With the advent of big data, businesses today are managing databases of unprecedented size and complexity. With that size and complexity come myriad legal and compliance challenges.
Foremost among them is the almost insurmountable task of complying with an alphabet soup of privacy and data security laws and regulations. In addition to local, state, national, and even international laws and regulations, there are many other potentially applicable standards and guidances.
In the financial services and healthcare industries, there are many non-binding, but strongly recommended, guidances from a variety of regulators. There are also contractual standards, such as the Payment Card Industry Data Security Standard (“PCI DSS”), which governs cardholder information in credit card transactions. Finally, there are various industry standards for information security published by organizations like the Computer Emergency Response Team (“CERT”) at Carnegie Mellon and the families of standards from the International Standards Organization (“ISO”).
Reconciling all of these laws, regulations, standards, and guidances can be, at best, a full-time job and, at worst, the subject of fines, penalties, lawsuits, and, frequently, very adverse publicity and loss of business. In many instances, these obligations are vague and ambiguous, with little specific guidance as to compliance. Worse yet, the laws of different jurisdictions may be, and frequently are, conflicting. One state or country may require security measures that are entirely different from those of another state or country. Finally, the creation and use of the extremely large databases constituting “big data” is a relatively new phenomenon that has not yet been fully tested in the courts, particularly with regard to privacy and security issues.
The challenges of compliance with this ever-increasing morass of laws, regulations, standards, and contractual obligations can be overwhelming. Even if no personally identifiable information is at risk, businesses have obligations to implement appropriate security measures to protect other highly sensitive information relating to, for example, their trade secrets, marketing efforts, business partner interactions, etc. All too often, businesses become fixated on a single tree or branch in the forest of laws, regulations, standards, and guidances and fail to appreciate, or even see, the other nearby trees and how they relate to one another; they seldom step back far enough to gain an overall view of the compliance forest.
We have sifted through various privacy and security laws, regulations, and standards to identify three common, relatively straightforward “threads” that run through many of them. By understanding these common threads, businesses can better understand their overall information security and compliance obligations with regard to big data. With this understanding, businesses may more readily address not only their current obligations, but have a framework for assessing new laws, regulations, and standards that may arise in the future.
Common misconceptions about information security compliance
There is much confusion and many misconceptions when it comes to information security and compliance with regard to big data. The two biggest misconceptions are that “it’s all about the data” and “it’s all about confidentiality.” While data and confidentiality are certainly of critical importance, a more holistic approach is required. A business must be concerned about its data, but it must be equally concerned about the systems on which the data resides. In addition, confidentiality is only one of three key protections required for true security. Those three protections are frequently referred to by the well-known acronym “CIA,” standing for Confidentiality, Integrity, and Availability. For data to be truly secure, each of these three elements must be satisfied.
“Confidentiality” is the most obvious of the three elements in CIA. It means the data is protected from unauthorized access and disclosure.
“Integrity” means the data can be relied upon as accurate and that it has not been subject to unauthorized alteration. Data integrity is likely the least obvious of the elements necessary for achieving good information security. Consider the importance of the integrity element in the context of a medical information system used in a hospital. If the data in a patient record cannot be relied upon (e.g., to identify a drug allergy, recent medical treatments, results of blood tests, etc.) because certain elements may have been altered, the entire database is rendered suspect.
Finally, “Availability” means data is available for access and use when required. It does no good to have data that is confidential and for which integrity is maintained if that data is not actually available when a user requires it. Consider, again, the example of the healthcare information system. If a patient record is unavailable because of a system failure when a patient comes into the emergency room in critical condition, it is useless. Hackers understand the substantial impact unavailability may have on a business, particularly online businesses. Denial-of-service attacks are frequent. In these attacks, hackers inundate a target business’ services with fake requests in an effort to overwhelm them, preventing real users from accessing and using the systems.
The importance of CIA cannot be overstated. It is not just a well-worn concept in information security treatises. Lawmakers have directly incorporated that very language into certain information security and privacy laws and regulations. Businesses that fail to achieve CIA with regard to their data may be found in violation of those laws.
A final misconception about information security and privacy laws is that they require perfection (i.e., any breach, regardless of how diligent the business has been, will create liability). This is not true. The laws and regulations in this area are directed at having businesses do what is reasonable and appropriate. If the business achieves that standard and a breach nonetheless occurs, it will generally not have a compliance problem. Liability will turn on whether the business has thoughtfully attempted to address the security of its data.
Finding common threads in compliance laws and regulations
The sheer number and variety of laws, regulations, and other standards governing the handling of sensitive information can be daunting, if not overwhelming. The problem escalates exponentially when extremely large databases are involved – databases that may contain data from individuals residing in dozens of jurisdictions around the world. In some instances, it may be almost impossible for even a large, sophisticated organization to identify all applicable requirements, reconcile inconsistencies, and then implement a compliance program.
In this section, the goal is not to discuss any specific laws, regulations, or standards, but to identify three common threads that run through many of them. By understanding those common threads, businesses can more easily understand their baseline compliance obligations and obtain at least a glimpse of the compliance forest.