The New Law of Information Security: What Companies Need to Do Now 1
Thomas J. Smedinghoff2
We are in the midst of a significant expansion of corporate obligations regarding security for digital information. Most businesses are, or soon will be, subject to two key legal obligations:
A duty to provide reasonable security for their corporate data and information systems
A duty to disclose security breaches to those who may be adversely affected by such breaches.
Although information security law has been developing for some time, pressures for enhanced corporate legal obligations to implement information security safeguards were accelerated by several recent highly publicized security breaches involving the loss or disclosure of sensitive personal information. Described by many as the “perfect storm,” the controversy began with a February 15, 2005 disclosure by ChoicePoint, Inc., a company previously unknown to most people, that sensitive personal information it had collected on 145,000 individuals had been compromised, and was at risk of unauthorized use for purposes such as identity theft. In the five months that followed, over 60 additional companies, educational institutions, and federal and state government agencies, almost all household names, also disclosed breaches of the security of sensitive personal information in their possession, affecting a cumulative total of over 50 million individual records.3 And perhaps most significantly, the persons whose sensitive information was compromised included the chairman of the FTC and as many as 60 U.S. Senators.
The reaction to these incidents has been a legislative and regulatory fury, at both the state and federal level. There has been a groundswell of support for the view that all corporate stakeholders have an interest in the security of corporate information, and that taking appropriate steps to ensure the security of that information, and to inform affected third parties of any breach, is a legal obligation for all companies. Thus, when the dust
1 Originally published in The Computer & Internet Lawyer Journal, November 2005, at pp. 9-25.
2 Thomas J. Smedinghoff, Baker & McKenzie, Chicago. Mr. Smedinghoff has been actively involved in developing e-business and information security legal policy both in the U.S. and globally. He currently serves as a member of the U.S. Delegation to the United Nations Commission on International Trade Law (UNCITRAL), where he participates in the Working Group on Electronic Commerce that recently completed negotiation of the Convention on the Use of Electronic Communications in International Contracts. He chaired the Illinois Commission on Electronic Commerce and Crime, and drafted the Illinois Electronic Commerce Security Act enacted in 1998. He served as an advisor to the National Conference of Commissioners on Uniform State Laws (NCCUSL) and participated in drafting the Uniform Electronic Transactions Act (UETA). He can be reached at firstname.lastname@example.org.
3 For a chronology of such breaches, and a running total of the number of individuals affected, see Privacy Rights Clearinghouse at www.privacyrights.org/ar/ChronDataBreaches.htm.