Protecting your personal information

What concerns would you have if your medical information somehow reached your employer, or your financial records were retrieved from a dumpster? I suspect most people would be really upset.

In this digital age, when data can be moved around so easily, the need to protect our own personal data has never been more important. Yet several times a week each of us completes a form or enters information into a web site to register for something, sharing some of this data and moving it outside our own control.

So what assurance do we have that the company with which we have shared some of our most sensitive data will protect it as well as we would like? At present it comes down to basic trust, which is simply not good enough. Bermuda lags behind many other countries in personal data protection laws that require a company to protect your data; other jurisdictions have had such legislation in place for many years.

In the United States, for instance, a number of laws address the protection of personal data, including:

- State legislation covering "Personally Identifiable Information" (PII), which requires that data about a person held by a company be given an appropriate level of protection. Such data include full name, a national identifying number, address and fingerprints.
- The Health Insurance Portability and Accountability Act (HIPAA), which imposes very strict requirements on how protected health information is to be handled and secured.
- The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, which, while broad in scope, includes strict privacy requirements for non-public personal financial data.

The credit card industry is somewhat different. Several years ago, in a successful strategy to fend off federal legislation, the card brands (Mastercard, Visa, American Express, Discover and others) joined forces to develop a security standard for the handling of cardholder data. That standard, the Payment Card Industry Data Security Standard (PCI DSS), is enforced worldwide through the card brands' contracts with merchants and their acquiring banks rather than by statute. Failure to comply can result in a company being unable to accept credit cards for payment.

The EU has had the Data Protection Directive (95/46/EC) in place since 1995, and it is comprehensive in the regime it imposes for the protection of personal data. Its eight principles require that:

- the individual be notified that data are being collected;
- the data be used only for the purpose stated;
- only the data actually required be collected;
- the data be accurate;
- the data be retained for the minimum period necessary;
- the data be processed in accordance with the rights of the data subject;
- appropriate security controls be applied to protect the data.

The eighth principle is that the data may not be transferred outside the EU unless the destination jurisdiction has been recognised by the EU as providing an adequate level of protection, or other EU-approved safeguards are in place. It is this principle that causes problems for multinational companies that need to consolidate personal data across their many locations, and it is the principle most relevant to Bermuda, since companies here regularly receive data from EU entities.

Apart from a simple desire for privacy, the threat of identity theft is real: it may not be that difficult for a perpetrator to gather enough personal information to "become you". While some companies do not need legislation to motivate them to implement the necessary security controls, others, facing a tough economy and pressure to cut expenses, may not implement controls unless legally required to do so.

I expect that at some point in the next 24 months Bermuda's own form of personal data protection legislation will be proposed. It is likely to look similar to the EU regime, because the ability to exchange data with entities in the EU will require it to be so. Whenever it is proposed, it is important that individuals and companies participate in the consultation process, to ensure that the correct balance is struck between the right of an individual to the protection of personal information and the ability of a company to provide that protection practically and economically.

Ronnie Viera, CISSP, CISM, CISA

Disclaimer: Views and comments expressed are personal and do not necessarily represent those of Mr Viera's employer.