Is Your Data Security Policy and Process Reasonable?

gavel-1There are many data protection regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) of 1999 (Financial Modernization Act of 1999), and the European Data Protection Directive. These all have language regarding how an entity mustprotect personal information. Other regulations specify the destruction discarded personal information, as is the case with the Final Disposal Rule of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) and 29 state data destruction requirements.All data protection regulations have one thing in common; they are based on the principle of “reasonableness.”

The advantage of this approach is that it allows flexibility in compliance strategies for many types and sizes of organizations that have varying needs and resources. However, some people suggest that allowing every organization to determine what is reasonable is a weakness. But, in fact, the reasonableness approach actually challenges an organization to put a lot of thought into their particular compliance strategy. You see, while the organization must determine what it reasonable for themselves, they are not the final judge. In the event of an audit or data breach, the final judge of what is reasonable is the regulator. The challenge is developing a reasonable approach to compliance that reflects what regulators consider reasonable. The good news is those regulators have provided plenty of guidance.

Reasonable approaches and responses to data protection laws include creating written data protection policies and procedures and providing training to employees. Or, stated another way, not having written data protection policies and training programs would be considered unreasonable and, therefore, noncompliant. Also, not having a written selection criteria and process for hiring data-related vendors would be considered by regulators as unreasonable and noncompliant.

The lack of written policies, employee training and vendor selection criteria remain the weakest links in most data destruction practices. In the last few years, virtually every one of the thousands of data breach investigations ultimately exposed one or more of these critical shortcomings, which usually constituted severe consequences and large fines. Therefore, when reviewing the data protection laws, remember to determine what is reasonable for your organization to remain compliant and safe from penalty.

In short, by relying on the “reasonableness principle” in determining compliance, the regulators are ensuring the data custodian demonstrates due diligence in all areas related to data protection without being overly prescriptive.

Data protection laws have a number of provisions to promote such diligence on the part of the original data controller. First, they do not allow the data controller to pass on the regulatory liability to protect the data to the downstream service provider. While the regulators understand that the use of such subcontractors is a modern day necessity, they hold the data controller responsible for the actions of those vendors, as described in this excerpt from the “Proposed Modifications to HIPAA under HITECH.”

“…The covered entity remains liable for the acts of its business associate agents, regardless of whether the covered entity has a compliant business associate agreement in place. This change is necessary to ensure, where the covered entity has contracted out a particular obligation under the HIPAA rules, that the covered entity remains liable for the failure of its business associate to perform that obligation on the covered entity’s behalf.”

Similar provisions appear in all major data protections laws currently enforced around the world. The data controller may, and often does, assign financial responsibility to the downstream vendors for financial damages they cause. However, they cannot pass on the responsibility. For example, if service provider causes a data breach notification event, their only responsibility under the law is to inform the data controller. The data controller is responsible for making and paying for the actual breach notification.

But that is not the only way data protection laws ensure data controllers keep their eye on the ball. The laws make it illegal to select a vendor without doing the proper due diligence. This excerpt from the Security and Exchange Commission’s Regulation S-P is typical.

“…The ‘reasonable measures’ standard will generally require the covered entity to take reasonable steps to select and retain a service provider that is capable of properly disposing of the consumer report information at issue.”

So, while data protection regulations do not have specify criteria such as destruction method, access control, employee screening, material disposition, or other details, NAID Certification does so in a manner that both ensures reasonable levels of security combined with a robust third-party audit methodology. In selecting a company subject to the security specification and robust auditing system including in the NAID Certification program, an organization exhibits it has exercised  due diligence in the selection process, thus fulfilling both the word and the spirit of all data protection regulations.  Choosing a NAID Certified vendor is reasonable, and will protect your company and your data.