As we begin the new year, maintaining appropriate security protections for personal information should be a high priority in 2007 for companies in all industries. Data security, which vaulted to prominence in 2006 in the overall context of information regulations, has emerged as a critical area where active enforcement, ongoing breach problems and varied new regulatory and standard-setting initiatives require proactive efforts to update even the most reasonable security program.
These new obligations and risks are relevant to essentially any company that maintains personal information about customers, employees or other individuals - encompassing retailers, online merchants, banks, health care entities and the rest of Corporate America. It is hard to conceive of a business that is truly unaffected.
What's been happening on the security front? Let's look at several 2006 developments, with an eye toward what needs to be given specific attention in 2007.
Continuing Security Breaches
While many of us thought that security breaches captured more than reasonable public attention in 2005, interest in security breaches has remained high - and perhaps even grown in 2006. We also have seen these security problems arise in virtually all sectors, including government, not-for-profits, universities, health care entities and a wide variety of retailers. These breaches verified some common themes - why is so much personal data stored on laptops, why aren't laptops better protected, how can companies increase awareness to reduce human error - but the breaches also covered a wide range of security problems and industries. This should lead all companies to re-evaluate their data protection practices - both systemic steps, like laptop security and increasing network protections, and consciousness-raising measures like increased employee training on practical security steps.
Enforcement Continues And Expands
In addition to wide media exposure, security breaches have led in certain instances to government enforcement actions. These actions have been brought by a wide variety of enforcement agencies, some obvious, some not.
For example, continuing a growing line of cases involving a failure to implement reasonable security practices, the Federal Trade Commission (FTC) recently brought an action against Guidance Software Inc., based on the FTC's charges that Guidance's failure to take reasonable security measures to protect sensitive customer data contradicted security promises made on its website and violated federal law. As a result of these failures, hackers were able to access sensitive credit card information for thousands of Guidance's consumers. As with many of the FTC's previous settlements, the Guidance Software settlement imposes a series of security practices on the company, including implementation of a comprehensive information-security program and audits of the security program by an independent third-party security professional for 20 years.
The FTC's charges contain some useful information for companies evaluating their own practices. According to the FTC complaint, Guidance failed to implement "simple, inexpensive and readily available security measures" to protect its consumers' data. For example, contrary to the published claims on its website, Guidance "created unnecessary risks to credit card information" by storing it in clear, readable text. In addition, the complaint alleges that Guidance failed to protect the customer information by:
Failing to assess adequately the vulnerability of its network to commonly known or reasonably foreseeable web-based attacks, such as structured query language injection attacks;
Failing to implement simple, low-cost, and readily available defenses to such attacks;
Storing in clear, readable text network administrator credentials, such as user name and password, which facilitated access to credit card information stored on the network;
Failing to use readily available security measures to monitor and limit access from the corporate network to the Internet; and
Failing to employ measures to detect unauthorized access to consumers' credit card information.
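The first three items on the FTC's list (an unassessed SQL-injection exposure, no low-cost defense against it, and credentials kept in clear text) and the last one (no detection of unauthorized access to card data) can each be shown in a few lines of code. The following is an added example written for this article, not code from the article, from the FTC complaint or from Guidance Software; the database layout, column names, the "customer lookup" scenario and the sample rows are all constructed assumptions. It puts the concatenated query beside its parameterized form, replaces a clear-text credential with a salted slow hash, and adds a minimal audit check that flags a single-customer lookup returning more records than it should.

```python
"""Added example (not from the article or the FTC complaint): the alleged
failures rendered as code, with the corrected form beside each one.
Uses an in-memory SQLite database; the table, columns and rows are
constructed for illustration only."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data: two customers with obviously fake card numbers.
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (customer TEXT, card_number TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """The failure: web-facing input is spliced into the SQL text, so a value
    containing a quote and a tautology changes the query's WHERE clause."""
    sql = ("SELECT customer, card_number FROM orders WHERE customer = '"
           + customer + "'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, customer: str) -> list:
    """The 'simple, low-cost' defense: parameter binding. The driver sends
    the value separately from the SQL text, so it is only ever compared as
    data and never parsed as SQL."""
    sql = "SELECT customer, card_number FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def audited_lookup(conn: sqlite3.Connection, customer: str, log: list) -> list:
    """Detection control: a single-customer lookup should yield at most one
    row. Record every access to card data and flag any result that is wider
    than expected, which is how the injected query above would surface."""
    rows = lookup_hardened(conn, customer)
    event = {"customer": customer, "rows_returned": len(rows),
             "suspicious": len(rows) > 1}
    log.append(event)
    return rows


# Clear-text storage of an administrator credential, as alleged, means anyone
# who can read the table can log in. Keep only a random salt and a slow hash.
PBKDF2_ROUNDS = 200_000  # assumption: a cost chosen for this example


def store_credential(password: str) -> tuple:
    """Return (salt, digest); the original password cannot be read back."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_credential(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    db = build_db()
    tautology = "x' OR '1'='1"  # constructed input with a quote and a tautology
    print("vulnerable:", lookup_vulnerable(db, tautology))  # every row leaks
    print("hardened:  ", lookup_hardened(db, tautology))    # no customer matches
    events = []
    audited_lookup(db, "alice", events)
    print("audit log: ", events)
    salt, digest = store_credential("admin-secret")
    print("verify:    ", verify_credential("admin-secret", salt, digest))
```

Run stand-alone, the script shows the concatenated query returning both sample rows for the crafted input while the parameterized query returns nothing, and the audit log recording the lookup with `suspicious` set to `False`. The point for a compliance reviewer is that none of these controls requires new products: binding parameters, hashing stored credentials and logging access to card data are the "readily available" measures the complaint refers to.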
State Enforcement Activities
The FTC was not the only enforcement agency taking action on security breaches. When Humana confronted two separate security breaches, it found itself facing charges from the North Dakota Insurance Commissioner. The investigation resulted in an order requiring Humana to provide credit-monitoring services for one year for every affected customer who requests them, as well as an additional year of monitoring if the customer experiences any credit-report irregularities. The order also requires Humana to report the names of those customers requesting credit monitoring directly to the Insurance Department on a monthly basis. The settlement also included Humana's payment of $50,000 to offset costs and expenses incurred by the Department during its investigation.
Most recently, in December, Ameriprise Financial Services reached a settlement with the Massachusetts Secretary of State, where it agreed to pay $25,000 to settle an investigation into the loss of a company laptop that contained the personal data of thousands of Massachusetts residents. So, not only are breaches causing significant harm to reputations, but they also can result in government enforcement, even by regulators who have no explicit authority that is specific to security breaches. These regulators often are not the primary regulator of security practices at all - for example, in both the Humana and Providence situations above, one would think that the Department of Health and Human Services, either through the Office of Civil Rights (privacy) or the Centers for Medicare and Medicaid Services (security) would have been the appropriate regulator to address a security breach. In 2007 and beyond, these "other" regulators may well prove to be the main entities companies have to worry about in the event of privacy or security problems.
Continuing Evolution Of Best Practices
In addition, even for companies that currently have reasonable security practices, the bar is continuing to be raised, so that those companies need to re-evaluate their security practices on an ongoing basis. For example, for companies that collect credit card information electronically (including a wide variety of small and large merchants and retailers that are not typically at the forefront of information security activities), new Payment Card Industry (PCI) security standards are now being implemented, with a compliance date in 2008. These standards, imposed by contract throughout the industry, will require a significant undertaking by any merchant that accepts credit card payments. Recognizing the difficulty of meeting some of these compliance requirements, the industry recently created the PCI Security Standards Council to administer the standards and assist companies in meeting their requirements.
The Council has set out to:
Protect cardholder information through a global, industrywide data security standard;
Help to reduce the costs and time required for PCI compliance;
Maintain a list of qualified data security solution providers;
Lead training and education, and provide a streamlined process for relevant certifications, establishing a single source of approval recognized by the Council members; and
Provide a transparent forum where all stakeholders in the process can offer their feedback and input into the ongoing development, enhancement and dissemination of data security standards.
For more information on this group, please see www.pcisecuritystandards.org/.
Similarly, even for the financial services industry (which has been subject to security regulation for a relatively long time), new standards are in place. These standards, issued by the Federal Financial Institutions Examination Council, require financial institutions to implement upgraded online security practices designed primarily to improve customer authentication methods to avoid "phishing" breaches.
As these best practices continue to evolve, a recent survey, issued by Ernst & Young, indicates that security concerns are in fact becoming a higher priority for many companies. (The full survey results are available at www.ey.com/Global/download.nsf/International/TSRS_-_GISS_2006/$file/EY_GISS2006.pdf.)
Among the main "trends" identified by E&Y are:
Information risk management is becoming integrated into overall risk management.
There is an increasing focus on proactive privacy and personal data protection.
Privacy and data protection practices are becoming increasingly formalized.
Information security is becoming more proactive in meeting business objectives and business-continuity planning.
Information security is increasingly adopting recognized standards.
At the same time, the E&Y survey focused on areas where improvement is needed, including (1) integrating information security within the organization; (2) extending the impact of compliance; (3) managing the risks of third-party relationships; (4) focusing on personal data protection and privacy initiatives and controls; and (5) designing and building information security with continuous improvement.
New Project On Vendor Reviews
The E&Y survey highlights the security risks associated with third-party relationships. Obviously, for both "principals" and "agents," developing an appropriate contracting strategy to implement effective contractual controls and create appropriate oversight and monitoring remains a substantial challenge, particularly for larger companies. Companies continue to face pressures both from specific regulatory requirements and from the clear recognition that, in many situations, the regulatory "minimum" simply is not sufficient to appropriately protect personal information. At the same time, companies cannot realistically engage in effective monitoring across their full range of vendors.
One interesting project is emerging to assist with this ongoing dilemma. The BITS group, an offshoot of the Financial Services Roundtable, has taken on the vendor dilemma by developing a set of common guidelines, by which companies can evaluate vendors and vendors can attempt to standardize their practices, to meet the needs of different customers and reduce the costs of having to meet the demands of these different customers. This project, called the Financial Institution Shared Assessments Program, has been led by several major banks in partnership with major accounting firms. The program is designed to (1) raise the level of security of financial services, while, at the same time, (2) lower costs for banks, insurance companies and computer-services providers.
According to the BITS website, the Financial Institution Shared Assessments Program:
Provides major efficiencies and cost savings to financial institutions and service providers;
Is a more efficient alternative to existing service provider assessment methods; and
Helps financial institutions align service-provider testing with industry regulations.
More information on this program - which could easily serve as a model for other industries - is available at www.bitsinfo.org/FISAP/index.php.
Security concerns need to remain high on the risk-management agenda for virtually any company that collects and maintains personal data on customers, employees or others. In practical terms, this is going to include virtually all businesses, albeit to varying degrees. Developing an effective security program responding to these challenges involves a mix of legal/compliance steps and an effective technology approach. These two areas need to be integrated - technology is crucial, but companies also will need to rely on the assistance of established legal and compliance experts in assessing practical requirements and developing policies and procedures (along with other relevant documentation concerning security choices).
Published February 1, 2007.