The Legal Standard for Information Security
Laws and regulations rarely specify what specific security measures a business should implement to satisfy its legal obligations.43 Most simply obligate the company to establish and maintain internal security procedures, controls, safeguards, or measures directed toward achieving the goals or objectives identified above,44 but often without any further direction or guidance. The standard for compliance, if one is stated, often requires simply that the security be “reasonable”45 or “appropriate.”46 Other expressions of the standard that appear in some regulations include “suitable,” “necessary,” and “adequate.”
A critical problem, then, is assessing how far a company is “legally” obligated to go. When are the security measures it implements sufficient, from a legal perspective, to comply with its obligations? For example, does installing a firewall and using virus detection software satisfy a company’s legal obligations? Is it necessary for an organization to encrypt all of its electronic records? How does a business know when it is legally compliant? Is there a safe harbor? Since there is no such thing as perfect security (i.e., there is always more that you can do),47 resolving these questions can significantly affect cost.
The FTC acknowledges that the mere fact that a breach of security occurs does not necessarily mean that there has been a violation of law.48 But it also notes that an organization can fail to meet its security obligations, even in the absence of a breach of security.49
Thus, the key issue (from a legal perspective) is defining the scope and
43 Although they often focus on categories of security measures to address. See, e.g., HIPAA Security Regulations, 45 C.F.R. Part 164.
44 See, e.g., FDA regulations at 21 C.F.R. Part 11 (procedures and controls); SEC regulations at 17 C.F.R. 257.1(e)(3) (procedures); SEC regulations at 17 C.F.R. 240.17a-4 (controls); GLB regulations (FTC) 16 C.F.R. Part 314 (safeguards); Canada, Personal Information Protection and Electronic Documents Act, Schedule I, Section 4.7 (safeguards); EU Data Privacy Directive, Article 17(1) (measures) available at http://europa.eu.int/comm/internal_market/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf.
45 See, e.g., HIPAA 42 U.S.C. 1302d-2, and HIPAA Security regulations, 45 CFR 164.306; COPPA, 15 U.S.C. 6502(b)(1)(D), and COPPA regulations 16 C.F.R. 312.8; IRS Rev. Proc. 97-22, sec. 4.01(2); SEC regulations 17 C.F.R. 257. See also UCC Article 4A, Section 202 (“commercially reasonable” security procedure), and Microsoft Consent Decree.
46 “Appropriate” security required by: HIPAA 42 U.S.C. 1302d-2, and HIPAA Security regulations, 45 CFR 164.306; EU Data Protection Directive, Article 17(1).
47 See, e.g., Prepared Statement of the Federal Trade Commission before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform, U.S. House of Representatives on “Protecting Our Nation’s Cyberspace,” April 21, 2004, at p. 5, available at www.ftc.gov/os/2004/04/042104cybersecuritytestimony.pdf (noting that “the Commission recognized that there is no such thing as “perfect” security and that breaches can occur even when a company has taken all reasonable precautions”), at p. 4.
48 Id. at p. 5 (noting that “not all breaches of information security are violations of FTC law . . . . [B]reaches can happen, . . . even when a company has taken every reasonable precaution. In such instances, the breach will not violate the laws that the FTC enforces.”).
49 Id. at p. 6 (noting that “there can be law violations without a known breach of security.”). See also Microsoft Consent Decree.