| Recent years have shown a trend in
| |
| | Find Due Care Information Security
|
| corporations being held responsible for
| |
| | PracticesCompanies that wish to find due
|
| information security negligence. In
| |
| | care information security practices need
|
| particular, the Federal Trade Commission
| |
| | look no further than to two major federal
|
| (FTC) and the Attorney General of New
| |
| | laws that regulate the protection of
|
| York have been actively pursuing
| |
| | customer information: HIPAA and GLBA.
|
| companies that fail to follow effective
| |
| | While both HIPAA and GLBA enacted a lot
|
| security practices. Many high-visibility
| |
| | more than just customer privacy
|
| cases illustrate how companies are being
| |
| | requirements, they both have spawned
|
| required to implement stronger security
| |
| | substantial regulatory guidance on
|
| controls, the Guess case being a good
| |
| | security controls for protecting customer
|
| example.In June 2003, Guess, Incorporated
| |
| | information. The regulations for HIPAA
|
| agreed to settle FTC charges that it
| |
| | are called the Final Security Rule and
|
| exposed consumers' personal information
| |
| | those for GLBA are referred to as the
|
| to commonly known attacks by hackers,
| |
| | Interagency Guidelines.While some of the
|
| contrary to the company's claims.
| |
| | requirements in these regulations are
|
| "Consumers have every right to expect
| |
| | industry-specific, there is a lot of
|
| that a business that says it's keeping
| |
| | commonality between the two. In
|
| personal information secure is doing
| |
| | particular, 12 security practices were
|
| exactly that," said Howard Beales,
| |
| | found in both the HIPAA Final Security
|
| Director of the FTC's Bureau of Consumer
| |
| | Rule and the GLBA Interagency Guidelines.
|
| Protection. The settlement required that
| |
| | The fact that these two sets of
|
| Guess implement a comprehensive
| |
| | regulations intersect in 12 places is no
|
| information security program that would
| |
| | coincidence. This is a clear signal from
|
| be certified as meeting or exceeding the
| |
| | the federal government of the level of
|
| standards in the consent order by an
| |
| | due care it expects the country's health
|
| independent professional within a
| |
| | care providers and financial institutions
|
| year.The ProblemA key reason why
| |
| | to practice. If these are the standards
|
| corporations demonstrate poor or
| |
| | of due care that must be practiced by
|
| inconsistent information security
| |
| | industries that represent about a quarter
|
| controls is the lack of a widely accepted
| |
| | of the country's GDP, it stands to reason
|
| and comprehensive set of good security
| |
| | that other industries will be expected to
|
| practices. Standards bodies such as the
| |
| | follow these same practices.HIPAA & GLBA
|
| U.S. National Institute of Standards and
| |
| | Security Due Care Practices in CommonThe
|
| Technology (NIST) and the International
| |
| | 12 security practices in common between
|
| Organization for Standardization (ISO)
| |
| | HIPAA and GLBA are all "high-level"
|
| publish security standards with varying
| |
| | practices. There are no specific
|
| degrees of corporate acceptance and use.
| |
| | technology controls. Some practices are
|
| The Information Systems Security
| |
| | required while others are required only
|
| Association (ISSA) has identified the
| |
| | if a risk assessment conducted by the
|
| need for a universally agreed-upon
| |
| | entity determines that the practice is
|
| collection of essential security
| |
| | appropriate.The HIPAA Final Security Rule
|
| practices and is currently developing the
| |
| | and the GLBA Interagency Guidelines were
|
| Generally Accepted Information Security
| |
| | designed to provide guidance to senior
|
| Principles (GAISP)--although how well
| |
| | management. How the practices are
|
| accepted these principles will be upon
| |
| | implemented is left largely up to the
|
| publication remains to be seen.The Health
| |
| | companies to determine.Following is the
|
| Insurance Portability and Accountability
| |
| | list of the 12 security practices in
|
| Act (HIPAA) Final Security Rule and the
| |
| | common between HIPAA and GLBA (please
|
| Gramm Leach Bliley Act (GLBA) Interagency
| |
| | refer to the HIPAA/GLBA Due Care Practice
|
| Guidelines are customer privacy laws
| |
| | Matrix in the Laws and Regulations
|
| specifying the security rules that must
| |
| | section of the OpenCSOProject for
|
| be followed by the healthcare and
| |
| | detailed analysis and references):
|
| financial services industries
| |
| | Assess and Control Risk
|
| respectively. If entities covered by
| |
| | Assign Security Responsibility
|
| these laws fail to follow the required
| |
| | Appropriate Access and Authorization
|
| security practices they may not only be
| |
| | Security Awareness and Training
|
| exposing their customers' private
| |
| | Incident Response and Reporting
|
| information but may also be subject to
| |
| | Disaster Recovery
|
| regulatory penalties and fines. These
| |
| | Security Evaluation
|
| laws, in essence, define information
| |
| | Vendor Contracts
|
| security due care standards--the security
| |
| | Facility Access Controls
|
| practices that must be followed to avoid
| |
| | Data Integrity Controls
|
| liability--for the healthcare and
| |
| | Encryption
|
| financial services industries. The
| |
| | Security Monitoring ProceduresValidation
|
| entities covered by these laws, however,
| |
| | from Recent Enforcement ActionsIf the
|
| only represent approximately 25% of the
| |
| | companies in the FTC settlement cases
|
| U.S. Gross Domestic Product. Other
| |
| | mentioned earlier had faithfully
|
| industries must rely upon their best
| |
| | implemented these 12 practices, they
|
| judgment to protect customer
| |
| | would not have suffered any penalties and
|
| information--clearly not an effective
| |
| | their customers' information would have
|
| approach as the cases mentioned earlier
| |
| | been protected. For instance, in the
|
| demonstrate.Most companies certainly want
| |
| | Guess case, the FTC ordered Guess to:
|
| to do the right thing and protect their
| |
| | Designate an employee or employees to
|
| customers' information, but avoiding
| |
| | coordinate and be accountable for the
|
| legal liability and harm to their
| |
| | information security program (HIPAA/GLBA
|
| reputation are also factors that motivate
| |
| | Due Care Practice #2: Assign Security
|
| them to implement appropriate information
| |
| | Responsibility);
|
| security controls. While most corporate
| |
| | Identify material internal and external
|
| information security professionals
| |
| | risks to the security, confidentiality,
|
| probably think they understand how to
| |
| | and integrity of customer information
|
| protect customer information, many
| |
| | that could result in the unauthorized
|
| wouldn't be comfortable attesting that
| |
| | disclosure, misuse, loss, alteration,
|
| their practices would protect their
| |
| | destruction, or other compromise of such
|
| employer from liability. Lacking a
| |
| | information, and assess the sufficiency
|
| commonly accepted set of security
| |
| | of any safeguards in place to control
|
| practices, many corporate information
| |
| | these risks. At a minimum, this risk
|
| security professionals are uncertain how
| |
| | assessment must include consideration of
|
| to secure customer information in a way
| |
| | risks in each area of relevant operation.
|
| that also limits their company's
| |
| | (HIPAA/GLBA Due Care Practice #1: Assess
|
| liability.Proposed SolutionThe best
| |
| | and Control Risk);
|
| approach for companies that wish to
| |
| | Design and implement reasonable
|
| protect their customer's information and
| |
| | safeguards to control the risks
|
| potentially avoid liability is to
| |
| | identified through risk assessment, and
|
| implement the security practices required
| |
| | regularly test or monitor the
|
| by both HIPAA and GLBA. There are 12
| |
| | effectiveness of the safeguards' key
|
| security practices in common between
| |
| | controls, systems, and procedures. (HIPAA
|
| these two customer privacy laws. By
| |
| | GLBA Due Care Practice #7: Security
|
| following these 12 practices, companies
| |
| | Evaluation);
|
| will be practicing information security
| |
| | Evaluate and adjust its information
|
| due care and can potentially avoid
| |
| | security program in light of the results
|
| liability. Indeed, all of the security
| |
| | of testing and monitoring, any material
|
| requirements mandated in the settlement
| |
| | changes to its operations or business
|
| of the cases mentioned earlier are among
| |
| | arrangements, or any other circumstances
|
| the 12 practices in common between HIPAA
| |
| | that Guess knows or has reason to know
|
| and GLBA.What is Due Care?Companies that
| |
| | may have a material impact on its
|
| handle the personal information of their
| |
| | information security program. (HIPAA/GLBA
|
| customers may be breaking the law and not
| |
| | Due Care Practice #7: Security
|
| know it, as evidenced by the Guess case.
| |
| | Evaluation)
|
| This ignorance may partly stem from
| |
| | These four requirements would have been
|
| substantial gaps of prosecutable computer
| |
| | fulfilled by following just three of the
|
| crimes that exist in federal criminal
| |
| | 12 HIPAA/GLBA Due Care Practices: Assess
|
| code and individual state criminal
| |
| | and Control Risk, Assign Security
|
| statutes. Federal and state criminal
| |
| | Responsibility, and Security Evaluation.
|
| statutes are slow to evolve to adequately
| |
| | The other settlement cases had similar
|
| prosecute crimes based on the
| |
| | requirements, also covered by the HIPAA
|
| fast-changing technology of information
| |
| | GLBA Due Care Practices. It is clear that
|
| systems. Companies and information
| |
| | the security practices required by both
|
| security professionals may find little
| |
| | HIPAA and GLBA establish a basis of due
|
| direction in criminal codes and statutes
| |
| | care.ConclusionCompanies are finding that
|
| to help them avoid inadvertently breaking
| |
| | they will pay the price for not
|
| the law when it comes to protecting their
| |
| | maintaining strong security controls and
|
| customers' personal information.Since
| |
| | protecting their customers' information.
|
| there is little guidance for companies to
| |
| | They must proactively implement and
|
| follow when it comes to avoiding criminal
| |
| | maintain prudent security processes to
|
| or civil liability or harsh settlements
| |
| | demonstrate that they are practicing due
|
| from the FTC, they need to consider how
| |
| | care. Until a universally accepted set of
|
| legal standards are created in the first
| |
| | information security practices is
|
| place. Legal standards are developed
| |
| | produced, the best approach for companies
|
| based on the concept of due care, which
| |
| | is to implement the security practices
|
| is the care that an ordinarily prudent
| |
| | required by both HIPAA and
|
| person would have exercised under the
| |
| | GLBA.____________________________________
|
| same or similar circumstances. Failure to
| |
| | _________________Marc R. Menninger is a
|
| practice due care is equivalent to
| |
| | Certified Information Systems Security
|
| demonstrating negligence. Companies that
| |
| | Professional (CISSP) and is the founder
|
| demonstrate negligence relative to their
| |
| | and site administrator for the
|
| information security practices are
| |
| | OpenCSOProject, a knowledge base for
|
| susceptible to lawsuits, fines, and other
| |
| | security professionals. To download
|
| sanctions, whereas companies that
| |
| | security policies, articles and
|
| practice due care should be largely
| |
| | presentations, click here: Security
|
| protected from such punishments.Where to
| |
| | Officer Forums.
|
