extent of a company’s “legal” obligation to implement information security. In other words, what is the legal standard against which compliance with an obligation to provide reasonable security is measured?
There are many standards that seek to define the scope of information security requirements from a “technical” perspective.50 But a review of newer statutes, regulations, and cases51 indicates that a “legal” standard is also beginning to emerge – a legal standard that helps to clarify the scope and extent of a company’s obligation to implement information security. Under that standard, which is described in detail below, the duty to provide information security (e.g., the duty to provide “reasonable” security) requires both (1) implementation of an ongoing process and (2) addressing certain categories of security measures.
The developing legal standard involves a relatively sophisticated approach to compliance, and recognizes what security consultants have been saying for some time: “security is a process, not a product.”52 Thus, it does not literally dictate what security measures are required to achieve “reasonable security.” Instead, it sets out requirements for a fact-specific process leading to the development of what is often referred to as a “comprehensive information security program,”53 and makes clear that following that process is required to achieve legal compliance.
This “process-oriented” legal standard for corporate information security was first set forth in a series of financial industry security regulations required under the Gramm-Leach-Bliley Act (GLBA) titled Guidelines Establishing Standards for Safeguarding Consumer Information. They were issued by the Federal Reserve, the OCC, FDIC, and
50 See, e.g., Jody Westby (Ed.), International Strategy for Cyberspace Security, at Chapter 4 (American Bar Association, Section of Science & Technology Law, 2004). Although none of these standards has yet become generally accepted in all industries, one that is commonly cited is ISO 17799, the “Code of Practices for Information Technology Management,” adopted by the International Organization for Standardization (ISO) in August 2000 and revised in June 2005. (A copy of ISO 17799 is available at the ISO web site (www.iso.org) for a fee.) ISO 17799 is “becoming recognized practice for security management in private and public organizations.” See Council of the European Union, Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information security (2002/C 43/02), whereas clause number 11. The National Institute of Standards and Technology (NIST) has also developed an extensive set of standards. See http://csrc.nist.gov/publications/nistpubs/index.html.
51 A list of some of the key statutes, regulations, and enforcement actions addressing corporate obligations to implement information security measures is set out in the Appendix.
52 Bruce Schneier, Secrets & Lies: Digital Security in a Networked World (John Wiley & Sons, 2000) at page XII. The FTC has also noted: “security is more a process than a state.” See Final Report of the FTC Advisory Committee on Online Access and Security, May 15, 2000, p. 26, available at www.ftc.gov/acoas/papers/finalreport.htm.
53 See, e.g., FISMA, 44 U.S.C. Section 3544(b) (“develop, document, and implement an agencywide information security program”), GLB Regulations (Federal Reserve), 12 C.F.R. 208, Appendix D-2.II(A) (“Implement a comprehensive written information security program”); GLB Regulations (FTC), 16 C.F.R. 314.3(a) (“Develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts”); and Microsoft Consent Decree (“Establish and maintain a comprehensive information security program in writing”).