A great article was published on Law.com today written by Ryan Sulkin, “First Line of Defense Against Data Security Breaches: Employees.”
There are several points made that I hope business leaders read and take to heart.
“Yet developing law is increasingly requiring administrative or procedural controls, particularly those directed at employees, as a component of a legally compliant security program.”
If you are not yet aware of it, HIPAA and GLBA very clearly have these personnel procedural and administrative requirements. The FTC has often named lack of personnel procedural and administrative requirements as a significant component in their penalties decisions using the FTC Act. Business leaders must understand that creating formal policies and procedures, and then providing ongoing training and awareness for them, is a key compliance activity they must pony up to.
The following excerpt nicely outlines some of these regulatory requirements:
“Implementing regulations for the Gramm-Leach-Bliley Act (GLB) requires covered financial institutions to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information. That assessment, at a minimum, must include employee training and management. See, e.g., FTC Safeguards Rule, 16 CFR 314.4(b)(1).
Likewise, implementing regulations for the Health Insurance Portability and Accountability Act requires covered entities to take a number of actions regarding employees under the heading of “administrative safeguards.” The regulations require covered entities to (among other requirements):
“(1) apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity; (2) identify the security official who is responsible for the development and implementation of the policies and procedures required; (3) implement policies and procedures to ensure that all members of its work force have appropriate access to electronic protected health information and to prevent those members who do not have access from obtaining access to electronic protected health information.” HIPAA Security Regulations, 45 CFR 164.308(a)(1)(ii)(C), (a)(2) and (a)(3)(i).
The Purchase Card Industry Data Security Standards (PCI Standards) require companies to “[m]aintain a policy that addresses information security for employees and contractors.” Purchase Card Industry Data Security Standards, Version 1.1, Requirement 12. Under PCI Standards Requirement 12, companies must, for example, “develop usage policies for critical employee-facing technologies (such as modems and wireless devices) to define proper use of these technologies for all employees.”
The FTC, in an enforcement action against Nationwide Mortgage Group Inc., found that the company violated the GLB Safeguards Rule in part by “stor[ing] customer information on a computer network accessible to all employees” and failing to “train employees on information security issues, or oversee the collection and handling of customer information by its loan officers.” In the Matter of Nationwide Mortgage Group, Inc. and John D. Eubank, File No. 042-3104, Docket No. 9319 (FTC 2005).
In a similar GLB Safeguards Rule action brought against Sunbelt Lending Services Inc., the FTC found that Sunbelt failed “to implement reasonable policies and procedures in key areas, such as employee training and appropriate oversight of the security practices of loan officers working from remote locations.” In the Matter of Sunbelt Lending Services, Inc., File No. 042-3153 (FTC 2005).
The Federal Financial Institutions Examination Council (FFIEC), a formal interagency body of the five key federal banking regulatory agencies empowered to prescribe uniform principles and standards for the federal examination of financial institutions, has created an IT Examination Handbook for use by examiners when evaluating a financial institution’s risk management process. The handbook addresses the requirements for employee security in multiple areas. See Federal Financial Institutions Examination Council IT Examination Handbook, July 2006, available at www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf. Likewise, ISO 17799, an international standard for information security, requires multiple employee-related security controls. See BS ISO/IEC 17799: 2005.”
Have you made your business leaders aware of these legal requirements for information security and privacy awareness and training? Have you made sure the companies to whom you’re outsourcing activities involving personally identifiable information (PII) have good awareness and training programs?
Wouldn’t it be nice if we could get our CxOs to make a 2007 resolution to devote as much time and resources in the organization’s information assurance awareness and training efforts as they do in their golf game? Or, better yet, as much as is devoted to the corporate intramural sports teams and recreation events?
Make 2007 your year for awareness and training. Done right, and on an ongoing basis, it will pay huge dividends resulting from fewer incidents occuring from mistakes, successful social engineering, insider fraud, and other results of inappropriate information or systems use. In fact, look at 2006, establish your baseline values for such categories as lost laptops, compromised passwords, misdirected emails, accidental PII postings to websites, posted passwords on workstations, confidential papers left unsecured on desks, successful phishin ploys, personnel fraud and abuse, and so on, then be diligent throughout 2007 with your awareness and training efforts. You will see how effective your efforts have been when Baby New Year 2008 arrives!
Tags: awareness and training, FFIEC, FTC, GLBA, government, HIPAA, Information Security, IT compliance, PCI, privacy