As headlines continue to report data security breaches at an alarming rate, discussion often focuses on the need for enhanced technical controls, such as two-factor authentication and encryption, to protect sensitive, personally identifiable information. The role of the company employee, both as the cause of, and the first line of defense against, security breaches is often lost in the analysis. Yet developing law is increasingly requiring administrative or procedural controls, particularly those directed at employees, as a component of a legally compliant security program.
Employees can be the source of major threats to a company's data security. They need not be bad actors in order to compromise their company's data security. Often it is the innocent actions of employees (e.g., losing a laptop with key data unprotected or succumbing to a third party's social engineering techniques) that leave a company facing a breach situation. At the same time, employees are key to a company's successful compliance with various legal and administrative requirements involving data security.
A recent survey of the IT departments in 461 U.S. organizations conducted by the Ponemon Institute reported that the average annual cost of managing insider threats to data security is $3.4 million per organization. Further, more than 78 percent of respondents reported one or more unreported insider-related security breaches within their company. Latest Ponemon Institute Study Ties Lack of Awareness in Corner Office to Insider Threat Challenges, available at www.arcsight.com/solutions_insider_threat.htm, Sept. 12, 2006.
Raising the stakes further, a growing number of legal and industry guidelines governing data security are in place across multiple industry sectors, requiring companies to implement data security controls directed at their employees. Failing to satisfy such obligations can leave a company vulnerable to lawsuits filed by third parties as well as enforcement actions by federal and state government agencies.
However, employees need not be viewed as an expensive companion threat to outsiders. Instead, if companies properly focus on key employee-related security controls and implement those controls in a reasoned and responsive manner, employees can be powerful assets to data security. Employees can assist companies with compliance requirements and, at the same time, help serve as an important line of defense from insider and outsider threats.
LEGAL AND INDUSTRY REQUIREMENTS FOR EMPLOYEE CONTROLS
When designing a security program, developing law generally requires that companies address certain categories of security controls. Typically, that list includes employee procedures and controls designed to ensure employee honesty, education and proper job performance, and to prevent employees from compromising system security. The need for such controls is outlined in several federal statutes, regulations, administrative enforcement actions and industry guidelines spanning multiple industry sectors.
Implementing regulations for the Gramm-Leach-Bliley Act (GLB) requires covered financial institutions to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information. That assessment, at a minimum, must include employee training and management. See, e.g., FTC Safeguards Rule, 16 CFR 314.4(b)(1).
Likewise, implementing regulations for the Health Insurance Portability and Accountability Act requires covered entities to take a number of actions regarding employees under the heading of "administrative safeguards." The regulations require covered entities to (among other requirements):
"(1) apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity; (2) identify the security official who is responsible for the development and implementation of the policies and procedures required; (3) implement policies and procedures to ensure that all members of its work force have appropriate access to electronic protected health information and to prevent those members who do not have access from obtaining access to electronic protected health information." HIPAA Security Regulations, 45 CFR 164.308(a)(1)(ii)(C), (a)(2) and (a)(3)(i).
The Purchase Card Industry Data Security Standards (PCI Standards) require companies to "[m]aintain a policy that addresses information security for employees and contractors." Purchase Card Industry Data Security Standards, Version 1.1, Requirement 12. Under PCI Standards Requirement 12, companies must, for example, "develop usage policies for critical employee-facing technologies (such as modems and wireless devices) to define proper use of these technologies for all employees."
The FTC, in an enforcement action against Nationwide Mortgage Group Inc., found that the company violated the GLB Safeguards Rule in part by "stor[ing] customer information on a computer network accessible to all employees" and failing to "train employees on information security issues, or oversee the collection and handling of customer information by its loan officers." In the Matter of Nationwide Mortgage Group, Inc. and John D. Eubank, File No. 042-3104, Docket No. 9319 (FTC 2005).
In a similar GLB Safeguards Rule action brought against Sunbelt Lending Services Inc., the FTC found that Sunbelt failed "to implement reasonable policies and procedures in key areas, such as employee training and appropriate oversight of the security practices of loan officers working from remote locations." In the Matter of Sunbelt Lending Services, Inc., File No. 042-3153 (FTC 2005).
The Federal Financial Institutions Examination Council (FFIEC), a formal interagency body of the five key federal banking regulatory agencies empowered to prescribe uniform principles and standards for the federal examination of financial institutions, has created an IT Examination Handbook for use by examiners when evaluating a financial institution's risk management process. The handbook addresses the requirements for employee security in multiple areas. See Federal Financial Institutions Examination Council IT Examination Handbook, July 2006, available at www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf. Likewise, ISO 17799, an international standard for information security, requires multiple employee-related security controls. See BS ISO/IEC 17799: 2005.
CRITICAL EMPLOYEE-RELATED CONTROLS
In light of the above requirements, companies across a broad array of industry sectors should implement appropriate security controls aimed at the employee. These controls will form part of the foundation of a company's legal compliance effort and will become an integral part of that company's overall information security program. A review of the foregoing regulations, enforcement actions, and standards provides a good overview of best practice requirements likely to apply to any company seeking to satisfy its legal obligations to implement appropriate security. Below is a summary of some of the key employee-focused controls a company should consider.
Pre-hire background checks
Before an employee is hired, companies should consider whether background checks are appropriate, and if so, what information should be verified. For instance, the Handbook requires that all financial institutions, at a minimum, verify the information provided on job applications. Further, depending on the sensitivity of the job at issue and the access level to sensitive data that will be granted, the Handbook recommends a deeper investigation, including background and credit checks. According to the Handbook, the following checks are typically conducted as a matter of course: 1) character references, 2) criminal background checks, 3) confirmation of prior experience and education level and 4) confirmation of identity. Handbook, at p. 71. Likewise, ISO 17799 requires that "background verification checks on all candidates for employment ... [are] carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks." BS ISO/IEC 17799: 2005, at p. 23.
Background checks are an important first line of defense, especially for companies hiring employees that will have high-level access to sensitive data. While every company may not be required to conduct such a check, addressing whether one is necessary is an important consideration.
Comprehensive training and retraining
Once an employee is hired, proper training on the company's security policies and procedures is critical. Such training is an important component to any company's effort to implement reasonable security measures and is a requirement under the GLB Safeguards Rule. FTC Safeguards Rule, 16 CFR 314.4(b)(1). Similarly, the HIPAA regulations require companies to "implement a security awareness and training program for all members of its workforce (including management)." HIPAA Security Regulations, 45 CFR 164.308(a)(5)(i). Further, ISO 17799 requires companies to ensure that employees "are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems" and that they "are provided with guidelines to state security expectations of their role within organization …" BS ISO/IEC 17799: 2005, at p. 25.
Employees should not be hired and simply handed a thick security manual to digest. Instead, the employee should be offered comprehensive education programs that specifically relate to an employee's day-to-day security-related responsibilities. For example, if an employee has high-level access to sensitive data, procedures for accessing that data, processing that data, transferring that data and ultimately closing the access point to that data should be discussed and practiced. Further, employees should be trained on how to handle outsider threats such as social engineering, third party vendors and vulnerable locations such as airports. In addition, training should include a discussion of how to properly handle a breach once it has been discovered. Finally, training should not merely be a first day of work activity. Employees must also be continually retrained as technology and threats to that technology continue to evolve.
Ensuring that employees are contractually subject to appropriate obligations regarding confidentiality, nondisclosure and access to sensitive data, and that they clearly understand those obligations, is another important control. Contracts send a strong message to employees that security is an integral part of a company's operations and that they themselves are being held accountable. A company should consider using contracts that require employees to keep confidential their knowledge of key security information, including passwords and other access codes, remote access procedures and security vulnerabilities.
ISO 17799 recommends that such agreements address: 1) the type of information to be protected; 2) how long that information should be protected; 3) what occurs when the agreement terminates; 4) who will have access to the confidential information; 5) which party owns the confidential information; 6) how the confidential information may be used; and 7) how use of the confidential information can be monitored. ISO/IEC 17799: 2005, at p. 11.
Acceptable-use agreements that limit how an employee may use critical systems, and provide disciplinary consequences for noncompliance, are also important. According to the FFIEC, an acceptable-use policy often includes the following elements: "(1) the specific access devices that can be used to access the network; (2) hardware and software changes the user can make to their access device; (3) the purpose and scope of network activity; (4) network services that can be used and those that cannot be used; (5) information that is allowable and not allowable for transmission, using each allowable service; (6) bans on attempting to break into accounts, crack passwords, or disrupt service; (7) responsibilities for secure operation; and (8) consequences of noncompliance." Handbook, at p. 25.
Access control and monitoring
Proper employee access control limits the accessibility to a particular company asset to only those that require access on a need-to-use or event-by-event basis. According to the PCI standards, systems must be set to "deny all" except for those employees who do have a need-to-use. Purchase Card Industry Data Security Standards, Version 1.1, Requirement 7.2. HIPAA, in general terms, requires companies to implement policies and procedures that appropriately limit access to health information. HIPAA Security Regula-tions, 45 CFR 164.308(a)(3)(i). According to the Handbook, financial institutions should control access by: "(1) assigning users and devices only the access required to perform their required functions; (2) updating access rights based on personnel or system changes; (3) reviewing periodically users' access rights at an appropriate frequency based on the risk to the application or system; and (4) designing appropriate acceptable-use policies and requiring users to agree to them in writing." Handbook, at p. 22.
Monitoring of employee activities also helps to ensure that the access controls are in place and working effectively. ISO 17799 requires companies to monitor their systems and record information security events. Further, ISO 17799 calls for companies to: 1) "[use] operator logs and fault logging … to ensure information system problems are identified;" 2) "comply with all relevant legal requirements applicable to its monitoring and logging activities"; and 3) "[use] system monitoring … to check the effectiveness of controls adopted and to verify conformity to an access policy model." ISO/IEC 17799: 2005, at p. 55. Finally, GLB's regulations also weigh in on access control and monitoring, requiring financial institutions to design information safeguards that regularly test or monitor the effectiveness of security controls, systems and procedures. FTC Safeguards Rule, 16 CFR 314.4(b)(3)(c).
Proper use of remote devices
Employees who work out of the office may utilize devices that if used improperly or left unattended can create significant security threats. For example, employees may travel with laptops or USB hard drives that contain sensitive data available to anybody who picks up the device. Employees may also complete sensitive tasks while utilizing an unsecured home computer. It is important to provide employees with detailed policies and procedures on how to securely use technology outside of the office.
According to ISO 17799, a company's mobile computing policy should include requirements for physical protection, access controls, cryptographic techniques, backups and virus protection. In addition, the policy should include "rules and advice on connecting mobile facilities to networks and guidance on the use of these facilities in public places." ISO/IEC 17799: 2005, at p. 74.
Remote access can also mean that an employee is transferring data over a network connection. A company's remote access policies should address this potential vulnerability. HIPAA specifically addresses this component, requiring entities to implement security measures that guard against unauthorized access to electronically transmitted data. HIPAA Security Regulations, 45 CFR 164.312(e)(1). The handbook requires financial institutions to use strong authentication and encryption methods to secure communications (Handbook, at p. 50), and the PCI Standards require entities to utilize two-factor authentication before employees can gain remote access to systems. Purchase Card Industry Data Security Standards, Version 1.1, Requirement 8.3.
Employee policies should also be in place regarding how to handle the loss of such a device, including how to isolate the data loss to the greatest extent possible and how to properly report the loss.
Should a breach occur, it is important to have rules and procedures in place for employees while reporting and responding to security incidents. Considerations should include: 1) ensuring that the right personnel are notified and available to take action; 2) determining who is responsible for restoring systems and how that will be accomplished (including when it is appropriate to return sensitive data to the network); 3) how to maintain evidence of the breach; 4) how to respond to law enforcement, supervisory agencies, customers, service providers, potential victims, the press and others; and 5) when to involve outside experts. Further, many state laws require companies to report security breaches of a certain magnitude to the public. It is important to analyze these laws in light of the breach and determine whether it is necessary to inform the public.
The Handbook specifically instructs financial institutions to determine: "which personnel have authority to perform what actions in containment of the intrusion and restoration of the systems." Further, the Handbook requires the creation of escalation policies that address when different personnel within an organization will be contacted about a security incident and what their responsibilities will be. Handbook, at pp. 91-92. Moreover, according to ISO 17799:
"A formal information security event reporting procedure should be established, together with an incident response and escalation procedure, setting out the action to be taken on receipt of a report of an information security event. A point of contact should be established for the reporting of information security events. It should be ensured that this point of contact is known throughout the organization, is always available, and is able to provide adequate and timely response. All employees, contractors and third-party users should be made aware of their responsibility to report any information security events as quickly as possible. They should also be aware of the procedure for reporting information security events and the point of contact." ISO/IEC 17799: 2005, at p. 90.
When a company does identify an employee whose conduct has caused or is likely to cause a security issue, the company must take affirmative steps to address the situation, sanction the appropriate employee and move toward a resolution. These steps should include: 1) a thorough investigation of the employee activities at issue, including a look at that employee's past performance and disciplinary history; 2) proper discipline of the employee involved; and 3) retraining of the involved employee (if that employee remains with the company) as well as other employees with similar responsibilities or roles. If an employee is released, that employee should be required to return all company assets in his or her possession.
According to the HIPAA security regulations, entities must apply appropriate sanctions against employees that fail to comply with security policies and procedures. HIPAA Security Regulations, 45 CFR 164. 308(a)(1)(ii)(C). Further, ISO 17799 states that breaches should be a source of learning for companies and an occasion to implement policies and procedures that absorbs lessons-learned to address recurring or high-impact security incidents. ISO/IEC 17799: 2005, at p. 93.
BUILDING A CULTURE OF SECURITY
Finally, in light of all the evolving legal requirements and technological threats to security discussed above, it is important for companies to ground security in the culture of their organization. This begins with the training process, but also requires an ongoing emphasis on the importance of security.