Compliance and data security are not the same things

June 13, 2013

By Bob Johnson, NAID CEO

On Tuesday, I described how privacy and data security, though often thought of interchangeably, are two distinct and separate concepts. Today, I will show how data security and regulatory compliance, concepts often thought of as synonymous, are actually significantly different as well.

For instance, if an organization destroyed their discarded paper records using a conventional strip shredder and then tossed the bagged shreds into the dumpster behind their building, they would be in compliance with the data protection regulations. You see, the regulations say they have to take reasonable steps to prevent unauthorized access (under HIPAA and GLB) or to destroy the paper before being discarded (under FACTA and Reg. S-P). The key phrase is “take reasonable steps,” otherwise known as the “Reasonableness Principle.” Even though most readers of this blog realize tossing shredded material does not provide data security, it would be hard to say they did not take reasonable steps to prevent unauthorized access or destroy the material, as the regulations require.

As industry professionals, we realize that shredding material in the office and tossing it in the trash only tells the bad guys what to take and, in fact, lessens security. But the reasonableness standard is not determined by what the experts think; it is determined by what the proverbial reasonable man would think. Keep in mind, even the FACTA Final Disposal Rule advises that shredding material prior to disposal would be considered reasonable.

Why is this distinction important? It’s important because when a client makes a decision on any destruction process, they treat compliance and data security as the same issue. Their selection of a particular process for destruction, or a particular vendor, could be markedly different if they understood the difference.