top of page
Writer's picturePaul Hugenberg

Understanding Data Security Legal Obligations: Does It Really Apply to Me?

Data Privacy laws vary broadly across the United States, because, to a large extent, there’s not one single, comprehensive federal (or state/local) law that dictates and/or regulates how most companies are to collect, store, or share customer data.  This is mainly because of the disparate laws across both the federal and state/local legislatures that cover industry-specific data rather than treat data as a general asset (i.e. HIPAA, ECPA, FedRAMP, FCRA, FERPA, GBLA, COPPA, VPPA, etc.). Courts across that nation are concluding, in one fashion or another, that it is incumbent on the defendant company or organization to have precautions and data security policies in place to protect consumer data that is deemed sensitive in nature.  


Does it apply to me?

Case in point: The FTC's settlement with X-Mode Social and its successor firm Outlogic emphasizes the importance of consent and transparency in data handling, and the requirement to delete sensitive data. This is significant from a legal data security perspective because it highlights the U.S. Federal Trade Commission's proactive stance on data privacy, setting a precedent for how location data can be handled and shared by data brokers.



Let us take a quick look over what we would consider to be the fundamental patchwork of data security obligations. The coverage is far more extensive than most realize. 


  • Statutes and Regulations impose obligations to provide data security and may use exact verbiage such as “security” and/or “safeguards," or less specific language like “authentication,” “integrity,” “confidentiality,” or “availability.” 

    • Privacy laws: Typically focused on personal, nonpublic data that is collected or used (in any way) by the subject organization. 

    • Security laws: Most states now maintain security laws related to their citizens and require a general business obligation to protect that information. Some states provide additional safe-harbor protections based on the documented adoption of acceptable programs to address the requirements. For example, California and NY have extremely specific laws governing their citizen data no matter where it is stored across the US

    • E-Transaction laws: Targeted towards compliance with electronic documents and electronic records of online transactions. Enforceability of these documents can fall on the obligations to secure and store records appropriately.  

    • Corporate governance legislation and regulations: For publicly traded companies or those subject to investment rules, the SEC, FTC, and AICPA require compliance with specific information security controls and practices; via attestation and reporting. 

    • Unfair business practice laws: States and federal agencies retain enforcement action for failure to provide reasonable security over data. Some will compel reasonable steps, such as the FTC Act §5

    • Sector-specific regulations: Industry specific requirements that fall under compliance (finance, banking, insurance, healthcare, DoD contracting, credit cards, etc.) or frameworks (TISAX, ISO, etc.). 

  • Common Law Obligations: Starting in 2005 and carrying through very recent years, Courts are adopting the view and accepting affirmative arguments that there is a common law duty to provide reasonable and appropriate security for corporate and personal data, even employee data. Mostly, the courts are expecting measures based on foreseeable circumstances. 

  • Rules of Evidence: Admission of electronic records into evidence for any legal proceeding can be subject to the implementation of appropriate security measures over that information. Of specific concern is the “original form requirement” and “authentication.”   

  • Rules of Professional Responsibility: The most overlooked obligation by business or individuals subject to professional organizations standards (such as ABA, AICPA, etc.) governing the rules of conduct. In almost every circumstance, these rules would subject all client and client-related data to security protections as a matter of ethics. 

  • Contractual Obligations: Many times, the legal obligations of one company are pushed down to third and fourth parties who must also adopt appropriate security measures. For example, the Managed IT Services Provider (MSP or MSSP) that provides IT or IT Security services to a bank is subject to GLBA; to a dental practice is subject to HIPAA; to a client who services DoD contracts is subject to CMMC; and so on. 

  • Self-Imposed Obligations: Often, internal policy and procedures provide for a security expectation that is self-imposed. Privacy policies on websites and public documents create an obligation to comply with the stated standards. Such actions expose companies and individuals to liabilities in legal proceedings and in compliance matters.  

What can you do if you have a duty for any of the foregoing reasons? First, document your environment in a Written Information Security Program (WISP). This document will address the technical, physical and administrative controls you have in place over your information systems (hardware, software, data, people, networks) to protect data Confidentiality, Integrity and Availability. 


An outline of your WISP: 

  1. Establish your Governance Program. 

  2. Assign responsibility. 

  3. Create oversight processes. 

  4. Put it in writing. 

  5. Identify the information system assets to be protected. Inventory the data you have a duty to protect. This step is often overlooked but is the most critical. 

  6. Identify the risks to those assets, which expose the data assets to a loss of confidentiality, integrity and availability. 

  7. Identify the technical, physical and administrative controls in place over those assets to reduce those risks. 

  8. Train your employees!

  9. Monitor (audit, review, assess) your controls for their sufficiency and effectiveness. Sometimes, this must be performed independently. 

  10. Put your security expectations and requirements in your contractual documents with third and fourth-party relationships. Establish processes to oversee all of those relationships when they have access to your sensitive data or assets. 

  11. Put data disposal policies in place to properly discard and/or destroy any data deemed sensitive in nature. 

  12. Revisit your Program whenever there is a notable change, or annually, whichever comes first. 

Please reach out to us at any time for help with these responsibilities. Without any obligation, we are happy to offer our time to ensure you and your organization are on the right path, with the right tools, and right instruction.  


Welcome to Pelican3. 


Strategic Tech. Financial Growth. Harmonized. ©


36 views0 comments

Comments


SUBSCRIBE TO OUR BLOG!

Thanks for submitting!

bottom of page