Having worked for an MSSP (Managed Security Services Provider), I had the privilege of interacting and working with many different clients from different industrial sectors. Each organization, depending on the sector it fell under, had different reasons for signing up with the MSSP. Even within the same sector, different organizations had different drives as to why they needed an information security company to partner with them. We would get everything from the security-focused kind to the ‘check-box’ kind, but what was common across the board was that for most, the decision was somehow beyond their control: due to regulation, they had to have some security controls in place to avoid being in violation of whatever regulation they fell under. Currently, I work for a financial institution and I now understand how powerful the audit team within the company is. The financial sector is one of the most heavily regulated industries, with healthcare being the other ‘unlucky’ candidate, and seeing first-hand the pull or push regulators have, I now have a new-found appreciation of why audit is so revered or avoided, depending on when the project deadline is due.
That said, for this week I would like to talk about U.S. privacy breach laws.
You may be wondering how this relates to cybersecurity. You may be asking yourself, “…I thought as a cybersecurity professional, the focus would be catching the bad guys?” Well, for one, both IT security and audit teams within an organization need to be aware of their State’s data privacy breach laws in order to avoid any nonconformity with compliance requirements, which may mean financial penalties and other legal ramifications. When the business gets impacted (negatively), all business units feel the pain, and this includes IT and information security. Another thing to note is that IT or cybersecurity strategy should always align with the business strategy, so if regulators ask the business to abide by some rules and regulations, the IT team should also be mapping out ways of meeting those requirements.
Back to U.S. Privacy Breach Laws
Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information) ("SECURITY BREACH," 2016). Companies should therefore review their data privacy, data security and incident response policies and procedures to not only keep up with current requirements, but also with any changes that may be made to the State laws. Some of the laws may require a company to be compliant even when it is not located within the confines of the State. A good example is third-party service providers who may handle PII on behalf of their client. This means those vendors are required to adhere to the laws regardless of where they are located. The organization needs to ensure that the vendor implements and maintains security measures appropriate to the size, scope, industry and purpose of use of the information collected (Halpert & Anderson, 2015).
Another example of how different laws change is with HIPAA and ePHI. With advances in technology, HIPAA now covers ePHI (electronic Protected Health Information), which is “individually identifiable” “protected health information” sent or stored electronically. Doctors now use mobile and other electronic devices to review patient records and even share this information with other medical providers. The ePHI rules dictate how this information can be handled. The HIPAA Omnibus rule defines this transitive chain of possession such that all businesses that may come into contact with ePHI are made responsible for the privacy and security of that information. This includes many companies that previously had no idea they had to be HIPAA compliant. This shows that all businesses need to be aware of what laws or regulations apply to them, even if not directly. The HIPAA Omnibus rule is one such rule that traverses supporting companies and has far-reaching consequences if the third-party providers do not abide by those mandates.
In conclusion
Due to the rampant data breaches that have occurred over the years, attributable to the advancements in technology, in the period between 2006 and 2009, forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information (PII). The three States that do not have security breach laws are Alabama, New Mexico and South Dakota. It is important for us, as security professionals, to be conversant with the legal requirements that bind our industries based on the areas of operation. We may be called upon one day by senior leadership to explain some of these requirements, and staying ahead of the curve can come in handy when that time comes.
References
Halpert, J., & Anderson, M. J. (2015, July 20). Data Protection, Privacy and Security Alert (US). Retrieved September 9, 2016, from DLA Piper website: https://www.dlapiper.com/en/us/insights/publications/2015/07/state-breach-notification-laws/
SECURITY BREACH NOTIFICATION LAWS. (2016, January 4). Retrieved September 9, 2016, from National Conference of State Legislatures website: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx