Legal Foundations
Security is a huge part of any privacy program.
Some privacy laws, like the GDPR, are explicit in addressing security. For example, Article 5 provides that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Article 32 then requires “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
Other laws, such as the CCPA and state breach notification laws, address security requirements in an indirect way. For example, Section 1798.150 of the CCPA permits a consumer private right of action and enforcement by the Attorney General if there is a breach of nonencrypted or nonredacted personal data as a result of the failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.
(There’s that word again – “appropriate!”)
In addition to the CCPA, all fifty U.S. states require notification to regulators and to consumers if certain types of personal data are breached. So while specific security standards are not required by state laws, the failure to implement reasonable security measures can result in noncompliance.
Defining Appropriateness
But how do we know what is reasonable and appropriate? There is a misperception that this is subjective, with too many diverging standards to follow; but the truth is that while there is certainly room for subjectivity, it is not purely subjective.
Rather, we have concrete resources for defining reasonableness, such as the U.S. Federal Trade Commission enforcement actions summarized in its Start with Security video series.
I strongly encourage you to watch the videos, but as a preview, the FTC wants to see that companies have a thoughtful information security program with written policies and procedures.
Another great resource is the 2016 California Data Breach Report, which is considered a gold standard in this area of interpreting reasonableness. The report references the 20 Critical Security Controls established by the Center for Internet Security.
Specific Guidance
The takeaway here is that while there are many different legal regimes, their stance on security measures is consistent. And while Europe has a reputation for being more privacy and security focused than us ‘Mericans, the truth is that the FTC has issued decades of consistent detailed guidance around network security, secure application development, log monitoring, multi-factor authentication, data handling and secure destruction, program management, and the like.
For instance, vulnerability scanning and risk assessments are considered the most basic measures that companies need to be taking. In addition, it’s advisable to encrypt personal data that, if breached, would trigger the need to notify regulators or consumers.
It’s also worth mentioning that the FTC has brought actions against companies for disabling a third party’s default security settings without implementing compensating security measures.
The FTC has also required businesses to engage a qualified third-party professional to conduct annual security risk assessments. This is because an in-house review is not likely to be effective if the same person who implemented a program is evaluating the effectiveness of that program.
Lastly, aligning with the NIST framework is almost always going to set you up for success when it comes to security compliance. The FTC has a video and a blog post that explain why in great detail, but in short, they write: “The types of things the Framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company’s data security and its processes are reasonable.” It really doesn’t get any clearer than that!
Legal Responsibilities
As lawyers or non-technical folks, we are not expected to know everything about information security. However, regulators do expect us to identify what we don’t know and to bring in the appropriate expertise.
This means that if your company doesn’t have a written information security program, you don’t need to pick up a pen and start writing (in fact, please don’t do that). However, you do need to identify this gap and make sure it’s remediated by someone with information security expertise.
It’s also helpful to remember that at the end of the day, effective information security is about people and processes much more so than technology. Through that lens, it makes sense that as lawyers we should be engaged in information security efforts.