Safeguarding Personal Information: What Washington Businesses Need to Know about Data Security Standards
By Charles E. Harris II, Laura R. Hammargren, and Rebecca M. Klein
It was recently reported that, before the year had ended, there had already been 717 data breaches in 2015, exposing an estimated 176 million records. Thirteen of the breaches targeted Washington-based organizations.1
The hefty financial costs and reputational harm that usually attend these attacks have raised awareness about the importance of data security at the highest levels in organizations. But, with no national law establishing mandatory, uniform data security measures, many organizations are unsure about whether they are legally required to employ specific safeguard standards.
This article discusses safeguard standards under: (i) federal law; (ii) the Revised Code of Washington (RCW); and (iii) laws from other states. The article also discusses certain established data security standards and why Washington entities — even those subject to statutory safeguard standards — might consider complying with one of these standards.
U.S. businesses in only a few sectors have traditionally been subject to specific data security standards under federal law. The two primary examples are “financial institutions” and companies that handle health care information. If a business is not in one of these sectors and does not deal with them frequently, there are generally no specific safeguard standards that it must implement pursuant to federal statute.
Some state statutes, however, require specific safeguards for companies that do business in the state or that handle personal information of the state’s residents. Moreover, companies may be contractually required to implement specific data security standards. For example, credit card brands, including Visa, MasterCard, American Express and Discover, require businesses that store and transmit payment card data to comply with the Payment Card Industry Data Security Standard (PCI-DSS).
Data Security Standards
The Gramm-Leach-Bliley Act (GLBA)2 declared it a public policy that each “financial institution” has an affirmative obligation to “protect the security and confidentiality of [its] customers’ nonpublic personal information.”3 A “financial institution” under the GLBA includes any entity “engaging in financial activities.”4
The GLBA does not contain specific data security standards. Instead, it tasks certain federal and state agencies with establishing appropriate standards for financial institutions subject to their jurisdiction.5
The FTC, for example, promulgated the “Safeguards Rule” under the GLBA.6 The Safeguards Rule, which applies to any business covered by the GLBA that is “significantly engaged” in providing financial products or services,7 mandates that these businesses develop a written information security program (or WISP) containing the following elements:
• Identification and assessment of the risks to customer information in relevant company operations, and evaluation of the effectiveness of the current safeguards;
• Implementation of safeguards to control the risks identified in the assessment;
• Regular testing and monitoring of the WISP’s effectiveness;
• Oversight of the handling of customer information by service providers and the selection of service providers that can maintain appropriate safeguards;
• Evaluation and adjustment of the program in light of relevant circumstances, including changes in operations or the results of security testing and monitoring; and
• Establishment of procedures to properly dispose of personal information.8, 9
Businesses in the Health Care or Medical Industry