
The Developing Legal Standards for Data Security

August 2008

Over the last 5 years, there have been a rapidly growing number of incidents involving the theft or loss of sensitive personal information of both customers and employees. These incidents reflect the considerable risks involved in the collection and processing of large amounts of personal data—particularly data that includes sensitive financial information such as credit card and Social Security numbers.

by Gary Clayton
Privacy Compliance Group, Inc.

The global nature of these risks is seen in the U.S. Justice Department's recent announcement that it had charged 11 people in connection with the hacking of at least 9 major retailers, and the theft and sale of more than 41 million credit and debit cards from customers of major retailers such as T.J. Maxx, OfficeMax, Marshalls, and Sports Authority.

Officials with the Department of Justice said the defendants indicted were part of a criminal ring that stretched from the United States to Eastern Europe to East Asia, highlighting the global nature of computer crime. Charges of conspiracy, computer intrusion, fraud, and identity theft have been brought against people from Estonia, Ukraine, China, and Belarus, as well as the United States.[1]

The global threat to the security and privacy of personal data is causing legislators in countries worldwide to enact legislation. As a result, the safeguarding of sensitive personal data is no longer simply a good business practice. It is becoming a legal obligation with companies having fiduciary-like duties to protect personal information with appropriate and reasonable security measures. Companies are also subject to the duty to prevent inappropriate access or other misuse of information, notifying individuals of security breaches, and implementing appropriate administrative, physical, and technical safeguards to protect the data. This article provides an overview of some of the significant laws and regulations that have been implemented for managing risks related to the processing of personal data.

Laws in the United States

The new laws recognize the maxim that "security is a process, not a product." Corporate legal obligations to implement security safeguards are being mandated in an expanding number of laws, regulations, and government enforcement actions. These regulate security from a number of perspectives. Many of the laws aim to protect specific industries, such as financial and healthcare.

In the financial sector alone, there are over 200 laws, regulations, and government bulletins, alerts, and other documents that address the information security obligations of financial institutions.[2] Additionally, laws in the United States are making it clear that information security is no longer just a technical issue for the IT department. The CEO, board of directors, and other upper management are being made responsible for ensuring appropriate safeguards are put in place.

The U.S. laws and regulations are requiring the development and implementation of a "comprehensive information security program" that is appropriate to safeguard the specific data in question. In turn, this requires organizations to conduct periodic risk assessments to identify specific threats and vulnerabilities and to develop and implement a security program to safeguard against the identified risks. Companies must continually review and adjust this program in light of changes, both internal and external. Companies may be required to bring in outside experts or third-party service providers. Upper management is being made responsible for the overall security program and ensuring its upkeep.

Finally, 45 U.S. states and jurisdictions, including Puerto Rico and the District of Columbia, have enacted security breach notification laws imposing an obligation to disclose security breaches to individuals whose data is involved.[3]

International Laws

Internationally, there are over 60 countries that have enacted data protection laws to protect privacy and security of personal data. Some of the more significant laws or guidelines are listed below.

OECD Guidelines for the Security of Information Systems and Networks

The Organization for Economic Cooperation and Development (OECD) has stated the need to develop a global "Culture of Security" to protect networks and sensitive data. The guidelines are voluntary and call for cooperation among governments, business, and society. The guidelines encourage the use of safeguards to prevent, detect, and rapidly respond to security incidents. The guidelines also call for organizations to implement technical and nontechnical safeguards, to conduct regular risk assessments, and to develop and implement privacy and security policies and procedures.

European Union

The EU Data Protection Directive provides the basic framework for privacy and data protection throughout Europe. The Directive requires data processors (data controllers) to use appropriate technical and organizational measures to adequately protect personal data. These safeguards must be "appropriate" in light of the current state of technology, the expense involved, the level of risk to the data, and the nature of the personal data.[4] In addition to the EU Directive, a number of the individual Member States, such as Italy and Spain, have adopted comprehensive national data protection legislation.

Argentina

The Personal Data Protection Act of 2000 contains stringent data security requirements for data controllers to:

take such technical and organizational measures as are necessary to guarantee the security and confidentiality of personal data, in order to avoid their alteration, loss, unauthorized consultation or treatment, and which allow for the detection of any intentional or unintentional distortion of such information, whether the risks arise from human conduct or the technical means used.

Act No. 25326 (2000).

Australia

The Federal Privacy Act of 1988 (Act No. 119 of 1988) contains 11 privacy principles. Australia also has a set of similar "national privacy principles" that apply to nongovernment organizations. Both of these sets of principles require entities to take reasonable steps to protect personal data against loss, unauthorized access, disclosure, or other misuse. Alternatively, private companies may devise their own codes of privacy and submit them to Australia's Privacy Commissioner for approval.

Canada

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), organizations that process personal data must implement physical, organizational, and technological safeguards that are designed to protect against data loss or theft, as well as unauthorized access, use, disclosure, copying, or modification of data. PIPEDA does not specify the exact form that these safeguards must take. Instead, PIPEDA simply states that the safeguards must be "appropriate" in light of the sensitivity of the information and the amount, distribution, format, and method of storage used for the information.

Hong Kong

The Personal Data (Privacy) Ordinance mandates that data processors must take:

[a]ll practicable steps to protect against unauthorized access to, use or destruction of personal data, taking into account the nature of the data, the potential risks to that data, and the physical location of the data.

Japan

Japan has enacted the Act on the Protection of Personal Information, Law No. 57 (2003), which requires data processors to maintain the accuracy of information. Data processors must also implement "necessary and proper" measures for preventing unauthorized disclosure, loss or damage of personal data. The Japanese Act also requires processors to ensure the security of data in the hands of third parties.

Conclusion

Most of the privacy and data protection laws and regulations impose an obligation on organizations to implement "reasonable" and "appropriate" safeguards. To meet this obligation, organizations must effectively manage their own internal data processing as well as that of their agents and contractors, to provide for the reasonable security of personal data. Additionally, organizations must implement controls to ensure that upper management is provided with the adequate and up-to-date information necessary to accurately assess risks to personal data and to implement a robust data protection program.


This article is the first part of a series of articles relating to the development of legal obligations for protecting private data and the implementation of practical solutions to meet these obligations. The second article in this series will examine practical risk avoidance steps that organizations can take to develop and implement such a robust data protection program. The final article will outline risk mitigation steps that organizations can take when the inevitable security breach occurs.


[1] Simone Baribeau and Ellen Nakashima, "11 Charged in Global Theft, Sale of 40 Million Card Numbers," www.washingtonpost.com (August 6, 2008).

[2] Thomas J. Smedinghoff, "Trends in the Law of Information Security," World Data Protection Report (August 2004).

[3] A complete list of all such laws and regulations can be found at State Security Breach Notification Laws, National Conference of State Legislatures.

[4] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2012 International Risk Management Institute, Inc. (IRMI). All rights reserved.