Vol. 3, No. 13

How Data Protection Regulations Impact IT Leaders

Businesses must be vigilant about data security in today's global information-based economy. Because organizations depend so heavily on IT in this environment, and because risk is an inherent part of IT, it is more necessary than ever for technology leaders to know the data protection laws and regulations that apply to them.

REGULATIONS WITH IT REQUIREMENTS

There are many regulations worldwide that have numerous data protection requirements. Some of these regulations directly apply to IT practices, while others have an indirect impact. It is important that IT leaders are aware of all of them.

Regulations in the US

Within the US, the regulations that have received the most press and that most explicitly define IT requirements include the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). The following sections describe the impact of these acts on IT leaders and also examine the Federal Trade Commission (FTC) Act, which is of growing importance to these leaders.

HIPAA

The Security Rule component of HIPAA has the greatest impact on IT leaders. At a high level, this section requires IT leaders to:

  • Perform a risk analysis for the electronic protected health information (PHI) within the organization and establish appropriate controls based upon the risks

  • Ensure the confidentiality, integrity, and availability of all electronic PHI that the organization creates, receives, maintains, or transmits

  • Protect against any reasonably anticipated threats or hazards to the security or integrity of PHI

  • Protect against any reasonably anticipated uses or disclosures of PHI

  • Comply with Security Rule standards with respect to all electronic PHI

  • Review and modify security measures as needed to ensure reasonable and appropriate protection of electronic PHI

  • Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule

  • Provide ongoing information security training and awareness to all personnel handling PHI

  • Ensure business partners have appropriate information security practices for the information the organization has entrusted to them

GLBA

The Safeguards Rule component of the GLBA also strongly impacts IT leaders. At a high level, this rule requires IT leaders to:

  • Establish a security plan to protect the confidentiality and integrity of personal data

  • Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information and assess the sufficiency of any safeguards in place to control these risks

  • Establish ongoing information security training and awareness

  • Implement security for and within information systems, including network and software design, information processing, storage, transmission, and disposal

  • Implement methods to detect, prevent, and respond to IT attacks, intrusions, or other systems failures

  • Design and implement information safeguards to control identified risks and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures

  • Ensure business partner and service provider security by taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue, and by requiring them within contracts to implement and maintain those safeguards

  • Regularly evaluate and adjust the information security program based on the results of the testing and monitoring, material changes to operations or business arrangements, and any other circumstances that may have a material impact on the information security program

FTC Act

A regulation quickly growing in importance to IT leaders because of increasing compliance efforts, enforcement actions, and fines is Section 5 of the FTC Act. This basic consumer protection statute provides that "unfair or deceptive acts or practices in or affecting commerce are declared unlawful." While this regulation does not explicitly state information security requirements, the lack of security to support promises made to consumers -- such as those commonly found in Web site privacy policies -- can have a significant impact on organizations. IT must implement information security procedures and technologies that support the organization's policies and contractual agreements. It is important for IT leaders to understand that they must also have reasonable and appropriate information security measures in place, both to demonstrate that they practice a standard of due care and to comply with the growing number of laws.

International Regulations

Throughout the world, there are numerous data protection laws that impact the decisions IT leaders make. A few that have had significant impact on companies include Canada's Personal Information Privacy and Electronic Data Act (PIPEDA), the European Union (EU) Data Protection Directive, and Japan's Personal Information Protection Act.

Canada's PIPEDA

This law applies to every organization with regard to the personal information that it collects, uses, or discloses in the course of commercial activities, as well as its employees' personal information. Under this law, IT leaders need to:

  • Establish safeguards for personal information to ensure only those with a business need can gain access to it

  • Establish retention practices to ensure personal information is retained for as long as necessary to allow individuals access to it when pursuing actions related to PIPEDA violations

EU Data Protection Directive

Any person or organization that collects or handles personal information from a citizen of any of the 25 EU nations and transfers that information across national borders must comply with this regulation. To comply with these requirements, IT leaders must generally:

  • Establish policies and procedures to keep personal data accurate and up to date, document when a data subject informs you that data is inaccurate, and take reasonable steps to ensure that data is accurate beyond simply asking the subject when the data was collected

  • Establish procedures to discontinue use of personal data and dispose of it when it is no longer necessary for the business purpose for which it was collected

  • Establish appropriate security technology to prevent personal data from being hacked, lost, damaged, or stolen

  • Establish procedures to prohibit the transfer of personal data outside the European Economic Area unless the country to which it is being transferred provides an adequate level of protection

Japan's Personal Information Protection Act

This law broadly provides for the protection of personal information used by the Japanese government, third parties, and the public sector -- often referred to as "personal information handling operators" -- that handle data on more than 5,000 people. As part of the compliance requirements, IT leaders must generally:

  • Establish procedures to keep third parties from accessing personal data except as required by law

  • Establish procedures to retrieve personal data for specific individuals upon their request

  • Establish procedures to correct personal data errors and inaccuracies as quickly as possible

  • Establish procedures to discontinue use of personal data as soon as requested

  • Establish safeguards for personal data

In addition to the aforementioned laws, there are literally hundreds of other international and US federal- and state-level laws with which organizations must comply. These laws cover not only customer and consumer personal information, but also employee information.

MORE INCIDENTS AND ACTIONS IN THE US

IT leaders must know that as technology advances, information security lags behind those advances. Diligence is necessary to ensure the security of personal data no matter where it is located. If IT leaders do not participate in data protection efforts, the business is at high risk of being negatively impacted by resulting incidents, noncompliance fines, civil suits, customer loss, diminished stock value, and brand damage.

IT leaders need to be aware of the increasing numbers of information security incidents and regulatory oversight actions. The following are five examples of such incidents and actions:

  • As of April 2006, the FTC has filed five data security cases based on deception, which the commission and the courts have defined as a material representation or omission that is likely to mislead consumers acting reasonably under the circumstances. In each of these cases, the commission alleged that the companies made explicit or implicit promises that they would take appropriate steps to protect sensitive information obtained from consumers. Their security measures, however, were grossly inadequate, and their promises were therefore deceptive. The FTC has also addressed 12 other data security cases, six spyware and adware cases, more than a dozen financial pretexting cases, and over 80 spam cases to date.

  • As of April 2006, the US Department of Health and Human Services has launched thousands of HIPAA noncompliance investigations, and two criminal cases have been brought for noncompliance with HIPAA.

  • The numbers of reported incidents of PIPEDA noncompliance in Canada have steadily increased over the past few years. In 2002, Canada launched approximately 1,700 PIPEDA investigations. Canadian Federal Privacy Commissioner Jennifer Stoddart warned in a 9 March 2006 speech that she will make greater use of her statutory powers to crack down on privacy violations in Canada, because organizations are not taking their privacy responsibilities seriously enough and are not responding appropriately to the Privacy Commissioner's directives following violations.

  • The number of actions taken in EU nations has steadily increased over the past several years. For example, in 2002 the Spanish Data Protection Authority fined one organization approximately US $900,000 for inappropriately sharing customer data with a subsidiary and another approximately US $1.17 million for disclosing protected personal information to the public.

  • During 2001 and 2002, 483 privacy complaint cases were investigated by the Privacy Commissioner's Office in Hong Kong.

WHAT IT LEADERS NEED TO KNOW

Noncompliance with laws and regulations impacts organizations significantly through regulatory fines, but stronger impacts can also come from potential civil actions and from the long-lasting requirements imposed by regulatory agencies, which can oblige organizations to implement more procedures and obtain more resources to demonstrate -- for as long as 20 years following a judgment -- that they have reasonable security measures in place.

Many laws and regulations have requirements for protecting information in which IT leaders must be involved. These leaders must participate in the establishment, implementation, and management of the ongoing processes needed to meet the requirements.

Critical to the success of the IT leaders is the visible and demonstrated support and backing of executive management. Executives set the example their personnel emulate. If business executives are not strong supporters of information security initiatives, IT leaders will have a very hard time meeting the technology requirements of data protection regulations and laws.

IT LEADER REGULATORY COMPLIANCE ACTION PLANS

IT leaders must establish a regulatory compliance action plan tailored to their business to ensure they are addressing all technology compliance requirements. The plan needs to include the following components, which are explicitly identified as parts of an effective security program not only within regulations such as HIPAA and GLBA but also by regulatory oversight agencies such as the FTC.1 To address these requirements, IT leaders must:

  • Implement effective education programs to stay aware of regulatory requirements and make personnel aware of and provide training about the threats to information systems and the steps all business areas must take to address them

  • Develop and communicate information security policies and procedures regarding the appropriate use and security of information and computer systems

  • Incorporate security into the systems and applications development life cycle to ensure security is implemented and managed effectively

  • Identify and inventory all personal data, including data flows, storage locations, and persons with access to the data

  • Implement safeguards, such as encryption and access control technologies, to protect personal data in all locations and while in transit through untrusted networks

  • Include security requirements within contracts of business partners entrusted with personal information or that have access to the organization's personal information

  • Use malicious code prevention software, intrusion detection and prevention systems, and firewalls

  • Establish personal data backup and retention and disposal policies and procedures that meet compliance with applicable laws, regulations, and contractual requirements

  • Establish information privacy and security incident response and breach notification policies and procedures

NOTES

1. For more information about the security and safeguard recommendations of the FTC, visit www.ftc.gov/os/2006/03/P034101CommissionTestimonyConcerningSmallBusinessSecurity.pdf.
