The company’s technical infrastructure, hardware, and software security
The state of the art re technology and security
The costs of the security measures 75
Interestingly, cost was the one factor mentioned most often, and certainly implies recognition that companies are not required to do everything theoretically possible.
Categories of Security Measures that Must Be Addressed
Specifying a process still leaves many businesses wondering, “What specific security measures should I implement?” In other words, in developing a security plan, what security measures or safeguards should be included?
Generally, developing law in the U.S. does not require companies to implement specific security measures or use a particular technology. As expressly stated in the HIPAA security regulations, for example, companies “may use any security measures” reasonably designed to achieve the objectives specified in the regulations. 76
This focus on flexibility means that, like the obligation to use “reasonable care” under tort law, determining compliance may ultimately become more difficult, as there are unlikely to be any safe-harbors for security. As one commentator has pointed out with respect to the HIPAA security regulations: “The new security rules offer no safe harbor to covered entities, business associates, or the people who make security decisions for them. Rather, whether security countermeasures are good enough to ‘ensure’ the confidentiality, integrity, and availability of [protected health information], and protect it from ‘any’ hazard one could reasonably anticipate, is likely to be judged retroactively.” 77
Nonetheless, developing law seems to consistently require that companies consider certain categories of security measures, even if the way in which each category is addressed is not specified. At a high level, for example, most recent security rules require covered organizations to implement physical, technical, and administrative security measures. 78
75 See, e.g., HIPAA Security Regulations, 45 C.F.R. Section 164.306(b)(2); GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.A and Part II.C; FISMA, 44 U.S.C. Sections 3544(a)(2) and 3544(b)(2)(B); Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of Discontinuance.
76 HIPAA Security Regulations, 45 C.F.R. Section 164.306(b)(1).
77 Richard D. Marks and Paul T. Smith, Analysis and Comments on HHS’s Just-released HIPAA Security Rules, Bulletin of Law / Science & Technology, ABA Section of Science & Technology Law, No. 124 April 2003, at p. 2, available at http://www.abanet.org/scitech/DWTSecurityRules021703.pdf.
78 See, e.g., HIPAA regulations 45 C.F.R. Sections 164.308, 164.310, and 164.312; GLB Regulations, 12 C.F.R. 208, Appendix D-2.II(A) and 12 C.F.R. Part 30, Appendix B, Part II; Microsoft Consent Decree, at p. 4.