Scaling security measures to reflect the nature of the data and threat. A concept that is closely related to acting reasonably or doing what is appropriate is the idea of scaling security measures to reflect the nature of the threat and the sensitivity of the data. That is, a business need not spend its entire security budget to address a low-risk threat. But if the risk is substantial, particularly in light of the volume and/or sensitivity of the data, the level of effort and expenditure by the business to address that risk must increase. A database with only names and physical addresses may not require as much security as a database of names, addresses, and Social Security numbers. To better understand this concept, the following are excerpts from two laws that incorporate and define the concept of "scaling":
First example: The Massachusetts Data Security Law: ". . . safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information."
Second example: HIPAA Security Rule: Factors to consider:
(i) The size, complexity, and capabilities of the Covered Entity.
(ii) The Covered Entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to ePHI.
While the number and complexity of privacy- and information-security-related laws, regulations, and other standards is ever increasing, businesses should look for and appreciate the common threads running through them. In this article, three of the most common and most important threads are presented. By understanding that current law does not require perfection, but only due care, reasonableness, and scaling of measures to reflect the sensitivity of the data being placed at risk, businesses can go a long way toward achieving compliance. This same framework can be used to understand and assess laws, regulations, and standards implemented in the future.