the Office of Thrift Supervision, on February 1, 2001,54 and later adopted by the FTC in its GLBA Safeguards Rule on May 23, 2002.55 The same approach was also incorporated in the Federal Information Security Management Act of 2002 (“FISMA”),56 and in the HIPAA Security Standards issued by the Department of Health and Human Services on February 20, 2003.57
The FTC has since adopted the view that the “process oriented” approach to information security outlined in these regulations sets forth a general “best practice” for legal compliance that should apply to all businesses in all industries.58 Thus, it has, in effect, implemented this “process oriented” approach in all of its decisions and consent decrees relating to alleged failures to provide appropriate information security.59 The National Association of Insurance Commissioners has also recommended the same approach, and to date, several state insurance regulators have adopted it.60 Several state Attorneys General have also adopted this approach in their actions against perceived offenders.61
A careful review of the foregoing legislation, regulations, and consent decrees reveals a remarkably consistent approach that defines the parameters of the process-oriented legal standard for security. The overall theme is a recognition that determining appropriate security is a fact-specific exercise. Merely implementing seemingly strong security measures is not sufficient per se. Security measures must be responsive to the existing threats facing the company, and must constantly evolve in light of changes in threats, technology, the company’s business, and other factors.
54 66 Fed. Reg. 8616, February 1, 2001; 12 C.F.R. Part 30, Appendix B (OCC), 12 C.F.R. Part 208, Appendix D (Federal Reserve System), 12 C.F.R. Part 364, Appendix B (FDIC), 12 C.F.R. Part 568 (Office of Thrift Supervision).
55 67 Fed. Reg. 36484, May 23, 2002; 16 C.F.R. Part 314.
56 44 U.S.C. Section 3544(b).
57 45 C.F.R. Parts 164.
58 See, Final Report of the FTC Advisory Committee on Online Access and Security, May 15, 2000, p.26 (noting that “security is more a process than a state”), available at www.ftc.gov/acoas/papers/finalreport.htm; and Prepared Statement of the Federal Trade Commission before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform, U.S. House of Representatives on “Protecting Our Nation’s Cyberspace,” April 21, 2004, at p. 5 (noting that “security is an ongoing process of using reasonable and appropriate measures in light of the circumstances”), available at www.ftc.gov/os/2004/04/042104cybersecuritytestimony.pdf.
59 See, e.g., FTC Decisions and Consent Decrees listed in the Appendix.
60 See, e.g., National Association of Insurance Commissioners, “Standards for Safeguarding Customer Information Model Regulation,” IV-673-1, available at www.naic.org (adopted in 9 states).
61 See, e.g., State Attorneys General Consent Decrees listed in the Appendix.