Data security measures failing to match legal expectations
Computerworld - Emerging legal expectations for data security and privacy are making it increasingly important for companies to demonstrate reasonable care in protecting their IT assets, say security and legal experts.
Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act (see story), as well as several proposed state and federal identity-theft prevention laws, impose significant security and administrative requirements on companies. The problem is that there are no regulation-specific technology standards or guidelines that companies can adopt to demonstrate compliance with these requirements.
The regulations have considerably increased the legal exposure of companies in the event of security breaches, said Erin Kenneally, a forensic analyst and attorney at the San Diego Supercomputer Center in La Jolla, Calif. "From a legal-risk standpoint, it is a very unstable field," Kenneally said.
Companies must establish processes to show that reasonable attempts are being made to secure data, said Bruce Heiman, a partner at Preston Gates Ellis & Rouvelas Meeds LLP in Washington. "You need to say what you'll do and do what you say," he said.
Because most of the laws are technology-agnostic, there is a "considerable level of interpretation" regarding how they should be implemented technologywise, said Lew Wagner, chief information security officer at the M.D. Anderson Cancer Center at the University of Texas in Houston. "At one level, they all boil down to access-control systems, audit-control systems, some sort of encryption capability for confidentiality and other administrative stuff, such as policy and training."
But because the legal view of due-care standards may differ from a technologist's view, in many cases, the courts will have to decide what acceptable standards are, said Jon Stanley, an attorney on the American Bar Association information security committee.
"Something will become a standard because a court says it is a standard. And ultimately, litigation specialists will go into IT rooms and say, 'Here is what you are going to have to do' " to comply, Stanley said.
Don't be surprised to see many companies biding their time, waiting for such case law to emerge before implementing widespread security-related technology changes, said Roger Brown, an IT auditor at Jefferson Health System, a $2 billion health care organization in Radnor, Pa.
Though HIPAA's privacy compliance and code-transaction testing deadlines went into effect April 14, health care organizations don't have to implement related security changes until 2005. But organizations that haven't implemented those changes are unlikely to be fully compliant with the privacy requirements currently in effect, he said.
"HIPAA should change the price of ignoring technology-related risks" for health care organizations, Brown said. But because it's written vaguely from an implementation standpoint, he said, the "final details will be fleshed out in the trial courts."
- 5 Customers Deliver Virtual Desktops and Apps to Empower a Modern Workforce Learn how Citrix solutions helped 5 companies realize the full value of desktop virtualization through a project-by-project approach based on key business priorities.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- IDC MarketScape: Worldwide Client Virtualization Software 2013 Vendor Assessment IDC has placed Citrix in the 2013 IDC MarketScape Leaders Category once again noting that, "Citrix's position reflects the company's market leadership and...
- Infographic: Top Use Cases for Desktop Virtualization A wide range of business issues is driving IT toward desktop virtualization. One solution-Citrix XenDesktop with FlexCast technology-helps IT teams empower their entire...
- What Does it Take to Deliver a Superior Customer Experience? The Two Top-Rated Online Retailers, B&H Photo and Crutchfield Electronics, Share Their Secrets Discuss practical CX tools and service methods such as contact center agents and the use of realtime speech analytics to help contact center...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily... All Gov't Legislation/Regulation White Papers | Webcasts