security

Some weeks ago I experienced that sinking feeling that comes with locking your keys in the car. Fortunately, I was only a phone call and a 20-minute wait away from rescue. But how can that happen, you ask, given all the modern safeguards built into automotive key technology? Don’t cars these days alert you or automatically unlock the doors when you leave the key inside?

It’s a dangerous world for protected information, with major breaches in the news and a challenging cyber-threat environment behind the scenes. Organizations must be prepared to respond to data breaches, but effective response is no small matter. There are 10 different channels of response activity for an organization that has suffered a security breach: Security, Legal, Forensic, Law Enforcement, Regulators, Insurance Coverage, Public Relations, Stakeholders, Notification, and Personnel Management. Most of these activities are involved in every breach, and all must be dealt with in significant breaches. These activities are not sequential. They play out in parallel, with interrelated effects… and with the response clock ticking.

In 2012, the Federal Trade Commission filed suit in federal court against hotelier Wyndham and its various subsidiaries (“Wyndham”), claiming that Wyndham’s allegedly unreasonable data security practices allowed hackers to steal personal information and payment data of Wyndham’s customers. The FTC’s claims were not unusual – by 2012 the FTC had spent a decade pursuing companies for unreasonable data security in administrative actions under Section 5 of the FTC Act, which forbids unfair or deceptive acts or practices in or affecting commerce.  In each of these prior enforcement actions the company settled with the FTC, agreeing to comprehensive data security controls, program monitoring, and reporting, usually extending for 20 years.

But Wyndham’s response was highly unusual – it pushed back, and continues to do so, challenging the FTC’s authority to enforce “reasonable” data security under the FTC Act.

In its motion to dismiss, Wyndham argued that the unfairness prong of FTC Act Section 5 does not empower the FTC to regulate cybersecurity, and also that the FTC has not provided constitutionally adequate notice of what cybersecurity practices are required to satisfy a “reasonableness” standard.

The federal district court denied Wyndham’s motion to dismiss, but later allowed an interlocutory appeal on Wyndham’s arguments. The stage is now set for the Third Circuit Court of Appeals, in a case of first impression, to decide whether the FTC has authority under the unfairness prong of FTC Act Section 5 to enforce reasonable data security. Will the Third Circuit resolve this issue, or will it dodge the question?

I met this grumpy fellow in Sabi Sands, South Africa, and took this picture with my phone (nope, no zoom… wish he’d been further away). The experience reminded me of the fable about the Blind Men and the Elephant, a classic allegory for how we often do not perceive the big picture, but instead only the part we directly encounter. This fable has become a useful metaphor for Information Governance. In so many organizations, individual departments and functions have their own, limited perspectives on information, seeing only the issues and objectives with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk. Information Governance is the means through which organizations can bridge across such silos and perceive the big picture of information compliance, risk, and value.

Actually, I prefer a different version, restyled as the Blind Elephants and the Man.

The Target data breach disrupted the 2013 holiday shopping season, shook the retail industry, and shocked many who assumed that a nationwide retailer would have the security controls in place to prevent such an attack. The breach exposed credit card data of 40 million individuals and personal data of approximately 70 million consumers. A quarter billion dollars and a slew of lawsuits later, lessons have emerged and questions remain.

After years of debate, Congress last December passed three bills focused on combating cybercrime. President Obama quickly signed each bill into law.

They include:

  • National Cybersecurity Protection Act of 2014. The most notable piece of legislation for the private sector, this Act establishes a framework for private entities and government authorities to share intelligence about cyber threats and incident response plans. However, much to the dismay of many private entities, this stripped-down version of an earlier House bill lacks the liability protections that many companies had desired.
  • Federal Information Security Modernization Act. This Act creates a structure for maintaining safeguards to protect federal government data. It encourages government agencies to use automated security tools to identify and correct security deficiencies, building upon the risk management framework originally established by the Federal Information Security Management Act of 2002. It also requires that agencies report major cyber incidents to Congress within seven days of discovery.

While governing my information (yep, cleaning up old email and files), I came across one of my early white papers on Information Governance, from 2010:  The Information Governance C Change. It can be cringe-inducing to revisit old material, but this piece seems as valid today as five years ago:

“Companies are awash in an ocean of data. E-mail servers are overflowing, troves of legacy data and documents are accumulating, rogue IT is proliferating, and social media and other Web 2.0 usage is seeping into the workplace. These same companies are also experiencing a sea change in their information compliance environment. E-discovery costs and exposures continue to mount, while courts’ expectations are escalating for compliant preservation, collection, and production of ESI. And new laws and regulations are expanding the reach of information privacy and security requirements to a broader range of entities and business operations.

Healthcare is trending toward value-based payments. Back in January, Sylvia Burwell of the of the U.S. Department of Health & Human Services announced Medicare’s move toward paying providers based on quality, rather than quantity, of care they give to patients. Secretary Burwell emphasized the importance of alternate payment models, including accountable care organizations (“ACOs”). Regardless of whether you are for or against value based payments, ACOs are will play a big role in the future of healthcare, and many providers will find themselves involved in an ACO. So, what are the privacy and security issues associated with being an ACO participant?