Reasonable, appropriate, adequate…security (Part I)

June 30th, 2009 by Olga Koksharova
Category: «Did you know that...?», «General», «Legal Questions», «Security», «Tips & Tricks»

Most laws define security obligations as reasonable, appropriate, suitable, necessary, adequate etc. without giving more precise directives to follow. Is it good or bad? And what should be known about these standards?

Let’s see what major security standards say about recommended security measures.

Data Protection Directive in Europe

…implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing

http://www.enisa.europa.eu/rmra/lr_privacy.html

HIPAA Security Standards: Technical Safeguards

It is important, and therefore required by the Security Rule, for a covered entity to comply with the Technical Safeguard standards and certain implementation specifications; a covered entity may use any security measures that allow it to reasonably and appropriately do so.

A covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization.

Determining which security measure to implement is a decision that covered entities must make based on what is reasonable and appropriate for their specific organization, given their own unique characteristics, as specified in § 164.306(b) the Security Standards: General Rules,Flexibility of Approach.

Read more: "Security Standards: Technical Safeguards"

The LGB Security Regulations

Effective security management requires your company to deter, detect, and defend against security breaches. That means taking reasonable steps to prevent attacks, quickly diagnosing a security incident, and having a plan in place for responding effectively.

http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus54.shtm

Does it seem to you pretty ambiguous at first reading? No, it is not law inconsistence that there are no more precise prescriptions/measures to be followed. On the contrary, they show security as a relative and flexible concept. The set of security measures and technologies (like approved passwords, password managers, or encryption …) is not universal for all cases, organizations, or industries – they can differ and each company has to understand its own industry-, company-, situation-, or else-specific dangers and accordingly protect sensitive information and maintain its protection.

Pretty wisely, security laws do not impose security measures, but require organizations to be involved in an ongoing and repetitive process*, which consequently presupposes both understanding of computer security development and taking timely measures. Otherwise, in the light of technologies constantly taking great strides forward, data security would bump into red tape and necessity to establish, introduce, and follow precise security measures.

*Information Security Law: The Emerging Standard for Corporate Compliance by Thomas J. Smedinghoff.