This chapter discusses the historical background, sources, and scope of the current definitive legal standard for information technology security practices at most U.S. companies, regardless of size or industry sector. In addition, this chapter includes discussion of the requirement for a process-oriented written information security program (WISP) and the minimum required elements of a WISP, including the requirements to provide both "reasonable security" and security breach notification.
Information security; Security measures; Information technology; Legal; Regulatory; Law; Statute; Compliance; Security breach; Plan; Risk; Best practices
Impact of recent history
Sources of legal obligations
Scope of legal obligations
Definitive legal standard
Responsibility for compliance
Required elements of a written information security plan
Warning
The information presented in this chapter is intended to inform readers of potential issues, responsibilities, and requirements of the law with regard to data security. It is not legal advice and should not be construed in any manner as such. The publisher and the author make no legal warranties of any kind and nothing in this chapter should be taken as legal advice. For more information, contact your firm's legal counsel or an attorney who specializes in Internet, e-commerce, and electronic data security law.
The privacy and security of personal information first became an area of concern in the 1960s and 1970s with military-based security data and the passage of the 1970 Fair Credit Reporting Act (FCRA). Since then, the emergence of the Internet and the proliferation of networked information systems, while providing businesses and governments with far-reaching economic benefits, have resulted in widespread abuse and theft of personal information as well as acts of cyber terrorism that have exposed the nation's critical infrastructure and defense to grave risk.
The reaction to these incidents has been a significant expansion of government oversight into the information technology (IT) systems and data maintained by both businesses and government. As of the writing of this book, no single federal law or regulation governed the security of all types of personal or other sensitive information. As a result, states have stepped in with their own laws resulting in a complex patchwork of federal and state requirements that affect nearly all businesses. Until the 1990s, legislative regulation was largely limited to specific sectors of the economy (e.g., credit reporting, government, healthcare, education). However, with the significant rise in security breaches over the past 10 years, the United States has implemented many federally based security protection laws, with most state-mandated regulations proliferating since 2008.
From this complex patchwork of laws and regulations, a definitive legal standard is emerging which mandates nearly all businesses in the United States be subject to two key legal requirements:
1. The requirement to provide reasonable security for their corporate data and information systems;
2. The requirement to disclose security breaches to those who may be adversely affected by such breaches.
Within the first requirement, a legal definition of "reasonable security" has emerged from applicable law. All of the major security-related statutes, regulations, and government enforcement actions over the past few years show a remarkable consistency in approach. When viewed as a whole, they establish a clearly defined standard for legal compliance, one that requires a process-oriented approach to the development and maintenance of a written information security program (WISP). In addition, the emerging legal standard has helped to clarify the scope and extent of a company's obligation to implement an information security program. Under the standard, the obligation to provide reasonable security requires both (1) implementation of an ongoing process and (2) addressing certain categories of security measures. Moreover, evidence suggests that even in cases not subject to such laws, this process-oriented approach is the definitive standard against which legal compliance is measured.
The second requirement, which has also received extensive legislative support, is a legal corollary to the requirement to provide reasonable security. Born out of years of data breaches involving sensitive personal information and resulting cases of identity theft, this requirement primarily stipulates that security breaches be disclosed to individuals whose personal information has been compromised. In addition, the requirement also dictates that security breaches be disclosed to the government by certain entities, such as those involved in certain types of financial transactions or critical infrastructure. As of 2012, the requirement to disclose security breaches is the law in 46 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, and is likely to become federal law in the near future, as well.
In addition to the direct financial losses that stem from the data breach itself, noncompliance with either of these legal requirements has resulted in high costs in litigation, settlement fees, and fines imposed by government regulatory agencies. Lawsuits may be filed by customers, company shareholders, vendors, and other business partners. Even more costly (and more difficult to quantify) is the loss of public goodwill arising from a breach of data security.
The only thing that can make a major security breach even worse is a regulatory investigation or civil action alleging that you failed to meet your obligations under applicable law, and that such a failure resulted in the breach.
- Proskauer Rose LLP (Neuburger and Newman, 2010)
For both the requirement to provide "reasonable security" and the requirement to disclose breaches, this chapter will examine (1) recent history which has resulted in broad regulatory change, (2) the current regulatory environment, including the nature and scope of requirements, and (3) what companies should do to manage their information security in order to address their compliance obligations.
In terms of BC/DR planning efforts, it is important to understand that security breaches, including theft of personal or other sensitive data, are a significant cause of disasters and this risk includes both direct financial losses as well as losses from a tarnished reputation and potential legal action. As you develop your BC/DR plan, you'll need to pay special attention to the types of data your company deals with and how those types of data need to be managed, particularly in terms of mitigating (avoiding) the risk and recovering from an incident. More information on risk and impact assessment, including how to properly evaluate security threats and determine their potential impact, can be found in Chapters 4 and 5. In addition, more information on recent legal developments surrounding data privacy and security can be found in the Case Study from Deanna Conn following this chapter.
Several recent highly publicized data security breaches involving the loss or disclosure of sensitive personal information have put added pressure on federal and state lawmakers to continue to enhance federal and corporate legal obligations to implement security safeguards. It all began on February 15, 2005, when data broker ChoicePoint Inc. disclosed that sensitive personal information it had collected on 145,000 individuals had been compromised. In the 5 months that followed, over 60 additional companies, educational institutions, and federal and state government agencies, almost all household names, also disclosed breaches of the security of sensitive personal information in their possession, affecting a cumulative 50 million records. Among the records compromised, perhaps the most significant belonged to the chairman of the Federal Trade Commission (FTC) and as many as 60 U.S. Senators (Federal Trade Commission, 2006).
More recently, it appeared as if things went from bad to worse. In 2007, TJX, which owns and operates over 2500 retail outlets including T.J. Maxx, Marshalls, and Bob's Stores, disclosed that in 2005 an unknown intruder had illegally accessed one of the company's payment systems and stolen the credit and debit card information of 94 million customers across the United States, Canada, Puerto Rico, the United Kingdom, and Ireland over an 18-month period (Federal Trade Commission, 2008). This made the TJX breach the worst up until that time in terms of compromising consumer personal information. In June of 2009, TJX announced that it had agreed to pay $9.75 million to settle investigations by 41 state attorneys general who were examining the company's data security policies and practices. Under the agreement, TJX will pay $5.5 million in settlement fees, plus $1.75 million to cover the fees associated with the investigations. Additionally, the company agreed to contribute $2.5 million toward the creation of a data security fund that states will use to create a number of security-related initiatives such as developing best practice models, drafting new legislation, and establishing consumer information and outreach...