Can You Make the PIPA Compliance Cut?

The traditional business way of looking at information and cyber security has been focused on a data or record cost basis. Makes sense after all – algorithmic connections between revenue, liability, and data are fairly easily created and central to the processes of many organizations. Likewise, business processes are often built around information and data flows, which makes data significance and location intrinsic to security and risk assessments. The Peters & Associates’ eBook, Defending Your Data: Practical Security for Today’s Business, goes into these data security challenges and more.

However, thanks to an update to Illinois’ Personal Information Protection Act (PIPA) by the legislature, a decidedly non-quantitative challenge regarding data risk came into the mix for Illinois organizations on January 1st of 2017.

It is the new “reasonable security measures” standard.  Sounds reasonable, right?  Let’s hope so.

Here is the actual verbiage in PIPA: “(a) A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.”

One might ask, but who is a “data collector”?  I’ll save you the assault of the bill’s verbiage – the list of affected entities ends with…“and any other entity.”

Now that we know any organization in Illinois handling, collecting, disseminating, or otherwise dealing with (yes, that’s bill verbiage also) nonpublic personal information is held to this “reasonable security measures” standard, one should ask some very simple questions.

What is considered “reasonable”?

Would an organization be seen as reasonably protecting personal information if it has an HR policy instructing employees about protecting the organization’s proprietary information, but not a policy about protecting personal information?  How would it look if an organization has processes in place to protect said proprietary information, but no processes for protecting personal information?

If it is reasonable to protect an organization’s information through policies and processes, how then can an organization argue it has reasonable security measures protecting personal information when it does not have in place similar information, IT, and cyber security policies or procedures for personal information?

The answer to a reasonable, ordinary person seems clear – the organization will likely not be seen as being reasonable in its security measures concerning personal information.

One may also ask, what constitutes “measures”?

For highly regulated industries like finance, Governance Risk Compliance (GRC) looms large in information, IT, and cyber security – in ways smaller organizations simply cannot afford.   However, that doesn’t mean smaller organizations cannot apply GRC lessons and frameworks – scaled to an appropriate level – in their business.  In fact, HB1260 makes doing so practically a requirement.

We are going to focus on only the first one, governance. Governance is the combination of policies and processes established by an organization and reflected in its organizational structure and management that direct it towards achieving specific goals. Or, said in a slightly different way, governance determines and drives the measures an organization takes to achieve a goal or set of goals.

So, reasonable measures and reasonable governance go hand-in-hand. It is virtually impossible for an organization to show any reasonable efforts toward any goal without having the appropriate policies and processes in place. The key word for reasonableness is appropriate.

Peters & Associates has experienced vCISOs who specialize in finding tailored solutions for these kinds of Governance Risk Compliance challenges.  We can help your organization fashion an appropriate level of policies and procedures to ensure you meet this new standard.

For help in determining the “reasonable security measures” your organization needs to put in place, please contact us at info@peters.com or 630.832.0075.

2017-05-07T07:26:49+00:00 | April 19th, 2017 | IT Security Solutions

About the Author:

Joe’s career in information, operations, and cyber security began over twenty years ago as a military information and computer systems security manager, well before cybersecurity, as it is known today, existed. In addition to his cybersecurity experience, his information systems experience includes leadership and senior management, at the executive PMO level, of large enterprise transitions and lifecycle support operations, and B2B platform and web-portal development from both the technical and business development side. His approach to helping organizations with their cybersecurity, information, and operational risk management challenges focuses on actionable risk management strategies and the application of technology at the strategic and operational level through scalable architecture, standards, and controls. His broad experience supporting clients includes both the private and public sector and extends across a spectrum of business roles and activities, including operations, IT services, standardization, training, education, and safety.