Deriving Due Care Practices from HIPAA and GLBA

Recent years have shown a trend in corporations being held responsible for information security negligence. In particular, the Federal Trade Commission (FTC) and the Attorney General of New York have been actively pursuing companies that fail to follow effective security practices. Many high-visibility cases illustrate how companies are being required to implement stronger security controls, the Guess case being a good example.

In June 2003, Guess, Incorporated agreed to settle FTC charges that it exposed consumers' personal information to commonly known attacks by hackers, contrary to the company's claims. "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection. The settlement required that Guess implement a comprehensive information security program that would be certified as meeting or exceeding the standards in the consent order by an independent professional within a year.

The Problem

A key reason why corporations demonstrate poor or inconsistent information security controls is the lack of a widely accepted and comprehensive set of good security practices. Standards bodies such as the U.S. National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) publish security standards with varying degrees of corporate acceptance and use. The Information Systems Security Association (ISSA) has identified the need for a universally agreed-upon collection of essential security practices and is currently developing the Generally Accepted Information Security Principles (GAISP), although how well accepted these principles will be upon publication remains to be seen.

The Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule and the Gramm-Leach-Bliley Act (GLBA) Interagency Guidelines are customer privacy laws specifying the security rules that must be followed by the healthcare and financial services industries respectively. If entities covered by these laws fail to follow the required security practices, they may not only be exposing their customers' private information but may also be subject to regulatory penalties and fines. These laws, in essence, define information security due care standards, the security practices that must be followed to avoid liability, for the healthcare and financial services industries. The entities covered by these laws, however, only represent approximately 25% of the U.S. Gross Domestic Product. Other industries must rely upon their best judgment to protect customer information, clearly not an effective approach, as the cases mentioned earlier demonstrate.

Most companies certainly want to do the right thing and protect their customers' information, but avoiding legal liability and harm to their reputation are also factors that motivate them to implement appropriate information security controls. While most corporate information security professionals probably think they understand how to protect customer information, many wouldn't be comfortable attesting that their practices would protect their employer from liability. Lacking a commonly accepted set of security practices, many corporate information security professionals are uncertain how to secure customer information in a way that also limits their company's liability.

Proposed Solution

The best approach for companies that wish to protect their customers' information and potentially avoid liability is to implement the security practices required by both HIPAA and GLBA. There are 12 security practices in common between these two customer privacy laws. By following these 12 practices, companies will be practicing information security due care and can potentially avoid liability. Indeed, all of the security requirements mandated in the settlement of the cases mentioned earlier are among the 12 practices in common between HIPAA and GLBA.

What is Due Care?

Companies that handle the personal information of their customers may be breaking the law and not know it, as evidenced by the Guess case. This ignorance may partly stem from substantial gaps in the prosecutable computer crimes defined in the federal criminal code and individual state criminal statutes. Federal and state criminal statutes are slow to evolve to adequately prosecute crimes based on the fast-changing technology of information systems. Companies and information security professionals may find little direction in criminal codes and statutes to help them avoid inadvertently breaking the law when it comes to protecting their customers' personal information.

Since there is little guidance for companies to follow when it comes to avoiding criminal or civil liability or harsh settlements from the FTC, they need to consider how legal standards are created in the first place. Legal standards are developed based on the concept of due care, which is the care that an ordinarily prudent person would have exercised under the same or similar circumstances. Failure to practice due care is equivalent to demonstrating negligence. Companies that demonstrate negligence relative to their information security practices are susceptible to lawsuits, fines, and other sanctions, whereas companies that practice due care should be largely protected from such punishments.

Where to Find Due Care Information Security Practices

Companies that wish to find due care information security practices need look no further than to two major federal laws that regulate the protection of customer information: HIPAA and GLBA. While both HIPAA and GLBA enacted a lot more than just customer privacy requirements, they both have spawned substantial regulatory guidance on security controls for protecting customer information. The regulations for HIPAA are called the Final Security Rule and those for GLBA are referred to as the Interagency Guidelines.

While some of the requirements in these regulations are industry-specific, there is a lot of commonality between the two. In particular, 12 security practices were found in both the HIPAA Final Security Rule and the GLBA Interagency Guidelines. The fact that these two sets of regulations intersect in 12 places is no coincidence. This is a clear signal from the federal government of the level of due care it expects the country's health care providers and financial institutions to practice. If these are the standards of due care that must be practiced by industries that represent about a quarter of the country's GDP, it stands to reason that other industries will be expected to follow these same practices.

HIPAA & GLBA Security Due Care Practices in Common

The 12 security practices in common between HIPAA and GLBA are all "high-level" practices. There are no specific technology controls. Some practices are required while others are required only if a risk assessment conducted by the entity determines that the practice is appropriate.

The HIPAA Final Security Rule and the GLBA Interagency Guidelines were designed to provide guidance to senior management. How the practices are implemented is left largely up to the companies to determine.

Following is the list of the 12 security practices in common between HIPAA and GLBA (please refer to the HIPAA/GLBA Due Care Practice Matrix in the Laws and Regulations section of the OpenCSOProject for detailed analysis and references):

1. Assess and Control Risk
2. Assign Security Responsibility
3. Appropriate Access and Authorization
4. Security Awareness and Training
5. Incident Response and Reporting
6. Disaster Recovery
7. Security Evaluation
8. Vendor Contracts
9. Facility Access Controls
10. Data Integrity Controls
11. Encryption
12. Security Monitoring Procedures

Validation from Recent Enforcement Actions

If the companies in the FTC settlement cases mentioned earlier had faithfully implemented these 12 practices, they would not have suffered any penalties and their customers' information would have been protected. For instance, in the Guess case, the FTC ordered Guess to:

- Designate an employee or employees to coordinate and be accountable for the information security program (HIPAA/GLBA Due Care Practice #2: Assign Security Responsibility);
- Identify material internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment must include consideration of risks in each area of relevant operation (HIPAA/GLBA Due Care Practice #1: Assess and Control Risk);
- Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards' key controls, systems, and procedures (HIPAA/GLBA Due Care Practice #7: Security Evaluation);
- Evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that Guess knows or has reason to know may have a material impact on its information security program (HIPAA/GLBA Due Care Practice #7: Security Evaluation).

These four requirements would have been fulfilled by following just three of the 12 HIPAA/GLBA Due Care Practices: Assess and Control Risk, Assign Security Responsibility, and Security Evaluation. The other settlement cases had similar requirements, also covered by the HIPAA/GLBA Due Care Practices. It is clear that the security practices required by both HIPAA and GLBA establish a basis of due care.

Conclusion

Companies are finding that they will pay the price for not maintaining strong security controls and protecting their customers' information. They must proactively implement and maintain prudent security processes to demonstrate that they are practicing due care. Until a universally accepted set of information security practices is produced, the best approach for companies is to implement the security practices required by both HIPAA and

______________________

Marc R. Menninger is a Certified Information Systems Security Professional (CISSP) and is the founder and site administrator for the OpenCSOProject, a knowledge base for security professionals. To download security policies, articles and presentations, see the Security Officer Forums.