Recent years have shown a trend in corporations being held responsible for information security negligence. In particular, the Federal Trade Commission (FTC) and the Attorney General of New York have been actively pursuing companies that fail to follow effective security practices. Many high-visibility cases illustrate how companies are being required to implement stronger security controls, the Guess case being a good example.

In June 2003, Guess, Incorporated agreed to settle FTC charges that it exposed consumers' personal information to commonly known attacks by hackers, contrary to the company's claims. "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection. The settlement required that Guess implement a comprehensive information security program that would be certified by an independent professional, within a year, as meeting or exceeding the standards in the consent order.

The Problem

A key reason why corporations demonstrate poor or inconsistent information security controls is the lack of a widely accepted and comprehensive set of good security practices. Standards bodies such as the U.S. National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) publish security standards with varying degrees of corporate acceptance and use. The Information Systems Security Association (ISSA) has identified the need for a universally agreed-upon collection of essential security practices and is currently developing the Generally Accepted Information Security Principles (GAISP)--although how well accepted these principles will be upon publication remains to be seen.

The Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule and the Gramm-Leach-Bliley Act (GLBA) Interagency Guidelines are customer privacy laws specifying the security rules that must be followed by the healthcare and financial services industries respectively. If entities covered by these laws fail to follow the required security practices, they may not only be exposing their customers' private information but may also be subject to regulatory penalties and fines. These laws, in essence, define information security due care standards--the security practices that must be followed to avoid liability--for the healthcare and financial services industries. The entities covered by these laws, however, represent only approximately 25% of the U.S. Gross Domestic Product. Other industries must rely upon their best judgment to protect customer information--clearly not an effective approach, as the cases mentioned earlier demonstrate.

Most companies certainly want to do the right thing and protect their customers' information, but avoiding legal liability and harm to their reputation are also factors that motivate them to implement appropriate information security controls. While most corporate information security professionals probably think they understand how to protect customer information, many wouldn't be comfortable attesting that their practices would protect their employer from liability. Lacking a commonly accepted set of security practices, many corporate information security professionals are uncertain how to secure customer information in a way that also limits their company's liability.

Proposed Solution

The best approach for companies that wish to protect their customers' information and potentially avoid liability is to implement the security practices required by both HIPAA and GLBA. There are 12 security practices in common between these two customer privacy laws. By following these 12 practices, companies will be practicing information security due care and can potentially avoid liability. Indeed, all of the security requirements mandated in the settlements of the cases mentioned earlier are among the 12 practices in common between HIPAA and GLBA.

What is Due Care?

Companies that handle the personal information of their customers may be breaking the law and not know it, as evidenced by the Guess case. This ignorance may partly stem from substantial gaps in the computer crimes that are prosecutable under the federal criminal code and individual state criminal statutes. Federal and state criminal statutes are slow to evolve to adequately prosecute crimes based on the fast-changing technology of information systems. Companies and information security professionals may find little direction in criminal codes and statutes to help them avoid inadvertently breaking the law when it comes to protecting their customers' personal information.

Since there is little guidance for companies to follow when it comes to avoiding criminal or civil liability or harsh settlements from the FTC, they need to consider how legal standards are created in the first place. Legal standards are developed based on the concept of due care, which is the care that an ordinarily prudent person would have exercised under the same or similar circumstances. Failure to practice due care is equivalent to demonstrating negligence. Companies that demonstrate negligence relative to their information security practices are susceptible to lawsuits, fines, and other sanctions, whereas companies that practice due care should be largely protected from such punishments.

Where to Find Due Care Information Security Practices

Companies that wish to find due care information security practices need look no further than the two major federal laws that regulate the protection of customer information: HIPAA and GLBA. While both HIPAA and GLBA enacted a lot more than just customer privacy requirements, they have both spawned substantial regulatory guidance on security controls for protecting customer information. The regulations for HIPAA are called the Final Security Rule and those for GLBA are referred to as the Interagency Guidelines. While some of the requirements in these regulations are industry-specific, there is a lot of commonality between the two. In particular, 12 security practices were found in both the HIPAA Final Security Rule and the GLBA Interagency Guidelines. The fact that these two sets of regulations intersect in 12 places is no coincidence. This is a clear signal from the federal government of the level of due care it expects the country's health care providers and financial institutions to practice. If these are the standards of due care that must be practiced by industries that represent about a quarter of the country's GDP, it stands to reason that other industries will be expected to follow these same practices.

HIPAA & GLBA Security Due Care Practices in Common

The 12 security practices in common between HIPAA and GLBA are all "high-level" practices. There are no specific technology controls. Some practices are required outright, while others are required only if a risk assessment conducted by the entity determines that the practice is appropriate. The HIPAA Final Security Rule and the GLBA Interagency Guidelines were designed to provide guidance to senior management. How the practices are implemented is left largely up to the companies to determine.

Following is the list of the 12 security practices in common between HIPAA and GLBA (please refer to the HIPAA/GLBA Due Care Practice Matrix in the Laws and Regulations section of the OpenCSOProject for detailed analysis and references):

1. Assess and Control Risk
2. Assign Security Responsibility
3. Appropriate Access and Authorization
4. Security Awareness and Training
5. Incident Response and Reporting
6. Disaster Recovery
7. Security Evaluation
8. Vendor Contracts
9. Facility Access Controls
10. Data Integrity Controls
11. Encryption
12. Security Monitoring Procedures

Validation from Recent Enforcement Actions

If the companies in the FTC settlement cases mentioned earlier had faithfully implemented these 12 practices, they would not have suffered any penalties and their customers' information would have been protected. For instance, in the Guess case, the FTC ordered Guess to:

- Designate an employee or employees to coordinate and be accountable for the information security program (HIPAA/GLBA Due Care Practice #2: Assign Security Responsibility);

- Identify material internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment must include consideration of risks in each area of relevant operation (HIPAA/GLBA Due Care Practice #1: Assess and Control Risk);

- Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards' key controls, systems, and procedures (HIPAA/GLBA Due Care Practice #7: Security Evaluation);

- Evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that Guess knows or has reason to know may have a material impact on its information security program (HIPAA/GLBA Due Care Practice #7: Security Evaluation).

These four requirements would have been fulfilled by following just three of the 12 HIPAA/GLBA Due Care Practices: Assess and Control Risk, Assign Security Responsibility, and Security Evaluation. The other settlement cases had similar requirements, also covered by the HIPAA/GLBA Due Care Practices. It is clear that the security practices required by both HIPAA and GLBA establish a basis of due care.

Conclusion

Companies are finding that they will pay the price for not maintaining strong security controls and protecting their customers' information. They must proactively implement and maintain prudent security processes to demonstrate that they are practicing due care. Until a universally accepted set of information security practices is produced, the best approach for companies is to implement the security practices required by both HIPAA and

______________________

Marc R. Menninger is a Certified Information Systems Security Professional (CISSP) and is the founder and site administrator for the OpenCSOProject, a knowledge base for security professionals. Security policies, articles and presentations can be downloaded from the Security Officer Forums.