Data security measures failing to match legal expectations

Computerworld - Emerging legal expectations for data security and privacy are making it increasingly important for companies to demonstrate reasonable care in protecting their IT assets, say security and legal experts.

Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act (see story), as well as several proposed state and federal identity-theft prevention laws, impose significant security and administrative requirements on companies. The problem is that there are no regulation-specific technology standards or guidelines that companies can adopt to demonstrate compliance with these requirements.

The regulations have considerably increased the legal exposure of companies in the event of security breaches, said Erin Kenneally, a forensic analyst and attorney at the San Diego Supercomputer Center in La Jolla, Calif. "From a legal-risk standpoint, it is a very unstable field," Kenneally said.

Reasonable Attempts

Companies must establish processes to show that reasonable attempts are being made to secure data, said Bruce Heiman, a partner at Preston Gates Ellis & Rouvelas Meeds LLP in Washington. "You need to say what you'll do and do what you say," he said.

Because most of the laws are technology-agnostic, there is a "considerable level of interpretation" regarding how they should be implemented technologywise, said Lew Wagner, chief information security officer at the M.D. Anderson Cancer Center at the University of Texas in Houston. "At one level, they all boil down to access-control systems, audit-control systems, some sort of encryption capability for confidentiality and other administrative stuff, such as policy and training."

But because the legal view of due-care standards may differ from a technologist's view, in many cases, the courts will have to decide what acceptable standards are, said Jon Stanley, an attorney on the American Bar Association information security committee.

"Something will become a standard because a court says it is a standard. And ultimately, litigation specialists will go into IT rooms and say, 'Here is what you are going to have to do' " to comply, Stanley said.

Don't be surprised to see many companies biding their time, waiting for such case law to emerge before implementing widespread security-related technology changes, said Roger Brown, an IT auditor at Jefferson Health System, a $2 billion health care organization in Radnor, Pa.

Though HIPAA's privacy compliance and code-transaction testing deadlines went into effect April 14, health care organizations don't have to implement related security changes until 2005. But organizations that haven't implemented those changes are unlikely to be fully compliant with the privacy requirements currently in effect, he said.

"HIPAA should change the price of ignoring technology-related risks" for health care organizations, Brown said. But because it's written vaguely from an implementation standpoint, he said, the "final details will be fleshed out in the trial courts."