November 17, 2014

The Practical Tech Lawyer: Advising a Company on Data Security Compliance

Theodore F. Claypoole

JPMorgan Chase, Target, Home Depot, Lockheed Martin, the University of Hawaii, the States of Texas and South Carolina, TJX, Cedars-Sinai Medical Center, BNY Mellon, eBay, the U.S. military, T-Mobile, Sony. These are the type of clients that nearly all business lawyers would covet and fight to protect, and each has recently suffered a large and embarrassing data breach, likely to cost millions. How do you keep your clients off of this list? What will you say when your clients ask for your help in protecting their prized information? 

Information security is a relatively new problem for many businesses. Over the past 20 years and accelerating over the past five, new burdens, technologies, enemies, and interested parties have forced businesses to invest larger budgets and more personnel toward protecting their data. These companies will ask their business lawyers to help to comply with the companies’ legal, regulatory, payment system, and contractual obligations. Some of the compliance complexity is based in technology, and therefore is outside of a lawyer’s reasonable realm of expertise. But much of the problem is structural, policy-based risk management which an attorney can and should manage. 

This article will help you understand the broad strokes of danger, complication, risk, and protection for data security in business, health, educational, or governmental entities. Breaking the topic into discrete and practical viewpoints, the article can help the business lawyer better advise clients and minimize risks.

The Client           

We start with an exploration of which entities should be committing significant resources to data security. All businesses, governments, and schools should be concerned that a serious cyberattack could shut down their operations. The more dependent a business is on databases or networked machines to perform its functions, the more vulnerable it is to cyberwarfare or other malicious attacks. Every modern business should have crisis management and disaster recovery plans to minimize these risks. 

However, while acknowledging this problem, this article is primarily concerned with data protection, not with business stoppage. Any entity with customers, employees, benefit plans, patients, students, constituents, valuable research, or trade secrets must protect its data. One of the most important drivers of data protection has been the rise of identity theft, where a criminal assumes the financial, tax, health insurance, or immigration identity of an innocent person. Laws and regulations have arisen from the desire to limit identity theft. Therefore, any company holding identity-establishing information for individuals (known as “Personally Identifiable Data” or “PII”) must take steps to protect this information. 

And this is especially true for financial data. Entities that take, hold, or process payment and financial account data are held to an especially high standard. Retailers, hospitals, colleges, personal or home service providers (like lawyers), and state licensing agencies all accept direct payments and will be responsible for protecting this data from exposure and loss. Banks and other financial institutions hold the mother lode of personal data, as well as holding people’s money itself (primarily in digital form), so they are tightly regulated in their use and protection of this information. 

Health-care data, children’s information, student records, and video rental information are also specially regulated and protected under U.S. law, so companies that hold this data must meet the requirements of regulators. Nearly every U.S. state and territory has a law regulating treatment of consumer data and imposing obligations upon businesses who expose such data, so that anyone regularly interacting with consumers should be aware of the applicable laws and what these laws require. States interpret these laws to protect the data of their residents, so the residency of the affected consumer will determine which laws apply, not the location of the business exposing the data. 

Any business with employees has obligations on how to treat sensitive information about them. Employee health information or benefit plan data can fall within the health-care data protection laws. Businesses without a consumer contact may still be required to implement data security systems to protect their employee information. 

Finally, many companies have secrets of their own. Trade secrets will only be protected under U.S. federal and state laws where the holder of those secrets takes steps to protect the secrets from exposure. In addition, some businesses hold technology and research of national importance to the defense and advancement of the nation. Companies like these should consider keeping such information completely off-line, where prying eyes half-way around the world could not reach them through electronic channels. 

If a client falls into any of these categories, then the client should be considering how to protect the data it holds. As a lawyer, you can advise your client of the special risks and realities surrounding information management. 

The Problem

Data security is a misunderstood term. Nothing in a business is entirely secure, and no one can guaranty absolute protection. In order for information to have value to a business, the company must be able to reach it and use it. If the company executives can reach the valuable information, then a motivated attacker can also reach it, even if the attacker cleverly disguises him or herself as the executive who is allowed access. Data security cannot be an exercise in hermetically sealing off data so that it can never be accessed. Instead, it is an exercise in making the data so hard to reach for unauthorized people that the unauthorized people find easier targets elsewhere, walking away frustrated and leaving your clients alone. A business is only secure relative to the sophistication of the threats against it and relative to other businesses. 

Information security is also about resources. Since a business cannot spend all of its money trying to secure data (the business would bankrupt itself), and since no amount of money will absolutely secure a company’s data, the company must carefully allocate enough funds to data security and carefully choose the most efficient expenditures of those funds. A business can always be made more secure with more money and more manpower defending information, but like nearly all business expenses, data security spending creates diminishing returns. At a certain point, your dollar buys you less and less security than the early dollars purchased. For this reason, a lawyer’s best advice may protect data with cost-efficient but highly effective solutions like risk-reducing policies, practices, training, and organizational structure. 

When your client is the victim of a successful cyberattack, the client is publically humiliated and treated no better than the criminal attacker. The business victim of a successful data theft suffers official fines and class action lawsuits. The U.S. Federal Trade Commission (FTC) has starkly argued that failure to protect consumer data is “an unfair and deceptive” act on behalf of a business, and state attorneys general have also sued to compensate the consumer victims of data theft. Banks and credit card companies nearly always fine a business for exposing card data. 

Some of the reason for this harsh treatment of corporate and government attack victims arises from our society’s refusal to see the complexity and impossibility of absolute data protection. People need to feel that their data can be protected or they would lose faith in the entire system, so we heap abuse on the company unlucky enough to provoke a brilliant attack by a dedicated criminal, even where the attacker is as rich and sophisticated as the army of the People’s Republic of China. We assume that this business should be able to protect our information no matter what happens, so the fact that it did not protect our data is an obvious failure. 

But some of the business blame arises from the fact that our legal system, referencing the underlying tenets of the Uniform Commercial Code, tends to allocate business risk to the party who dealt most closely with the wrongdoer. We know that if someone gets away with a theft of money in our commercial legal system, one of the innocent parties will be stuck with the loss, unless and until that thief may be brought to justice. The innocent parties in commercial banking transactions tend to be the account holder (consumer), the account holder’s bank, the person the account holder was paying, and the payee’s bank. Our system tends to protect the consumer, who has the least control over protection of the funds: if the money was stolen from the consumer’s account, we allocate the loss to the consumer’s bank; and if the money is stolen from the payee’s bank before it reaches the payee, that bank will be accountable. Similarly, we expect companies holding consumer information (and other valuable data) to be responsible for protecting it, and we penalize those companies for a data breach. 

This system feels particularly unfair to a business held responsible for the loss, but this system of commercial blame is grounded in policy. Such a system encourages companies to take steps to protect data and avoid losses, and it encourages consumers to use the commercial systems that facilitate modern commerce. 

The Complications

Protecting digitized information is infinitely complicated. As noted above, nothing valuable can ever be totally secure. In addition, the technology holding and protecting our data changes rapidly, so one method of securing the data cannot be relied up as a permanent solution. Important data was once kept on paper in filing cabinets. Next, we kept it in databases in mainframe computers accessed only from our offices. We spread the access out to Internet enabled devices, and eventually to handheld mobile devices. Now we store important data with contractors in the cloud. Each of these changes requires a shift in security methods, technology, and philosophy. 

Furthermore, the threats keep changing as well. Attackers are constantly attempting new methods of breaking into data files. One of the lessons learned in Target’s data breach was that sophisticated tools for hacking into companies are invented by brilliant hackers and then sold to average criminals, who only have to be pointed to the target to create a devastating attack. This trend is the cyber-equivalent of providing top-of-the-line military tanks at a low cost to anyone who wants to physically break into a bank vault. Our protections grow more sophisticated, but so do the attackers. Companies constantly change defenses to stay ahead of the hackers, but the hackers are constantly evolving their own models as well. 

Finally, a business can only pay for a certain amount of security, and so its data protection should be a factor of the amount and type of data it must protect with consideration of the amount it can spend on security. We would not expect a one-branch corner bank to build the same data security scheme as Wells Fargo or Bank of America. All are banks, but each has different security profile, and therefore different amounts spent on information protection. The big banks are likely to be aggressive and pay for monitoring services searching the hacker’s message boards for signs of an upcoming attack. The small bank can only afford to build a defensive perimeter and to encrypt its data. All companies can afford protective policies and procedures, but the more employees a company hires, the more expensive and complicated are its plans. 

A bank would have a different security profile from a government entity or from a retailer, even if they are protecting the same amount of data. The kind of access and contact allowed to customers/stakeholders is another differentiator for how a company organizes its data defenses. 

The Adversaries

When data was stored in physical filing cabinets, a thief would need to place him or herself at physical risk to take the information. Upon connecting all of our databases to the Internet, hackers could steal data from a distance. At first these hackers were talented amateurs, often students looking to test themselves or to find the thrill of solving a complicated puzzle. No more. The people attacking company files now are professional gangs connected to the highest levels of organized crime. Some are even sponsored and protected by state actors, like Russia and China. In addition, some nations, like China and France, use the full power of their governments to help national industries by taking secrets from U.S. companies and research labs. 

A world of support functions has also grown up around the data theft industry to help those people who break into businesses. We talked about the democratization of hacking tools above. But there are also secondary markets, found on the Internet, where people who steal consumer information can sell that data to ready buyers. An entire industry of finding and using data has grown around the practice of hacking into businesses. 

The Obligations

If a client asks its lawyer to build an appropriate data security regime, the lawyer’s first step should be to examine the client’s specific data protection obligations. For example, hospitals, pharmacies, and doctor offices in the United States are regulated by the Health Insurance Portability and Accountability Act (HIPAA), which describes what patient care data must be protected. HIPAA includes a data security rule which provides instructions for certain required protective actions. Similarly, any financial company (Gramm-Leach-Bliley and FFEIC regulations) or school (FERPA) must follow a set of legal regulations written for one kind of data. 

The FTC acts as data protection regulator for those businesses that do not fall under another set of regulations. The FTC requires companies to comply with their own privacy policies, website terms of use, end user license agreements, and other consumer contracts. State attorneys general enforce the data protection rules, like those in Massachusetts that require written information security policies. 

Pursuant to its long-standing requirement that companies report material developments to investors, the Securities and Exchange Commission (SEC) has issued cyber-risk and security guidelines requiring public companies under its purview to better control and report on cyber-protection issues, and the SEC will hold a company’s board of directors responsible for lapses in information security. New audit guidelines from the SEC bring this requirement into focus for many businesses, and new fines are likely to follow. 

Some of the most important data obligations are not written into U.S. law. If a business wants to accept credit or debit cards as payment it must comply with the Payment Card Industry Data Security Standards. This set of standards is required and enforced through a retailer’s contract with its merchant bank. Companies have been fined millions of dollars for failing to comply with these contractual standards, and the payment card industry holds out the threat of banning a business from the payment card system for repeated and egregious failure to follow these rules. 

Many businesses are obligated to protect data through contracts with other companies. For example, a business that processes information for a regulated entity will be required by contract to comply with the data regulations that apply to its commercial customers. A company processing certain types of patient health data will be required to sign a business associate agreement that passes data protection obligations on to the processor. In addition, all types of businesses, regulated or not, protect their own data and have been aggressively applying similar standards to the companies that hold or process data for them. 

Sometimes data obligations arise through the transfer of information across borders. For example, Canada and the European Union have legal schemes that are, in many ways, more protective of personal data than the laws of the United States. These jurisdictions limit the type of information that can be transferred to the United States, and limit the entities that can receive such data. Many U.S. companies with customers in foreign countries are subject to data obligations arising in those countries. 

A lawyer should find all of the sources of sensitive and protectable data that his or her client possesses, and examine all the obligations that apply to this data, whether those obligations arise from U.S. law or regulation, foreign law or regulation, contracts that are part of the payment system, or individual agreements with customers. 

The Solutions

Once a client’s data obligations are identified and understood, then a lawyer should help his or her client devise security solutions to meet those data obligations. Many data protection rules provide road maps to compliance. For example, the Payment Card Industry Data Security Standards provides a framework for developing a security program around payment card data. The website for the Payments Card Industry Security Standard Counsel includes self-assessment questionnaires, specific requirements for PIN transaction security, and a list of validated applications that meet their standards. Its website also includes reference guides for merchants to learn how to be compliant with their rules. 

The laws requiring information security have published audit guidelines to describe how the laws will be enforced. Federal Financial Institutions Examination Council (FFIEC) standards for the financial industry are created by a collection of the most important federal financial regulators, and address all aspects of data security in the financial services industry, from call center fraud to bank branch security. FFIEC publishes white papers describing the likely threats to financial data and how to address them, and it publishes direct security guidance to regulated entities and the audit handbook for making certain that regulated entities. Similarly, HIPAA audit standards are published by by the U.S. Department of Health and Human Services (HHS). The HHS website includes protective documents on meeting the standards of the HIPAA Security Rule like “Security 101 for Covered Entities” and “Basics of Risk Analysis and Risk Management,” as well as specific data on physical safeguards, technical safeguards, and administrative safeguards. HHS also addresses the special needs of smaller providers who might not have the resources to implement all of these safeguards. 

A lawyer can use these road maps and audit guidelines as baselines to develop data protection plans to meet the related obligations. It should be a necessary first step toward meeting data obligations that the lawyer and client analyze specific compliance material and guidance offered by the regulator or entity charged with enforcing certain data security obligations. Whether the PCI DSS, SEC, FFEIC, HHS, FCC, or FTC, these entities will give the most specific instructions on how to comply with relevant data security requirements. In addition, the U.S. government publishes its own set of standards for protecting data, published by the National Institute for Standards in Technology (NIST), especially its Computer Security Division. NIST provides useful protocols, sample security regimes, and white papers on important data protection practices. While often too detailed and expensive to be implemented in whole cloth by smaller companies, the NIST standards are a good place to learn how to think about data security, and to see how to protect vulnerable aspects of your client’s systems. Some of the helpful NIST publications include guidelines for securing wireless local area networks, supply chain management practices, and how to use cryptographic key management systems. 

A lawyer should remind clients that businesses are required to have sensible, logical, industry-standard solutions for data security and to seriously consider the protection of sensitive information. Companies will not be expected to have perfect security in all cases. A client must demonstrate the logic behind its data security plan, so some consultation with lawyers and technical specialists familiar with data protection will be important. A business can use this consultation to demonstrate that it built protection on solid industry standards. Equally as important is documenting the security regime and the reasons for making certain investments over others. Resource choices will be examined in an investigation following data loss, and well-considered choices can keep a business from suffering penalties or punitive damages upon losing customer information. 

Attacks on client business will continue, and some will be successful. The lawyer’s job should be to prepare a client not only to fight these attacks, but to manage expectations and prove the logic of its plans when an incident turns into a data exposure. Lawyers are risk management professionals, and data security is an act of risk management. The attorney’s voice is valuable in building a protection plan that meets the client’s obligations, including preparation of the policies, procedures, and worker/executive training necessary to implement the plan, and documenting the decisions that underlie that plan.

Additional Resources

For other materials on this topic, please refer to the following.

Business Law Today

There Has Been a Data Security Breach: But is Notice Required?
By Ronald I. Raether, Jr.
August 2011

From Private to Public Ordering: An Expanding Federal Role for Regulating Privacy and Data Security?
By Edward A. Morse
July 2011 

Theodore F. Claypoole

Theodore F. Claypoole is a partner at Womble Carlyle Sandridge & Rice, LLP, in Charlotte, North Carolina.