Deriving Due Care Practices from HIPAA and GLBA

Recent years have shown a trend in corporations being held responsible for information security negligence. In particular, the Federal Trade Commission (FTC) and the Attorney General of New York have been actively pursuing companies that fail to follow effective security practices. Many high-visibility cases illustrate how companies are being required to implement stronger security controls, the Guess case being a good example.

In June 2003, Guess, Incorporated agreed to settle FTC charges that it exposed consumers' personal information to commonly known attacks by hackers, contrary to the company's claims. "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection. The settlement required that Guess implement a comprehensive information security program that would be certified as meeting or exceeding the standards in the consent order by an independent professional within a year.

The Problem

A key reason why corporations demonstrate poor or inconsistent information security controls is the lack of a widely accepted and comprehensive set of good security practices. Standards bodies such as the U.S. National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) publish security standards with varying degrees of corporate acceptance and use. The Information Systems Security Association (ISSA) has identified the need for a universally agreed-upon collection of essential security practices and is currently developing the Generally Accepted Information Security Principles (GAISP)--although how well accepted these principles will be upon publication remains to be seen.

The Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule and the Gramm Leach Bliley Act (GLBA) Interagency Guidelines are customer privacy laws specifying the security rules that must be followed by the healthcare and financial services industries respectively. If entities covered by these laws fail to follow the required security practices they may not only be exposing their customers' private information but may also be subject to regulatory penalties and fines. These laws, in essence, define information security due care standards--the security practices that must be followed to avoid liability--for the healthcare and financial services industries. The entities covered by these laws, however, only represent approximately 25% of the U.S. Gross Domestic Product. Other industries must rely upon their best judgment to protect customer information--clearly not an effective approach as the cases mentioned earlier demonstrate.

Most companies certainly want to do the right thing and protect their customers' information, but avoiding legal liability and harm to their reputation are also factors that motivate them to implement appropriate information security controls. While most corporate information security professionals probably think they understand how to protect customer information, many wouldn't be comfortable attesting that their practices would protect their employer from liability. Lacking a commonly accepted set of security practices, many corporate information security professionals are uncertain how to secure customer information in a way that also limits their company's liability.

Proposed Solution

The best approach for companies that wish to protect their customer's information and potentially avoid liability is to implement the security practices required by both HIPAA and GLBA. There are 12 security practices in common between these two customer privacy laws. By following these 12 practices, companies will be practicing information security due care and can potentially avoid liability. Indeed, all of the security requirements mandated in the settlement of the cases mentioned earlier are among the 12 practices in common between HIPAA and GLBA.

What is Due Care?

Companies that handle the personal information of their customers may be breaking the law and not know it, as evidenced by the Guess case. This ignorance may partly stem from substantial gaps of prosecutable computer crimes that exist in federal criminal code and individual state criminal statutes. Federal and state criminal statutes are slow to evolve to adequately prosecute crimes based on the fast-changing technology of information systems. Companies and information security professionals may find little direction in criminal codes and statutes to help them avoid inadvertently breaking the law when it comes to protecting their customers' personal information.

Since there is little guidance for companies to follow when it comes to avoiding criminal or civil liability or harsh settlements from the FTC, they need to consider how legal standards are created in the first place. Legal standards are developed based on the concept of due care, which is the care that an ordinarily prudent person would have exercised under the same or similar circumstances. Failure to practice due care is equivalent to demonstrating negligence. Companies that demonstrate negligence relative to their information security practices are susceptible to lawsuits, fines, and other sanctions, whereas companies that practice due care should be largely protected from such punishments.

Where to Find Due Care Information Security Practices

Companies that wish to find due care information security practices need look no further than to two major federal laws that regulate the protection of customer information: HIPAA and GLBA. While both HIPAA and GLBA enacted a lot more than just customer privacy requirements, they both have spawned substantial regulatory guidance on security controls for protecting customer information. The regulations for HIPAA are called the Final Security Rule and those for GLBA are referred to as the Interagency Guidelines.

While some of the requirements in these regulations are industry-specific, there is a lot of commonality between the two. In particular, 12 security practices were found in both the HIPAA Final Security Rule and the GLBA Interagency Guidelines. The fact that these two sets of regulations intersect in 12 places is no coincidence. This is a clear signal from the federal government of the level of due care it expects the country's health care providers and financial institutions to practice. If these are the standards of due care that must be practiced by industries that represent about a quarter of the country's GDP, it stands to reason that other industries will be expected to follow these same practices.

HIPAA & GLBA Security Due Care Practices in Common

The 12 security practices in common between HIPAA and GLBA are all "high-level" practices. There are no specific technology controls. Some practices are required while others are required only if a risk assessment conducted by the entity determines that the practice is appropriate.

The HIPAA Final Security Rule and the GLBA Interagency Guidelines were designed to provide guidance to senior management. How the practices are implemented is left largely up to the companies to determine.

Following is the list of the 12 security practices in common between HIPAA and GLBA (please refer to the HIPAA/GLBA Due Care Practice Matrix in the Laws and Regulations section of the OpenCSOProject for detailed analysis and references):

 

1. Assess and Control Risk
2. Assign Security Responsibility
3. Appropriate Access and Authorization
4. Security Awareness and Training
5. Incident Response and Reporting
6. Disaster Recovery
7. Security Evaluation
8. Vendor Contracts
9. Facility Access Controls
10. Data Integrity Controls
11. Encryption
12. Security Monitoring Procedures

 

Validation from Recent Enforcement Actions

If the companies in the FTC settlement cases mentioned earlier had faithfully implemented these 12 practices, they would not have suffered any penalties and their customers’ information would have been protected. For instance, in the Guess case, the FTC ordered Guess to:

 

• Designate an employee or employees to coordinate and be accountable for the information security program (HIPAA/GLBA Due Care Practice #2: Assign Security Responsibility);
• Identify material internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment must include consideration of risks in each area of relevant operation. (HIPAA/GLBA Due Care Practice #1: Assess and Control Risk);
• Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards' key controls, systems, and procedures. (HIPAA/GLBA Due Care Practice #7: Security Evaluation);
• Evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that Guess knows or has reason to know may have a material impact on its information security program. (HIPAA/GLBA Due Care Practice #7: Security Evaluation)

 

These four requirements would have been fulfilled by following just three of the 12 HIPAA/GLBA Due Care Practices: Assess and Control Risk, Assign Security Responsibility, and Security Evaluation. The other settlement cases had similar requirements, also covered by the HIPAA/GLBA Due Care Practices. It is clear that the security practices required by both HIPAA and GLBA establish a basis of due care.

Conclusion

Companies are finding that they will pay the price for not maintaining strong security controls and protecting their customers' information. They must proactively implement and maintain prudent security processes to demonstrate that they are practicing due care. Until a universally accepted set of information security practices is produced, the best approach for companies is to implement the security practices required by both HIPAA and GLBA.

Marc R. Menninger is a Certified Information Systems Security Professional (CISSP) and is the founder and site administrator for the OpenCSOProject, a knowledge base for security professionals. To download security policies, articles and presentations, click here: Security Officer Forums.