Peter Sloan is the Managing Attorney at the law firm Information Governance Group, LLC. Peter advises clients on how best to retain, secure, preserve, and dispose of information. He helps clients throughout the United States create, validate, and update retention schedules; implement compliant information management policies and processes; and defensibly dispose of information. Peter also counsels clients on data security compliance and breach response readiness, and he works with clients to manage data breach response.

Peter has served clients across a broad range of industries, including energy, financial services, healthcare, engineering and construction, manufacturing, retail, technology, and transportation.

For more information about the Firm, please visit www.infogovgroup.com, or the Firm's blog, Information Bytes.


In this series on defining your company’s information security classifications, we’ve already looked at Protected Information under state PII breach notification statutes, and PHI under HIPAA. What’s next? Customer information that must be safeguarded under the Gramm-Leach-Bliley Act (GLBA), a concern for any “financial institution” under GLBA.

GLBA begins with an elegant, concise statement of congressional policy: “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” Sounds straightforward, doesn’t it? Things get complicated, though, for three reasons: (1) the broad scope of what constitutes a “financial institution” subject to GLBA; (2) the byzantine structure of regulators authorized under GLBA to issue rules and security standards and to enforce them; and (3) the amorphous definition of nonpublic customer information.

In this series on establishing security classifications for your company’s information, last week’s post looked at one aspect – the widely varying definitions of Protected Information under state PII breach notification statutes. But if your organization is a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA), the definition of Protected Health Information (PHI) is also a key puzzle piece for your classification scheme.

HIPAA establishes national standards for the use and disclosure of PHI, and also for the safeguarding of individuals’ electronic PHI, by covered entities and business associates. Merely having information commonly thought of as “protected health information” does not mean that HIPAA applies. And there are some surprises in which organizations are – and are not – covered by HIPAA. So, that’s the first question to answer – is your company a HIPAA covered entity or business associate?

When governing information, it works well to identify and bundle rules (for legal compliance, risk, and value), identify and bundle information (by content and context), and then attach the rule bundles to the information bundles. Classification is a great means to that end, by both framing the questions and supplying the answers. With a classification scheme, we have an upstream “if-then” (if it’s this kind of information, then it has this classification), followed by a downstream “if-then” (if it’s information with this classification, then we treat it this way). A classification scheme is simply a logical paradigm, and frankly, the simpler, the better. For day-to-day efficiency, once the rules and classifications are set, we automate as much and as broadly as possible, thereby avoiding laborious individual decisions that reinvent the wheel.

Easy so far, right? One of the early challenges is to identify and bundle the rules, which can be complicated. For example, take security rules. Defining what information fits in a protected classification for security controls can be daunting, given the various overlapping legal regimes in the United States for PII, PHI, financial institution customer information, and the like. So, let’s take a look, over several posts, at legal definitions for protected information, starting with PII under state statutes.

I’m here at RabbitHole, Inc., talking with the company’s Manager of Money in his office, which is buried in the Facilities Department, down in the building’s basement. I’m interviewing him to get a better sense of how RabbitHole manages money as a corporate asset.

Pardon my asking, but how much money does RabbitHole have?

“Frankly, no one knows – we don’t really keep track of that. We have boxes of paper currency stored off-site, but as for ‘active’ money, our employees keep that pretty much wherever they choose – in the network money systems, in their individual offices, in mobile wallets, and probably some stashed at home.”

But isn’t that your job? I mean, your title is “Manager of Money,” right?

2015 was quite a year for Information Governance, and it’s now time for a year-end post. I’ve neither the prescience nor patience for making predictions, and after briefly flirting with a Star Wars/Holiday mash-up, I remembered that’s been done before, with tragic results. So, all that’s left is a single question, which may be the only question that matters – over a tumultuous year for privacy, data security, information management, and e-discovery, what did we learn about governing information?

Today the FTC announced a $100-million settlement of its most recent data security lawsuit against LifeLock, the ubiquitous B2C provider of credit monitoring and identity theft protection to consumers. Despite years of litigation with the FTC and 35 states’ attorneys general, LifeLock has continued with a business model that taps into consumers’ visceral fear of identity theft, and also consumers’ persistent belief that such exposure can magically disappear… all for “less than $10/month.” But while “Nobody can conceive or imagine all the wonders there are unseen and unseeable in the world,” LifeLock’s settlement with the FTC is a reminder that there is no perfect protection against identity theft.

The FTC has pursued enforcement actions against more than 50 companies for inadequate data security, and to date only two, Wyndham Hotels and LabMD, have pushed back. On the heels of a Third Circuit victory in its Wyndham litigation, the FTC recently suffered a blow when its administrative complaint against LabMD was dismissed – by an FTC administrative judge, no less.

As the FTC pursues an appeal to its commissioners, are there lessons to be learned? First, reports of the death of the FTC’s Section 5 data security enforcement authority have, once again, been greatly exaggerated – the FTC will remain in the data security enforcer role post-LabMD, as strong as ever. And second, the real lesson of LabMD is what it teaches us about grey hat security firm tactics, and how businesses need to trust their gut and do their homework.

As we anticipate the calorie-bomb of Thanksgiving dinner, let’s face it – litigation preservation is overweight, obese, and corpulent, torpidly dazed in a fat/sugar coma of way too much data. But effective Dec. 1, amended Rule 26 of the Federal Rules of Civil Procedure strikes back, limiting the scope of discovery to what is “proportional.” Will the amended rule tip the scales toward leaner litigation preservation, or is this simply another FRCP fad diet, doomed to fail?

Only minutes passed between first learning of the Paris attacks and confirming that our son, studying abroad in France, was safe. But it seemed to last a lifetime. My wife and I were with him in Paris just two weeks earlier, strolling happily a few blocks from where slaughter would soon visit the Bataclan Concert Hall and La Belle Equipe. Then, like a sick, twisted Groundhog Day, it felt like 9/11 all over again.

The Paris terrorism has rekindled an ongoing debate over government surveillance power, personal privacy, and cybersecurity. In this crucial, consequential debate, it behooves us to remember that terrorism’s goal is to trigger emotional, extreme reaction, and that perspective and balance are the antitheses of violent radicalism.

Wow, our group health plan premiums are crushing us. Wait a minute—what if we ramped up our company’s wellness program, using cool technology to help get our workforce in shape? Let’s get all our employees to use those wearable fitness tracker gizmos! We can fold those into our BYOD program, offer a device subsidy, and then have our employees report their stats and progress in some kind of fitness competition, with cool stuff as motivating rewards. Premium costs down, flab down, fitness up, profits up… what could possibly go wrong?

Plenty will go wrong, unless the company takes a breather and checks the pulse of information-related risks and compliance issues. So, let’s run a quick information governance circuit drill.