The traditional business way of looking at information and cyber security has been focused on a data or record cost basis. Makes sense after all – algorithmic connections between revenue, liability, and data are fairly easily created and central to the processes of many organizations. Likewise, business processes are often built around information and data flows, which makes data significance and location intrinsic to security and risk assessments. The Peters & Associates’ eBook, Defending Your Data Practical Security for Today’s Business, goes into these data security challenges and more.
However, thanks to an update to Illinois’ Personal Information Protection Act (PIPA) by the legislature, a decidedly non-quantitative challenge regarding data risk came into the mix for Illinois organizations on January 1st of 2017.
It is the new “reasonable security measures” standard. Sounds reasonable, right? Let’s hope so.
Here is the actual verbiage in PIPA: “(a) A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.”
One might ask, but who is a “data collector”? I’ll save you the assault of the bill’s verbiage – the list of affected entities ends with…“and any other entity.”
Now that we know any organization in Illinois handling, collecting, disseminating, or otherwise dealing with (yes, that’s bill verbiage also) nonpublic personal information is now held to this “reasonable security measures” standard, one should ask some very simple questions.
What is considered “reasonable”?
Would an organization be seen as reasonably protecting personal information if it has an HR policy instructing employees about protecting the organization’s proprietary information, but not a policy about protecting personal information? How would it look if an organization has processes in place to protect said proprietary information, but no processes for protecting personal information?
If it is reasonable to protect an organization’s information through policies and processes, how then can an organization argue it has reasonable security measures protecting personal information when it does not have in place similar information, IT, and cyber security policies or procedures for personal information?
The answer to a reasonable, ordinary person seems clear – the organization will likely not be seen as being reasonable in its security measures concerning personal information.
One may also ask, what constitutes “measures”?
For highly regulated industries like finance, Governance Risk Compliance (GRC) looms large in information, IT, and cyber security – in ways smaller organizations simply cannot afford. However, that doesn’t mean smaller organizations cannot apply GRC lessons and frameworks – scaled to an appropriate level – in their business. In fact, HB1260 makes doing so practically a requirement.
We are going to focus on only the first one, governance. Governance is the combination of polices and processes established by an organization and reflected in its organizational structure and management that direct it towards achieving specific goals. Or said in a slightly different way, governance determines and drives the measures an organization takes to achieve a goal or set of goals.
So, reasonable measures and reasonable governance go hand-in-hand. It is virtually impossible for an organization to show any reasonable efforts toward any goal, without having the appropriate polices and processes in place. The key word to reasonableness being appropriate.
Peters & Associates has experienced vCISOs who specialize in finding tailored solutions for these kinds of Governance Risk Compliance challenges. We can help your organization fashion an appropriate level of policies and procedures to ensure you meet this new standard.
For help in determining the “reasonable security measures” your organization needs to put in place, please contact us at firstname.lastname@example.org or 630.832.0075.