Info Law Group : Technology Lawyers & Attorneys : Information Law Group : Privacy, Security & Intellectual Property Law

Colorado HB 11-1225 – An Information Security Carrot

Regulation is achieved via the “carrot” or the “stick” (and sometimes both). This is true in the information security context as well. For example, to incentivize encryption of personal information, breach notice laws use a stick: those that fail to encrypt may have to provide notice to affected individuals in the event of a security breach. In the credit card breach context, a Washington state law provides banks with a stick (e.g. the right to seek fraud and reissuance expenses from breached merchants), but also provides those merchants with a shield to block that stick (e.g. validation of PCI compliance blocks a bank’s ability to recover). In HB 11-1225, Colorado state legislator, Dan Pabon, apparently wants to give the carrot a chance. In the process, I am told that part of the goal is to make Colorado the “Delaware” of data storage. Here is how it works.

Immunity from Liability. Under HB 11-1225, if certain conditions are met (discussed below) a person or entity operating in Colorado that owns, licenses or maintains computerized data that includes “personal information” shall not be liable for civil damages resulting from a breach of data security due to its acts or omissions that are in good faith, and not grossly negligent or willful and wonton.  So essentially, this would provide immunity from negligence claims. In order to receive this protection, two conditions must be satisfied: (1) the breach must have been caused by an unauthorized third party, or an employee or agent acting outside the scope of his employment; and (2) the person or entity must have been certified by a “qualified information technology auditor or assessor” as having used “best practices of data security and meeting information technology standards” established by an authorized state entity.

Rebuttable Presumption of Non-Negligence. Even if a breached organization has not been certified as compliant with best practices/information technology standards, it can achieve certain protections under the bill. In court, an organization can establish a rebuttable presumption that it was not negligent if it can produce evidence that the organization implemented best practices and was compliant with technology security standards established pursuant to the bill.

Consumers’ Right to Petition Court for Subpoena. The bill provides persons whose personal information was compromised or who are victims of a computer crime, to seek a petition from a court impelling the breached organization or any third party to produce “any” information concerning the unauthorized access to personal information or the computer crime. This information may be obtained in order to facilitate the detection, apprehension and prosecution of the computer crime or breach.

Key Definitions. “Personal information” as defined under the bill is broader than definitions in most breach notice laws. One defined category of personal information is information that can be used, alone or in conjunction with any other information, to obtain cash, credit, property, services, or any other thing of value, or to make a financial payment, including personal identification number, credit card number, banking card number, checking account number, etc. Personal information is also defined as information that can be used, alone or in conjunction with other information, to identify a specific individual, including name, date of birth, social security number, government ID, passport number, etc.

In order to be a “qualified information technology auditor or assessor” one must be certified by a nationally recognized organization or association as having expertise in data security, and cannot have any convictions involving moral turpitude offenses. The bill indicates that the CIO of the State of Colorado is required to establish an entity to maintain a list of the nationally recognized IT associations that may certify a person’s qualifications in data security systems for purposes of the bill.

Establishing Best Practices and Information Technology Security Standards. One of the key challenges for implementing this HB 11-1225 (should it become law in its current form) is going to be the establishment of best practices and IT security standards. On this issue the bill requires the CIO of the State of Colorado to create an “entity” to establish these best practices and standards for commercial entities and persons that own, license or maintain computerized data that includes personal information. The bill does not provide additional guidance as to how those best practices shall be determined, or whether there will be one set of best practices that will apply to all entities (regardless of size, complexity or resources).

Analysis and Observations

Novel approaches to information security and privacy legislation are, of course, welcomed. The questions remain, however. Will it work? Will it pass? Unclear at this point. Below are a few observations pertaining to these questions.

• Does a duty exist to safeguard personal information under common law negligence principles? Surprisingly, at this point we have very little case law directly on point that delves into this issue. However, a recent Illinois appellate court recently ruled that a common law duty to safeguard personal information did not exist. In contrast, we are aware of cases that did find a duty to secure personal information, but both were in the banking context and were arguably based mainly on the expectations that arise in that context (e.g. banking customers are specifically providing their money to banks for safeguarding, among other reasons). If indeed, no case law establishing such a duty exists in Colorado, the question becomes whether the existence of a law providing immunity for negligence implies that the duty exists. Worse (from the company point of view), it is possible that the best practices established under the bill could end up establishing a standard of care, in and of themselves (where one may arguably not exist).

• Even if such a duty does exist, do the “good faith” and “gross negligence “exceptions” effectively eat the immunity? In the wake of a data breach where a plaintiff’s attorney has filed a lawsuit, you can bet that any and all potential theories of liability will be alleged. That of course may include allegations of gross negligence and “bad faith.” One of the benefits of HB 11-1225, assuming only a negligence claim is alleged, would be the ability of defendants to have lawsuits dismissed early, perhaps in a motion to dismiss or motion for summary judgment phase. However, if gross negligence, bad faith or other non-negligence claims are alleged, the plaintiff may have a better chance to get past early motions to dismiss. If that is the case, plaintiffs will still have litigation leverage (regardless of whether they have a truly winning case).  In fact, we are aware of one case in Federal court in Michigan that allowed a case to go to trial based on the issue of "good faith" behavior in the context of security. These “exceptions,” therefore, could undermine the effectiveness of the immunity granted in HB 11-1225. Of course, much more research is necessary to look into these issues.

• Is the jurisdictional scope of the immunity too narrow? At this stage in the game a large percentage of companies, big and small, conduct business with residents of more than one state (and in many cases all 50 states), and even with people residing outside of the United States. While HB 11-1225 may provide immunity from negligence claims for cases contained in Colorado, it may not help with lawsuits, for example, filed in other jurisdictions or Federal court where Colorado law is not the choice of law. So, if the goal of the law is to become the "Delaware of data storage", it may not be effective to shield companies that deal with personal information from non-Colorado states.  That all said,  there may be jurisdictional arguments that would preclude plaintiffs residing in other states from pursuing a company storing data in Colorado (although making and prevailing in such arguments in court can be an expensive process in and of itself). In addition, a choice of law provision in contracts with out-of-state counter parties might also do the trick to keep the immunity intact.

• Can the “entity” established by the State actually establish best practices that can work universally and result in good security? Legislating security controls is not an easy task. Two general approaches are used typically. One approach does not require specific controls, but rather mandates “reasonable” “adequate” “comprehensive” or “appropriate” security. The other method is more prescriptive in its approach, and seeks to require specific controls that certain entities must implement (e.g. Massachusett’s and Nevada’s personal information security laws). The risk of a prescriptive approach is the “check list” mentality whereby organizations simply address the specific requirements and don’t actually worry about truly securing themselves (this is a criticism of PCI, the ultimate prescriptive standard). However, even those taking a prescriptive approach may reference various risk factors that relate to the sensitivity of the data and the size, complexity and resources of the company trying to comply. The challenge for the entity developing these best practices is to provide enough clarity/certainty so companies have confidence that they are truly in the safe harbor, and yet to provide enough flexibility to allow companies of all shapes and sizes to get into the safe harbor in a relatively cost-efficient and realistic fashion. The failure to solve this problem could undermine the efficacy of the legislation if it is perceived to be unfair or discriminatory to small and medium-sized businesses who may have neither the expertise nor resources to implement a highly prescriptive set of controls.
   
• A Shift of Liability to the Auditors? On the one hand, this bill may serve as a business bonanza for IT security auditors who are called into validate compliance with the best practices laid out by the act. On the other hand, a mistake in validating the compliance of a company that suffers a breach could potentially lead to a lawsuit against not only the breached company, but the auditor as well. While a third party affected individual may have difficulty holding an IT security auditor liable without a contract, precedent may exist by analogy to accountants. Moreover, there is at least one known case (Merrick Bank v. Savvis) where an IT assessor (in this case a payment card security assessor) was sued by a party that allegedly relied on its compliance findings. So, from a “passability” point of view, does the IT security assessment community get on board or do they demand some of their own immunity in exchange for supporting this bill?

Conclusion

Overall, Representative Pabon’s bill represents a very interesting approach to data security regulation, and we applaud his efforts and creativity. There may be some hurdles to overcome to see this passed, and a vigorous debate on its mechanics is necessary. We will keep you up to date on its progress.
 

In contracting for IT services, it’s tempting to simply refer to an information security standard and perhaps require a warranty or third-party certification. But that is sometimes overkill, given the nature of the data and risks involved in the project. And in any event, the customer needs to know if the warranty or certification actually covers the measures that the customer would take itself to protect its business and manage its compliance and liability risks.

One Size Does Not Fit All

It is significant that information security laws and standards typically require a risk-based assessment of threats, harm, and mitigation measures, rather than prescribing, for example, a specific form of encryption for all protected data.

This suggests that customers and vendors should be realistic about assessing what the customer legitimately requires in the way of security for a particular project or application. We have seen outsourcing and cloud services contracts where the vendor’s standard contract offers only “reasonable and appropriate” security measures, with no details and no mention of who does what (and at whose expense) in the event of a suspected security breach. When you use free web apps to publish the schedule for your kid’s soccer team, you can live with terms of service that include the phrases “as is” and “as available.” An organization might need only minimal security and service level guarantees for a wiki or social networking application designed to facilitate online brainstorming, or for a software development “sandbox.” But if the outsourcing or cloud vendor is handling highly confidential information or mission-critical transactions, the customer should insist on stronger assurances and specify any particular compliance requirements for relevant functions such as processing credit card details, Social Security numbers, electronic health records, or HR data transferred from Europe. If the vendor cannot or will not offer sufficient details or assurances, the customer should look elsewhere, because the customer’s business, liability, and reputation are at stake.

Some large customers take this too far, however, routinely demanding security certifications that may add considerably to the cost of the contract or eliminate many potential vendors, in circumstances where there is little actual risk. I was recently involved in a contract for a software implementation project that entailed creating a specialized organizational database including photos and business contact information of the customer’s relevant personnel. Because the vendor would be required to work with some form of personal data (none of it sensitive or subject to personal information security or breach notice laws), the customer insisted, at the last minute, on including its “standard” personal information security annex. This included a provision for control by the customer, and indemnification by the vendor, in the event of a security breach involving the personal data. That makes some sense, since the customer, in the end, will be held accountable. The vendor was not concerned about this provision, however, since it would not be handling data covered by personal information security laws. But the annex also required the vendor to produce a SAS 70 Type II certificate, as well as a third-party certification of conformance to the ISO 27002 standard. These typically require tens of thousands of dollars and at least six months to obtain. A BPO vendor serving the financial services or government markets might already have this in place, but not a small firm of specialized IT consultants. In this case, it turned out that the cost of complying with these requirements would have exceeded the value of the contract. And all this to protect publicity photos and business contact details?

When conducting due diligence and contracting with an IT vendor, the customer should focus on the sensitivity of the data and functions at issue and then satisfy itself that the vendor will meet the classic “CIA” requirements for information security: confidentiality, integrity, and availability. Where those requirements are linked to legal standards, such as HIPAA compliance or contractual PCI-DSS obligations, the customer should call those out in the contract and make sure the vendor has the capability and commitment to meet them.

Information Security Standards and Certifications

There are some very specific published standards for security measures and devices, usually in areas where interoperability is required, such as chip cards, point-of-sale terminals, and WiFi. But customers are usually concerned more generally with a vendor’s security controls and procedures, and those are addressed in several widely used standards. These are typically risk-based, procedural approaches, essentially providing a checklist of issues and considerations that the organization is to take into account in selecting and monitoring security measures.

If a vendor asserts that it uses one of these security frameworks or standards, it indicates a level of awareness and sophistication about assessing security risks and implementing appropriate measures. But it does not reveal what measures the vendor has chosen to adopt, nor its track record in actually securing customer data. Customers should consider asking in addition for the vendor’s written information security policy or policies, and for contracts involving sensitive processing customers might ask as well for audit results or third-party certification.

Prompted by the focus on internal controls for financial reporting under the Sarbanes-Oxley Act (SOX), publicly traded companies in the US often employ CobiT, Control Objectives for Information and Related Technology, a standard framework for IT governance and information management controls published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA) . A vendor might refer to its use of the CobiT framework, but this offers little specific assurance about how the company secures customer data, and so it is generally not a sufficient point of reference for an IT contract.

US federal agencies are required under FISMA (the Federal Information Security Management Act of 2002) to refer to security standards and guidelines published by the National Institute of Standards and Technology in designing information systems and procuring IT services. Some of this guidance is general and largely procedural, prominently FIPS 200 (“Minimum Security Requirements for Federal Information and Information Systems”) and NIST Special Publication SP 800-53, "Recommended Security Controls for Federal Information Systems". Many government contracts refer to FIPS 200 and SP 800-53, as well as to more specific NIST guidelines on particular applications such as laptop security, voice over internet services, and secure data deletion. Some vendors familiar with the government market refer to relevant FIPS standards in their private-sector contracts as well. This can offer a high level of assurance to customers with relevant security needs.

Internationally, the most commonly referenced information security management standard is ISO 27002 (formerly ISO 17799), which has evolved from the BS 7799 standard developed by the UK government in the 1990s. ISO/IEC 27002:2005 (which can be purchased from ISO) is a code of best-practice recommendations for information security management. It contains recommended information security controls and objectives in twelve areas (risk assessment, security policy, security organization, IT asset management, HR security, physical and environmental security, communications and operations management, access controls, information systems acquisition and maintenance, business continuity, and compliance with relevant laws and policies). A contractual reference to ISO 27002 helps ensure that the vendor is aware of security management issues, but it does not indicate exactly what the vendor does to secure customer data or systems. Moreover, since it is a compilation of best practices rather than a statement of mandatory control procedures, ISO 27002, on its own, does not lend itself to certification or audit.

In circumstances where the customer requires greater assurance through third-party verification of security measures, the customer should consider requiring a certification of compliance with ISO 27001, which states management control requirements for information security management systems. ISO 27001 requires management to systematically assess the organization’s security risks and impacts, design and implement security controls to address unacceptable risks, and adopt management procedures to review and revise those controls over time. When an organization self-certifies compliance with ISO 27001, or obtains certification from a third party, it normally refers as well to ISO 27002, because that provides implementation guidance for the selected controls. Certification under ISO 27001 is typically a three-stage process of initial review of applicable systems and policies, a detailed compliance audit of the organization’s Information Security Management System (ISMS), and periodic (usually annual) reviews. In many countries, third-party certifications are provided by “accredited registrars” or “accredited certification bodies” recognized by a government-authorized accrediting body. In the US, the typical practice is to retain an information security consultant to conduct a security audit with reference to ISO 27001 and 27002. References to ISO 27001 / 27002 are common in international service contracts, although costly and time-consuming third-party certification is required in the minority of cases. ISO 27001 / 27002 seems to be catching on in the US as well, although it is still rare to see US contractual requirements for certification of compliance with ISO 27001.

The relatively new ISO 27005 (derived from BS 7799-3) deals specifically with security risk management in the outsourcing context. This is mostly seen in UK contracts so far, but it is becoming familiar among major outsourcing vendors in India, South Africa, and Jamaica.

In the regulated financial services industries in the US, it is common to require vendors to submit a SAS 70 service provider audit (AICPA Statement on Accounting Standards No. 70: Service Organizations). This usually addresses preventive and detective internal security controls, as well as business continuity. The SAS 70 Type II audit requires an evaluation of the effectiveness of security controls over the review period, usually six or twelve months. The equivalent in the UK is the AAF 01/06 "assurance report" (replacing FRAG 21/94) on internal controls for outsourced service providers. Similar forms for the assessment of service providers’ internal controls are published by the accounting and audit professional associations in Australia (Auditing Guidance Statement 1042 - Reporting on Control Procedures at Outsourcing Entities), Canada (CICA Handbook Assurance and Related Services 5900), Hong Kong (HKCPA Statements Auditing Practice Note 860.2), and Japan (Audit Standards Committee Report No. 18).

Traditionally required by bank and insurance regulators to control risks in outsourcing material operations to a service provider, the SAS 70 and its foreign equivalents are now sometimes used outside the financial sector, because it is an established method for obtaining third-party certification of security controls. The SAS 70 is most meaningful when the auditor tests control procedures based on a specified security framework or standard, such as ISO 27001 / 27001, CobiT, ITIL, BITS (banking industry standards), FIPS 200, or the AICPA Trust Principles, as well as on the organization’s written security policies.

For payment card data, banks and merchants must comply with the payment card industry’s global PCI DSS standard, and that should be referenced in any contract with a vendor handling such data. Where the customer needs stricter assurances, the contract can require submission of a PCI DSS Self-Assessment Questionnaire (SAQ) or a compliance assessment by a Qualified Security Assessor (QSA). (The PCI DSS standard requires independent QSA assessments for organizations handling more than a specified number of payment card transactions, while others need only prepare an SAQ.) Customers that are themselves required to obtain a periodic QSA assessment should require their relevant vendors to provide such an assessment, or participate in one conducted by the customer.

The Bottom Line

Customers and vendors need to be clear about security responsibilities. In many cases, this is facilitated by a reference to standards, but due diligence and contract drafting should not end there. Such references almost always need to be supplemented with specific requirements and policies concerning security measures for the particular kinds of data that the customer needs to protect, with express reference to any controlling laws or industry standards. Where the customer has especially sensitive or legally protected data, it should also consider contractual audit rights or a provision requiring the submission of a third-party certification or assessment of the vendor’s information security controls.