What Does It Really Take to Be Data Security Compliant?

Cameron G. Shilling
Director, Litigation Department & Chair of Cybersecurity and Privacy Group
Published: New Hampshire Bar News
December 20, 2016

Most businesses know (or should know by now) that they must comply with state and federal data security laws and regulations. But business leaders often are unaware of what it really takes to do so. That is understandable. Data security seems complex, and technology consultants and vendors rarely try to demystify it for their customers.

Data security is just like any other legal or business risk management issue. The risk is managed through a process of collaboration between business leaders, information technology professionals, and qualified legal counsel. The process involves the following steps:

  1. Perform a risk assessment of the business’ physical, technological and administrative systems using the requirements and standards of applicable laws.
  2. Generate a report that identifies areas of non-compliance and risk, including a prioritization and chronological plan for remediation.
  3. Remediate vulnerabilities that can feasibly and financially be fixed within a reasonable amount of time.
  4. Create a written data security plan tailored to the procedures of the business.
  5. Train employees about data security compliance generally and the business’ procedures under the written data security plan.
  6. Perform periodic reassessments, including sub-assessments if new or different physical, technological or administrative systems are adopted.


Step 1 – the risk assessment – involves identifying the information a business has that is legally protected, for example, under state data security laws or under federal laws or regulations such as HIPAA, the Gramm-Leach-Bliley Act, or SEC or FCC regulations. The information is then mapped through its lifecycle (e.g., from receipt and creation, through use and transmission, to disposal and destruction), and areas of non-compliance or risk are identified using the legal requirements and standards of applicable laws and regulations.

This is a highly collaborative process between the leaders of the business, competent IT professionals (inside or outside the business, or both), and legal counsel experienced with this area of the law and qualified to understand technological and physical security matters.

Step 2 – the report – flows naturally from the areas of non-compliance and risk identified in the assessment. Priority is assigned to items that are relatively easy to remedy, that do not comply with applicable law, or that entail significant risk, and a timeline is created for addressing the issues.

Step 3 – the remediation – is the process of identifying and implementing solutions to the vulnerabilities identified during the assessment and in the report. Remediating vulnerabilities often depends on the availability of technological or physical systems, and budgetary constraints of the business. It is common for a business to need 12-18 months to properly address all of the vulnerabilities identified in an initial data security risk assessment.

Step 4 – the written plan – is a policy created from the information gathered during the risk assessment and the remedies implemented or anticipated for the vulnerabilities. A plan created in the absence of a comprehensive risk assessment is a pure shot in the dark, and does not comply with state or federal law or accepted practice. No two data security plans are the same because no two businesses are the same, and there is no competent boilerplate form.

Step 5 – the training – is an integral component of data security compliance. Employees handle protected data on a daily basis, and thus need to be taught about data security generally as well as the business’ specific procedures as set out in the written plan. Likewise, properly trained employees know better how to avoid breaches, how to recognize an actual or potential breach, and how to properly respond in such circumstances.

Step 6 – the reassessment – is required and natural for any business committed to data security. Reassessments are used to address vulnerabilities arising from new or different technological, physical or administrative systems or from external threats. Also, as a business becomes data security aware, it frequently identifies previously unknown vulnerabilities and adopts remedies that enhance security beyond the measures implemented after the initial risk assessment and report.

Data security is not something that can or should be overlooked simply because a business does not understand how to become compliant. Just like any other risk management issue, security is accomplished through an established process in which business leaders, IT professionals, and qualified counsel work collaboratively to meet the requirements of applicable law.