Better than a Checklist of Minimum Requirements
By what legal standard should the holder of PII be held? PII means personally identifiable information like social security numbers and medical information.
I argue the standard should be this: A data holder must have an on-going process for devoting professional attention to security.
Under this standard, a sizable data holder like a hospital or a retail chain deploys a team of professionals to work all the time, every day. Any legal review of the data holder is therefore an enormous amount of work, an utterly massive amount of work. Under this standard, courts, insurers or regulatory authorities must undertake an exhausting analysis to conclude whether a data holder met the standard.
“Minimum Technical Requirements” Is a Common But Flawed Standard.
But the professional attention standard that I advocate is not universally acknowledged by authorities.
Instead, a commonly articulated standard is that the data holder must achieve some “minimum requirements.” Those minimum requirements amount to a prescriptive checklist of specific technical measures the data holder must take. The authority promoting the minimum requirements argues that each and every requirement is easy to do, so failure to do any one of them merits some kind of penalty.
Here are two examples of a legal authority arguing that a data holder failed to meet minimum, easy requirements for data security:
One: Cyber-insurer Denies Coverage Because Hospital Failed to Do Everything on Minimum Checklist.
In Columbia Casualty Company vs. Cottage Health System, a hospital had paid for cyber insurance. Then a breach happened. The insurer sued the hospital, seeking to deny coverage because, in good part, the hospital failed to satisfy some specific minimum requirements like installing patches on servers.
Two: FTC Says Medical Laboratory Violated Law Because It Missed Some Specific Checklist Points.
The Federal Trade Commission is locked in an epic struggle against the victim of a cyber attack, LabMD. In this proceeding FTC’s lawyers maintain that LabMD violated data security law because LabMD failed to implement specific low-cost checklist items, such as adoption of a written security policy (as distinct from an unwritten policy), formal training of employees, destruction of data on people for whom no healthcare was performed, and updating of the operating system.
See Footnotes 5-14 and accompanying text, Complaint Counsel’s Opposition to Respondent’s Motion to Dismiss. Public Document Number 9357, filed May 6, 2015.
It is important to observe that FTC’s lawyers give no credit to LabMD for what it did right; LabMD did in fact have a substantial, on-going InfoSec program. But FTC’s lawyers simplistically say: You missed some specific technical points in our checklist; therefore, you violated the law. No deeper analysis is necessary. [See update below.]
The Minimum Requirements Checklist Does Not Align with Reality.
The minimum requirements approach is easy for an authority like FTC to enforce. An audit will always find that a data holder did not meet some specific minimum requirement. That is reality. So any time the FTC looks, it will find that the data holder failed to meet this requirement or that requirement, even if the data holder maintained a substantial, professional, good faith InfoSec process.
But the minimum requirements approach is ineffective.
Every day, major data breaches happen. The reason is that data security is astonishingly hard to achieve in a functioning organization. As I write this post today, the big breach in the news is US Office of Personnel Management. Breaches are routine. Breaches are normal.
According to InfoSec pundit Bruce Schneier:
“In general, it is far easier to attack a network than it is to defend the same network. This isn’t a statement about willpower or budget; it’s a statement about how computer and network security work today. A former NSA deputy director recently said [link omitted] that if we were to score cyber the way we score soccer, the tally would be 462-456 twenty minutes into the game. In other words, it’s all offense and no defense. … In this kind of environment we simply have to assume that even our classified networks have been penetrated.”
In practice, achieving all of the minimum, low-cost requirements, 24 hours a day, 365 days a year, is exceedingly hard to do. Each little requirement viewed in isolation might be “low cost,” but collectively they are not low cost. More importantly, striving for minimum requirements is not the most effective approach to security. As a multitude of institutions have proven, the data holder can invest great resources in security and still be breached.
InfoSec is a fierce competition, and you might not win that competition even if you work hard at it. Like a rugby game, security invariably involves tradeoffs, judgment calls and good faith mistakes.
[Image caption: Cyber Defense as competition.]
The Better Standard Is Professional Attention.
So the better standard is not that the data holder meet specific minimum requirements on a prescriptive checklist. The better standard is that the data holder maintain a professional program to attend to security.
To understand that standard, let’s look at an example. A hospital (Massachusetts Eye and Ear Infirmary) lost a laptop containing patient data. The Department of Health and Human Services investigated. HHS concluded that the hospital violated HIPAA data security requirements and imposed a $1.5 million fine.
But the analysis by HHS was telling. HHS emphasized that the violation and fine were not about a specific security measure, i.e., encryption on a laptop. HHS did not say, "Encryption is easy. You did not encrypt. Therefore you broke the law."
Instead, said HHS, the violation was that the hospital failed over time to maintain an effective, on-going process for evaluating the security of portable devices and responding to that evaluation. See Resolution Agreement September 13, 2012.
Perfection in Information Security Will Never Be Achieved.
If data holders like hospitals must achieve perfect minimum data security, that is, if they must always meet all the “low-cost” measures that can be dreamed up, then they should cease operating. They will never get to legal compliance, and they will owe infinite fines and infinite compensation to victims like patients. That outcome is absurd.
A better approach is to motivate data holders to maintain a process, a responsible on-going program. It is like motivating a sports team to train rigorously and play its heart out on the field.
That approach includes recognizing that organizations with good programs will often be breached anyway. Organizations with good programs should be rewarded for having the programs. They should be spared penalty when a breach happens.
Data holders, like sports teams, should be cheered for playing hard, even when they lose.
This topic keeps me humble. I'd be pleased to hear comments.
Disclosure: Mr. Wright has performed work for LabMD.
Update on LabMD: Administrative Law Judge ruled against FTC and the standard of liability it was advancing.