Privacy and Information Management: What are “Reasonable and Customary” practices?
Gail W. Bisbee, PRISM SME
As we review the penalties most recently handed down to Washington State University (WSU) for failure to protect confidential data, two words come to mind: “Reasonable and Customary”. At some point in its records management process a WSU committee made the decision to use a mini-storage unit. No doubt the decision revolved around convenience, availability and cost. It is doubtful that the WSU Compliance Officer and/or Risk Manager was aware of the location chosen for off-site storage of the confidential data.
Regardless of the format, an organization should consider two simple questions when defining standards for the management of critical client data. The first: is the information entrusted to our organization being safeguarded in a “reasonable” manner? “Reasonable” here means determining whether the measures I or my organization have taken to safeguard the data are ones that my peers and/or any applicable regulatory organization would deem a reasonable way to protect it. Had this simple approach been used, WSU personnel would have chosen a more secure site for off-site management of the organization’s historical research data.
The second question: is the method or format in or on which I am managing this critical data a “customary” one, meaning a format that industry peers and/or an applicable accrediting body would approve or recommend? While it is not unusual for a backup system to include mass storage devices such as an external hard drive (even in the age of cloud storage), the method of management in this situation at WSU did not appear to meet the basic requirement of multiple levels of encryption to prevent unauthorized access. Clearly encryption will not stop a highly trained hacker from accessing the data, but implementing multiple levels of access control is a “reasonable” standard.
As a consultant to your RIM clients, exploring alternative solutions is a critical component of every sales call. Encourage team members to consider these two questions during their sales process. Be knowledgeable about the industries you serve and challenge the sales team to know what is “reasonable and customary” in each market for the management of various types of records.