What are reasonable security practices?
Privacy policies always state that the data holder will use “reasonable” and “appropriate” measures to keep the data they collect secure. This language is used because almost all state laws and regulations require that the data holder use “reasonable measures”, “appropriate measures”, or both to keep the data secure. What are reasonable and appropriate measures? One could look to Federal standards or third-party standards. Alternatively, a few states have addressed this issue. Massachusetts has the most detailed data security regulation, 201 CMR 17.00. This regulation applies to any person who owns or licenses “personal information” concerning Massachusetts’ residents. This regulation requires that every person:
develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.
201 CMR 17.03(1). The regulation requires the creation of a written information security program (WISP) with elements such as (1) designating persons to maintain the information security program, (2) identifying internal and external risks and evaluating and improving safeguards, (3) developing security policies concerning transportation of personal information, (4) at least annual reviews, and (5) overseeing service providers. Additionally, the regulation requires the WISP to include a section concerning one’s security systems that should address “at a minimum, and to the extent technologically feasible”: (a) secure user authentication protocols, (b) secure access control measures, (c) encryption of all personal information, (d) reasonable monitoring of systems, and (e) the education and training of employees. 201 CMR 17.04. Due to the breadth of this regulation, Massachusetts released a compliance checklist to assist with complying with it.
Rhode Island recently addressed this issue with its amended Identity Theft Protection Act, which becomes effective on June 26, 2016. This statute applies to any person who has “personal information” about a Rhode Island resident. Rhode Island General Laws 11-49.3-2; 3-3(8). Under the statute, everyone
shall implement and maintain a risk-based information security program which contains reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction or disclosure and to preserve the confidentiality, integrity, and availability of such information.
R.I. Gen. Laws § 11-49.3-2 (effective June 26, 2016). While this statute requires the creation of a “risk-based information security program”, it doesn’t detail the substance of that program. Thus, the program could be modeled after the Massachusetts program or, possibly, after a HIPAA program.
A couple of other states, Nevada and Connecticut, have limited data security statutes. Nevada’s statute applies to any “data collector” that maintains “personal information” concerning Nevada residents. Nevada Revised Statute 603A.210(1). The statute requires that any data collector who receives payment card information must comply with the Payment Card Industry (PCI) Data Security Standard. NRS 603A.215(1). Alternatively, if a data collector does not collect payment card information, it must encrypt personal information. NRS 603A.215(2).
Connecticut’s statute applies only to state contractors and health care related businesses. State contractors are required to “implement and maintain a comprehensive data-security program”. Conn. Gen Stat. § 36a-701b, 2015 S.B. 949, Public Act 15-142. That statute then enumerates a few elements to be included in the program, such as: a security policy for contractor employees related to the storage, access and transportation of data containing confidential information, at least an annual review of policies and security measures, and requiring that electronic data be stored “(A) in a secure server; (B) on secure drives; (C) behind firewall protections and monitored by intrusion detection software….” The statute also prohibits the storage of confidential information on removable storage media unless approved by the contracting state agency.
Health care related businesses are required to “implement and maintain a comprehensive information security program”. Conn. Gen Stat. § 36a-701b, 2015 S.B. 949, Public Act 15-142.
The program must be in writing and “contain administrative, technical and physical safeguards appropriate to (A) the size, scope and type of business of such company, (B) the amount of resources available to such company, (C) the amount of data compiled or maintained by such company, (D) and the need for security and confidentiality of such data.” The statute goes on to require the program to include at least: secure computer and Internet user authentication protocols, secure access control measures, identification and assessment of reasonably foreseeable internal and external risks, at least annual reviews of the program, and reasonable restrictions on physical access to personal information in paper format.
Finally, we would be remiss not to mention California’s entry into the data security field. California’s Attorney General in its 2016 Data Breach Report (see this older blog post - Security - What are "reasonable" information security practices?) provided a recommendation concerning what would constitute “reasonable” security. Although the AG’s recommendations are not law or regulations, they are influential. In the report, the AG stated that:
Report, at page 30. The 20 Controls can be broken down as follows:
Report, at page 31.
If your business collects personal information from visitors, users or customers, then you need to assess the information you are collecting. What information is being collected? Which state laws and regulations do you need to comply with? Is that information "personal information"? Are you providing reasonable and appropriate security measures? Be forewarned, the bar for what is considered reasonable and appropriate is rising.