Complying with a plethora of US state privacy laws is tough. Focus
on their common elements.
All the time, it seems, another state is coming up with a new
law for protecting consumers' sensitive data. At least 23 have
passed a security breach notification law, and these laws are far
from uniform. The result is a bevy of regulations du jour and a
daunting challenge for information security and compliance
professionals.
More than a few times I have been well on my way to meeting the
privacy requirements for one state, only to find out another state
has passed similar rules, but with additional mandates. Security
breach laws vary as to who should be notified, what constitutes
personal information, and most importantly, when notification
should occur. Do we notify each time data has been accessed without
authorization, or only when we believe the data is at risk?
In the midst of all this, there is the development of federal
regulation to preempt all the individual state regulations, with at
least four bills under consideration. This is a great next step to
eliminate the confusion, but will a national law have teeth or fall
short? When will it be passed into law and when will businesses
have to comply?
What we end up with is a regulatory environment that's in a
constant state of flux, where on any given day you are compliant in
one state and non-compliant in another. As a security professional,
I am not a big fan of variation. It can increase the potential for
security threats, plus cause confusion and frustration in IT
departments and with customers. Yet doing nothing and waiting for a
national standard is a risky and costly proposition for most IT
departments. So how do we move forward with developing safeguards
and processes in this ever-changing regulatory environment?
A good start might be to look at the similarities in the myriad
regulations. All have two general requirements in common:
communicate with customers and secure their information. The
communication should be proactive and reactive: telling clients
what you are doing with their information, and notifying them when
a breach occurs. Securing information focuses on access control and
protection of data at rest and in transit. Sounds simple, but as
many of us can attest, it is a very challenging task.
One approach for meeting these requirements is to conduct a risk
assessment and develop a control framework and notification
process. Start with a risk assessment to determine where your risks
are and to what degree. Many tools are available from ISACA and
other security organizations. Next, develop a control framework to
build and implement mitigation solutions that are measurable and
auditable. The most common frameworks are COBIT and ISO 17799,
which can be used in conjunction with each other.
Lastly, develop your process for breach notification. This is
one of the most difficult tasks because each state requires
notification to be handled differently. Using the "prudent man"
theory might help here. In essence, implement compliance safeguards
and processes based on the strictest regulations.
By focusing on meeting the regulations concerning communication
and securing personal information, we can concentrate on building
the trust and confidence of our customers, rather than continuously
navigating through the various regulations.
There is no perfect solution. But as Patton's Law states, "A
good plan today is better than a perfect plan tomorrow."
David A. Meunier, CISSP, is vice president and CISO of CUNA
Mutual Group.