Combating Cyber Risks with a Written Information Security Program
Recent data breaches call for businesses to amp up security measures and have an incident response plan ready.
As the fallout continues from recent data breaches involving large, well-known retailers, businesses of all sizes and in all industries should view these incidents as a wake-up call. There is no question that data breaches can happen to any business. And if a data breach does occur, the victimized business likely will face corporate embarrassment, public relations nightmares, loss of business, litigation and liability, regulatory and governmental investigations, and significant expenses.
The recent, high-profile data breach incidents should teach any business two important lessons. First, every business, regardless of size or industry, should ensure that it has deployed appropriate and legally compliant data security measures. Second, each business should adopt an incident response plan to ensure that it is prepared to deal with a data security breach should one occur.
Many laws—such as the Gramm-Leach-Bliley Act, HIPAA, and various state laws—specifically require that businesses adopt “reasonable, appropriate, and necessary” measures to protect the confidentiality, integrity, and availability of data, and to prevent unauthorized access to, disclosure of, or alteration of systems and data, as well as accidental loss or destruction of such data. But these laws do not tell us what is meant by reasonable, appropriate, and necessary.
To demonstrate conformity with applicable standards and to provide a potential defense to regulatory scrutiny or third-party claims, businesses should consider adopting a comprehensive written information security program (WISP). A WISP is already required in the health care and financial sectors. It also is a legal requirement in Massachusetts.
The Massachusetts regulation, usually referenced as 201 CMR 17.00, has the potential to be the most far-reaching because it applies to all individuals, corporations, associations, partnerships, and other legal entities, regardless of where they are located, that own, license, store, or maintain personal information about a Massachusetts resident. The regulation specifically requires the development, implementation, maintenance, and monitoring of a WISP applicable to all records containing the personal information of Massachusetts residents. Under 201 CMR 17.00, “personal information” is a Massachusetts resident’s first and last name, or first initial and last name, in combination with any of the following:
- Social Security number.
- Driver’s license number or state-issued identification card number.
- Financial account number or credit/debit card number.
The regulation is enforced by the Massachusetts attorney general. In addition, there is the potential for private lawsuits, unfair and deceptive trade practice actions under state law, and Federal Trade Commission regulatory actions. And while the mere fact that a breach has occurred does not mean that a company has violated the law, the failure to adopt a WISP may be used as evidence of negligence.
Among other things, a WISP should include the following, all of which happen to be required under the Massachusetts regulation:
- Designation of one or more employees to maintain the WISP.
- Identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any records containing personal information.
- Identification of locations where personal information is stored (e.g., paper records, electronic records, computer systems, and portable devices).
- Limitations on the amount of personal information collected and the time such information is retained, and restriction of access to such information to those persons who are reasonably required to know it.
- Implementation of ongoing employee training.
- Imposition of disciplinary measures for violations of WISP rules.
- Verification and contractual assurances that third-party service providers are capable of protecting personal information.
- Regular monitoring of the effectiveness of the program and adjustments as may be necessary.
- Review of the program at least annually.
- Documentation regarding responsive actions to breaches.
A WISP should be reasonably consistent with industry standards for information security programs and contain administrative, technical, and physical safeguards to ensure the security of records containing personal information. The adequacy of any such program will be evaluated by taking into account:
- The size, scope, and type of business.
- The resources available to the business.
- The amount of stored information.
- The need for security and confidentiality of both consumer and employee information.
Resources for Preparing a WISP
There are many resources related to WISPs. For example, the Massachusetts Office of Consumer Affairs and Business Regulation published a guide for small businesses, and guidance also can be found in the Gramm-Leach-Bliley Act and HIPAA. The International Organization for Standardization (ISO), a non-governmental organization that promulgates and publishes standards to promote quality controls around the world and provides certification, also has published standards for information security in ISO 27001 and ISO 27002. Finally, the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, has developed a voluntary framework applicable to companies in “critical infrastructure” designed to reduce cyber risks. Although the framework is voluntary, many believe that the NIST framework will set the standard of care not only for companies in critical infrastructure (e.g., power generation, transportation, telecommunications), but also for companies of all sizes and in any industry.
These resources notwithstanding, it is advisable for businesses to involve legal counsel to most effectively formulate and draft a WISP, given that the WISP should not conflict with other existing policies and should not run afoul of other laws, such as those related to an organization’s interactions with its employees.
When all is said and done, a WISP is no longer just a best practice, even for a business outside of the most regulated fields. In addition to meeting other legal requirements that may touch a particular business, a WISP also can be a potential defense in regulatory actions and third-party claims if a data breach occurs despite an organization’s best efforts to develop and implement a sound information security program.