
Deriving Due Care Practices from HIPAA and GLBA


Author: Marc Menninger

Article source: http://www.selfseo.com/. Used with author's permission.

Recent years have shown a trend in corporations being held responsible for information security negligence. In particular, the Federal Trade Commission (FTC) and the Attorney General of New York have been actively pursuing companies that fail to follow effective security practices. Many high-visibility cases illustrate how companies are being required to implement stronger security controls, the Guess case being a good example.

In June 2003, Guess, Incorporated agreed to settle FTC charges that it exposed consumers' personal information to commonly known attacks by hackers, contrary to the company's claims. "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection. The settlement required that Guess implement a comprehensive information security program that would be certified as meeting or exceeding the standards in the consent order by an independent professional within a year.

The Problem

A key reason why corporations demonstrate poor or inconsistent information security controls is the lack of a widely accepted and comprehensive set of good security practices. Standards bodies such as the U.S. National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) publish security standards with varying degrees of corporate acceptance and use. The Information Systems Security Association (ISSA) has identified the need for a universally agreed-upon collection of essential security practices and is currently developing the Generally Accepted Information Security Principles (GAISP)--although how well accepted these principles will be upon publication remains to be seen.

The Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule and the Gramm-Leach-Bliley Act (GLBA) Interagency Guidelines are customer privacy regulations specifying the security rules that must be followed by the healthcare and financial services industries respectively. If entities covered by these laws fail to follow the required security practices, they may not only be exposing their customers' private information but may also be subject to regulatory penalties and fines. These laws, in essence, define information security due care standards--the security practices that must be followed to avoid liability--for the healthcare and financial services industries. The entities covered by these laws, however, only represent approximately 25% of the U.S. Gross Domestic Product. Other industries must rely upon their best judgment to protect customer information--clearly not an effective approach, as the cases mentioned earlier demonstrate.

Most companies certainly want to do the right thing and protect their customers' information, but avoiding legal liability and harm to their reputation are also factors that motivate them to implement appropriate information security controls. While most corporate information security professionals probably think they understand how to protect customer information, many wouldn't be comfortable attesting that their practices would protect their employer from liability. Lacking a commonly accepted set of security practices, many corporate information security professionals are uncertain how to secure customer information in a way that also limits their company's liability.

Proposed Solution

The best approach for companies that wish to protect their customers' information and potentially avoid liability is to implement the security practices required by both HIPAA and GLBA. There are 12 security practices in common between these two customer privacy laws. By following these 12 practices, companies will be practicing information security due care and can potentially avoid liability. Indeed, all of the security requirements mandated in the settlements of the cases mentioned earlier are among the 12 practices in common between HIPAA and GLBA.

What is Due Care?

Companies that handle the personal information of their customers may be breaking the law and not know it, as evidenced by the Guess case. This ignorance may partly stem from the substantial gaps in the computer crimes that the federal criminal code and individual state criminal statutes make prosecutable. Federal and state criminal statutes are slow to evolve to adequately prosecute crimes based on the fast-changing technology of information systems. Companies and information security professionals may find little direction in criminal codes and statutes to help them avoid inadvertently breaking the law when it comes to protecting their customers' personal information.

Since there is little guidance for companies to follow when it comes to avoiding criminal or civil liability or harsh settlements from the FTC, they need to consider how legal standards are created in the first place. Legal standards are developed based on the concept of due care, which is the care that an ordinarily prudent person would have exercised under the same or similar circumstances. Failure to practice due care is equivalent to demonstrating negligence. Companies that demonstrate negligence relative to their information security practices are susceptible to lawsuits, fines, and other sanctions, whereas companies that practice due care should be largely protected from such punishments.

Where to Find Due Care Information Security Practices

Companies that wish to find due care information security practices need look no further than two major federal laws that regulate the protection of customer information: HIPAA and GLBA. While both HIPAA and GLBA enacted much more than customer privacy requirements, both have spawned substantial regulatory guidance on security controls for protecting customer information. The regulations for HIPAA are called the Final Security Rule and those for GLBA are referred to as the Interagency Guidelines.

While some of the requirements in these regulations are industry-specific, there is a lot of commonality between the two. In particular, 12 security practices were found in both the HIPAA Final Security Rule and the GLBA Interagency Guidelines. The fact that these two sets of regulations intersect in 12 places is no coincidence. This is a clear signal from the federal government of the level of due care it expects the country's health care providers and financial institutions to practice. If these are the standards of due care that must be practiced by industries that represent about a quarter of the country's GDP, it stands to reason that other industries will be expected to follow these same practices.

HIPAA & GLBA Security Due Care Practices in Common

The 12 security practices in common between HIPAA and GLBA are all "high-level" practices. There are no specific technology controls. Some practices are required while others are required only if a risk assessment conducted by the entity determines that the practice is appropriate.

The HIPAA Final Security Rule and the GLBA Interagency Guidelines were designed to provide guidance to senior management. How the practices are implemented is left largely up to the companies to determine.

Following is the list of the 12 security practices in common between HIPAA and GLBA (please refer to the HIPAA/GLBA Due Care Practice Matrix in the Laws and Regulations section of the OpenCSOProject for detailed analysis and references):

  1. Assess and Control Risk
  2. Assign Security Responsibility
  3. Appropriate Access and Authorization
  4. Security Awareness and Training
  5. Incident Response and Reporting
  6. Disaster Recovery
  7. Security Evaluation
  8. Vendor Contracts
  9. Facility Access Controls
  10. Data Integrity Controls
  11. Encryption
  12. Security Monitoring Procedures

Validation from Recent Enforcement Actions

If the companies in the FTC settlement cases mentioned earlier had faithfully implemented these 12 practices, they would not have suffered any penalties and their customers' information would have been protected. For instance, in the Guess case, the FTC ordered Guess to:

  • Designate an employee or employees to coordinate and be accountable for the information security program (HIPAA/GLBA Due Care Practice #2: Assign Security Responsibility);
  • Identify material internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment must include consideration of risks in each area of relevant operation. (HIPAA/GLBA Due Care Practice #1: Assess and Control Risk);
  • Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards' key controls, systems, and procedures. (HIPAA/GLBA Due Care Practice #7: Security Evaluation);
  • Evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that Guess knows or has reason to know may have a material impact on its information security program. (HIPAA/GLBA Due Care Practice #7: Security Evaluation)

These four requirements would have been fulfilled by following just three of the 12 HIPAA/GLBA Due Care Practices: Assess and Control Risk, Assign Security Responsibility, and Security Evaluation. The other settlement cases had similar requirements, also covered by the HIPAA/GLBA Due Care Practices. It is clear that the security practices required by both HIPAA and GLBA establish a basis of due care.

Conclusion

Companies are finding that they will pay the price for not maintaining strong security controls and protecting their customers' information. They must proactively implement and maintain prudent security processes to demonstrate that they are practicing due care. Until a universally accepted set of information security practices is produced, the best approach for companies is to implement the security practices required by both HIPAA and GLBA.

_____________________________________________________

Marc R. Menninger is a Certified Information Systems Security Professional (CISSP) and is the founder and site administrator for the OpenCSOProject, a knowledge base for security professionals. To download security policies, articles and presentations, click here: Security Officer Forums.

Copyright © 2006 SmileMedia Co. All rights reserved.