There once was a time when in-house lawyers could sleep soundly and let the computer experts stay up at night worrying about IT issues. Those days are long gone (if they ever really existed at all)!
Courts and regulators require that companies take “Reasonable Security Measures” to protect personally identifiable information and personal healthcare data. But, what exactly does that mean? How do you know if your company’s data security measures will be deemed reasonable? These are questions squarely within the legal department’s wheelhouse.
There is no one-size-fits-all solution to data security that will satisfy every court and regulator. However, several government and private organizations have published data security standards. Following these standards will go a long way toward protecting your company, both from experiencing a data breach and defending itself in the event one occurs.
Numerous statutes require that companies provide reasonable security for sensitive, personal information. These statutes include the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, HIPAA and the Federal Trade Commission Act, among others. Also, nearly every state has now enacted some form of data-privacy statute. While certain central concepts of data security apply regardless of the industry and the data involved, each of these acts may require additional steps to maintain reasonable personal data security.
The Federal Trade Commission
The Federal Trade Commission has taken the position that a data breach can constitute an unfair and deceptive trade practice. As a result, since 2002, the FTC has brought approximately 60 cases against companies alleged to have put consumers’ personal data at unreasonable risk. These cases have led to fines in excess of $1 million, as well as injunctions. In one case, LifeLock agreed to pay $100 million to consumers to settle FTC contempt charges that the company violated the terms of a 2010 federal court order that required the company to secure consumers’ personal information.
All the news coming from the FTC is not bad, however. In an effort to assist companies in protecting consumer information, the FTC has issued written guidance in two documents explaining how companies can protect consumer data and, thereby, avoid liability.
Protecting Personal Information, A Guide for Business
The first FTC guidance document is called Protecting Personal Information, A Guide for Business. According to this document, “a sound data security plan is built on 5 key principles.”
FTC Principles for Data Security
- Take Stock. Know what personal information you have in your files and on your computers.
- Scale Down. Keep only what you need for your business.
- Lock It. Protect the information that you keep.
- Pitch It. Properly dispose of what you no longer need.
- Plan Ahead. Create a plan to respond to security incidents.
The guide provides further detail for each of these five principles, and I strongly encourage you to study it.
Start with Security, a Guide for Business
The second document, Start with Security, a Guide for Business, contains ten lessons learned from more than 50 FTC cases. These lessons provide concrete steps to protect sensitive data, and the FTC discusses them in greater detail than the five FTC principles mentioned above. Thus, every chief legal officer and chief information security officer must consider them.
Ten Lessons on Data Security
- Start with security.
- Control access to data sensibly.
- Require secure passwords and authentication.
- Store sensitive personal information securely and protect it during transmission.
- Segment your network and monitor who’s trying to get in and out.
- Secure remote access to your network.
- Apply sound security practices when developing new products.
- Make sure your service providers implement reasonable security measures.
- Put procedures in place to keep your security current and address vulnerabilities that may arise.
- Secure paper, physical media, and devices.
Other Important Standards for Establishing Reasonable Security Measures
The FTC is not the only organization that has issued standards for data security. Courts and regulators may also consider the following documents when deciding whether a company implemented reasonable security measures:
- NIST Cybersecurity Framework.
- SEC OCIE 2015 Cybersecurity Examination Initiative.
- California Attorney General’s 2016 Data Breach Report.
- National Association of Corporate Directors’ Handbook on Cyber Risk Oversight.
- Center for Internet Security Critical Security Controls (CIS Controls).
As you can see, what constitutes “reasonable security measures” is a complicated question, with no single answer. Moreover, the answer depends, to a certain extent, on the type of data involved. Nonetheless, companies today cannot avoid seeking the answer to this question. The financial and reputational risks are too high to do otherwise.
Chief legal officers also no longer have the luxury of claiming that they are not “tech-savvy” and deferring to the information technology department. The issues extend beyond technical concepts into questions that merge the technical with the legal. As such, chief legal officers must immerse themselves in this topic to protect both their companies and their careers.