Pub. 13 2018-2019 Issue 2

WWW.NEBANKERS.ORG 14

Counselor’s Corner — continued from page 13

of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;

C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;

D. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and

E. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by Subpart C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.

Such an argument, however, would not persuade the Eleventh Circuit. The court in fact acknowledged the presence of the preceding items (in a footnote) but characterized them as “equally vague” and held that they suffered from the same enforceability problems.

In the court’s view, the order lacked sufficient specificity. Given the penalties that could be imposed for violation of a cease and desist order, the court held that such an order’s prohibitions must be stated with clarity and precision. The court cited U.S. Supreme Court precedent in support of its holding and further noted that the imposition of penalties for violation of an imprecise order could constitute a denial of due process: See BMW of N. Am., Inc. v. Gore, 517 U.S. 559, 574 & n.22, 116 S. Ct. 1589, 1598 & n.22 (1996) (“Elementary notions of fairness enshrined in our constitutional jurisprudence dictate that a person receive fair notice . . . of the conduct that will subject him to punishment . . . .”). Indeed, “[t]he most fundamental postulates of our legal order forbid the imposition of a penalty for disobeying a command

Certainty generally is illusion . . . . - Oliver Wendell Holmes, The Path of the Law
