Developing Effective Information Security Programs

By Kirk J. Nahra
September 20, 2005

For many years, financial institutions and other entities that collect personal information focused on privacy as an emerging legal doctrine presenting compliance challenges and an array of business implications. These issues, while still important and subject to ongoing debate and tinkering, have become, for many financial institutions, an automatic component of ongoing business activities. Now, with attention focused on the security of customer information by the recent flood of news stories concerning security breaches in numerous industries, privacy's ugly stepchild, the security of consumer information, has moved to the forefront of concern, both for financial institutions and for the various entities that regulate and oversee them. News stories reporting security breaches are an almost daily occurrence. New legislation is being introduced almost constantly, at both the state and the national level. While financial institutions already face a raft of security-related compliance obligations, including the Gramm-Leach-Bliley Act, financial institutions and their important business partners have been the focus of many of the most highly publicized breaches.

With this background, financial institutions (and other companies across America and globally) should be re-evaluating their information security programs. In reviewing the various legal requirements, what are the primary components of an effective security program? And what are the most difficult challenges facing companies in trying to move from a security “best practices” environment to one requiring compliance with specific legal obligations?

Understanding the Legal Landscape

While the emphasis on security has moved from best practice to legal requirement, most security-based laws and regulations still call for reasonable and appropriate security practices rather than dictating specific technological fixes for security threats. Accordingly, it is critical for financial institutions and other entities to understand the full complement of legal requirements, so that they can draw on the best practices of other industries as a component in building a reasonable information security program.

As with most privacy rules, the various security standards emerging through legislation and regulation are not exclusive: they neither pre-empt other security rules nor provide that they are the only rules an entity needs to follow. Accordingly, whether through direct regulation or through pass-through requirements for those who act as vendors under certain legislation (such as HIPAA or the Gramm-Leach-Bliley Act), companies will likely be faced with multiple rules dictating particular practices or approaches. Fortunately, there have so far been few conflicts between the various rules; instead, the level of detail and the specific components often vary, creating a need for an integrated approach to security requirements.

To date, the primary information security legal requirements stem from the following laws and regulations:

  • Gramm-Leach-Bliley Act: applicable to financial institutions and their vendors;
  • HIPAA: applicable to the health care industry and related vendors (banks and other financial institutions may face increasing scrutiny as “business associates” and perhaps as “covered entities” under the HIPAA rules; see Nahra, “Financial Institutions and the New HIPAA Rules,” The Review of Banking and Financial Services (June 2004));
  • Emerging state laws: in California and elsewhere, dictating specific steps in certain situations (such as where there has been a security breach);
  • Sarbanes-Oxley “financial controls” provisions: applicable to publicly traded companies (and to various other companies through similar laws); and
  • A multitude of “best practices” materials across industry lines, originating from industry groups, standards-setting organizations and the like (e.g., the International Organization for Standardization (“ISO”) and the National Institute of Standards and Technology (“NIST”)).

Recent Developments: The FACTA Disposal Rule

There have been several important additions to this list of legal obligations in recent months. The Federal Trade Commission, under its FACTA rulemaking authority, has dictated specific procedures for the disposal of consumer report information. The major requirements of the rule (codified at 16 C.F.R. Part 682 and effective June 1, 2005) are relatively straightforward. The rule defines compliance as “taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” Examples of these reasonable measures include:

  • Implementing and monitoring compliance with policies that require burning, pulverizing, or shredding of physical documents, so that the information cannot practically be read or reconstructed;
  • Implementing and monitoring compliance with policies that require the destruction or erasure of all electronic media, so that the information cannot practically be read or reconstructed; and
  • After due diligence, entering into and monitoring compliance with a contract with a third party engaged in the business of information destruction to dispose of consumer information in a manner consistent with these principles.

In addition, companies must implement and monitor compliance with policies that protect against unauthorized or unintentional disposal of customer information. Companies covered directly by the Gramm-Leach-Bliley Act must also incorporate their disposal policies into the information security program required under the Gramm-Leach-Bliley safeguards rules.

The disposal rule applies specifically to “consumer information,” which means any information about an individual, regardless of the form of the information, “that is a consumer report or is derived from a consumer report.” Accordingly, at one level, the rule does not appear to have broad general application, because the concept of a “consumer report” is somewhat limited. However, the rule also states that “any person” who “maintains or otherwise possesses consumer information for a business purpose” must properly dispose of this information, using the reasonable measures discussed above. So, any company that receives, uses, or discloses consumer information must be concerned about this rule, as well as service providers who may receive this information, including information “derived from a consumer report.”

What conclusions can be drawn about this rule?

First, the rule is clearly limited to certain consumer report information and information derived from this report. Is there any reasonable basis for companies to know whether personal information that they have fits this definition? Can companies that possess “some” consumer report information effectively separate this consumer report information from other information, much of which will look very similar? The rule does not create any “reason to know” standard or other means of cutting off liability if a company is not acutely aware of the information being considered a consumer report. Therefore, unless a company can assess with confidence whether it has any information that “is or is derived from” a consumer report, it should be very cautious concerning this rule.

Second, aside from direct application, should companies perceive this rule as setting a new national standard? Given the recent explosion of reports about security breaches, both high-tech and low-tech, it certainly is reasonable for companies that maintain any kind of information about individuals to focus on their disposal practices, using this rule at least as a guideline. Certain other privacy rules, such as the HIPAA privacy and security standards, set similar guidelines for disposal of information. The general requirements of the rule are not particularly difficult; they call for a reasonable program to dispose of certain information. This “disposal” component should be a factor in the security and privacy practices of any company. The primary difficulty of this rule may be in the ongoing monitoring that is required, particularly of third-party vendors. Recent stories concerning certain document storage companies should raise awareness of this issue as well.

Therefore, while it may be possible for companies to limit the formal applicability of this rule, it will be difficult to determine whether particular information is covered by the rule and, perhaps, unwise to avoid dealing with these issues even if a company can have confidence that its information is not covered by the Rule. Disposal practices must be added to the growing list of security areas that need to be addressed in today's information security-conscious age.

The BJ's Wholesale Decision

The Federal Trade Commission's recent settlement with BJ's Wholesale Club makes an effective security program a national requirement for any company that holds personal information, regardless of industry or of specific statutory or regulatory requirements. To the FTC, a failure to develop and implement an effective information security program is, in itself, an unfair trade practice under Section 5 of the FTC Act (which prohibits “unfair or deceptive” acts or practices), independent of any specific statutory or regulatory requirement.

In the BJ's Wholesale case (announced June 16, 2005), the FTC took enforcement action despite the fact that BJ's Wholesale apparently made no representations whatsoever to its customers concerning security protections. Instead, the FTC alleged that BJ's Wholesale's information security practices, taken together, did not provide “reasonable security for sensitive customer information.” Specifically, the FTC alleged that BJ's Wholesale violated the FTC Act because it:

  • Failed to encrypt consumer information when it was transmitted or stored on computers in BJ's Wholesale stores;
  • Created unnecessary risks to the information by storing it for up to 30 days, even when it no longer needed the information, in violation of bank security rules;
  • Stored the information in files that could be accessed using commonly known, default user IDs and passwords;
  • Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
  • Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.

These problematic practices apparently came to light because of a large number of false or fraudulent charges posted to BJ's Wholesale customers' accounts, which the FTC alleged resulted from hacker access to this poorly secured information (including through the in-store wireless networks).

As a result of these alleged failures, BJ's Wholesale settled the FTC allegations, without admitting any wrongdoing. This settlement includes not only a requirement to implement “a comprehensive information security program that is reasonably designed to protect the security, confidentiality and integrity of personal information collected from or about consumers,” but also requires the company to have an independent third-party assessment of this program, every other year for the next 20 years, subject to ongoing FTC oversight.

In effect, the FTC required BJ's Wholesale to implement a security program mirroring the requirements set out by the FTC for entities regulated under the Gramm-Leach-Bliley Act. This comprehensive security program, which must be “fully documented in writing” and be “appropriate” to the company's “size and complexity, the nature and scope of [the company's] activities, and the sensitivity of the personal information collected,” must include the following components:

1) The designation of an employee (or employees) to coordinate and be accountable for the information security program;

2) The identification of “material internal and external” risks to the security of this personal information, with the risk assessment covering each relevant area of operation, including employee training and management; information systems; and the prevention, detection and response to attacks, intrusions or other system failures;

3) The design and implementation of reasonable safeguards to control the risks identified in this risk assessment; and

4) The evaluation and adjustment of the program in light of the results of testing and ongoing monitoring of the program, material changes to the company's operations or business arrangements, or “any other” circumstances that may have a material impact on the effectiveness of the security program.

Requirements of an Integrated Security Plan

To develop an integrated security approach, what are the primary components of these rules, and what principles should companies in any industry use to develop and implement effective security practices?

Risk Assessment

Identification of reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in its unauthorized disclosure, misuse or alteration is the critical first step for any security program. This assessment needs to focus not only on traditional security concerns (e.g., defending against hackers) but also on newer concerns (such as the destruction of computers and other information media upon disposal), as well as business-continuity and disaster-recovery planning.

Risk Management and Risk Mitigation

Once a company's risks are identified, it must develop an appropriate strategy for managing and reducing these risks. Note that this step does not require elimination of risks. Essentially all security laws recognize, despite the occasional use of words like “ensure,” that elimination of all risk is neither practical nor possible. Accordingly, risk management means bringing risks down to “acceptable” or “appropriate” levels. One of the biggest challenges is defining this level of acceptable risk, and documenting the selection rationale effectively in case the accepted level of risk does in fact result in a security problem. While cost is a factor in this risk management, it should not be the only consideration.

Vendor Management

An increasing number of laws require review and oversight of vendor practices. This typically involves due diligence at the contracting stage, as well as ongoing meaningful oversight. Companies need to develop a strategy that allows oversight of the most significant vendors and vendor risks, without forcing the company into an oversight program requiring a disproportionate commitment of resources.

Policies and Procedures

Once the company has evaluated and managed its security risks, it must develop policies and procedures that effectively document choices and instruct employees on how to behave in connection with security risks. This focus on documentation and training is one of the newer components of security laws, and it often takes these security principles one step beyond what many companies developed in a best practices environment.

Mitigation

Because of the focus on “appropriate” risk levels, and the resulting possibility that security breaches will occur no matter what precautions are taken, it is critical that companies have an effective mitigation plan in the event of a security breach. This plan should involve not only how to correct the particular situation, but also an assessment of how to revise existing policies to prevent recurrences. This mitigation plan is very important, because it kicks in when the rubber meets the road: you have had a breach and need to fix it immediately in the eyes of your customers, regulators and management.

Reporting

An effective mitigation plan also needs a reporting component: evaluating whether reporting (to regulators or customers) is required, and whether reporting should be undertaken independent of any specific legal requirement. This analysis should include consideration of what to say about a breach and when to say it. Again, because of the tensions and pressures created when a security breach takes place, these reporting decisions typically are made under intense business pressure and (perhaps) public scrutiny. Reporting is neither required nor appropriate with every security breach, but senior management should consider it in any circumstance where there is any realistic likelihood of customer impact.

Centralized Leadership

Most security rules require centralized management of the information security function. Like a Chief Privacy Officer, this means that there should be a single designee within a company to manage and coordinate information security functions. This does not require such a person to act in isolation. In fact, a critical component of this role is a corporatewide responsibility to bring together the various parts of a company affected by security issues.

Key Challenges

Once companies have recognized the need to re-evaluate their security program, what are the primary challenges that they face in implementing a security program that meets these legal requirements?

1) Recognizing that security has moved from a business-driven “best practice” environment to a legal requirement. Most companies are not starting from scratch on developing security programs (if they are, they may have a much more substantial set of problems). However, developing a program that is driven by legal compliance requirements rather than best practices involves more focused consideration and often requires the participation of a broader range of personnel within a large company. In addition, the compliance focus on appropriate documentation and development of companywide policies and procedures has often been given short shrift in a best practice environment.

And, if an industry is not regulated today on security practices, the odds are that it will be in the short term, with new regulation coming quickly on both a general and an industry-specific basis. In addition, the variety of regulations, most of which cross-reference “reasonable and appropriate” standards, requires companies in any industry to understand not only what their peers are doing but also the emerging practices in other industries.

2) Knowing when you have enough security. Most security laws recognize that security technology, on both the defensive and the offensive side, changes constantly with technological developments. Accordingly, in recognition of the need for continuous re-evaluation of technological choices, most laws do not mandate specific security practices, but instead dictate a process for analysis of specific questions.

In addition, as discussed above, these laws do not require security perfection. Instead, the concept of reasonable and appropriate is prominent in virtually every significant security law.

For most companies, these requirements are a double-edged sword. They give companies needed flexibility in developing security techniques that are appropriate to the particular environment of the company. However, at the same time, this flexibility creates uncertainty in assessing when a company has made the right choices and whether a level of risk is acceptable or appropriate. Accordingly, knowing when you have made the right choices remains a substantial challenge. In addition, with technological evolution, it is critical for companies to be re-evaluating their security choices on a regular basis to keep pace with these changes.

3) Developing a common language on security issues. For many companies, information security often has been viewed as a purely IT function, with little interaction between information technology staffs and others in developing security standards. This approach is no longer acceptable. First, most security laws extend beyond computer security to address physical security, business continuity, and disaster planning, which by their very nature must involve other kinds of personnel. More significantly, however, the movement from best practices to compliance requirements also requires the involvement of a broader range of legal and compliance staff, from the privacy officer, to the general counsel, to the compliance officer, to senior management.

In bringing these other areas into the security dialogue, one of the primary areas of confusion has involved the language of security: moving the kinds of choices and discussions held by technical personnel into a language and environment where laymen with compliance and risk management responsibilities can understand the choices and evaluate the appropriate decisions. This language confusion is real and requires involvement of legal and compliance staff at an early stage so that the right discussions can take place from the start.

4) Developing an appropriate vendor strategy. The recent news stories on security issues have highlighted the importance of vendor management: when vendors are involved in major security problems, the problems are not theirs alone but also those of their customers. Therefore, companies must have an approach for evaluating the security practices of vendors and managing the risk involving vendors in essentially the same way that they manage internal risk.

This involves several steps. First, it is critical to identify those vendors who perform “high-risk” activities for a company based on sensitivity of the information they have, volume of activity, client-facing operations, or essentially any reasonable benchmark that the company chooses to use. Given the large number of vendors used by most companies, it simply will not be practical to treat all vendors alike; such an approach will under-evaluate the high-risk vendors. So, it is important to focus attention on the vendors that are most likely to create problems.

Another highly visible component of this evaluation involves “offshoring,” or sending personal information overseas. Most companies do not have a good handle on where their information goes, either because vendors do not visibly disclose their practices or because the vendors themselves subcontract to others. Companies need to evaluate how concerned they are about offshoring, bearing in mind the substantial legislative debate as to whether offshoring should be regulated more heavily than other vendor relationships.

The last key piece of vendor management involves contract language, a source of substantial debate in the financial services and health care industries, where vendor contracts are required. The laws prescribe a certain minimum set of requirements. Many companies have been reluctant to impose additional requirements. At the same time, many vendors have had a knee-jerk reaction against taking on additional contractual requirements. However, companies should think aggressively about the contractual requirements that are appropriate and develop a strategy to mandate these practices for their vendors.

Conclusion

While these thoughts attempt to identify the key challenges in the emerging debate over security requirements, these requirements are changing on a regular basis, and regulation of security practices is increasing at a steady pace. Keeping track of these requirements and developing appropriate strategies to implement effective security programs takes a substantial effort from companies, across all industries, and a wide range of personnel within each company. For financial institutions, facing not only direct Gramm-Leach-Bliley Act regulations, but also a wide range of other requirements and enormous pressure because of the sensitive customer information held by these institutions, the challenge to stay abreast of this evolving field keeps growing even as compliance efforts expand.



Kirk J. Nahra Privacy Officers Advisor [email protected]

For many years, financial institutions and other entities that collect personal information focused on privacy as an emerging legal doctrine presenting compliance challenges and an array of business implications. These issues, while still important and subject to ongoing debate and tinkering, have become, for many financial institutions, an automatic component of ongoing business activities. Now, with all of the attention focused on security of customer information driven by the recent flood of news stories concerning security breaches in numerous industries, privacy's ugly stepchild ' the security of consumer information ' has moved to the forefront of concern, both for financial institutions and the various entities that regulate and oversee them. News stories reporting security breaches are an almost daily occurrence. New legislation is being introduced almost constantly, at both the state and national level. While financial institutions already face a raft of security-related compliance obligations, including the Gramm-Leach-Bliley Act and others, financial institutions and their important business partners have been a focus of many of the most highly publicized breaches.

With this background, financial institutions (and other companies across America and globally) should be re-evaluating their information security programs. In reviewing the various legal requirements, what are the primary components of an effective security program? And what are the most difficult challenges facing companies in trying to move from a security “best practices” environment to one requiring compliance with specific legal obligations?

Understanding the Legal Landscape

While the security best practices emphasis has moved to a legal requirement, most security-based laws and regulations still identify reasonable and appropriate security practices, rather than dictating specific technological fixes for security threats. Accordingly, for financial institutions and other entities, it is critical to understand the full complement of legal requirements, so that entities can utilize the best practices from other industries as a component in building a reasonable information security program.

As with most privacy rules, the various security standards that are emerging through legislation and regulation are not exclusive ' they neither pre-empt other security rules, nor provide that they are the only rules that an entity needs to follow. Accordingly, whether through direct regulation or pass-through requirements for those who act as vendors under certain legislation (such as HIPAA or the Gramm-Leach-Bliley Act), companies likely will be faced by multiple rules dictating particular practices or approaches. Fortunately, so far, there have been few conflicts between the various rules; instead, the level of detail and the specific components often vary, creating a need for an integrated approach to security requirements.

To date, the primary information security legal requirements stem from the following laws and regulations:

  • Gramm-Leach-Bliley Act ' applicable to financial institutions and their vendors;
  • HIPAA ' applicable to the health care industry and related vendors (banks and other financial institutions may face increasing scrutiny, as both “business associates” and, perhaps “covered entities” under the HIPAA rules (see Nahra, “Financial Institutions and the New HIPAA Rules,” The Review of Banking and Financial Services (June 2004));
  • Emerging state laws ' in California and elsewhere, dictating specific steps in certain situations (such as where there has been a security breach);
  • Sarbanes-Oxley “financial controls” provisions ' applicable to publicly traded companies (and various companies through other similar laws); and
  • A multitude of “best practices” materials across industry lines ' originating from industry groups, standards-setting organizations and the like (eg, International Organization for Standardization (“ISO”), National Institute of Standards and Technology (“NIST”), etc.).

Recent Developments: The FACTA Disposal Rule

There have been several important additions to this list of legal obligations in recent months. The Federal Trade Commission, as part of its FACTA rulemaking authority, has dictated specific procedures for the disposal of consumer report information. The major requirements of the rule (codified at 16 C.F.R. 682, effective on June 1, 2005) are relatively straightforward. The Rule defines compliance as “taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” Examples of these reasonable measures include:

  • Implementing and monitoring compliance with policies that require burning, pulverizing, or shredding of physical documents, so that the information cannot practically be read or reconstructed;
  • Implementing and monitoring compliance with policies that require the destruction or erasure of all electronic media, so that the information cannot practically be read or reconstructed; and
  • After due diligence, entering into and monitoring compliance with a contract with a third party engaged in the business of information destruction to dispose of consumer information in a manner consistent with these principles.

In addition, companies must implement and monitor compliance with policies that protect against unauthorized or unintentional disposal of customer information. Companies covered directly by the Gramm-Leach-Bliley Act must also incorporate their disposal policies into their G-L-B appropriate safeguards policies.

The disposal rule applies specifically to “consumer information,” which means any information about an individual, regardless of the form of the information, “that is a consumer report or is derived from a consumer report.” Accordingly, at one level, the rule does not appear to have broad general application, because the concept of a “consumer report” is somewhat limited. However, the rule also states that “any person” who “maintains or otherwise possesses consumer information for a business purpose” must properly dispose of this information, using the reasonable measures discussed above. So, any company that receives, uses, or discloses consumer information must be concerned about this rule, as well as service providers who may receive this information, including information “derived from a consumer report.”

What conclusions can be drawn about this rule?

First, the rule is clearly limited to certain consumer report information and information derived from this report. Is there any reasonable basis for companies to know whether personal information that they have fits this definition? Can companies that possess “some” consumer report information effectively separate this consumer report information from other information, much of which will look very similar? The rule does not create any “reason to know” standard or other means of cutting off liability if a company is not acutely aware of the information being considered a consumer report. Therefore, unless a company can assess with confidence whether it has any information that “is or is derived from” a consumer report, it should be very cautious concerning this rule.

Second, aside from direct application, should companies perceive this rule as setting a new national standard? Given the recent explosion of reports about security breaches, both high tech and low tech, it certainly is reasonable for companies that maintain any kind of information about individuals to focus on their disposal practices, using this rule at least as a guideline. Certain other privacy rules, such as the HIPAA privacy and security standards, set similar guidelines for disposal of information. The general requirements of the rule are not particularly difficult ' they encourage a reasonable program to dispose of certain information. This “disposal” component should be a factor in the security and privacy practices of any company. The primary difficulty of this rule may be in the ongoing monitoring that is required, particularly for third-party vendors. Recent stories concerning certain document storage companies should raise awareness of this issue as well.

Therefore, while it may be possible for companies to limit the formal applicability of this rule, it will be difficult to determine whether particular information is covered by the rule and, perhaps, unwise to avoid dealing with these issues even if a company can have confidence that its information is not covered by the rule. Disposal practices must be added to the growing list of security areas that need to be addressed in today's information security-conscious age.

The BJ's Wholesale Decision

The Federal Trade Commission's recent settlement with BJ's Wholesale Club makes an effective security program a national requirement for any company that holds personal information, regardless of industry or specific statutory or regulatory requirements. To the FTC, a failure to develop and implement an effective information security program constitutes an “unfair and deceptive” trade practice, independent of any specific statutory or regulatory requirements.

In the BJ's Wholesale case (announced June 16, 2005), the FTC took enforcement action despite the fact that BJ's Wholesale apparently made no representations whatsoever to its customers concerning security protections. Instead, the FTC alleged that BJ's Wholesale's information security practices, taken together, did not provide “reasonable security for sensitive customer information.” Specifically, the FTC alleged that BJ's Wholesale violated the FTC Act because it:

  • Failed to encrypt consumer information when it was transmitted or stored on computers in BJ's Wholesale stores;
  • Created unnecessary risks to the information by storing it for up to 30 days, even when it no longer needed the information, in violation of bank security rules;
  • Stored the information in files that could be accessed using commonly known, default user IDs and passwords;
  • Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
  • Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.

These problematic practices apparently came to light because of a large number of false or fraudulent charges posted to BJ's Wholesale customer accounts, which the FTC determined to have been derived from hacker access to this poorly secured information (including through in-store wireless networks).

As a result of these alleged failures, BJ's Wholesale settled the FTC allegations, without admitting any wrongdoing. This settlement includes not only a requirement to implement “a comprehensive information security program that is reasonably designed to protect the security, confidentiality and integrity of personal information collected from or about consumers,” but also requires the company to have an independent third-party assessment of this program, every other year for the next 20 years, subject to ongoing FTC oversight.

In effect, the FTC required BJ's Wholesale to implement a security program mirroring the requirements set out by the FTC for entities regulated under the Gramm-Leach-Bliley Act. This comprehensive security program, which must be “fully documented in writing” and be “appropriate” to the company's “size and complexity, the nature and scope of [the company's] activities, and the sensitivity of the personal information collected,” must include the following components:

1) The designation of an employee (or employees) to coordinate and be accountable for the information security program;

2) The identification of “material internal and external” risks to the security of this personal information (with this risk assessment to include employee training and management; information systems and prevention, detection and response to attacks, intrusions or other system failures);

3) The design and implementation of reasonable safeguards to control the risks identified in this risk assessment; and

4) The evaluation and adjustment of the program in light of the results of testing and ongoing monitoring of the program, material changes to the company's operations or business arrangements, or “any other” circumstances that may have a material impact on the effectiveness of the security program.

Requirements of an Integrated Security Plan

In order to develop an integrated security approach, what are the primary components of these rules, and what principles should companies in any industry be using to develop and implement effective security practices?

Risk Assessment

Identification of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in its unauthorized disclosure, misuse, or alteration is the critical first step for any security program. This assessment needs to focus not only on traditional security programs (e.g., fighting off hackers) but also on newer concerns (such as destruction of computers and other information media upon disposal), as well as business-continuity and disaster-recovery planning.

Risk Management and Risk Mitigation

Once a company's risks are identified, it must develop an appropriate strategy for managing and reducing these risks. Note that this step does not require elimination of risks. Essentially all security laws recognize, despite the occasional use of words like “ensure,” that elimination of all risk is neither practical nor possible. Accordingly, risk management means bringing risks down to “acceptable” or “appropriate” levels. One of the biggest challenges is defining this level of acceptable risk, and having effective documentation of the selection rationale in the event that the acceptable level of risk in fact results in a security problem. While cost is a factor in this risk management, it should not be the only consideration.

Vendor Management

An increasing number of laws require review and oversight of vendor practices. This typically involves due diligence at the contracting stage, as well as ongoing meaningful oversight. Companies need to develop a strategy that allows oversight of the most significant vendors and vendor risks, without forcing the company into an oversight program requiring a disproportionate commitment of resources.

Policies and Procedures

Once the company has evaluated and managed its security risks, it must develop policies and procedures that effectively document choices and instruct employees on how to behave in connection with security risks. This focus on documentation and training is one of the newer components of security laws, and it often takes these security principles one step beyond what many companies developed in a best practices environment.

Mitigation

Because of the focus on “appropriate” risk levels, and the resulting possibility that security breaches will occur no matter what precautions are taken, it is critical that companies have an effective mitigation plan in the event of a security breach. This plan should involve not only how to correct the particular situation, but also an assessment of how to revise existing policies to prevent recurrences. This mitigation plan is very important, because it kicks in when the rubber meets the road: you have had a breach and need to fix it immediately in the eyes of your customers, regulators, and management.

Reporting

An effective mitigation plan also needs a reporting component: evaluating whether reporting (to regulators or customers) is required, and whether reporting should be undertaken independent of any specific legal requirements. This analysis should include consideration of what to say about a breach and when to say it. Again, because of the tensions and pressures created when a security breach takes place, these reporting decisions typically are made under intense business pressure and (perhaps) public scrutiny. Reporting is neither required nor appropriate with every security breach, but senior management should consider it in any circumstance where there is any realistic likelihood of customer impact.

Centralized Leadership

Most security rules require centralized management of the information security function. As with a Chief Privacy Officer, this means that there should be a single designee within a company to manage and coordinate information security functions. This does not require such a person to act in isolation. In fact, a critical component of this role is a corporate-wide responsibility to bring together the various parts of a company affected by security issues.

Key Challenges

Once companies have recognized the need to re-evaluate their security program, what are the primary challenges that they face in implementing a security program that meets these legal requirements?

1) Recognizing that security has moved from a business-driven “best practice” environment to a legal requirement. Most companies are not starting from scratch on developing security programs (if they are, they may have a much more substantial set of problems). However, developing a program that is driven by legal compliance requirements rather than best practices involves more focused consideration and often requires the participation of a broader range of personnel within a large company. In addition, the compliance focus on appropriate documentation and development of companywide policies and procedures has often been given short shrift in a best practice environment.

And, if an industry is not regulated today on security practices, the odds are that it will be in the short term, with new regulation coming quickly on both a general and industry-specific basis. In addition, the variety of regulations, most of which cross-reference “reasonable and appropriate” standards, requires companies in any industry to understand not only what their peers are doing but also the emerging practices in other industries.

2) Knowing when you have enough security. Most security laws have recognized that security technology, both in terms of fighting and causing security breaches, changes constantly with technological developments. Accordingly, in recognition of the need for continuous re-evaluations of technological choices, most laws do not mandate specific security practices, but instead dictate a process for analysis of specific questions.

In addition, as discussed above, these laws do not require security perfection. Instead, the concept of reasonable and appropriate is prominent in virtually every significant security law.

For most companies, these requirements are a double-edged sword. They give companies needed flexibility in developing security techniques that are appropriate to the particular environment of the company. However, at the same time, this flexibility creates uncertainty in assessing when a company has made the right choices and whether a level of risk is acceptable or appropriate. Accordingly, knowing when you have made the right choices remains a substantial challenge. In addition, with technological evolution, it is critical for companies to be re-evaluating their security choices on a regular basis to keep pace with these changes.

3) Developing a common language on security issues. For many companies, information security often has been viewed as a purely IT function, with little interaction between information technology staffs and others in developing security standards. This approach is no longer acceptable. First, most security laws extend beyond computer security to address physical security, business continuity, and disaster planning, which by their very nature must involve other kinds of personnel. More significantly, however, the movement from best practices to compliance requirements also requires the involvement of a broader range of legal and compliance staff, from the privacy officer, to the general counsel, to the compliance officer, to senior management.

In bringing these other areas into the security dialogue, one of the primary areas of confusion has involved the language of security: moving the kinds of choices and discussions held by technical personnel into a language and environment where laymen with compliance and risk management responsibilities can understand the choices and evaluate the appropriate decisions. This language confusion is real and requires involvement of legal and compliance staff at an early stage so that the right discussions can take place from the start.

4) Developing an appropriate vendor strategy. The recent news stories on security issues have highlighted the importance of vendor management: when vendors are involved in major security problems, the problems are not theirs alone but also their customers'. Therefore, companies must have an approach for evaluating the security practices of vendors and managing the risk involving vendors in essentially the same way that they manage internal risk.

This involves several steps. First, it is critical to identify those vendors who perform “high-risk” activities for a company based on sensitivity of the information they have, volume of activity, client-facing operations, or essentially any reasonable benchmark that the company chooses to use. Given the large number of vendors used by most companies, it simply will not be practical to treat all vendors alike; such an approach will under-evaluate the high-risk vendors. So, it is important to focus attention on the vendors that are most likely to create problems.

Another highly visible component of this evaluation involves “offshoring,” or sending personal information overseas. Most companies do not have a good handle on where their information goes, either because vendors do not visibly disclose their practices, or because the vendors may themselves subcontract to others. Companies need to evaluate how concerned they are about offshoring, bearing in mind the substantial legislative debate as to whether offshoring should be regulated to a higher degree than other vendor relationships.

The last key piece for vendor management involves contract language, a source of substantial debate in the financial services and health care industries, where vendor contracts are required. The laws prescribe a certain minimum set of requirements. Many companies have been reluctant to impose additional requirements. At the same time, many vendors have had a knee-jerk reaction against taking on additional contractual requirements. However, companies should think aggressively about the contractual requirements that are appropriate and develop a strategy to mandate these practices for their vendors.

Conclusion

While these thoughts attempt to identify the key challenges in the emerging debate over security requirements, these requirements are changing on a regular basis, and regulation of security practices is increasing at a steady pace. Keeping track of these requirements and developing appropriate strategies to implement effective security programs takes a substantial effort from companies, across all industries, and a wide range of personnel within each company. For financial institutions, facing not only direct Gramm-Leach-Bliley Act regulations, but also a wide range of other requirements and enormous pressure because of the sensitive customer information held by these institutions, the challenge to stay abreast of this evolving field keeps growing even as compliance efforts expand.



Kirk J. Nahra Wiley Rein & Fielding LLP Privacy Officers Advisor [email protected]