Due Diligence on IT Security

Most organizations are required by laws, regulations, contracts or the marketplace to have established internal controls that support the transparency of their financial statements and/or the privacy and security of sensitive information. This information includes customer and employee financial and medical information (sometimes called "personal information"), as well as company trade secrets that are transmitted and stored through paper and electronic means.

To the extent that an organization outsources business processes involving personal information, it probably is required by laws, regulations and/or contracts to exercise due diligence and oversight prior to and during engagements with service providers. Moreover, the pace with which these new requirements are being imposed is accelerating.

The drivers behind the explosion of new requirements are:

• Proliferating worldwide laws and regulations created in response to consumer and government concerns about identity theft and the privacy and security of personal information

• The complexity of global organizations due to outsourcing

• An ever-increasing emphasis on the value of intangible information assets and such valuation's impact on financial statements and accurate risk management

• New and faster technologies to transmit, store and share information

• The often brutal competition in the global marketplace and concomitant pressure to reduce costs.

These drivers are discussed below, and recommendations are offered to help an organization reduce compliance costs and potentially optimize its use of information technology.

Worldwide Laws and Regulations

New, more prescriptive laws and regulations affording greater protection to personal information are based on the very real threats posed by identity thieves, scam artists and crooks who are stealing credit- and debit-card numbers, health plan data, bank account information and the like that reside in disparate databases and are transmitted over the Internet. Unfortunately, personal information often is compromised because basic information security controls, such as strong passwords, encryption and up-to-date anti-virus software, are not in place, or because the resources and sophistication of cyber-criminals often seriously exceed those of the public and private sectors.

While the estimated costs of breaches are difficult to calculate, studies indicate that they are significant. For example, a 2005 study estimated that identity theft cost U.S. businesses and consumers $56.6 billion a year.

There are hundreds of international, federal and state laws and regulations that address the privacy and security of personal and other information. However, the two federal agencies with privacy and security laws that impact most U.S. organizations are the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC).

The HHS is pushing the health care industry to use electronic medical records (EMRs), health information exchanges (HIEs) and health information technology (HIT) to improve health care and reduce costs. Organizations that have health plans are affected by the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA), and they could potentially benefit from the use of EMRs, HIEs and HIT if health care costs are reduced.

The FTC is the consumer watchdog agency that oversees a number of federal laws and regulations that protect personal information from inappropriate use or disclosure, enforce implicit and explicit privacy and security promises of organizations to consumers, and restrict how credit information may be used and disclosed. Both the HHS and the FTC have been busy on a number of fronts in 2008, including the following:

• The FTC announced a settlement with TJX Companies, parent of TJ Maxx, whose breach compromised as many as 100 million credit- and debit-payment card numbers. The settlement, which includes FTC oversight of TJX's security plan for a 20-year period, is in addition to other costs, charge-offs and outlays estimated to exceed $100 million.

• The FTC introduced the "Red Flags Rule" (meant to address red flags that are indicators of identity theft), which will go into effect on May 1, 2009. It requires creditors (and financial institutions, through their applicable regulatory agencies, with a Nov. 1, 2008, date) to have identity-theft-prevention programs in place. The Red Flags Rule also requires board of directors and senior management oversight of these programs, as well as company oversight of third-party service providers.

• The HHS stepped up enforcement of the HIPAA security regulations that require security controls to protect electronic protected health information. Additionally, it is moving from a solely complaints-driven process to one that is also proactive.

• Different HHS entities are providing guidance and proposals that advance the use of EMRs, HIEs and HIT by the health care industry, and address related functionality, interoperability, and privacy and security issues.

In 2008, certain states expanded the scope of information security breach notification laws (in effect in 44 states, the District of Columbia, Puerto Rico and the Virgin Islands) to include not only financial and other identifying information, but also medical information, as well as requiring notification in case of a breach when such information is unencrypted. Other states are now or will be requiring that certain personal information be encrypted.

Outsourcing

Flexibility in new IT and the prospect of lower costs are drivers for outsourcing. Many organizations outsource noncore job functions and processes, both domestically and offshore.

However, a number of significant security breaches have involved service providers, including that of third-party payment processor CardSystems Solutions, at which an estimated 40 million credit- and debit-payment card numbers were compromised because of a failure to secure its network. Also, ChoicePoint, a data aggregation firm, was the victim of a security breach after it unwittingly sold the personal information of almost 145,000 people to a criminal enterprise. Because of these and similar breaches, regulators are increasingly requiring organizations to exercise due diligence prior to engaging a service provider and to provide oversight thereafter.

Value of Information Assets

Organizations are relying increasingly on intangible, knowledge-based information assets to operate. Smokestack industries, too, use information assets and their technology backbone to provide accurate, just-in-time inventory needs, and to connect and share information with customers, suppliers and others through extranets, intranets and the Internet.

Indeed, valuable data and economic intelligence often come from numerous and sundry databases. To accurately reflect risk and allocate proper resources to protect assets, an understanding and accurate valuation of intangible, knowledge-based information assets are key.

New and Faster Technologies

Information no longer just sits behind protected stationary boundaries. It also resides in laptops, thumb drives, portable devices and the like, and it may be transferred instantaneously around the world. As new, faster technology becomes available, organizations are under pressure to adopt the technology to remain competitive. However, without comprehensive risk management, including a formal change control process that meets an organization's legal, regulatory and contractual privacy and security obligations, introduction of new and faster technologies will be problematic.

Competition

There are very few industries that are not under pressure to reduce costs to remain competitive, and there are a limited number of ways to do that. Many companies outsource, and some realize significant cost savings. However, outsourcing brings increased complexity, which, in turn, introduces risk.

For organizations to efficiently and cost-effectively meet their legal, regulatory and contractual obligations; realize the benefits of outsourcing; provide a more accurate valuation and identification of information assets; adopt new and faster technologies; and be competitive, they should consider taking the following steps.

1. Ensure boards of directors and senior management provide oversight and involvement in safeguarding information assets such as personal information and trade secrets. Information privacy and security are governance issues and are required by laws, regulations and/or contracts. The job of the IT department is to put appropriate controls in place that enforce senior management's privacy and security directives.

2. Use and integrate required and appropriate information technology and information security management frameworks and standards, thereby meeting legal, regulatory and contractual privacy and security requirements. This introduces standardization, reduces duplicative compliance efforts and may also serve to reduce costs when technology is used to enable compliance with other laws.

3. Integrate information technology and information security management frameworks and standards into quality, process improvement and similar programs. These programs include the Malcolm Baldrige Criteria for Performance Excellence, Six Sigma, Balanced Scorecard and/or Lean Manufacturing. Organizations that effectively do this should not only save money; they also should increase profits and, potentially, optimize their systems in order to become leaders in their industries.

Betty K. Steele is of counsel with Baker Donelson. She concentrates her practice on technology, information privacy and security, corporate governance and international law. She is a Certified Information Systems Security Professional (CISSP) and has extensive experience in information privacy and security, corporate compliance planning and training, mergers and acquisitions, and international transactional, regulatory and tax law.