Data security measures failing to match legal expectations
Computerworld - Emerging legal expectations for data security and privacy are making it increasingly important for companies to demonstrate reasonable care in protecting their IT assets, say security and legal experts.
Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act (see story), as well as several proposed state and federal identity-theft prevention laws, impose significant security and administrative requirements on companies. The problem is that there are no regulation-specific technology standards or guidelines that companies can adopt to demonstrate compliance with these requirements.
The regulations have considerably increased the legal exposure of companies in the event of security breaches, said Erin Kenneally, a forensic analyst and attorney at the San Diego Supercomputer Center in La Jolla, Calif. "From a legal-risk standpoint, it is a very unstable field," Kenneally said.
Companies must establish processes to show that reasonable attempts are being made to secure data, said Bruce Heiman, a partner at Preston Gates Ellis & Rouvelas Meeds LLP in Washington. "You need to say what you'll do and do what you say," he said.
Because most of the laws are technology-agnostic, there is a "considerable level of interpretation" regarding how they should be implemented technologywise, said Lew Wagner, chief information security officer at the M.D. Anderson Cancer Center at the University of Texas in Houston. "At one level, they all boil down to access-control systems, audit-control systems, some sort of encryption capability for confidentiality and other administrative stuff, such as policy and training."
But because the legal view of due-care standards may differ from a technologist's view, in many cases, the courts will have to decide what acceptable standards are, said Jon Stanley, an attorney on the American Bar Association information security committee.
"Something will become a standard because a court says it is a standard. And ultimately, litigation specialists will go into IT rooms and say, 'Here is what you are going to have to do' " to comply, Stanley said.
Don't be surprised to see many companies biding their time, waiting for such case law to emerge before implementing widespread security-related technology changes, said Roger Brown, an IT auditor at Jefferson Health System, a $2 billion health care organization in Radnor, Pa.
Though HIPAA's privacy compliance and code-transaction testing deadlines went into effect April 14, health care organizations don't have to implement related security changes until 2005. But organizations that haven't implemented those changes are unlikely to be fully compliant with the privacy requirements currently in effect, he said.
"HIPAA should change the price of ignoring technology-related risks" for health care organizations, Brown said. But because it's written vaguely from an implementation standpoint, he said, the "final details will be fleshed out in the trial courts."
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
Changing the Way Government Works: Four Technology Trends that Drive Down Costs and Increase Productivity
This paper discusses four technology-based approaches to improving processes and increasing
productivity while driving down department and agency costs.
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Building a Bridge to the Next Generation Data Center Selecting a widely adopted operating system is a foundational component of a standardization strategy.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Gov't Legislation/Regulation White Papers | Webcasts