Chapter 2

Overview of Information Security and Compliance: Seeing the Forest for the Trees

Michael R. Overly

2.1 Introduction

Businesses today are faced with the almost-insurmountable task of complying with a confusing array of laws and regulations relating to data privacy and security. These can come from a variety of sources: local, state, national, and even international lawmakers. Information security standards not only are established through laws and regulations but also may be created by contractual standards such as the Payment Card Industry Data Security Standard (PCI DSS) and even common industry standards for information security published by organizations like the Computer Emergency Response Team (CERT) at Carnegie Mellon, and the families of standards from the International Organization for Standardization (ISO).

In many instances, laws and regulations are vague and ambiguous, with little specific guidance regarding compliance. Worse yet, the laws of different jurisdictions may be, and frequently are, conflicting. One state or country may require security measures that are entirely different from those of another state or country. Reconciling all of these legal obligations can be, at best, a full-time job and, at worst, the subject of fines, penalties, and lawsuits.

In response to the growing threat to data security, regulators in literally every jurisdiction have enacted or are in the process of enacting laws and regulations to impose data security and privacy obligations on businesses. Even within a single jurisdiction, a number of government entities may all have authority to take action against a business that fails to comply with applicable standards. That is, a single security breach might subject a business to enforcement actions from a wide range of regulators, not to mention possible claims for damages by customers, business partners, shareholders, and others. The United States, for example, uses a sector-based approach to protect the privacy and security of personal information (e.g., separate federal laws exist relating to health care, financial, credit worthiness, student, and children’s personal information). Other approaches, for example in the European Union, provide a unified standard but offer heightened protection for certain types of highly sensitive information (e.g., health care information, sexual orientation, union membership). Actual implementation of the standards into law is dependent on the member country. Canada uses a similar approach in its Personal Information Protection and Electronic Documents Act (“PIPEDA”). Liability for fines and damages can easily run into millions of dollars. Even if liability is relatively limited, the company’s business reputation may be irreparably harmed from the adverse publicity and loss in customer and business partner confidence.

The challenges of compliance with this ever-increasing morass of laws, regulations, standards, and contractual obligations can be overwhelming, particularly in the context of Big Data, for which the volume and variety of data might implicate dozens of potentially conflicting obligations and standards. Even if no personally identifiable information is at risk, businesses have obligations to protect other highly sensitive information relating to, for example, their trade secrets, marketing efforts, business partner interactions, and so on.

Although there are no easy solutions, this chapter seeks to achieve several goals:

  • To make clear that privacy relating to personal information is only one element of compliance. Businesses also have obligations to protect a variety of other types of data (e.g., trade secrets, data and information of business partners, nonpublic financial information, etc.).
  • To sift through various privacy and security laws, regulations, and standards to identify three common, relatively straightforward threads that run through many of them:
    1. The confidentiality, integrity, and availability (CIA) requirement that has been a fundamental precept of information security for many, many years;
    2. Acting “reasonably” or taking “appropriate” or “necessary” measures to protect sensitive information; and
    3. Scaling security measures to reflect the sensitivity of the information and magnitude of the threat presented (e.g., “one size fits all” is not an appropriate approach to information security and privacy).

By understanding these high-level concepts, businesses can better understand their overall information security and compliance obligations.

2.2 What Kind of Data Should Be Protected?

In thinking about information security, the natural first thought is of personally identifiable data or personal information. Although it is certainly true that most laws and regulations focus on personal information, this is only one type of data for which businesses may have legal obligations. Almost every business will have a wide variety of highly sensitive information that must be secured. Some examples include the following:

  • General confidential information of the business. This could include financial information, marketing plans, potential promotional activities, business contact information, investor information, new product plans, customer lists, and so on.
  • Intellectual property frequently makes up one of the most, if not the most, substantial asset of businesses. A breach of security could result in the business forever losing its ability to enforce its intellectual property rights. For example, trade secrets are defined as sensitive information of a business that has value because it is not generally known in the industry and is the subject of efforts by the business to ensure it remains confidential (e.g., the formula for Coca-Cola®). If a trade secret is revealed to the public, it loses its status and value as a trade secret. Almost every business has at least some trade secrets. A customer list, software source code, formulas, methods of doing business, and so on can all be trade secrets. These must be secured to ensure the information remains protected as a trade secret.
  • Health care information is one of the most highly regulated and sensitive types of information. In the United States, for example, the Health Insurance Portability and Accountability Act (HIPAA) regulates the privacy and security of personal health information. In some jurisdictions, it is afforded the highest protection in comparison with other types of personal data. In the European Union, health care information is afforded heightened protection under the European Union Data Protection Directive, as reflected in the member countries’ implementing laws. See also the Australian Privacy Act 1988 and recent Privacy Amendment (Enhancing Privacy Protection) Act. A business may be in the health care industry and have possession of actual patient records, but even a business that has nothing to do with the health care industry may have health care information of its employees (e.g., insurance claim information) that it is obligated to protect.
  • Like health care information, personal financial information is also heavily regulated and highly sensitive. In the United States, the Gramm-Leach-Bliley Act (GLBA) addresses the privacy and security of personal financial information. In other countries, personal information is broadly defined in overarching laws to encompass almost anything identifiable to an individual, including, of course, financial information. See, for example, Japan’s Personal Information Protection Act. As with health care information, a business need not be in the financial services industry to possess this type of information. Every employer has sensitive financial information of its employees (e.g., salary information, Social Security and other personal identification numbers, bank account numbers, etc.).
  • Even security information, itself, is sensitive and should be protected. The security policies, security audit reports, disaster recovery and business continuity plans, and other similar information of a business are all highly sensitive. If compromised, the information could be used to exploit vulnerabilities in the business.

2.3 Why Protections Are Important

Legal compliance is certainly at the very top of every business's list in terms of reasons to implement information security measures to protect sensitive data. However, there are other, significant, reasons for businesses to address this risk:

  • Protecting Corporate Assets. As noted in the preceding section, in addition to personally identifiable data, every business also has other, highly proprietary information that it must protect (e.g., intellectual property, marketing plans, new product plans, investor information, financial information, etc.). These are all valuable assets of the business, deserving of protection.
  • Establishing Diligence. Many laws and regulations include the concept of requiring the business to act with due diligence in protecting sensitive data. The same concept exists more generally in the obligation of corporate management to act with due care and to exercise reasonable judgment in conducting the business, which would include acting with due diligence in protecting corporate information assets. Neither applicable law nor this more general corporate governance standard requires perfection. Rather, the business and its managers must be able to demonstrate they acted reasonably, appropriately, and with due diligence in protecting their information assets. By implementing and documenting a thoughtful approach to mitigating information security risks, the business and its managers will have evidence to support they did just that in the event of a breach.
  • Protecting Business Reputation. Being the subject of a security breach can dramatically harm the reputation of a business. Adverse publicity of this kind could seriously harm a business. Customers and business partners may lose confidence in the ability of the business to protect their information and secure their systems.
  • Minimizing Potential Liability. Finally, the most obvious reason for implementing a thoughtful approach to information security is minimizing potential liability. Liability can take many forms: fines by a variety of regulators, statutory sanctions, shareholder lawsuits, and civil suits by business partners and customers (including the possibility of costly class action lawsuits) against both the business and, potentially, its management.

2.4 Common Misconceptions about Information Security Compliance

There is much confusion and many misconceptions when it comes to information security compliance. The two biggest misconceptions are that “it’s all about the data” and “it’s all about confidentiality.” While data and confidentiality are certainly of critical importance, a more holistic approach is required. A business must be concerned about its data, but it must be equally concerned about the systems on which the data resides. In addition, confidentiality is only one of the three key protections required for true security.

Anyone involved in information security should be familiar with the acronym CIA, which stands for confidentiality, integrity, and availability. For data to be truly secure, each of these three elements must be satisfied.

  • Confidentiality means the data is protected from unauthorized access and disclosure. This is the most obvious of the three requirements in CIA.
  • Integrity means the data can be relied on as accurate and that it has not been subject to unauthorized alteration. Consider the importance of the integrity element in the context of Big Data: If the data cannot be relied on because certain elements may have been altered, the entire database is rendered suspect.
  • Finally, availability means the data is available for access and use when required. It does no good to keep data confidential and its integrity maintained if the data is not actually available when a user requires it. To achieve this last requirement, the systems on which the data resides must have specific service levels for availability, response time, and so on. This is particularly important when a third-party vendor may be hosting the data for the benefit of the business.
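The integrity element above is the one most easily overlooked in a Big Data setting, where a small number of altered rows can make an entire dataset suspect. The following is an added example (not code from this chapter) of one common way to make unauthorized alteration detectable: each record is tagged with a keyed HMAC when it is accepted, the tags are stored apart from the data, and a later verification pass reports which records were altered, inserted without a tag, or deleted. The key, record layout and sample values are constructed for the illustration.

```python
"""Integrity check for a batch of records using keyed HMAC tags (added example).

Illustrates the 'integrity' leg of CIA: tags computed with a secret key let a
later check detect altered, inserted or deleted records. Key, field names and
sample data below are constructed for this example only.
"""
import hashlib
import hmac
import json

# Constructed demo key; in practice this comes from a key-management system
# and is never stored alongside the data it protects.
DEMO_KEY = b"demo-integrity-key-not-for-production"


def canonical(record):
    """Serialize a record deterministically so identical content yields identical tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record, key=DEMO_KEY):
    """Compute a keyed tag (HMAC-SHA256) over the canonical form of one record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def tag_dataset(records, key=DEMO_KEY):
    """Return a map from record id to tag; store this separately from the data."""
    return {r["id"]: tag_record(r, key) for r in records}


def verify_dataset(records, tags, key=DEMO_KEY):
    """Compare the current records against the stored tags.

    Returns a report with three lists:
      - 'altered':  ids whose content no longer matches their tag
      - 'untagged': ids present in the data but with no stored tag (possible insertion)
      - 'missing':  ids with a stored tag but no record (possible deletion)
    """
    altered, untagged = [], []
    seen = set()
    for r in records:
        rid = r["id"]
        seen.add(rid)
        expected = tags.get(rid)
        if expected is None:
            untagged.append(rid)
            continue
        # compare_digest performs a constant-time comparison of the two tags
        if not hmac.compare_digest(expected, tag_record(r, key)):
            altered.append(rid)
    missing = sorted(set(tags) - seen)
    return {"altered": altered, "untagged": untagged, "missing": missing}


# Constructed sample: three records as they were when the tags were issued.
ORIGINAL = [
    {"id": "r1", "name": "A. Example", "balance": 120.50},
    {"id": "r2", "name": "B. Example", "balance": 75.00},
    {"id": "r3", "name": "C. Example", "balance": 980.25},
]
TAGS = tag_dataset(ORIGINAL)

# Constructed later copy of the data: r2 altered, r3 deleted, r4 inserted without a tag.
LATER_COPY = [
    {"id": "r1", "name": "A. Example", "balance": 120.50},
    {"id": "r2", "name": "B. Example", "balance": 7500.00},
    {"id": "r4", "name": "D. Example", "balance": 1.00},
]


def demo():
    """Run the verification over the constructed sample and return the report."""
    return verify_dataset(LATER_COPY, TAGS)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as strong as the separation it relies on: if the key or the tag store sits in the same place as the data, whoever can alter a record can recompute its tag. Detected deletions and untagged insertions matter as much as altered rows, since they are the cases a naive per-row hash comparison misses.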

The importance of CIA cannot be overstated. It is not just a concept in information security treatises. Lawmakers have directly incorporated that very language into certain information security laws and regulations. Businesses that fail to achieve CIA with regard to their data may be found in violation of those laws.

A final misconception about information security and privacy laws is that they require perfection (i.e., any breach, regardless of how diligent the business has been, will create liability). This is not true. The laws and regulations in this area are directed at having businesses do what is reasonable and appropriate. If the business achieves that standard and a breach nonetheless occurs, it will generally not have a compliance problem.

2.5 Finding Common Threads in Compliance Laws and Regulations

The sheer number and variety of laws, regulations, and other standards governing the handling of sensitive information can be daunting, if not overwhelming. In some instances, it may be almost impossible for even a large, sophisticated organization to identify all applicable requirements, reconcile inconsistencies, and then implement a compliance program. In this section, the goal is not to discuss any specific laws or regulations but to identify three common threads that run through many of them. By understanding those common threads, businesses can more easily understand their baseline compliance obligations.1

As mentioned in the introduction to the chapter, there are three common threads to consider. These threads run through not only laws and regulations but also contractual standards such as the PCI DSS and, even, common industry standards for information security published by organizations like CERT at Carnegie Mellon and the families of standards furnished by ISO. Embracing these common threads in designing and implementing an overall approach to information security will greatly increase the ability of a business to achieve overall compliance with the laws, regulations, and other requirements applicable to it.

  • CIA. As discussed, the well-established, foundational concept of CIA found in every handbook on information security has now been codified into many laws and regulations. The three prongs of this concept address the most fundamental goals of information security: The data/information must be maintained in confidence, it must be protected against unauthorized modification, and it must be available for use when needed. The lack of any of the foregoing protections would materially affect compliance and the value of the information asset.
  • Acting “reasonably” or taking “appropriate” or “necessary” measures. The concept of acting reasonably is used in many state and federal laws in the United States, Australia, and many other countries. The related concept of acting to take appropriate or necessary measures is used in the European Union and many other areas. Together, they form the heart of almost every information security and data privacy law. A business must act reasonably or do what is necessary or appropriate to protect its data. Note that this does not require perfection. Rather, as discussed in the next paragraph, the business must take into account the risk presented and do what is reasonable or necessary to mitigate that risk. If a breach nonetheless occurs, provided the business has met this basic requirement, it will generally not be found in violation of the applicable law or regulation.
  • Scaling security measures to reflect the nature of the data and threat. A concept that is closely related to acting reasonably or doing what is appropriate is the idea of scaling security measures to reflect the nature of the threat and sensitivity of the data. That is, a business need not spend the entirety of its security budget to address a low-risk threat. But, if the risk is substantial, particularly in light of the volume or sensitivity of the data, the level of effort and expenditure by the business to address that risk must increase. A database with only names and physical addresses may not require as much security as a database of names, addresses, and Social Security numbers. To better understand this concept, here are excerpts from two laws that incorporate “scaling.” The first is from the Massachusetts Data Security Law:

Safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.

The second example is from the HIPAA Security Rule and gives the following factors to consider:

  (i) The size, complexity, and capabilities of the Covered Entity.
  (ii) The Covered Entity’s technical infrastructure, hardware, and software security capabilities.
  (iii) The costs of security measures.
  (iv) The probability and criticality of potential risks to ePHI (ePHI refers to protected health information in electronic form).

2.6 Conclusion

Although the number and complexity of privacy and information security laws, regulations, and other standards is ever increasing, businesses should appreciate certain common threads that run through them. In this chapter, three of the most common and most important threads were presented. By understanding that current law does not require perfection but only due care, reasonableness, and scaling measures to reflect the sensitivity of the data being placed at risk, businesses can go a long way to achieving compliance.

Note

1. Of course, businesses must ensure overall compliance with the laws and regulations applicable to them. The goal here is to identify the common ground found in many of those laws and regulations to afford businesses with a high-level view of compliance obligations.
