It’s a common complaint – most U.S. laws requiring data security never cough up the specifics of what must be done to comply. Unlike other areas of business regulation, data security requirements seem hopelessly vague:
- Several states’ PII laws require businesses to implement and maintain “reasonable security procedures and practices” to protect PII from unauthorized access, destruction, use, modification, or disclosure.
- Regulations under the Gramm-Leach-Bliley Act compel financial institutions to have a “reasonably designed” comprehensive information security program with administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
- FACTA regulations require that consumer report information be disposed of “by taking reasonable measures to protect against unauthorized access to or use of the information….”
- HIPAA covered entities and business associates must address the security standards for ePHI in a way that protects against “reasonably anticipated threats or hazards” to ePHI security or integrity.
- The FTC enforces reasonable data security under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in commerce, without explicitly mentioning data security and without any supporting regulatory standards for specific data safeguards.
Obviously, we can’t just put “remember to have reasonable data security” in a compliance checklist or internal audit protocol, because “reasonable” tells us nothing concrete about what specific security controls are needed to be compliant. So, why do these laws stop short of telling us specifically what to do?
As it turns out, data security laws need to be framed in this open-ended way precisely because of the realities of data security threats, exposures, and resources:
Different industries have different threat environments
As the 2017 Verizon Data Breach Investigations Report (DBIR) reminds us, different industries face entirely different data security threats. For example, here were the top threat patterns in 2016 breaches for the following industries:
- Manufacturing: cyber espionage (86%), privilege misuse (6%), miscellaneous errors (2%)
- Finance: web application attacks (81%), card skimmers (10%), privilege misuse (6%)
- Healthcare: privilege misuse (34%), miscellaneous errors (32%), lost/stolen assets (14%)
- Retail: card skimmers (41%), web application attacks (25%), miscellaneous errors (13%)
- Accommodation: point-of-sale intrusions (87%), privilege misuse (2%), card skimmers (2%)
- Education: cyber espionage (26%), miscellaneous errors (22%), web application attacks (15%)
And these are industry averages – different businesses in the same industry will also experience very different threats, due to differences in their operations and in the value of their protected information.
Threat patterns change over time
Nothing stays the same when it comes to the data security threat environment. The 2017 DBIR indicates that ransomware, cyber espionage, and privilege misuse rose sharply from the year before, while point-of-sale intrusions and web application attacks fell precipitously. While attackers’ motivations are fairly constant (financial, followed by cyber espionage, and then fun/ideology/grudge), their tactics continue to evolve rapidly.
Differences in business size and complexity have an impact too
Businesses operating at huge scale will have more employees, more systems and system connections, and more endpoints, yielding a larger attack surface and a more complex threat environment than a small business in the exact same industry. And the resources available for cyber security defenses will inevitably be different as well.
Given that data security cannot be one-size-fits-all, it actually makes sense that data security laws do not prescribe a unitary checklist of specific security controls – that’s not possible. Any such list would be too onerous for many, and at the same time would miss important controls needed by others. Even if such a unicorn of a list were possible, it would rapidly become out of date as threat patterns change.
Instead, most data security laws require that businesses do a security risk assessment, and then establish and maintain their security safeguards to address the identified security risks. For example, both the Interagency Guidelines and the FTC’s Safeguards Rule under Gramm-Leach-Bliley require financial institutions to base their safeguards upon the results of a security risk assessment. HIPAA regulations require covered entities and business associates to perform security risk assessments. The Massachusetts PII Protection Standards require businesses to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of records containing PII. And the FTC routinely takes the enforcement position that failing to perform security risk assessments can contribute to unfair or deceptive trade practices for data security, and commonly includes a risk assessment requirement in its consent orders.
But beyond being legally required for many, a security risk assessment is the only meaningful way to know that your business’s security safeguards are appropriate for its data security risks, and therefore, are reasonable. And the assessment need not be complicated. You simply need to come to grips with three key questions, given who you are, what you do with protected information, and where and how you do it:
- What are our data security threats?
- What are our security vulnerabilities with respect to those threats?
- What are the likelihood and the potential exposure of each resulting risk?
Static solutions to dynamic problems are a recipe for trouble. So remember – a regularly updated security risk assessment is the compliant way, and in practice the best way, to ensure your business’s data security safeguards are up to the task.