"reasonable security measures" for data security
24th-Aug-2008 07:42 pm
Increasingly, the law cannot keep up with specific technologies, and instead relies on phrases like "reasonable security measures". But what does that phrase actually mean?

Here's an example. The Newfoundland and Labrador Office of the Information and Privacy Commissioner issued a report (P-2008-002) on the theft of some laptops. It has some interesting analysis, such as:
The Commissioner noted that section 36 of the ATIPPA required public bodies to make “reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.” ESD failed to provide such reasonable security measures and this led to the unauthorized disclosure of personal information, contrary to section 39 of the ATIPPA.
Paragraph 34 contains this passage on how they worked to define "reasonable":
To determine whether ESD took “reasonable security measures” to protect personal information, I will consider the following factors:
1. The foreseeability of the privacy breach
2. The seriousness of potential harm (discussed above)
3. The cost of preventative measures
4. Relevant standards of practice
And paragraph 62 contains:
As a multi-layered approach to information security is the current industry standard, I am also of the opinion that this approach is necessary for compliance with section 36 of the ATIPPA. At the time of the breach, ESD was not using this approach. Some useful physical safeguards were in place, but administrative and technological safeguards were obviously lacking. While directives and policies alone would not have prevented this breach, they are nonetheless an important feature in safeguarding personal information. In another case, policies and directives may be the difference between a breach occurring or not. In this situation, however, appropriate technological measures may have prevented the breach. Use of network passwords alone to protect personal information does not constitute a “reasonable security measure” as mandated by section 36 of the ATIPPA. This lack of adequate technological safeguards led to unauthorized disclosure of personal information, contrary to section 39
(Emphasis added)

Some more analysis can be found here:

It also contains some analysis of another incident in the UK. Steptoe writes:
While these specific actions are limited to government agencies, they reinforce the growing trend in the UK -- as well as the United States and around the world -- to regard encryption as a necessary component of data security.
