Risk analysis is the foundation of data security, but regulator approaches differ
Contributors:
Jim Dempsey
Lecturer, UC Berkeley Law; Managing Director, Cybersecurity Law Center
IAPP
Recent data security enforcement actions by the U.S. Department of Health and Human Services consistently sound an important theme: Failure to conduct an adequate risk assessment is itself a violation of the security rule promulgated under the Health Insurance Portability and Accountability Act. The lesson of these cases applies beyond protected health information.
Across the patchwork quilt of cybersecurity regulation in the U.S., enforcement agencies — including the Federal Trade Commission, Federal Communications Commission and Transportation Security Administration — agree that any entity's cybersecurity program should address issues identified in a risk assessment. And since system inventories, attacker tactics and the state of the art in cybersecurity controls change over time, the agencies agree the risk assessment must be regularly updated.
There are, however, some noteworthy differences in the way agencies approach their oversight of the risk assessment process.
Especially noteworthy in the HHS cases is a practice that other regulators might want to adopt: Once HHS has concluded that an entity violated the security rule, it will oversee the entity's risk assessment until satisfied it is complete and will then engage in an iterative review of the entity's data security practices until those are deemed sufficient to respond to the identified risks. The FTC and the FCC, in contrast, impose lengthy lists of cybersecurity practices before the first risk assessment is done.