Information Security: The New IT (or "it") Issue -- Part 1
For any business, knowledge of how information is secured and managed is essential in avoiding the long arm of the law.
There is no question that the amount of information created in the information age is overwhelming. From banking transactions to Fitbits, we are all generating incredible amounts of information every single day whether we realize it or not. As should no longer be surprising, this data -- this information about us as individuals -- is vulnerable. Consequently, issues of data security and privacy have moved to the mainstream in a quick and powerful way. And that's before we even whispered the name "Snowden."
Taking note of the sheer number of vulnerabilities, governmental bodies from all three branches of government, as well as state and federal authorities, have gotten involved. Primarily, the Federal Communications Commission and the Federal Trade Commission have each made loud and important contributions on the subject. In addition, the differences between how Americans and Europeans treat data is not only different, but particularly for businesses that work internationally, knowledge of how information is secured and managed is essential in avoiding the long arm of the law.
However, before beginning to contemplate international standards and actions, it's important for clients -- and their lawyers -- to do a careful risk assessment. That is, do you -- and your clients -- know what data is actually being stored on client systems (or in client cloud files)? What kinds of information are being held? Credit card numbers? Medical records? Financial information? Other personal information? It's hard to know how to manage (read: protect) such information when you're not sure what's there, let alone where it is, in the first place.
Before taking an even deeper dive into this murky swamp, there's one other critical factor to consider. Certain industries/professions/entities have additional regulatory requirements (some might call them burdens) that must be met based on the nature of the work that they do. Examples that come to mind include healthcare, where the Food and Drug Administration (FDA), among other government agencies, has defined -- and is very happy to enforce -- very definite obligations, and financial services where, among others, the Commodity Futures Trading Commission (CFTC) is more than willing to flex its muscles. Then there are the states, which have mostly (47 have signed on in one way or another) created their own set of rules and procedures regarding information security, with particular attention to those parties that need to be notified in the event of a security breach. (For a complete list, click here. )
Here's what you need to know:
- Identify what information is retained -- It's absolutely essential that any entity that has access to client information (note the lack of the word "confidential") know what it has. This may sound simple, but it's not. In fact, many entities may not even realize what information is retained from customers, clients, vendors or others. Are social security numbers, tax IDs, banking information, or credit card numbers stored somewhere? Protecting the information is impossible until the storer (whether intentionally or un) knows what it has.
- Identify where the information is stored -- In house? In the cloud? How secure is it? Has the security been verified? How often is it tested? Has there ever been a breach? What are the steps in the event of a breach?
- Be aware of and compliant with applicable state and federal regulations -- Most levels of government have taken a keen interest in protecting the security of confidential data. If you're unfamiliar with the general and particular rules that apply to data security in your work environment, get familiar with them. In a hurry. As always, cluelessness is not a viable defense.
- Be aware of and compliant with international regulations -- if applicable.
A WISP is a written information security program/plan. If your firm and your clients don't have one, they should. In some states, they're required, but in all states, they're certainly advisable. A WISP is an essential tool not only in the actual protection and management of data. More importantly, it is an essential tool in the defense of claims related to data breaches. A well-constructed WISP will address not only what's done "in-house," but also how data that's been shared beyond the home location (with vendors, employees and other outsiders) is protected. An effective WISP should be a carefully crafted document that is both industry-specific and clearly oriented toward the entity that it's seeking to protect. As always, writing it is only part of the challenge. Adopting it, modifying it, and relying upon it is the other. An effective WISP is a living, breathing document.
In the interest of space, I won't be able to fully address the international issues associated with data protection. For now, suffice it to say that the October 2015 decision of Schrems v. Data Protection Commissioner (Case C-362/14) made it clear that the mechanism historically used by U.S. businesses to comply with existing safe harbor protections is now insufficient to meet EU standards. Stay tuned for the next installment.