Deriving Due Care Practices from HIPAA and GLBA

Navigation: Main page » Security

 Print this page Submit articleComment article

Author: Marc Menninger

Article source: http://www.selfseo.com/. Used with author's permission.

Recent years have shown a trend in corporations being held responsible for information security negligence. In particular, the Federal Trade Commission (FTC) and the Attorney General of New York have been actively pursuing companies that fail to follow effective security practices. Many high-visibility cases illustrate how companies are being required to implement stronger security controls, the Guess case being a good example.

In June 2003, Guess, Incorporated agreed to settle FTC charges that it exposed consumers' personal information to commonly known attacks by hackers, contrary to the company's claims. "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection. The settlement required that Guess implement a comprehensive information security program that would be certified as meeting or exceeding the standards in the consent order by an independent professional within a year.

The Problem

A key reason why corporations demonstrate poor or inconsistent information security controls is the lack of a widely accepted and comprehensive set of good security practices. Standards bodies such as the U.S. National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) publish security standards with varying degrees of corporate acceptance and use. The Information Systems Security Association (ISSA) has identified the need for a universally agreed-upon collection of essential security practices and is currently developing the Generally Accepted Information Security Principles (GAISP)--although how well accepted these principles will be upon publication remains to be seen.

The Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule and the Gramm Leach Bliley Act (GLBA) Interagency Guidelines are customer privacy laws specifying the security rules that must be followed by the healthcare and financial services industries respectively. If entities covered by these laws fail to follow the required security practices they may not only be exposing their customers' private information but may also be subject to regulatory penalties and fines. These laws, in essence, define information security due care standards--the security practices that must be followed to avoid liability--for the healthcare and financial services industries. The entities covered by these laws, however, only represent approximately 25% of the U.S. Gross Domestic Product. Other industries must rely upon their best judgment to protect customer information--clearly not an effective approach as the cases mentioned earlier demonstrate.

Most companies certainly want to do the right thing and protect their customers' information, but avoiding legal liability and harm to their reputation are also factors that motivate them to implement appropriate information security controls. While most corporate information security professionals probably think they understand how to protect customer information, many wouldn't be comfortable attesting that their practices would protect their employer from liability. Lacking a commonly accepted set of security practices, many corporate information security professionals are uncertain how to secure customer information in a way that also limits their company's liability.

Proposed Solution

The best approach for companies that wish to protect their customer's information and potentially avoid liability is to implement the security practices required by both HIPAA and GLBA. There are 12 security practices in common between these two customer privacy laws. By following these 12 practices, companies will be practicing information security due care and can potentially avoid liability. Indeed, all of the security requirements mandated in the settlement of the cases mentioned earlier are among the 12 practices in common between HIPAA and GLBA.

What is Due Care?

Companies that handle the personal information of their customers may be breaking the law and not know it, as evidenced by the Guess case. This ignorance may partly stem from substantial gaps of prosecutable computer crimes that exist in federal criminal code and individual state criminal statutes. Federal and state criminal statutes are slow to evolve to adequately prosecute crimes based on the fast-changing technology of information systems. Companies and information security professionals may find little direction in criminal codes and statutes to help them avoid inadvertently breaking the law when it comes to protecting their customers' personal information.

Since there is little guidance for companies to follow when it comes to avoiding criminal or civil liability or harsh settlements from the FTC, they need to consider how legal standards are created in the first place. Legal standards are developed based on the concept of due care, which is the care that an ordinarily prudent person would have exercised under the same or similar circumstances. Failure to practice due care is equivalent to demonstrating negligence. Companies that demonstrate negligence relative to their information security practices are susceptible to lawsuits, fines, and other sanctions, whereas companies that practice due care should be largely protected from such punishments.

Where to Find Due Care Information Security Practices

Companies that wish to find due care information security practices need look no further than to two major federal laws that regulate the protection of customer information: HIPAA and GLBA. While both HIPAA and GLBA enacted a lot more than just customer privacy requirements, they both have spawned substantial regulatory guidance on security controls for protecting customer information. The regulations for HIPAA are called the Final Security Rule and those for GLBA are referred to as the Interagency Guidelines.

While some of the requirements in these regulations are industry-specific, there is a lot of commonality between the two. In particular, 12 security practices were found in both the HIPAA Final Security Rule and the GLBA Interagency Guidelines. The fact that these two sets of regulations intersect in 12 places is no coincidence. This is a clear signal from the federal government of the level of due care it expects the country's health care providers and financial institutions to practice. If these are the standards of due care that must be practiced by industries that represent about a quarter of the country's GDP, it stands to reason that other industries will be expected to follow these same practices.

HIPAA & GLBA Security Due Care Practices in Common