The "Reasonable Security" Standard For Data Privacy Revisited, Again

I have let my opinions about personally identifiable information (PII) security be known in many blogs, webinars, and podcasts. These have focused on emerging US State data privacy laws and how they describe the protections companies must take to secure sensitive PII. Examples include: What is reasonable data security? Has "Reasonable Security" Finally Been Defined for Privacy Laws?: My observations have centered around the use of the term "reasonable" to define the required security practices companies must take to comply with the new data privacy laws. My bottom line has been and remains that data privacy laws must become more prescriptive in defining the data security technologies and practices companies are required to use when collecting, using, and storing sensitive PII.

With that in mind, I wanted to call out a particular federal regulation that goes beyond the weak use of the term "reasonable security" to highlight the need to specify standard data security technologies such as data encryption and multi-factor authentication (MFA) in all data privacy laws.

16 CFR Part 314 – Standards for Safeguarding Customer Information (Safeguards Rule)

The US Federal Safeguards Rule, originally published in the federal register on May 23, 2002, implements sections 501 and 505(b)(2) of the Gramm-Leach-Bliley Act for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. The Safeguards Rule was amended on December 9, 2021, to strengthen the protections for consumer financial information following widespread data breaches and ransomware. It applies to handling customer information by all financial institutions over which the Federal Trade Commission (FTC) has jurisdiction.

Under the Safeguards Rule, covered financial institutions include mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that are not required to register with the SEC, and entities acting as finders – defined as companies that bring together buyers and sellers of a product or service.

The amended Safeguards Rule provides covered financial institutions with additional guidance on developing and implementing specific aspects of an overall information security program, such as network and system access controls, user authentication, and - wait for it… data encryption.

Before I get into the specifics of the Safeguards Rule security guidance, I wanted to set the stage on how the Safeguards Rule defines a security event – also known as a security breach.

The Safeguards Rule defines a "security event" as an incident resulting in unauthorized access to, disruption, or misuse of an information system, data stored on information systems, or customer information held in physical form.

When looking at electronically stored information (ESI), a security event or breach occurs when electronically stored PII is accessed (or could have been) by unauthorized individuals. However, one important question CISOs should ask themselves is; legally, did the breach occur (and are breach notification requirements triggered) if the stored PII was encrypted and the encryption keys were not stored in the same system (or cloud)? Note that the GDPR (hailed by some as the current gold standard for consumer data protection) mentions that the loss of a state-of-the-art encrypted mobile storage medium that holds PII is not necessarily considered a data breach because the sensitive data could not have been viewed or misused. Data encryption is a well-known, non-vendor-specific technology that has been around for decades. In fact, data encryption technology has been around since 600 BC (check out cipher wheels if you’re interested) – granted only for hardcopy content, but computer-based data encryption has been available since the 1970s. Most data encryption capabilities within computer systems are not vendor specific. So there is no good reason for lawmakers not to include data encryption requirements of PII in the emerging data privacy laws.

The fact that non-vendor-specific data encryption technology underlies my main argument for including data encryption requirements in the new state data privacy laws. But more on that topic in a bit.

314.4 Elements for safeguarding customer information

This section of the Safeguards Rule calls out several specific requirements companies should include in their data security capabilities to be in compliance. They include:

1. Conduct periodic risk assessments that measure the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of the information systems and PII that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromises of such information, and reassess the sufficiency of any safeguards in place to control these risks. Most privacy laws already include this requirement.
2. Implement access controls to ensure only authorized users have audited access. System access controls that programmatically check to see if a specific user trying to gain access to a system has been authorized to access specific documents have been widely available for many years. Yet surprisingly, this popular security capability is not directly addressed in most privacy regulations.
3. Implement multi-factor authentication for any individual accessing information systems and applications – again, state privacy laws do not address this requirement. However, President Biden's Executive Order (EO) 14028 for updated cybersecurity practices for all federal agencies does require it. You can also check out my blog on EO 14028.
4. Encrypt all PII during transmission and while at rest. President Biden's Executive Order requires all federal agencies to encrypt all sensitive data. In the previous section, I mentioned data encryption as an essential best practice for data security/data privacy. The pushback I receive from some pundits (especially politicians) is that they don't want to require a specific technology that could tie the data collector (or organization holding the PII) into particular technology vendors. This is a spurious argument based on the facts described above namely, many versions of encryption technology have been available for decades. Also, many data encryption programs, besides being considered standard, have been built on open-source code and can be easily incorporated into computer applications.
5. Develop, implement, and maintain procedures for the secure deletion of customer information – this requirement has also been a focus for me. None of the current data privacy regulations, including the GDPR, address the need to delete PII in an unrecoverable process. One of the data subject rights that appear in all data privacy laws is the right to deletion – also known in the GDPR as the right to be forgotten. In speaking with subject matter experts in the US, Canada, and the EU, in all cases, the right to deletion implies an unrecoverable erasure. Does your records management, information management, or archiving system provide for permanent deletions?

An additional cybersecurity defense not called out in the Safeguards Rule is the implementation of Zero Trust design for applications and networks. The fact that this security capability is relativity new explains why it has not yet made it into the Safeguards Rule. However, the May 2021 Presidential Executive Order 14028 also requires ALL Federal agencies to begin implementing zero trust design in all agency systems, including all on-premises and cloud–based applications.

Zero Trust is the next cybersecurity frontier for data security

Zero Trust design is a developing set of cybersecurity concepts that move enterprise cybersecurity defenses from static, network-based perimeters to concentrate on users, assets, and resources.

Zero Trust uses specific principles to design and implement enterprise infrastructure and applications. The basis of the Zero Trust concept assumes there is no implicit trust granted to users based solely on their physical or network location.

Zero Trust is known in the security industry as "least privilege." The concept of least privilege is a fundamental principle of next-generation cybersecurity designed to limit user access to the minimum levels of access needed to perform a function. Users are given no more authorizations than necessary, so authorized users get access only to the resources they need to perform their duties but nothing else.

The 16CFR Part 314 data security requirements mentioned above exemplify how state governments can create more prescriptive, common-sense data security requirements that any organization collecting PII could meet. Now we need to convince politicians, corporate boards, and executive management to become more educated on these basic cybersecurity concepts and include them in their future data privacy laws. On a side note, I am surprised that cyber-liability insurance providers have not made data encryption a requirement for coverage.

How Archive360 is pushing the boundaries of data security

The Archive360 Open Archiving and information management platform provides complete records management, information management, archiving, and case management/eDiscovery capabilities with auto-categorization and retention/disposition for ongoing data minimization in the industry's only true cloud-first solution.

Based on a Zero Trust PaaS-based intelligent information management and archiving platform, the Archive360 solution is installed in the customer's own cloud tenancy. As a security by design and default software platform, customers can implement additional levels of security, including fully private, isolated enclaves, and create and store their own encryption keys – on-premises for additional security. As a PaaS solution, our customers retain complete control and direct ownership of their sensitive data and encryption keys.

Unlike the common SaaS, third-party shared cloud model, the Archive360 cloud platform can support and be a part of Zero Trust security architecture, i.e., a private/secure enclave, to ensure there are no shared resources, shared encryption keys, or standard security certificates. 

Archive360 also offers the industry's only locally-based Cloud Security Gateway, which provides encryption of all data before movement to the cloud, on-premises encryption key storage, access controls, and homomorphic and field-level encryption for total data security in transit, at rest, and WHILE IN USE. 

These security capabilities ensure data collectors, data processors, and government agencies can meet or exceed the new privacy compliance standards.

For more information on emerging data privacy laws and new data security requirements, please get in touch with the experts at Archive360 by emailing us at info@archive360.com or calling us at +1 (212) 731-2438.