Career Resources

Joyce Brocaglia

In speaking to corporate executives who are responsible for building information security programs, it has become evident to me that the requirements for those who lead these programs have become more complex. One of the issues security officers face is the need to understand the legal and regulatory requirements that affect the security, governance and compliance of their organizations. In order to give security professionals a legal perspective on some of the challenges they face, I had a discussion with Tanya Forsheit.
 
Tanya Forsheit is an attorney with the InfoSecCompliance LLC law firm; she is based in Los Angeles, California.  Prior to joining InfoSecCompliance, she was the Co-Chair of Proskauer Rose LLP’s Privacy and Data Security practice group, where she launched the Firm’s Privacy Law Blog in 2007.  Certified as an information privacy professional by the International Association of Privacy Professionals (IAPP), Tanya works with clients to address legal requirements and best practices for protection of customer and employee information.  In 2009, she was named one of the Los Angeles Daily Journal’s Top 100 women litigators in California.
 
  • How are the laws shaping companies’ responses to privacy requirements?

The emergence of state breach notification laws beginning seven years ago shed light on the frequent occurrence of data security breaches resulting from intentional wrongdoing (hacks, cybercrime) and internal employee neglect or mistake.  The new requirement to publicly disclose such incidents created an impetus for companies to improve internal policies and procedures for safeguarding the growing stores of personal data relating to both customers and employees.  As the number of reported incidents has increased, year after year, legislators have now turned their attention to crafting legislation designed to require companies to safeguard the information in order to prevent such breaches from occurring in the first instance.  Although nine different states have such requirements, the most recent and dramatic example is Massachusetts.  The Massachusetts regulations, currently set to go into effect on January 1, 2010, require the creation and implementation of a detailed written information security program and computer security measures including encryption of personal data residing on mobile devices and transmitted over public or wireless networks.  These laws – breach notification and data security – apply to any and all organizations that hold personal information (as defined by the particular state statute) of consumers and employees.  That means every single organization out there has compliance obligations.
 

  • How can corporate information security officers better work with their General Counsel?

 
Information security professionals and the legal department can and must work together to implement effective data security programs.  The good news is that your average General Counsel today understands information security and technology much better than the same General Counsel 5-10 years ago, largely due to these legal developments.  Information security officers should keep the legal department up to date on recent developments in this area of the law, and remind the GC of the cost savings inherent in ensuring compliance up front (instead of incurring economic damages and reputational cost associated with a breach).
There are three important components of the information security and legal relationship: (1) awareness of each other’s problems and issues; (2) open communication regarding those problems and issues to foster understanding; and (3) translation of those problems and issues into action on both sides. Sometimes it helps to have a security-savvy lawyer serve as a “translator” in this process between the professions.
 

  • Protection of customer and employee information is paramount to global enterprises; what advice would you give security officers?

 
Every organization, large or small, must understand and analyze the federal, state and international data security laws that apply to it.  Information security officers should look at business processes, data flow, and system and network setup, and should inventory personal identifying information (or PII) of consumers and employees flowing through the organization.  Once an organization knows which laws apply, it should stay on top of developments.  The law in this area is changing on a weekly basis.  This year alone we are witnessing dramatic changes in breach notification requirements (HITECH Act at the federal level), state data security requirements (Massachusetts regulations), and rules to detect and prevent identity theft (FACTA Red Flag Rules), not to mention a growing body of case law in class actions filed in connection with breach incidents and heightened FTC scrutiny.
 
 

  • How do you advise security officers to best stay on top of the ever changing regulations, laws and requirements for notification of breaches?

 
See, you read my mind.  Yes, staying on top of the law is key.  Security officers can do so by partnering with their General Counsel and legal department to circulate articles on key developments, summarize new regulations for executives, and regularly meet to discuss practical steps for implementing new requirements in a timely fashion.  Outside counsel can help, as well.  There are lots of excellent free resources out there, including www.infoseccompliance.com.