc.
The Accredited Standards Committee X9 Inc. is a non-profit organization accredited by the American National Standards Institute (ANSI) to develop and maintain national and, through ISO, international standards for the financial services industry. The subjects of X9’s standards include: retail, mobile and business payments; corporate treasury functions; blockchain technology; processing of electronic legal orders issued to financial institutions; tracking of financial transactions and instruments; financial transaction messaging (ISO 8583 and ISO 20022); quantum computing; PKI; checks; cloud; data breach notification and more.
X9 acts as the U.S. Technical Advisory Group (TAG) for ISO TC68 (Financial), TC321 (E-Commerce) and TC322 (Sustainable Finance) and performs the secretariat functions for ISO TC68. Please visit our website (www.x9.org) for more information.