Information security and the legal system have become increasingly intertwined. Recent laws and regulations relating to information security include:
• E-Sign & UETA: Electronic records.
• Sarbanes-Oxley: Internal controls.
• GLBA: Customer information in the financial sector.
• HIPAA: Patient information in the healthcare sector.
• COPPA: Personal information related to children.
• FTC Section 5: Prohibiting deceptive business practices.
Experts have identified notable trends in information security law. The trends indicate that legal requirements with respect to information security will continue to expand.
Expansion of Scope
All Companies
One significant trend has been the expansion of the scope of regulations to all companies. The FTC has taken steps to expand the scope of industry-specific regulations, particularly the GLBA, to all industries. The FTC has also taken action against certain companies under FTC Section 5, such as DSW, Inc. on December 1, 2005 and ChoicePoint, Inc. on January 26, 2006.
States such as Alaska, California, Nevada, Rhode Island, Texas and Utah require the implementation and maintenance of reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification or disclosure.
All Data
There is also a noticeable trend to expand the scope of information security laws to all data. With financial data, tax data, transaction data, etc., all being protected under specific laws and regulations, the trend points in the direction that soon almost all data will require protection.
Trend: The scope of information security laws and regulations is likely to expand to include virtually all companies and all data.
Secure Destruction of Data
Currently only a handful of laws and regulations, GLBA being the forerunner, require the secure disposal of data. Additionally, states such as Alaska, California, Kentucky, New Jersey, North Carolina, Texas and Utah have enacted state laws that require secure data destruction.
In August 2006, congressional action was called for to limit the retention of data. The proposal had logical grounds: AOL had released a list of 20 million keyword searches performed by over 600,000 Internet users. This triggered concern about companies that store consumers' Internet information for indefinite periods of time.
Bill H.R. 4731 was introduced to require companies to delete Internet data with personal information when it was no longer useful for any legitimate business purpose. Although this bill was not passed, this issue continues to be debated by legislators.
Trend: There may be additional legislation requiring companies to delete all data that contains personal information, when the data is no longer useful for legitimate business purposes. This trend will directly affect the technology we know as “warehousing”.
Retention of Data
Directive 2006/24/EC, known as the European Data Retention Directive, was brought into effect to combat terrorism. Telecommunication and Internet companies of European Union member nations will have to store telephone call and Internet data for up to 6 months starting September 15, 2007. Spain already applied the directive as of September 2006.
In 2006, the State of Colorado enacted a law that requires Internet Service Providers (ISPs) to preserve and release records of their users to law enforcement agencies in certain circumstances. In addition, the Attorneys General of 49 states have pushed for a national data retention standard to help in investigating and cracking down on on-line sexual predators.
Trend: There may be additional legislation requiring certain data to be retained. There will be increasing debate about the specifics of the time period of retention, the nature of the data, and the quantity of data that should be retained. Also, legislators will have to reconcile laws that require companies to delete data with any new laws requiring companies to retain data.
Disclosure of Security Breaches
Currently 34 states, and a federal regulation relating to financial institutions, require the disclosure of security breaches. Organizations are required to disclose security breaches to those who may be affected or injured from the breach and also to law enforcement and regulators.
Trend: There may be additional legislation requiring all businesses to disclose security breaches. It is also likely that other countries, for example European countries, will also require the disclosure of security breaches.
Risk Management and Security Requirements
Laws and regulations generally require a five-step approach to risk management and security.
• Asset Identification: All assets either directly under the control of the company or indirectly (possibly via outsourcing) need to be identified using a pre-defined process and a definition for the term asset.
• Risk Assessment: The risk exposure that a company faces must then be determined by identifying, confirming and evaluating the threats, vulnerabilities and implications. There must be a listing of the security control options available to address the risks involved.
• Security Program: A documented security program is the next step where a response to the identified risks needs to be identified. Different strategies and controls should be identified as options for implementation, and the ones selected must commensurately address the risk involved.
• Monitor and Improve: On an ongoing basis, there must be regular testing to ensure that the security program and the implemented security controls are effective and are meeting the needs first identified as a result of the risk assessment. Additionally, improvements must be made to address new threats and vulnerabilities, and also to develop new alternatives to the existing controls.
• Third Parties: Organizations must address and oversee third party service providers as an ongoing process.
The above information security steps are required by the GLBA. In addition, these same requirements have been used by courts to determine whether a company acted negligently under state law. For example, in a 2006 case, Guin v. Brazos Higher Education Service Corporation, Inc., an employee’s laptop with customer information was stolen from the employee’s home. The court found that Brazos had written security policies, current risk assessment reports, and proper safeguards for its customers’ personal information, and held that Brazos was only required to protect against harms that were reasonably foreseeable. On these facts, the court found that Brazos was not negligent.
Trend: A risk-based approach to compliance and information security, irrespective of the type of organization, is foreseen. A legal definition of the term "reasonable security" has long been sought, and this risk-based approach is seen as the answer. It is expected that this trend will spread globally and will lead to a uniform, risk-centred approach.
Enterprise Risk Management, Inc. (ERM) professionals have expertise in information security. ERM assists many types of organizations in complying with laws related to information security. ERM does not provide legal advice.