Deriving Due Care Practices from HIPAA and GLBA

Recent years have seen a growing trend of corporations being held accountable for negligent information security practices. In particular, authorities such as the Federal Trade Commission (FTC) and the Attorney General of New York have been actively investigating companies that fail to follow effective security procedures. A number of high-profile cases show how companies are being required to adopt stronger security practices, and the Guess case is a good illustration.

In June 2003, Guess, Incorporated agreed to settle FTC allegations that it had exposed its customers' personal information to well-known hacker attacks, contrary to the company's own assurances. "Consumers are entitled to assume that a business that claims to keep private information safe does exactly what it says," said Howard Beales, director of the Federal Trade Commission's Bureau of Consumer Protection. The settlement required Guess to implement a comprehensive information security program and to have an outside professional certify within one year that the program met or exceeded the standards set forth in the consent decree.

It's a Problem

One reason companies have poor or inconsistent information security practices is the absence of a widely accepted, comprehensive set of security guidelines. Standards bodies such as the U.S. National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) publish security standards that enjoy varying levels of corporate acceptance and use. The Information Systems Security Association (ISSA) has also recognized the need for a globally agreed-upon set of fundamental security principles and is currently working on the Generally Accepted Information Security Principles (GAISP), although the degree to which these principles will be adopted after publication remains to be seen.

The Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule and the Gramm-Leach-Bliley Act (GLBA) Interagency Guidelines are customer privacy laws that define the security practices the healthcare and financial services industries must follow. Organizations subject to these laws that fail to follow the required security procedures not only risk exposing their customers' personal information but also face regulatory penalties and fines. These laws establish information security due care standards: the security practices that must be observed to avoid liability in the healthcare and financial sectors. The companies covered by these laws, however, account for only about 25% of U.S. GDP. Other industries have to rely on their own best judgment in protecting the privacy of their customers, and as the examples above demonstrate, this is clearly not a successful approach.

Most companies want to act ethically and safeguard their customers' personal information, but protecting themselves from legal liability and reputational harm are additional motives for putting appropriate security measures in place. Although most corporate security specialists may believe they know how to safeguard customer information, they may not be confident that they could prove their actions would shield their employer from being held liable. In the absence of a common set of security standards and procedures, many information security professionals are unsure what they can do to protect customer data in a way that reduces their company's legal risk.

A Proposed Solution

The best option for companies that wish to secure the privacy of their customers' information, and to gain some protection from liability in the process, is to follow the security practices required by both HIPAA and GLBA. There are 12 security practices common to both customer privacy laws. By adhering to these 12 practices, businesses will be following the highest standards of information security and may protect themselves from liability. In fact, all of the security requirements spelled out in the resolution of previous cases are among the 12 practices common to HIPAA and GLBA.

What is due care?

Businesses that handle customers' personal data may be in violation of the law without realizing it, as the Guess case demonstrates. This confusion stems in part from the large gaps in computer crime law in the federal criminal code and in the criminal laws of individual states. State and federal criminal statutes have not kept pace with the rapid advances in information technology and so cannot properly address the crimes that result. Companies and information security professionals will therefore find little guidance in statutes and criminal codes on how to avoid accidentally breaching the law when protecting their customers' personal information.

Since there is little guidance for businesses on avoiding civil or criminal liability, or hefty settlements with the FTC, it is important to examine how legal standards were developed in the first place. Legal standards are built around the concept of due care, which is the standard of care that a reasonable person would exercise under the same or similar circumstances. Failure to exercise due care is equivalent to negligence. Businesses that are negligent in their security practices can be liable for fines, lawsuits, and other penalties, while those that exercise due care should generally be shielded from such penalties.

Where to Find Due Care Information Security Best Practices

Businesses looking to learn about proper information security practices need look no further than two of the major federal laws governing the protection of customers' personal information: HIPAA and GLBA. Although both HIPAA and GLBA are more than just privacy laws, each has produced extensive regulatory guidance on the security measures required to protect customer information. The rules for HIPAA are known as the Final Security Rule, and those for GLBA are known as the Interagency Guidelines.

Although some of these rules are industry-specific, there is plenty of overlap between the two. In particular, twelve security practices appear in both the HIPAA Final Security Rule and the GLBA Interagency Guidelines. That the two sets of rules intersect at 12 points is no coincidence: it is a clear signal from the federal government about the standard of care it expects the nation's health care providers and financial institutions to meet. If these standards are the norms of due care required of industries that account for 25% of the nation's GDP and touch a quarter of the country's population, it follows that other sectors will also be expected to meet the same standards.

HIPAA and the GLBA Security Due Care Practices in Common

The 12 security practices common to HIPAA and GLBA are "high-level" practices; neither law prescribes particular technical controls. Some practices are mandatory, while others are required only when a risk assessment performed by the organization determines that the practice is appropriate.

Both the HIPAA Final Security Rule and the GLBA Interagency Guidelines were written to give direction to senior management. How the guidelines are implemented is largely left to the businesses themselves to decide.

The following is a list of the 12 security practices shared by HIPAA and GLBA (please consult the Due Care Practices HIPAA/GLBA Matrix in the Laws and Regulations section of the OpenCSOProject for a more detailed analysis and sources):

  1. Assess and Manage Risk
  2. Assign Security Responsibility
  3. Appropriate Access and Authorization
  4. Security Awareness and Training
  5. Incident Response and Reporting
  6. Disaster Recovery
  7. Security Evaluation
  8. Vendor Contracts
  9. Facility Access Controls
  10. Data Integrity Controls
  11. Encryption
  12. Security Monitoring Procedures

Validation Based on Recent Enforcement Actions

If the businesses involved in the FTC settlement cases mentioned above had followed the 12 practices, they would not have been penalized and their customers' information would have been protected. In the Guess case, the FTC directed Guess to:

  • Designate an employee to coordinate and be accountable for the information security program (HIPAA/GLBA Due Care Practice #2: Assign Security Responsibility);
  • Identify the major internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unintentional disclosure, misuse, loss, alteration, or destruction of that information, and assess the adequacy of the safeguards in place to control those risks. At a minimum, the risk assessment should consider risks in every area of operation (HIPAA/GLBA Due Care Practice #1: Assess and Manage Risk);
  • Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of those safeguards' key controls, systems, and procedures (HIPAA/GLBA Due Care Practice #7: Security Evaluation);
  • Evaluate and adjust the security program in light of the results of that testing and monitoring, of any material changes to its business operations or arrangements, and of any other circumstances that Guess knows or has reason to know may have a material impact on the security of its information (HIPAA/GLBA Due Care Practice #7: Security Evaluation).

All four requirements could have been met by following just three of the 12 HIPAA/GLBA Due Care Practices: Assess and Manage Risk, Assign Security Responsibility, and Security Evaluation. Other settlement cases impose similar requirements, all of which are likewise covered by the HIPAA/GLBA Due Care Practices. It is evident that the security standards stipulated by HIPAA and GLBA form a framework for due care.

Businesses are discovering that they will bear the cost of failing to maintain strong security controls and to protect their customers' personal information. They should be proactive in implementing and sustaining a prudent security program so that they can demonstrate due care. Until a universally accepted set of security guidelines exists, the most effective approach for businesses is to adopt the security practices required by both HIPAA and GLBA.
