Data security measures failing to match legal expectations
Computerworld - Emerging legal expectations for data security and privacy are making it increasingly important for companies to demonstrate reasonable care in protecting their IT assets, say security and legal experts.
Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act (see story), as well as several proposed state and federal identity-theft prevention laws, impose significant security and administrative requirements on companies. The problem is that there are no regulation-specific technology standards or guidelines that companies can adopt to demonstrate compliance with these requirements.
The regulations have considerably increased the legal exposure of companies in the event of security breaches, said Erin Kenneally, a forensic analyst and attorney at the San Diego Supercomputer Center in La Jolla, Calif. "From a legal-risk standpoint, it is a very unstable field," Kenneally said.
Companies must establish processes to show that reasonable attempts are being made to secure data, said Bruce Heiman, a partner at Preston Gates Ellis & Rouvelas Meeds LLP in Washington. "You need to say what you'll do and do what you say," he said.
Because most of the laws are technology-agnostic, there is a "considerable level of interpretation" regarding how they should be implemented technologywise, said Lew Wagner, chief information security officer at the M.D. Anderson Cancer Center at the University of Texas in Houston. "At one level, they all boil down to access-control systems, audit-control systems, some sort of encryption capability for confidentiality and other administrative stuff, such as policy and training."
But because the legal view of due-care standards may differ from a technologist's view, in many cases, the courts will have to decide what acceptable standards are, said Jon Stanley, an attorney on the American Bar Association information security committee.
"Something will become a standard because a court says it is a standard. And ultimately, litigation specialists will go into IT rooms and say, 'Here is what you are going to have to do' " to comply, Stanley said.
Don't be surprised to see many companies biding their time, waiting for such case law to emerge before implementing widespread security-related technology changes, said Roger Brown, an IT auditor at Jefferson Health System, a $2 billion health care organization in Radnor, Pa.
Though HIPAA's privacy compliance and code-transaction testing deadlines went into effect April 14, health care organizations don't have to implement related security changes until 2005. But organizations that haven't implemented those changes are unlikely to be fully compliant with the privacy requirements currently in effect, he said.
"HIPAA should change the price of ignoring technology-related risks" for health care organizations, Brown said. But because it's written vaguely from an implementation standpoint, he said, the "final details will be fleshed out in the trial courts."
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- The Truth About Virtual Computing for CAD If you're a user of graphics-intensive software such as 3D modeling, simulation and analysis, and visualization, you might be skeptical about moving to...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Simplifying Product Design In A Complex World Product design engineering has moved far beyond the confines of ever-more powerful workstations. Companies can't afford to restrict projects to using only local...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Why Are Customers Really Deploying an NGFW? It seems every IT Security expert is talking about the NGFW, but what are people really doing? This webcast covers 5 real-world customer... All Gov't Legislation/Regulation White Papers | Webcasts