By now every compliance officer has already heard the warning that it’s a matter of when you suffer a cyber-security breach, not if. Then comes compliance with breach disclosure rules—and those demands are becoming as perplexing as the cyber-threat itself.
Virtually every state in the country has its own breach notification law, and seven states have their own laws for data security standards. A host of federal agencies have their own regulations protecting consumers’ financial data, health records, data collection, and more; each with its own disclosure requirements. Then there are the frameworks, such as those from the Committee of Sponsoring Organizations and the National Institute of Standards and Technology, that offer guidance on how to build strong security controls.
Hence companies constantly try to consolidate and simplify training, policies, and internal controls. The task is not easy.
“Businesses that must comply with multiple regulations often find themselves overwhelmed,” says Silka Gonzalez, CEO of the Florida-based consulting firm Enterprise Risk Management.
She gives large universities as an example. Because they have medical clinics, they are covered by the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health (HITECH) Act. Providing student loans means compliance with the Gramm-Leach-Bliley Act. Government research triggers the Federal Information Security Management Act. Credit card processing brings Payment Card Industry Data Security Standard (PCI DSS) compliance. All have their own requirements for data protection and post-breach recovery.
To navigate multiple privacy and cyber-security compliance obligations, Gonzalez suggests seeking out commonalities. “When you start reading the requirements of many of these regulations, they are often very similar. Some of the standards, like PCI DSS or ISO 27001, are looking for very similar types of controls and measures,” she says.
One practical first step is to create a matrix of all compliance obligations and what they specifically require, to see where they overlap. “When you know the things that are common, you can test them once instead of 10 times,” Gonzalez says. “It’s easier to do a comprehensive review of all the areas where they overlap, find major problems, create an action plan, and go and fix them.”
Companies in sectors with heavy government regulation may need to prioritize federal standards and guidance. “Look first to what your primary regulator requires you to do,” says Scott Vernick, head of the data protection and privacy practice at law firm Fox Rothschild. “First and foremost, you are going to adhere to the prescriptions and dictates of a primary federal regulator like the Office of Civil Rights if you are talking about protected healthcare information, or the Federal Energy Regulatory Commission if you are a utility.”
Just because a federal agency is on the beat, however, that doesn’t mean individual states can be ignored. “Look at the states that are the most aggressive when it comes to these issues, both in terms of what their statutes say and what their reporting and breach notification requirements are,” Vernick says. “That doesn’t get you out of complying with technical requirements that are applicable to other states, but it will help in terms of planning.”
Among the states with the most challenging privacy and data breach notification laws are Massachusetts, California, New York, and Minnesota. Florida even requires the submission of a written incident response plan, Vernick notes.
IT Meets ERM
The growing focus on privacy and cyber-security, and the inherent complexity of having multiple regulatory regimes, is prompting companies to rethink their approach, moving away from IT ownership and toward integration with risk management efforts. It all reminds Johnny Lee, a managing director at Grant Thornton, of the angst that followed implementations of the Sarbanes-Oxley Act.
MANY STATES, MANY RULES
The following is a sampling of the variety of state privacy, data, and breach notification laws.
Anyone who notifies more than 500 California residents as a result of a single breach must electronically submit a single sample copy of the notification letter to the Attorney General.
Requires any party that collects Social Security numbers to create a privacy protection policy, posted online, that outlines steps to protect the confidentiality of that information, prohibit unlawful disclosure, and limit access.
Breach notification is triggered upon unauthorized access to, or acquisition of, electronic files, media, databases, or computerized data containing personal information when the data has not been encrypted.
Prohibits the disclosure of personally identifying information and browsing history by internet service providers without consent.
Requires non-financial businesses to disclose to customers, in writing, the types of personal information the business shares with or sells to a third party.
Breach notification is required upon the discovery of unauthorized access to electronic files, media or data containing personal information that was not encrypted.
If an entity determines after an investigation that the breach does not create a reasonable likelihood of harm to consumers, it must document this determination and provide notice of the determination to the Attorney General. The state also maintains an encryption safe harbor in its breach notification law.
A covered entity must provide notice to the Attorney General’s Office of any breach of security affecting 500 or more residents no later than 30 days after determination of the breach or reason to believe a breach has occurred.
If a breach involves over 1000 persons, the Hawaii Office of Consumer Protection must be notified of the timing, content, and distribution of the breach notification notice.
The Attorney General and Director of Consumer Affairs must be notified when a breach occurs.
The Attorney General, Consumer Protection Board, and the state Office of Cyber Security and Critical Infrastructure must be notified regarding a breach.
The breach notification statute does not cover personal information if it is “encrypted, redacted, or otherwise altered in such a manner that the name or data elements are unreadable” unless the keys to unencrypt, unredact, or otherwise read the data have been obtained.
Source: Baker & Hostetler.
“There are cyber-security analogues to any other major category of risk that has registered on the enterprise risk management radar over the last 30 years,” he says. With SOX, “there was a lot of noise, but ultimately it shook out.” Companies eased into the rhythm of using the right frameworks and committing to the needed level of reporting and internal scrutiny. It might not have been easy, Lee says, but it was far from the envisioned nightmare.
Despite the myriad state and federal laws, and competing frameworks addressing cyber-security and privacy, Lee expects history to repeat as companies develop sustainable protocols and view cyber-security as an additional category of risk from an ERM perspective.
“It is imperative to have an enterprise-wide response,” he says. “You don’t need to reinvent reporting mechanisms, or even dashboards, for cyber-security. You simply need to leverage them. Rather than reinventing training, it can be bolted onto what is already in place.”
In looking for a more manageable risk management process, some companies are cherry-picking from the various frameworks available. “All have useful roles and relative strengths, but businesses often see both over-engineering and under-representation in them,” Lee says. “What they are trying to do, as they did with SOX, is pick a mandatory minimum set of controls and focus all of their efforts on them because they speak most directly to their greatest risks.”
Once companies choose the relevant frameworks and standards that best apply to them, they need to map and classify data, conduct vulnerability assessments, develop an incident response plan, and get a handle on vendor populations and the risk associated with those relationships. “You need to understand your compliance obligations, the specific triggering obligations you have, and create a tailored risk profile and strategy,” Lee says.
Cyber-security issues may be unique, but they still can fit within traditional risk strategies, says Yo Delmar, a vice president at software vendor MetricStream. To simplify and align the risk management process, making it more manageable, a company needs a common risk and control framework, she says.
Recent guidance from federal regulators, especially those overseeing financial institutions, is pushing front-line units to take on more responsibility for risk assessments. “You will see less of the second line units giving advice and advisory support to the front line, and more risk management functions moving out of it and into the front line,” Delmar says. For a company to keep up with this and rationalize all potential conflicts across different regulations, it will need to map those conflicts to the sections of policy and control regulations and best practices of the frameworks that are in scope.
It’s a matter of curating that content and mapping it to common controls, risks, and policy sections, Delmar explains, adding that a regulatory change management system is needed so the company knows when it might need to rewrite a section of policy, tighten controls, or conduct a risk assessment on a completely new business area.