The Developing Legal Standards for Data Security
August 2008
by Gary Clayton, Privacy Compliance Group, Inc.
Over the last 5 years, there has been a rapidly
growing number of incidents involving the theft or loss of sensitive personal
information of both customers and employees. These incidents reflect the considerable
risks involved in the collection and processing of large amounts of personal
data—particularly data that includes sensitive financial information such as
credit card and Social Security numbers.
The global nature of these risks is seen in the U.S. Justice Department's
recent announcement that it had charged 11 people in connection with the hacking
of at least 9 major retailers, and the theft and sale of more than
41 million credit and debit cards from customers
of major retailers such as T.J. Maxx, OfficeMax, Marshalls, and Sports Authority.
Officials with the Department of Justice said the defendants indicted were
part of a criminal ring that stretched from the United States to Eastern Europe
to East Asia, highlighting the global nature of computer crime. Charges of conspiracy,
computer intrusion, fraud, and identity theft have been brought against people
from Estonia, Ukraine, China, and Belarus, as well as the United States.1
The global threat to the security and privacy of personal data is causing
legislators in countries worldwide to enact legislation. As a result, the safeguarding
of sensitive personal data is no longer simply a good business practice. It
is becoming a legal obligation with companies having fiduciary-like duties to
protect personal information with appropriate and reasonable security measures.
Companies are also subject to the duty to prevent inappropriate access or other
misuse of information, notifying individuals of security breaches, and implementing
appropriate administrative, physical, and technical safeguards to protect the
data. This article provides an overview of some of the significant
laws and regulations that have been implemented for managing risks related to the
processing of personal data.
Laws in the United States
The new laws recognize the maxim that "security is a process, not a product."
Corporate legal obligations to implement security safeguards are being mandated
in an expanding number of laws, regulations, and government enforcement actions.
These regulate security from a number of perspectives. Many of the laws aim
to protect specific industries, such as financial and healthcare.
In the financial sector alone, there are over 200 laws, regulations, and
government bulletins, alerts, and other documents that address the information
security obligations of financial institutions.2 Additionally, laws
in the United States are making it clear that information security is no longer
just a technical issue for the IT department. The CEO, board of directors, and
other upper management are being made responsible for ensuring appropriate safeguards
are put in place.
The U.S. laws and regulations are requiring the development and implementation
of a "comprehensive information security program" that is appropriate to safeguard
the specific data in question. In turn, this requires organizations to conduct
periodic risk assessments to identify specific threats and vulnerabilities and
to develop and implement a security program to safeguard against the identified
risks. Companies must continually review and adjust this program in light of
changes, both internal and external. Companies may be required to bring in outside
experts or third-party service providers. Upper management is being made responsible
for the overall security program and ensuring its upkeep.
Finally, 45 U.S. states and jurisdictions, including Puerto Rico and the
District of Columbia, have enacted security breach notification laws imposing
an obligation to disclose security breaches to individuals whose data is involved.3
International Laws
Internationally, there are over 60 countries that have enacted data protection
laws to protect privacy and security of personal data. Some of the more significant
laws or guidelines are listed below.
OECD Guidelines for the Security of Information Systems and Networks
The Organization for Economic Cooperation and Development (OECD) has stated
the need to develop a global "Culture of Security" to protect networks and sensitive
data. The guidelines are voluntary and call for cooperation among governments,
business, and society. The guidelines encourage the use of safeguards to prevent,
detect, and rapidly respond to security incidents. The guidelines also call
for organizations to implement technical and nontechnical safeguards, to conduct
regular risk assessments, and to develop and implement privacy and security
policies and procedures.
European Union
The EU Data Protection Directive provides the basic framework for privacy
and data protection throughout Europe. The Directive requires data processors
(data controllers) to use appropriate technical and organizational measures
to adequately protect personal data. These safeguards must be "appropriate"
in light of the current state of technology, the expense involved, the level
of risk to the data, and the nature of the personal data.4 In addition
to the EU Directive, a number of the individual Member States, such as Italy
and Spain, have adopted comprehensive national data protection legislation.
Argentina
The Personal Data Protection Act of 2000 contains stringent data security
requirements for data controllers to:
take such technical and organizational measures as are necessary to guarantee
the security and confidentiality of personal data, in order to avoid their
alteration, loss, unauthorized consultation or treatment, and which allow
for the detection of any intentional or unintentional distortion of such
information, whether the risks arise from human conduct or the technical
means used.
Act No. 25326 (2000).
Australia
The Federal Privacy Act of 1988 (Act
No. 119 of 1988) contains 11 privacy principles. Australia also has a set
of similar "national privacy principles" that apply to nongovernment organizations.
Both of these sets of principles require entities to take reasonable steps to
protect personal data against loss, unauthorized access, disclosure, or other
misuse. Alternatively, private companies may devise their own codes of privacy
and submit them to Australia's Privacy Commissioner for approval.
Canada
Under Canada's
Personal Information Protection and Electronic Documents Act (PIPEDA), organizations
that process personal data must implement physical, organizational, and technological
safeguards that are designed to protect against data loss or theft, as well
as unauthorized access, use, disclosure, copying, or modification of data. PIPEDA
does not specify the exact form that these safeguards must take. Instead, PIPEDA
simply states that the safeguards must be "appropriate" in light of the sensitivity
of the information and the amount, distribution, format, and method of storage
used for the information.
Hong Kong
The Personal Data (Privacy) Ordinance mandates that data processors must
take:
[a]ll practicable steps to protect against unauthorized access to, use or
destruction of personal data, taking into account the nature of the data,
the potential risks to that data, and the physical location of the data.
Japan
Japan has enacted the Act on the Protection of Personal Information, Law
No. 57 (2003), which requires data processors to maintain the accuracy of information.
Data processors must also implement "necessary and proper" measures for preventing
unauthorized disclosure, loss or damage of personal data. The Japanese Act also
requires processors to ensure the security of data in the hands of third parties.
Conclusion
Most of the privacy and data protection laws and regulations impose an obligation
on organizations to implement "reasonable" and "appropriate" safeguards. To
determine this, organizations must effectively manage their own internal data
processing as well as that of their agents and contractors, to provide for the
reasonable security of personal data. Additionally, organizations must implement
controls to ensure that upper management is provided with adequate and up-to-date
information necessary to accurately assess risks to personal data and to implement
a robust data protection program.
This article is the first part of a series of articles
relating to the development of legal obligations for protecting private data
and the implementation of practical solutions to meet these obligations. The
second article in this series will examine practical risk avoidance steps that
organizations can take to develop and implement such a robust data protection
program. The final article will outline risk mitigation steps that organizations
can take when the inevitable security breach occurs.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.