Written Information Security Programs Help Demonstrate Data Security Compliance


By Michael Bologna  

Nov. 6 -- Businesses seeking to manage the risks posed by hacking, data breaches and network security failures must focus their resources on vigorous written information security programs (WISPs), two attorneys specializing in privacy and data security said Nov. 5.

Thomas Smedinghoff, a partner in the Chicago office of Edwards Wildman Palmer LLP, said state and federal data security laws contain a variety of flexible legal standards for demonstrating compliance. He said the laws demand that covered entities take “appropriate,” “necessary” or “reasonable” steps to ensure data and network security.

Smedinghoff, who is a member of Privacy & Security Law Report's board of advisers, said the best way to demonstrate conformity with “reasonableness” standards is to implement and maintain a comprehensive WISP. His comments came during an American Bar Association webinar entitled “Cybersecurity Law 101: The Legal Obligations of Every Business to Provide Data Security.”

“This comprehensive written information security program, or a WISP, is in many respects a legal requirement. It is an expressed legal requirement in Massachusetts,” Smedinghoff said. “It is an expressed legal requirement in the health care and financial sectors. I think for many of the other sectors or non-regulated industries, it is becoming the de facto legal requirement.”

A WISP is the standard against which the Federal Trade Commission, as well as many state attorneys general, will assess a company's security program, he added.

Smedinghoff added that a vigorous WISP demonstrates that an organization has taken reasonable care to safeguard its data in a climate of rapidly changing cyberthreats.

“Based on some case law that we've seen, it is also a defense to liability,” he said. “I think there is a general recognition that security is not perfect and bad things can happen. Just because something bad has happened does not mean you had legally noncompliant security.”

WISP Is Not a Policy

Smedinghoff said a WISP is not a policy or a set of procedures, but a vigorous program that describes the full range of security-related activities of the organization, and directs the organization toward the goal of ensuring data security, confidentiality and integrity.

He said the WISP must contain physical, technical and administrative safeguards that are appropriate to the wide range of risks affecting the business. Such risk considerations should evaluate: the size and complexity of the organization; the sensitivity of data collected and hosted by the organization; the people inside and outside the organization that have access to the data; the equipment used for collecting and storing data; and any special security requirements affecting the organization or its industry.

Smedinghoff also stressed that the WISP must contain active process features that consistently:

• assign security responsibilities to people within the organization;

• identify the information assets to be protected;

• conduct risk assessments that evaluate threats, vulnerabilities and damages;

• identify and implement security controls that are responsive to risk assessments;

• address and act on risks posed by third parties;

• monitor the effectiveness of the program; and

• adjust the program in response to regular assessments.


Massachusetts Data Regulations

Smedinghoff was joined during the webinar by Sara Cable, an assistant attorney general in the Consumer Protection Division of the Office of the Massachusetts Attorney General. Cable said her comments were her own and did not necessarily reflect the views of the Office of the Attorney General.

Cable said a comprehensive WISP is a critical tool for demonstrating compliance with the Massachusetts data security regulations (201 Mass. Code Regs. 17.01-17.05), which establish minimum standards for safeguarding personal information collected and maintained by businesses serving state residents. Cable stressed that the WISP cannot be a program that exists only on paper.

It “is not enough to have a policy in place,” she said. “You need to have an entire comprehensive program that is actually followed.”

Cable pointed to four common “Homer Simpson moments,” or preventable data security failures. She said all of these failures would trigger scrutiny and potential penalties under the Massachusetts data security regulations:

• Encryption failures. Cable said such breaches typically occur when unencrypted laptop computers and smartphones are lost or stolen, unencrypted personal data are sent to the wrong recipient or encrypted data are transmitted together with the encryption key.

• Poor WISP compliance. Cable said a wide variety of preventable breaches occur simply because an organization fails to implement its security program in a meaningful way.

• Computer system and network security failures. These problems frequently include failures to update anti-virus software, properly manage system passwords and secure hardware.

• Failure to oversee vendors and third parties. Cable said organizations frequently stumble into compliance problems because they fail to ensure that vendors and third parties using the organization's data have implemented rigorous security programs.


Massachusetts Enforcement Action

Cable pointed to several recent enforcement actions featuring one or more of these failures. She stressed that small failures can trigger big-ticket penalties.

In May 2012 South Shore Hospital in South Weymouth, Mass., agreed to pay $750,000 to settle allegations that it did not protect the personal health information of 800,000 consumers.

Cable said the hospital shipped three boxes with 472 unencrypted backup tapes containing personal health information to an off-site vendor to be erased. Only one of the boxes reached the intended destination, and the other two have never been recovered.

Cable said the hospital failed in its compliance obligations because it never informed the vendor that personal information was on the tapes. The hospital also failed to take reasonable steps to ensure the vendor maintained sufficient safeguards for securing the patient information on the tapes.


To contact the reporter on this story: Michael Bologna in Chicago at mbologna@bna.com

To contact the editor responsible for this story: Katie W. Johnson at kjohnson@bna.com
