David Thaw, Relationship Between Regulatory Models and Information Security Practices
Comment by: Gerry Steigmaier
Workshop draft abstract:
Two models of regulation are responsible for governing virtually all private-sector information security practices in the United States. The first is industry-specific regulatory delegation, such as that found in HIPAA’s Privacy Rule and GLB’s privacy and security rules. Under this model, federal legislation requires the development of standards for information security practice and ultimately delegates the power to establish and update such standards to industry through various administrative mechanisms. The second is a paradigm in which law ties performance to reputation. This describes the data breach notification laws in effect in most states, under which, whenever a firm experiences an incident in which certain information about individuals is lost, that firm must notify the affected individuals, a central state authority, and/or local media, or take other prescribed measures.
Currently only two industrial sectors – finance and healthcare – are subject to the first type of regulation. All of the current state statutes comprising the second form of regulation are laws of general applicability and thus, given the highly interstate nature of information exchange, apply to nearly all organizations in the United States. To study the effects of these forms of regulation, we employed a mixed qualitative and quantitative methods approach. We first conducted a series of two-hour semi-structured interviews with Chief Information Security Officers (or functional equivalents) at key U.S. organizations in each of the finance, healthcare, consumer products, energy, and information technology sectors. We then analyzed the frequency of reported breach incidents using data maintained by the Open Security Foundation.
Our research and analysis revealed that the two forms of regulation have differential effects on information security practices. Regulatory delegation models encourage collaboration, information sharing, secure information exchange, incorporation of security into system design, and intrusion detection and other perimeter security measures. Laws linking performance to reputation, in contrast, promote good authentication and provenance, auditing, and host security/internal site security.