Are You Breaking Cyber Law?
In the information security world, there’s a lot of talk around compliance and regulations directed at securing critical systems. Additionally, many organizations use compliance as a means to justify security spending and initiatives. It can be difficult in some cases to know exactly what you are required to do. Sometimes regulations are very direct and clear, while, in other instances, regulations can be risk-based and subjective. It’s always fun sitting in a room with legal, IT, and compliance and trying to build a plan on “complying” with mandated regulations. Compliance always wants to take a checklist approach, legal is often trying to define what’s required versus what isn’t, and IT just wants to know what they need to do. It can very quickly become quite the quagmire, but the situation can be navigated.
Understand the Data You Access
It can be obvious what types of sensitive data a company is managing – hospitals store medical data, banks store sensitive financial information. However, what tends to happen is that many organizations are managing and accessing data that’s regulated and they don’t even know it. Consider the data that your HR department may be storing. In the typical course of business, you may not be responsible for managing any kind of sensitive data. HR, on the other hand, is going to have access to social security numbers, bank account numbers, birth dates, salaries, and other sensitive personal information on each employee. It’s also not uncommon for some companies to request (and store) health-related information on their employees that’s used to manage their health insurance plan. I’m not saying that these groups are automatically subject to the HIPAA security controls, but it’s important to know what data you do have so you can assess what laws are applicable to your organization.
Know Your Industry and What Regulations Apply to You
In the healthcare industry, it’s pretty cut and dried. HIPAA is typically the governing regulation and it spells out fairly specific criteria that can be audited. The same is also the case for much of the financial services sector. Larger entities that offer financial products or services are required to safeguard sensitive data, and the FTC Safeguards Rule spells out what those requirements are. Companies that process credit cards should adhere to the Payment Card Industry (PCI) security standard. Banks fall under the jurisdiction of the OCC and FFIEC.
The water gets a little muddy where the law isn’t as cut and dried. Consider pharmaceutical manufacturers, for example. There is no such thing as the “Cyber Security for Pharmaceutical Manufacturers Law,” something with a clearly defined set of rules that can be easily digested and measured. Instead, to find relevant security requirements, you have to refer to the Food and Drug Administration 21 CFR Part 211 guidance, which stipulates: “Appropriate controls shall be exercised over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel.” In this case, there’s a lot of latitude for both the auditor and the manufacturer to dispute what is and is not an appropriate control. It’s up to the organization to unilaterally ensure it’s meeting the intent of the regulation, and that can be a challenge for many companies.
Then there are individual state laws which often get overlooked. Just about every state has its own language around what is meant by “security breach,” who needs to be notified in the event of a breach, and the timeframe for when notifications need to be delivered. New York State’s Department of Financial Services recently released requirements for companies doing business in that state that meet certain financial conditions. The Massachusetts Division of Banks issued a letter in September 2015 requiring in-scope organizations to conduct an internal assessment against the FFIEC Cyber Security Assessment Tool. More recently, the attorney general in California stated that failure to implement all of the CIS Critical Controls would constitute a lack of “reasonable security.” Organizations doing business in California that have not implemented those controls could be considered in violation of California cyber security law.
Align With a Known Framework
Managing the sea of security regulations can be a daunting task. Companies with a less mature security program often don’t know where to start. I recommend picking a standard security framework like the NIST CSF, COBIT, HITRUST, or CIS Critical Controls as a starting point. The majority of security best practices aren’t a secret and can be found within these frameworks. Even if you don’t know which laws directly or indirectly apply to you, aligning with the controls outlined by these guides makes it likely that you will meet or exceed what’s called out in the majority of regulations published to date, including ones you don’t yet know you’re subject to. Using this approach, an auditor is likely to show some leniency for gaps, since you’re at least making an effort to follow industry standards and protect your systems.
It’s the companies that don’t do anything at all and wait until a breach happens that get into the most trouble. It’s in those cases that vague security regulations can be interpreted much more harshly because the organization that was compromised is now under scrutiny. Regulators are more likely to dig into your security program (or potentially lack thereof). It’s in these instances that partners may invoke their right to audit security controls to ensure they’re not also liable from a compliance standpoint.
Get Help If You Need It
There are many legal firms and compliance consultants with expertise in information technology compliance. You can also leverage IT consultants and professional organizations to assist with bringing controls up to the level where they meet the intent of published regulations. The point is, you don’t necessarily have to go it alone. Even if you’re not a lawyer, you can also work with partners like Arraya Solutions who have that knowledge and understand how to meet regulatory requirements. Reach out to our Cyber Security Practice to start a dialogue today!