
In recent years, companies have increasingly been held responsible for negligence in information security. The Federal Trade Commission (FTC) and the New York State Attorney General in particular have actively pursued companies that fail to follow effective security practices. Many well-publicized cases show why enterprises need to implement stronger security controls.
In June 2003, Guess, Incorporated agreed to settle FTC charges that it had failed to protect customers' personal information against commonly known attacks by hackers. Howard Beales, the FTC's Director of Consumer Protection, said, "Consumers have every right to expect that businesses that say they are keeping personal information secure actually do so." Under the consent order, Guess was required to implement, within one year, a comprehensive information security program meeting or exceeding criteria set by an independent expert.
Problem
The main reason an enterprise has insufficient or inconsistent control over information security is the lack of a widely accepted, comprehensive set of good security practices. Standards bodies such as the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) publish security standards that companies accept and use to varying degrees. The Information Systems Security Association (ISSA) recognizes the need for a universally agreed set of mandatory security practices and is currently developing the Generally Accepted Information Security Principles (GAISP).
The Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule and the Interagency Guidelines of the Gramm-Leach-Bliley Act (GLBA) have established security rules that the health care and financial services industries must comply with; both are customer privacy laws. If the entities covered by these laws do not comply with the required security practices, they not only expose their customers' personal information but may also be subject to regulatory fines or penalties. These laws essentially define a standard of due care for information security (the security practices that must be observed to avoid liability) for the health care and financial services industries. However, the entities subject to these laws account for only about 25% of the Gross Domestic Product. Other industries are left to rely on their own best judgment to protect their information.
Most companies certainly want to do the right thing and protect their customers. Avoiding liability and damage to reputation is another factor that motivates them to implement appropriate information security controls. Many corporate information security professionals believe they understand how to protect customer information, but few would be comfortable proving that their practices satisfy their employer's legal responsibilities. Because commonly accepted security practices are lacking, many enterprise information security professionals do not know how to protect customer information in a way that limits corporate liability.
Proposed solution
The best approach for companies that want to protect customer information and avoid liability is to implement the security practices that both HIPAA and GLBA require. Between these two customer privacy laws, 12 security practices are common. By following these 12 practices, companies can protect information security and potentially avoid liability. In fact, every security requirement mandated in the settlement of the case described above is one of the 12 practices common to HIPAA and GLBA.
What is due care?
Companies that handle customers' personal information may break the law without knowing it, as in the Guess case. This ignorance may stem in part from the substantial gaps concerning computer crime that exist in federal criminal law and in the criminal laws of the individual states. Federal and state criminal law evolves slowly and lags behind the rapidly changing technology of information systems, so such crimes are not always appropriately prosecuted. Companies and information security professionals can hardly point to a criminal code or statute that tells them what to avoid in order to stay on the right side of the law when protecting customers' personal information.
Because there are few guidelines for companies to follow regarding criminal or civil liability and avoiding harsh settlements with the FTC, we must first consider how legal standards are created. Legal standards develop from the concept of due care, which is the care that an ordinarily prudent person would exercise under the same or similar circumstances. Failure to exercise due care is evidence of negligence. Companies that are negligent in their information security practices are susceptible to litigation, fines and other sanctions, while companies that exercise due care should be substantially protected from such penalties.
Where to find due-care information security practices
Companies looking for due-care information security practices need look no further than the two major federal laws that regulate the protection of customer information, HIPAA and GLBA. Both HIPAA and GLBA not only set customer privacy requirements but also provide substantive regulatory guidance on managing the security of customer information. The HIPAA regulations are called the Final Security Rule, and the GLBA rules are called the Interagency Guidelines.
Some of these regulatory requirements are industry specific, but there is much commonality between them. In particular, 12 security practices appear in both the HIPAA Final Security Rule and the GLBA Interagency Guidelines. The fact that these two rule sets overlap in 12 places is no coincidence. It is a clear signal from the federal government of the level of due care it expects the nation's health care providers and financial institutions to practice. If these standards constitute the due care that must be exercised by industries accounting for about one quarter of the country's GDP, other industries can expect to be held to the same practices.
HIPAA &amp; GLBA security due care practices
The twelve security practices common to HIPAA and GLBA are all "high level" practices; none prescribes a specific technology control. Some practices are required outright, while others are required only if a risk assessment performed by the company determines that the practice is appropriate.
The HIPAA Final Security Rule and the GLBA Interagency Guidelines are designed to give guidance to senior management. How the practices are implemented is largely left to the enterprise.
Below is a list of the 12 security practices common to HIPAA and GLBA (see the HIPAA / GLBA Due Care Practice Matrix at OpenCSOProject for detailed analysis and references):
- Risk assessment and control
- Assignment of security responsibility
- Appropriate access and authorization
- Security awareness and training
- Incident response and reporting
- Disaster recovery
- Security evaluation
- Vendor contracts
- Facility access control
- Data integrity controls
- Encryption
- Security monitoring procedures
Validation by recent enforcement actions
If the company in the FTC settlement case referred to above had faithfully followed these 12 practices, it would not have suffered any penalty, and the information would have been protected. For example, in the Guess case, the FTC ordered Guess to:
- Coordinate the information security program and designate the employee(s) responsible for it (HIPAA / GLBA Due Care Practice #2: Assignment of Security Responsibility);
- Identify material internal and external risks to the security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction or other compromise of such information, and evaluate the adequacy of existing safeguards in controlling these risks. At a minimum, this risk assessment must consider the risks in each relevant area of the business (HIPAA / GLBA Due Care Practice #1: Risk Assessment and Control);
- Design and implement reasonable safeguards to control the risks identified through the risk assessment, and regularly test or monitor the effectiveness of the safeguards' key controls, systems and procedures (HIPAA / GLBA Due Care Practice #7: Security Evaluation);
- Evaluate and adjust the information security program in light of the results of testing and monitoring, any material changes to Guess's operations or business arrangements, or any other circumstances that may have a material impact on the information security program (HIPAA / GLBA Due Care Practice #7: Security Evaluation).
These four requirements are satisfied by performing three of the 12 HIPAA / GLBA due care practices: risk assessment and control, assignment of security responsibility, and security evaluation. Other settlements have included similar requirements that likewise map to the HIPAA / GLBA due care practices. It is clear that the security practices required by both HIPAA and GLBA establish the basis for due care.
Conclusion
Companies that do not maintain strong security controls are finding that they pay a price for failing to protect their customers' information. They need to proactively implement and maintain sound security processes to demonstrate that they are exercising due care. Until universally accepted information security practices emerge, the best approach for the enterprise is to implement the security practices required by both HIPAA and GLBA.
