Data Security: What the Law Requires of IT
The Legal Standard for Compliance
The laws, regulations, contracts, and other obligations that impose a duty to provide security typically require only that you provide "reasonable" or "appropriate" security. They offer little guidance as to what kind of security measures are required or how much security is enough. This raises a very difficult question: What constitutes "reasonable" or "appropriate" security?
Yet a careful review of newer statutes and regulations, court decisions, and government enforcement actions reveals an amazingly consistent approach for defining the parameters of a "legal" standard for compliance. That standard focuses on process, not on specific security controls.
The legal standard does not dictate what measures are required to achieve reasonable security. Instead, it requires companies to undertake a risk-based process to identify and implement measures that are reasonable under the circumstances to achieve the desired security objectives. This means companies must assess the risks they face, identify and implement appropriate security measures in response to those risks, verify that those security measures have been effectively implemented, and ensure that they are continually updated in response to new developments. And when that is done, the law requires that the process be repeated periodically.
As a result, security measures necessary for legal compliance vary depending on the situation, with decisions regarding the specifics of your security strategy being left up to your company. In Guin v. Brazos Higher Education Service, for example, the court rejected an argument that a specific security measure -- in that case, encryption of personal data on a laptop -- was legally required. Instead, the court noted that the security controls in place were reasonable in light of the risk assessment done.
In other words, the focus is on risk assessment, and then on adopting security controls that are responsive to the threats your company faces. It is not enough merely to implement impressive-sounding security measures.
For example, posting armed guards around a building or requiring key-card access may give the appearance of security, but if the primary threat the company faces is unauthorized remote access via the Internet, physical security measures are of little value. Likewise, firewalls and intrusion detection software are often effective ways to stop hackers and protect sensitive databases, but if a company's major vulnerability is careless (or malicious) employees who inadvertently (or intentionally) disclose passwords or protected information, then even those sophisticated technical security measures, although important, will not adequately address the problem.
Adopting appropriate security controls in response to risk assessment plays an important role in determining whether liability will be imposed in the event of a breach. In Bell v. Michigan Council, for example, the court held that a union was liable for failure to provide appropriate security where it did nothing to protect against a foreseeable threat to its data. Yet in the Guin case noted above, the court held that a proper risk assessment had been performed and that the harm in question was not reasonably foreseeable. As such, the defendant was not liable for its failure to defend against that particular risk.
The law also examines whether security controls are adequate and properly implemented. Just because data is encrypted, for example, does not mean it is secure. One need only look at the TJX breach, which compromised an estimated 90 million encrypted credit card records. Ongoing monitoring, testing, and evaluation of the effectiveness of security controls is required to ensure that they are properly implemented and continue to be effective.
And when assembling your security strategy to appropriately meet the risks your organization faces, don't forget about third parties that have your data. Outsourcing information processing does not relieve you of your obligation to secure the outsourced data. As a consequence, you must look carefully at the security measures your outsource providers have in place -- contractual and otherwise -- to respond to a breach should one occur.