Introduction
Rapid technological advancement and globalization have entailed new challenges in organizational information security management. The level of data collection and sharing across various media has drastically increased. Moreover, new technologies allow public and private enterprises and institutions to process personal information at the largest scale than ever to pursue their own goals. The given developmental trends are associated with major risks of confidential data breaches, which can violate a natural person’s rights for the protection of personal data. Multiple national and international regulations and standards are created to address this problem. All organizations are expected to abide by laws requiring them to ensure a sufficient degree of data protection enacted at both state-wide and nation-wide levels and to follow recommendations outlined in international managerial guidelines and standards. Considering this, the present paper aims to evaluate the significance of the regulatory aspect of organizational information protection endeavors and identify the extent to which they may facilitate or hinder the work of security managers. To attain the formulated objectives, the review of state, national, and international regulations and standards, as well as recent literature findings, will be performed.
Levels of Information Security Management
Data security measures as such can be divided into three major levels: legal, organizational, and technological. It is possible to say that laws and regulations form the basis of data protection: they ensure compliance with state standards in the field of information protection and include such elements as copyright, decrees, patents, and job descriptions. It is valid to say that a well-built security system, which takes into account all relevant laws and policies, does not violate user rights and data processing standards. Thus, the significant effect of the legal component of data protection management on the organizational-level procedures cannot be underestimated. National laws and standards directly affect the formulation of rules for confidential information processing, staff recruitment, overall work with documentation and data carriers, design of access control protocols, etc. within a company. In their turn, these organizational information protection practices become realized at the technological level of security management through programs, cryptographic protocols, and so on.
U.S. Laws on Protection of Personal Data
A lot of companies nowadays deal with the personal information of their customers and employees. Overall, personal data can be defined as any information directly or indirectly related to a personal data subject, i.e., a person who shared this information with a company or another individual (i.e., data controllers). Organizations are obliged to follow certain rules linked to secure data processing to minimize possible harm to individual identity, financial status, and so on. However, at the current moment in the United States, no comprehensive federal laws are regulating personal data processing. Most of the active national laws, such as the Federal Trade Commission Act, the Health Insurance Portability and Accountability Act, the Financial Services Modernization Act, and others, apply to certain types of data and spheres, e.g., medical, financial, personal data in telemarketing, and so on.
Based on the observations provided above, it is possible to say that the application of different national laws and standards to organizational operations in terms of data storing and processing to a distinct extent depends on the type of information used by an organization, its sphere of performance, etc. In some cases, security managers and personnel, in general, have to abide by some stricter and specialized rules. For instance, in governmental organizations, a small number of employees may deal with classified data related to the field of national security, e.g., information on measures against terrorism.
Safeguarding of the classified information is guided by Executive Order 12958 that outlines specific procedures, which an organization should follow, including determination of authorized personnel, the establishment of uniform protocols for prevention of unauthorized access, an update of automatic distribution mechanisms, as well as sanctions imposed in case inefficient security measures are identified (U.S. National Archives and Records Administration 2016). Overall, the law guides the organization in the arrangement of data security protection in a way that avoids causing harm to relevant stakeholders due to inappropriate handling of information, and when speaking about classified governmental information, the stakeholder group may include the nation as a whole. At the same time, explicitly open organizations may face no security risks because they store and process only highly accessible mass information. Nevertheless, in the majority of contexts, the illegal access is associated with multiple risks.
At the same time, some state laws address the issue of data security with greater scrutiny than the federal ones. Some of them are reactive. For instance, California Civil Code §1798.82 requires owners of electronic confidential data to disclose any breach of the security to individuals whose computerized personal information was received by an unauthorized person (Jolly 2017). Also, a limited number of active state regulations can be prescriptive and preventive, e.g., the Massachusetts Regulation (201 CMR 17.00): a comprehensive law outlining a detailed list of administrative procedures and technical security protocols aimed to avoid security breaches (Jolly 2017). It is possible to say that compared to reactive regulations, such comprehensive preventive laws assist security managers in developing organizational information protection architectures and description of information security programs much better than reactive, fragmented, and industry-specific regulations by guiding them through these processes.
Security Threats and Regulatory Capacity to Tackle Them
In general, the laws on data privacy requires organizations, which have access to personal data, to not disclose it to third parties without the consent of a personal data subject. It means that any operator of personal data must ensure a sufficient level of security and confidentiality. Overall, to apply the best data protection measures, not only should security managers assess threats to information security, but also evaluate possible damages in advance. This recommendation is included in various international standards for data protection, i.e., ISO/IEC 27002:2013. It means that the organization must identify what to protect, what types of threats (internal or external) it faces, and what methods can be considered more effective in mitigating those threats.
First of all, to ensure the security and confidentiality of information, it is necessary to determine what types of media are used to process it, and what level of access (open or closed) is associated with those media. The types of data carriers can be as follows: print media, electronic and web-based sources, corporate telecommunications equipment, documents, software, and so on. Distinct types of data carriers are associated with different kinds of security threats to confidentiality and integrity of personal and organizational information. Secondly, security managers should take into account distinct types of confidential data, which can include either technical information (e.g., passwords and usernames, etc.) or subject information (i.e., actual information vulnerable to security threats). The protection of technical information can be especially challenging in the context of growing data synchronization where employees request access to data on multiple devices (Mallery 2013). Along with this, Mallery (2013) states that the trend for storing and sharing data online, in cloud-based and similar commercial services, raises some additional privacy and confidentiality issues because, in this case, a company provides access to almost a limitless amount of data to third parties, i.e., service providers.
It is worth noticing that even if the information is stored in a computer or intended for computer use, threats to its confidentiality may be non-technical. One of such threats, which is often difficult to be defended from, is attributed to abuse of authority. For instance, within multiple security systems, a privileged user (e.g., a system administrator) can read any (unencrypted) file, access the mail of any user, etc. Additionally, service engineers usually get unlimited access to the equipment and are capable of bypassing the software protection mechanisms.
It is possible to say that the U.S. federal and state breach notification laws do not significantly help companies mitigate the mentioned information security risks as they primarily aim to alleviate the adverse consequences of breaches post-factum. The major problem is that active U.S. preventive and reactive regulations may do not apply to all industries and states. Moreover, as stated by Guffin (2012), the lack of comprehensive and unified regulation of information security issues often results in the situation when different (and often conflicting) federal and state regulations can relate to the same legal incidents. Such overlaps may significantly complicate the organizational compliance with laws.
At the same time, it is implied that noncompliance with legal regulations and laws on data protection entails threats to information security, which, in turn, can lead to multiple adverse consequences for both data subjects and data controllers including the imposition of various punitive actions and sanctions. Along with this, security managers in organizations can refer to national and international standards and guidelines, such as “Start with Security: A Guide for Business” by the Federal Trade Commission, as well as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) standards. The given documents usually comprise a list of best security practices, both administrative and technical. However, compliance with them does not exempt companies from legal obligations.
Although it is not mandatory for enterprises to follow the standards, the referral to them may provide multiple benefits for them. First of all, standards and managerial specifications are developed based on the accumulated experience and knowledge, primarily related to procedural and program-technical levels of information security. Such documents list approved, high-quality solutions and methodologies formulated by the most qualified specialists. Secondly, compared to laws, such standards as ISO/IEC 27002:2013 aim to reconcile different points of view including perspectives of both data controllers and data subjects. Thus, standards may provide security managers with information about effective mechanisms for productive and beneficial interaction among all involved parties.
As it was already mentioned above, the availability of a comprehensive law on information protection across multiple industries and organizations can largely facilitate the establishment of corporate information security systems. The General Data Protection Regulation enacted in the European Union in 2016 is a bright example of such unified legislation. Not only does this law aim to ensure the protection of natural persons’ rights about the processing of personal data by data controllers, but also provides a detailed list of procedures, which the latter must implement to maintain a consistent level of protection of personal data subjects’ freedoms and rights, and sets the criteria for showing the compliance with the law. For instance, the law states that “the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default,” including the measures of “minimizing the processing of personal data,…transparency about the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features,” etc. (European Commission 2016, p. L119/15). However, the regulation provides a generalized orientation to follow, which gives organizations a chance to choose an appropriate method of security protection, based on their overall strategic goals and objectives.
The Role of Administrative Measures and Their Links to Laws
The way available laws and regulations are implemented at the administrative level in an organization is key to information security. Nevertheless, the discussed state, national, and international regulations do not dictate which practices to use precisely. Thus, security managers can utilize a creative and innovative approach to performing organizational security management activities, development, and planning of architecture and planning solutions. The only requirement is to ensure that the applied information protection practices do not contradict relevant laws and meet quality and efficiency requirements.
According to Holtfreter and Harrington (2016), the number of data breaches due to external factors including theft, hacking, or loss by the individuals who are not related to the organization prevails nowadays and equals nearly 70 percent of all data breach cases. However, employees’ actions and misconduct have greater significance in this regard and are associated with far more important implications for organizations than the actions performed by the third parties. The internal factors defining data breaches include improper protection of data, theft, or hacking by employees with a high or a low probability of fraudulent intent, and unintentional loss of data (Holtfreter & Harrington 2016). To address the problem of both internal and external unauthorized use of confidential data, security managers must utilize a set of organizational-regulatory and technical measures to increase security and minimize threats to confidential information.
One can locate detailed recommendations regarding organizational security solutions in international standards. The ISO and the IEC (2017) suggests starting with the allocation of responsibilities and imposition of access restrictions; development of policies regarding the use of the mobile device and teleworking practices, covering such measures as cryptographic techniques, requirements for physical protection, and malware protection, etc. The ISO and the IEC (2017) also recommend implementing such human resource practices as screening before the recruitment, confirmation of qualifications, and so on. Overall, it is implied that the understanding of assigned duties and responsibilities about data security among employees is the key to effective data protection. Thus, the organization must ensure that a person authorized to access confidential information is competent enough. Moreover, it is essential to eliminate possible conflicting areas of responsibility to eliminate the risks of intentional and unintentional misuse. Moreover, Chander, Jain, and Shankar (2013) note that ethical norms and rules adopted by the company can contribute to better information security protection. Such norms may not be obligatory as the legal regulations. However, the failure to promote compliance with them can lead to inappropriate and harming employee behaviors.
In general, comprehensive data protection acts and standards, such as the General Data Protection Regulation and ISO/IEC 27002:2013, outline managerial rules reflecting such principles as system complexity, reliability, and continuity. They emphasize the importance of considering all possible threats to various stakeholders and the selection of appropriate methods and interrelated processes, both technical and non-technical, that would be included in a comprehensive information protection system. The regulations also make it clear that a high standard for data security management should be equally applied to all areas of data protection. Lastly, these regulations require security systems to be effective continuously, which means that managers should keep up with technological advancements, should update the security system regularly, and inform the personnel about occurred changes promptly. The consideration of the given principles, legal norms, and standards can help security managers increase the efficiency of information security strategies in their organizations.
Conclusion
Overall, information security implies the implementation of legal, administrative, and technical measures aimed to ensure the protection of sensitive information from unauthorized access, modification, deletion, dissemination, etc.; to maintain the confidentiality of sensitive data; and realization of rights for access to those data by subjects and responsible controllers. The conducted analysis of the state, national, and international laws on information security across industries reveals that to a varying degree they address such issues as prevention of personal data misuse; timely detection of unauthorized access incidents, as well as mitigation of their adverse consequences; determination of sanctions for data breaches; and continual control over the information security system and its functioning.
The analysis also revealed that in the United States, there is currently no comprehensive and unified federal law aimed to protect the rights of natural persons for safe processing of personal data and to regulate organizational efforts in data protection across the industries and sectors. Most of the legal regulations related to data security specialize in particular areas, such as federal information system security, healthcare, financing, commerce, and telecommunications. At the same time, several state laws address the problem to a different extent, focusing mainly on breach notification requirements. It can be suggested that the development of a comprehensive document comprising both preventive and regulatory regulations may provide a substantial basis for the establishment of sound information security systems in organizations of different types and would allow eliminating possible controversies due to overlaps in federal and state laws.
As for security protection standards, they are usually associated with greater practical utility compared to laws because they summarize high-quality, credible recommendations formulated by experts in the field of security management. In most of the cases, the utilization of standards and guidelines in practice is not obligatory, yet it can help security managers develop more efficient data protection strategies and architectures and, in this way, may allow protecting organizational interest better. Security managers may also utilize professional recommendations and guidelines to develop a unique information protection framework that would support the fulfillment of specific corporate goals and would suit the overall strategic orientation of the company in a more effective way. Thus, it is valid to conclude that standards, as well as legal regulations, largely support the work of security management teams.
Reference List
Chander, M, Jain, SK & Shankar, R 2013, ‘Modeling of information security management parameters in Indian organizations using ISM and MICMAC approach”, Journal of Modelling in Management, vol. 8, no. 2, pp. 171-189.
European Commission 2016, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Web.
Guffin, PJ 2012, United States: data security breach notification requirements in the united states: what you need to know, Web.
Holtfreter, R & Harrington, A 2016, ‘Employees are the weakest links, part 1: data breaches and untrained workers’, Fraud Magazine, Web.
International Organization for Standardization & International Electrotechnical Commission 2017, Information technology − security techniques − code of practice for information security controls,Web.
Jolly, I 2017, Data protection in the United States: overview, Web.
Mallery, J 2013, ‘Building a secure organization’, in JR Vacca (ed), Computer and information security handbook, Syngress, Amsterdam, Netherlands, pp. 3-24.
U.S. National Archives and Records Administration 2016, Basic laws and authorities, Web.