In 2003, California passed the nation's first law requiring companies to notify consumers if the company's computer systems were breached and consumer information was inappropriately accessed by a third party. In light of the subsequent media frenzy highlighting numerous instances of security breaches and the continuing threat of identity theft, many states passed copycat laws attempting to limit the negative effects of data security breaches and provide consumers with tools to fight identity theft, such as the ability to freeze their credit reports. The federal government has also joined the fray, with Senator Clinton of New York recently introducing comprehensive privacy legislation attempting to provide consumers with tools to protect themselves from possible identity theft and impose various obligations on companies to limit the potential damaging effect of security breaches.
A company's duty to notify consumers of a security breach is only one small part of its overall obligation to maintain reasonable security measures for all of its corporate information. Today, when so much attention is being paid to passing new laws and new regulations governing a company's obligation to consumers to disclose a security breach, it must be recognized that most businesses already have existing legal obligations to employ reasonable security controls and procedures over the data and information it maintains.
Sources of the Existing Duty to Provide Security
Numerous, often overlapping, federal and state statutes, rules, regulations, as well as case law decisions and governmental enforcement proceedings, taken together, all serve to require nearly all companies - even those in non-regulated industries - to provide information security. These sources include:
Industry-specific privacy laws. At both the federal and state levels, certain laws require companies to provide security measures to protect consumer information. At the federal level, these include the Gramm-Leach-Bliley Act in the financial sector, the Health Insurance Portability and Accountability Act in the healthcare sector, and the Children's Online Privacy Protection Act covering the personal information of children collected over the Internet. At the state level, California, Arkansas and Rhode Island, among others, have passed legislation imposing a general obligation to provide information security.
Sector-specific regulations. Various federal and state agencies have promulgated regulations mandating information security for specific industries. For example, the Internal Revenue Service requires companies to protect electronic tax records. Similarly, some state insurance departments require information security for consumer information.
Corporate governance legislation. Another example of security regulation is Sarbanes-Oxley, which mandates that public corporations implement reasonable information security controls to protect financial information.
Recent case law. Judges have also extended the obligation to provide information security through cases involving the admissibility of electronic records and cases involving the scope of a corporate director's fiduciary duty with respect to the protection of company information.
The question then becomes what exactly is required for a company to comply with its legal obligation to provide information security. Laws and regulations rightly do not delineate or impose what technologies or specific methods a company or industry should adopt. Given the breadth and scope of the economy and industry, the fact that companies operate in a generally free market and compete for customers in varying ways, and the often dizzying array of technological means for providing information security, can a definitive legal obligation be distilled at all? The answer is yes, but not with respect to specific methodologies or specific technologies. To comply with the legal obligation to provide information security, a company must implement a continually updated program and plan for addressing security issues, which has been referred to as a "process-oriented" approach.
The FTC has adopted this process-oriented approach, first set forth in regulations affecting the banking, financial and health industries. It has required companies against which it commenced enforcement actions to adopt this approach when entering into consent decrees, and several state attorneys general have likewise adopted this approach in their enforcement proceedings. Because industries and companies, as well as the security threats they face, are unique, implementing an information security plan should be an ongoing, continual process that is responsive to existing threats and that constantly evolves to meet new threats. Thus, in order to comply with the legal obligation to provide information security, a company must implement plans and procedures to constantly analyze threats and implement systems to protect the company and its information from them.
The Legal Standard
A company's process-oriented approach to information security should be in writing, and it should include the factors set forth below. These factors are by no means exhaustive - every company needs to conduct its own analysis about what is reasonably necessary in order to protect the security of its information.
Risk Assessment (Internal And External), Review And Repeat
Businesses should conduct an internal analysis and audit to determine exactly how customer information is collected, maintained, and disposed of, and what threats to the company's security systems exist. The analysis should cover what information systems exist within the company, what should be protected, the range of options to protect them, and what laws (if any) specifically apply to them. External threats also need to be reviewed - what threats have been publicized, what problems have other companies and competitors confronted, and what solutions to these threats exist. Plans should also be implemented for revisiting and revising the analysis and audit at regular intervals.
Appoint Accountable Leaders
Nothing focuses like accountability. Companies should appoint or designate one person to be responsible for information security issues, tasked with coordinating and implementing the process-oriented program. This person must be given the authority to coordinate and implement input across multiple departments, including information technology, human resources, accounting and finance.
Limit Access/Third Party Providers
Access to customer information should be limited to those who need to see or work with the relevant data. Detection methods should also be implemented if information is accessed by unauthorized personnel.
Companies also retain the services of third parties who, through business necessity, have access to information. Companies should investigate the bona fides of any third-party provider, contractually require third parties to implement appropriate security measures themselves, and actively monitor third-party performance and compliance.
Any time information, or media containing information, is disposed of, reasonable measures must be taken to ensure that the information on the media is not accessible post-disposal. This includes shredding paper; destroying tapes, disks, CD-ROMs and memory cards; and, crucially, computer hard drives. For example, when leased computers are returned to the leasing company or sold off-lease to third parties, diligent care must be taken to wipe all hard drives clean so that remnant company and customer information is neither present nor accessible.
It is prudent for businesses to have an independent entity review their privacy and security safeguards periodically. This will show good faith on the part of the business, and it will be difficult for anyone (importantly, regulators) to argue about the utility and effectiveness of the safeguards when the plan is independently reviewed. The assessment should explain the safeguards being used and why the safeguards are appropriate given the nature and scope of the business activities involved. The independent assessor should certify that the safeguards being used provide reasonable assurance that the security measures are, in fact, protecting personally identifiable information as intended.
Employees are the first line of defense as well as the likeliest weak point in every security plan. Stolen passwords and inside jobs account for a large portion of security breaches. Access to customer personal information, as well as access to any key information system, should be on a strict need-to-know basis. A comprehensive training program for employees who will have access to customers' personally identifiable information is crucial. Employees should be educated on the general legal implications of information privacy and security issues, and it is especially important to highlight the negative consequences in the event of a breach or other problem.
Monitoring And Testing
Without appropriate monitoring and testing, a company cannot know whether its safeguards are effective or appropriate.
Lawmakers and regulators will no doubt continue their efforts to ensure that companies take reasonable steps to ensure the security and privacy of their information and systems, and companies that emphasize information security and the process-oriented approach set forth above will likely not be materially affected by any formal changes in the law. Information security is a constantly evolving process that requires constant supervision, and it is at root a management issue. Technology will no doubt play a significant role in any information security policy and system. But unless a company takes the time to diligently analyze its information systems and makes a serious effort to protect itself against the risks of improper disclosures, the company faces potential liability and exposure. As many companies that have suffered security breaches have experienced, the glare of scrutiny from regulators as well as public opinion can be exceedingly harsh.
Published September 1, 2006.