Plenty of sensitive client data does not fall under federally legislated standards. So how do you know if you’re taking reasonable security actions? Here’s where to go to find out.
(ChannelProNetwork.com) – What constitutes “reasonable” steps in securing a client’s data? For electronic healthcare records, these are spelled out in the federally legislated HIPAA standard; for credit card transactions, PCI DSS (Payment Card Industry Data Security Standard). For protection and redress against identity theft in credit accounts, there’s FACTA (Fair and Accurate Credit Transactions Act), and the Gramm-Leach-Bliley Act for financial services firms, both enforced by the FTC.
But plenty of sensitive client data is neither health- nor credit-card-related. What federal or state requirements prevail here? Of equal concern to businesses: What measures, when taken, prove sufficient diligence to protect them from liability in the event of a breach?
First to define “reasonable” steps is California. In February its attorney general chose the 20 controls defined by the Center for Internet Security (CIS), a 501(c)(3) organization dedicated to enhancing cybersecurity readiness and response among public and private sector entities, as the “minimum level of information security that all organizations handling personal data should meet.” Listed in the order in which they should be implemented, they include such widely accepted but surprisingly neglected practices as taking inventory of all authorized and unauthorized hardware devices and software, implementing and maintaining secure configurations, patching vulnerabilities, and restricting unauthorized users. They also outline a process to help organizations of varying sizes scale their security solutions to fit.
Similarly, HIPAA and FACTA federal guidelines reference National Institute of Standards and Technology (NIST) guidelines. NIST is a non-regulatory arm of the U.S. Commerce Department that sets security standards for all federal computer systems.
California Picks Existing Standard
Angie Singer Keating is CEO of Tyrone, Pa.-based Reclamere, which deals in data destruction, data breach response, notification and compliance. “I am thrilled that the California attorney general had the good sense to pick an existing standard instead of trying to reinvent the wheel,” says Keating. Acknowledging considerable overlap between CIS and NIST, she says that the top 20 are great for small and midsize organizations, NIST for midsize and larger. She expects other states to follow California’s lead, in the absence of overarching federal standards.
Knowing NIST, the SANS-CIS 20, and the security requirements of a client’s industry makes a channel partner a valuable resource. But when it comes to data security compliance, tech tools are just one leg of a three-legged stool of “people, process, and technology,” says Keating. “Breakdowns in processes and human error must be addressed. The best way to make sure that the triad is balanced is to have regular and robust risk analysis performed”—the implication here being that this must be done by company outsiders.
Often that analysis is an attorney’s job, particularly for those two nontechnology legs. Jason Gavejian is a lawyer at Jackson Lewis’ Morristown, N.J., office, where he specializes in data security and workplace privacy. He says that most of his clients are small to midsize firms. “Given our workplace law history, it’s a natural transition for us to coordinate among HR, legal, IT, and the various business units to try [to] make sure that we’re implementing the appropriate policies and procedures, based on the law in your state, or on the type of data you store.”