Data security is imperative both to an organization’s reputation with consumers and to national security. And although many laws require organizations to implement “reasonable security,” the term itself is not defined. The first post of this series explored how reasonable security can be derived from state legislation and state enforcement outcomes. Similarly, this post explores how international law, federal legislation, and past executive orders (EOs) approach an organization’s obligation to achieve reasonable security. Examining these different bodies of law can help entities better assess what constitutes reasonable security and proactively avoid liability.

International Law

While not minimizing the impact of other international privacy and security frameworks, this segment explores the European Union’s (EU) approach to data security because, since its enactment, it has spurred compliance efforts worldwide. The EU recognizes privacy as a fundamental human right and relies on a comprehensive privacy law—the General Data Protection Regulation (GDPR). Although several articles of the GDPR touch on data security (Articles 5, 24, 25, 35, and 42), Article 32 is the primary article that explicitly addresses data security measures. Largely, it leaves data controllers and processors to determine the technical and organizational measures needed to maintain a level of security appropriate to the risk. Examples include pseudonymization, encryption, and regular testing of the effectiveness of those security measures.

The GDPR has a robust enforcement mechanism, implementing a hefty two-tier fine structure. Organizations violating Article 32 have already felt the impact. In 2018, British Airways announced that it had suffered a significant data breach in which the personal data of nearly 500,000 customers was compromised. In 2019, the United Kingdom’s data protection authority, the Information Commissioner’s Office (ICO), announced that it was fining British Airways £183 million ($225 million) for failing to implement adequate technical measures to protect personal data. The ICO ultimately fined British Airways £20 million ($26 million) for failing to implement security measures that were readily available and could have prevented the breach. These failures included not implementing multi-factor authentication and storing unencrypted credit card information, domain administrator credentials, and employee login credentials. The ICO noted that a company with the size and profile of British Airways should have known it would be a potential target and should have ensured that its customers’ personal data was adequately protected.

The enforcement and reputational fallout that followed the British Airways data breach suggests that compliance is no longer just a technical issue; it is a business necessity.

Federal Legislation

The United States does not have a comprehensive federal data privacy and security law like the GDPR. Instead, the United States takes a sector-specific approach to privacy law, with the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) standing out because of their data security rules.

The HIPAA Security Rule applies to digitized health data and requires covered entities to implement administrative, physical, and technical safeguards to protect it. Similar to the GDPR, a tiered penalty structure applies to covered entities that violate HIPAA, with penalties based on the severity of the violation and the level of culpability. But unlike most states’ comprehensive data privacy and security laws, HIPAA is more prescriptive, and answers to questions about how to comply are readily available. The U.S. Department of Health and Human Services publishes vast amounts of guidance, and many HIPAA enforcement resolution agreements help organizations understand what is required.

The HIPAA Security Rule does not aim to dictate an entity’s specific security measures. Instead, it affords small- and medium-sized covered entities flexibility and scalability. For example, some of the rule’s adopted security standards, like unique user identification for access control, are required—and all covered entities must build the required standards into their security measures. Other security standards, however, are “addressable,” like procedures for creating, changing, and safeguarding passwords. This allows a covered entity to assess whether a password security measure is a reasonable and appropriate safeguard in its own environment, weighing the measure’s likely contribution to protecting electronic protected health information (ePHI). For example, an entity may opt to use key fobs instead of passwords to access systems containing ePHI.

The GLBA governs financial institutions and includes a Safeguards Rule to ensure that covered entities secure customer information. The Safeguards Rule is likely the most robust data security law in the United States. While it is a prescriptive law, it does not aim to control the specific security techniques an entity must implement. Instead, it focuses on the desired outcomes, which include the confidentiality, security, integrity, and availability of the collected data.

The Federal Trade Commission enforces the GLBA and has issued guidance on a reasonable security program. Among many other requirements, a reasonable security program includes designating a qualified individual to implement and supervise the information security program, conducting risk assessments, having access controls, conducting periodic data inventory, implementing encryption, using multi-factor authentication, and continuously monitoring and testing the program’s effectiveness.

Executive Orders

Businesses can also take cybersecurity guidance from how the federal government determines reasonable security for federal agencies, including through EOs. For example, the U.S. Government Accountability Office has released several reports on the federal government’s cybersecurity readiness. The shortcomings noted in the most recent report might have spurred the Biden administration to issue an EO directing the federal government to implement a robust cybersecurity program and ensure reasonable security.

President Joe Biden’s EOs, including EO 14110 and EO 14028, have highlighted the increasing threats to national security from cybersecurity breaches. While not explicitly addressing reasonable security, some of the language in the EOs touches on what a reasonable security program might include. For example, Biden’s EO on “Improving the Nation’s Cybersecurity” (EO 14028) mandated that the federal government implement cybersecurity best practices. These include adopting and advancing toward zero-trust architecture, accelerating the migration to secure cloud services, and conducting cybersecurity analytics. It further mandated that all executive agencies adopt multi-factor authentication and encryption for data at rest and in transit.

Exploring these different bodies of law illuminates a baseline for reasonable security measures. Specifically, multi-factor authentication, encryption, and continuous monitoring of a security program’s effectiveness will help protect against a rapidly changing threat landscape. While these may be the baseline measures, the expectation of reasonable security rises as an organization’s size or complexity increases or as it collects more sensitive data.

PREVIOUS POSTS

New Series: The Quest for “Reasonable Security”

Part 1: Obtaining Reasonable Security Using State Legislation and Enforcement Action as a Guiding Light

FUTURE POSTS

Part 3: Deducing Reasonable Security from Federal Regulations, Rulemaking, and Enforcement Action