Thomas Smedinghoff: Information Security Laws and Regulations Insights
RICHARD SWART: Hi, this is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we’ll be speaking with Thomas J. Smedinghoff, a partner in the privacy, data security and information law practice at the law firm of Wildman Harrold in Chicago. His practice focuses on the emerging legal issues of e-business and the corporate use and management of information, with an emphasis on electronic transactions, information security and privacy issues. Mr. Smedinghoff has been actively involved in developing e-business and information legal policy both in the U.S. and globally. Well, Tom, thank you for agreeing to be interviewed by us today.
TOM SMEDINGHOFF: Thank you.
RICHARD SWART: Let’s start with this question. Your recent article referred to the patchwork of federal and state laws and regulations regarding corporate obligations to provide information security, which appear to be coming together to provide ever-expanding coverage of corporate activity. Could you tell us more about these recent developments?
TOM SMEDINGHOFF: Basically, if you survey the legal landscape and you look at the state laws, the federal laws and even international laws, there are literally hundreds and hundreds of different laws that focus on information security obligations, but when you stand back and look at those from a distance there are basically three trends that emerge from those laws.
The first, as we’re seeing, I think, is the imposition of a general duty on companies to provide security to protect their own data, and I think it’s important to recognize that this obligation goes beyond personal data and looks at corporate financial data, corporate tax data, corporate transaction data, corporate trade secrets and so forth.
The second major trend is basically the definition of the legal standard that is developing with respect to information security. When people ask the question, “Well, exactly what do I have to do?”, the law is starting to provide the answer to that question.
Then the third basic trend is basically the imposition on companies of a duty to warn: a duty to warn individuals or others who may be adversely affected by a security breach. So it’s basically a breach disclosure obligation, and I think it’s important to recognize that while we’re all very familiar with some of the more popular security statutes and regulations, like the Gramm-Leach-Bliley regulations and the HIPAA regulations, there are many, many other laws and regulations, some of which don’t even use the word security but that nonetheless impose security obligations. And so as you look at this legal landscape you need to consider all of that and sort of look at the big picture to get a sense of what’s happening here.
RICHARD SWART: I was wondering if you could tell us what a couple of those regulations and laws might be that our listeners might not be familiar with.
TOM SMEDINGHOFF: If you look at it by different types of data, we’ve got a variety of laws dealing with personal data like Gramm-Leach-Bliley, HIPAA and COPPA dealing with children’s privacy. You’ve got Federal Trade Commission activities dealing with personal information and so forth. With respect to financial information, you have the Sarbanes-Oxley legislation and you’ve got IRS regulations, as just two examples, dealing with obligations to protect financial information.
You’ve got other laws dealing with protecting trade secret information, for example, funds transfer information, Social Security number records or information, and a variety of other statutes that are out there at the federal and state level. Another good example is statutes dealing with electronic transactions: the federal E-Sign statute and the state-level Uniform Electronic Transactions Act, which both deal with security issues relating to electronic transactions. You’ve got insurance industry specific statutes. You’ve got statutes in the food and drug area. You’ve got statutes, obviously, in the financial and the healthcare sectors. You’ve got sector-specific laws. You’ve got more general statutes. Another good example is that states are enacting general laws imposing obligations with regard to security on companies that basically collect personal information, whether through websites or other means. So you’ve got a variety of different laws all coming at the question of security with respect to different types of data.
RICHARD SWART: I know one of the concerns that a lot of banks and financial institutions have right now is the representations they’re making to their customers about the adequacy of their information security. Are there specific obligations that banks and credit unions or financial institutions have regarding these representations?
TOM SMEDINGHOFF: Basically, whenever you make a representation about your data practices you are imposing an obligation on yourself, I mean essentially an obligation to comply with that representation. If you are making statements that are not true, that becomes an unfair or deceptive trade practice and can land a company in trouble. We’ve seen quite a bit of action over the last few years by the Federal Trade Commission and by the state Attorneys General going after companies who in one form or another have made representations about their data security practices that the government agencies felt they did not live up to.
So, you know, the bottom line is you’re defining an obligation for yourself when you make a representation, so as the saying goes, only say what you do and do what you say.
RICHARD SWART: Good advice. You’ve also recently written, of course, that we’re beginning to develop a legal definition of reasonable information security. What is this definition and what implication does it have for the banking and finance industry?
TOM SMEDINGHOFF: Basically, when you look at the laws dealing with security, they generally require reasonable security or adequate security or some phrase along those lines, and frequently they don’t tell you much more in terms of what it is you have to do. So as a result, companies are often asking the very fundamental question: if I have a legal obligation to do something, what is it I have to do? And again, if we step back from all these laws and all the regulations, and we look at the enforcement actions and court decisions that are out there, what emerges is a legal definition of reasonable security. Now the good news is a definition is emerging. The bad news is it doesn’t tell you specifically what to do. For example, it doesn’t say you have to install a firewall, or you have to encrypt data, or you have to use virus software, or you have to use, you know, eight-digit passwords or two-factor authentication or some of those more detailed types of requirements. What it tells you you have to do is basically go through a process, and really the key here is the process, and that process is geared toward determining what is reasonable for a company in its particular situation. So for example, you know, if you outline that process, it starts with a very basic analysis of what information a company has, where it is, who controls it, how it is stored, what laws it is subject to and so forth. From there the process requires that you engage in a risk assessment. You know, what are the threats to that information, what are the vulnerabilities in the company’s operations, and if something bad happens, you know, how likely is it something bad will happen and, you know, what are the damages that could result. Based on that risk assessment, companies have to design and implement a system of security controls that are designed to respond to that risk assessment.
So to take a very simple example, putting guards at the front door of your building might be a good security measure, but if the threat that you face is somebody accessing your data through the internet, well, those armed guards aren’t going to do you much good.
On the other hand, implementing firewalls, intrusion protection software and access controls is important for keeping out the bad guys who might access your data through the internet, but if the threat you really face is dishonest employees, well then those controls, while they’re important for, you know, keeping out the bad guys through the internet, aren’t going to address the threat you face from dishonest employees. So you have to really tie the individual security measures to the threat you face.
From there, you need to obviously implement those controls, monitor them, make sure they actually work, that they do what they’re intended to do and achieve the intended result, and then you also need to continually reassess. Have the threats changed? Has the technology changed? Has your business changed in ways that will affect the security of your data? If it has, then you need to go back and repeat the process.
Then there’s finally one other very important element to the legal standard for security, and that is you have to address the third-party situation, the outsource providers who process your data remotely at another location. You need to ensure that they provide appropriate security. It’s sort of, you know, the basic rule here is that you can outsource the work but you can’t outsource the responsibility for the security of your own data. So that’s sort of a general, very quick overview in terms of what that legal process requires.
Now once, or let me restate that: in terms of the implication of that for banks and financial institutions, and really for any company, I think the first and most important point to remember is that you’re never done. This is a process that must be continual, must be an ongoing thing that you continually re-examine and re-evaluate and test and monitor, so that you can make sure that you’re always as up to date as is reasonable under the circumstances given the particular nature of your business. It also means quite simply that there are no hard and fast answers to your specific questions, such as, you know, do I need to apply a particular type of security measure? Do I need to encrypt my data? Is it okay to allow Wi-Fi access? Can I let my employees take laptops home?
Those kinds of questions are not going to be answered directly. They’re only going to be answered in the context of going through that process and determining what’s appropriate for a particular business and its individual circumstances.
RICHARD SWART: Now is this risk assessment process a developing best practice, or is it something that’s actually required under GLBA or the FFIEC guidelines?
TOM SMEDINGHOFF: Actually, it is required under GLBA and it is required under the FFIEC guidelines as well, and I think it’s important; in fact, in terms of defining the legal standard, what I think is the very best definition of the current legal standard is what appears in the GLB security regulations, and those regulations aren’t that long. They’re only, I want to say, four or five pages, and I think it’s very well worth reading those regulations because I think they’re just an excellent statement of that legal standard for information security.
The FFIEC guidelines also make, how can I say this, the FFIEC guidelines also emphasize the importance of a risk assessment. In fact there’s a very interesting section of the FFIEC guidelines that points this out. As you may be aware, those guidelines basically state that the FFIEC has taken the view that single-factor authentication for online banking activities is no longer an appropriate method of authentication, and many have interpreted those guidelines as requiring two-factor authentication. They don’t literally say that, but in any event they’ve generated a lot of controversy and a lot of questions, and so as a result the FFIEC put out an FAQ on how to interpret that guidance. One of the questions they responded to came from someone who basically said, how about if we just go ahead and implement two-factor authentication and skip the risk assessment process, would that be okay? And the FFIEC was very clear in response. It said no. It said you have to do a risk assessment, and the type and the level of authentication that you use has to be responsive to that risk assessment. So they were very clearly stating that it’s not just implementing two-factor authentication that’s going to solve the issue here; it’s a requirement that you do a risk assessment and that what you implement is responsive to that risk assessment.
RICHARD SWART: Very interesting. It almost sounds like the laws are evolving into what the consultants have been saying all along, that security truly is a process and not a product, and that one solution isn’t going to solve all of our problems.
TOM SMEDINGHOFF: I think thatâ€™s absolutely correct. There is no single solution here.
RICHARD SWART: Thank you for your time today, Tom. We appreciate you and the excellent information for our listeners.
TOM SMEDINGHOFF: Thank you.
RICHARD SWART: Thank you for listening to another podcast with Information Security Media Group. To listen to a selection of other podcasts or find other educational content regarding information security for the banking and finance community, you can visit www.bankinfosecurity.com.