anticipated threats or hazards to the security or integrity of the information and systems to be protected71). The goal is to reduce the risks and vulnerabilities to a reasonable and appropriate level.72
In other words, it is not enough merely to implement impressive-sounding security measures. They must be responsive to the particular threats a business faces, and must address its specific vulnerabilities. Posting armed guards around a building, for example, sounds impressive as a security measure, but if the primary threat the company faces is unauthorized remote access to its data via the Internet, that particular security measure is of little value. Likewise, firewalls and intrusion detection software are often effective ways to stop hackers and protect sensitive databases, but if a company’s major vulnerability is careless (or malicious) employees who inadvertently (or intentionally) disclose passwords or protected information, then even those sophisticated technical security measures, while important, will not adequately address the problem.
Relevant Factors to Consider
In determining what security measures should be implemented within a particular organization, virtually all of the existing precedent recognizes that there is no “one size fits all” approach. Which security measures are appropriate for a particular organization will vary, depending upon a variety of factors.
Traditional negligence law suggests that the relevant factors are (1) the probability of the identified harm occurring (i.e., the likelihood that a foreseeable threat will materialize), (2) the gravity of the resulting injury if the threat does materialize, and (3) the burden of implementing adequate precautions.73 In other words, the standard of care to be exercised in any particular case depends upon the circumstances of that case and on the extent of foreseeable danger.74
Security regulations take a similar approach, and indicate that the following factors are relevant in determining what security measures should be implemented in a given case:
The probability and criticality of potential risks
The company’s size, complexity, and capabilities
The nature and scope of the business activities
The nature and sensitivity of the information to be protected
71 See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.B(2); HIPAA Security Regulations, 45 C.F.R. Section 164.306(a)(2).
72 See, e.g., HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(1)(ii)(B).
73 See, e.g., United States v. Carroll Towing, 159 F.2d 169, 173 (2d Cir. 1947).
74 See, e.g., DCR Inc. v. Peak Alarm Co., 663 P.2d 433, 435 (Utah 1983); see also Glatt v. Feist, 156 N.W.2d 819, 829 (N.D. 1968) (the amount or degree of diligence necessary to constitute ordinary care varies with facts and circumstances of each case).