settles, we are likely to see a more extensive codification of corporate legal obligations regarding the security of their own data, notwithstanding prior policy rejecting such a regulatory approach.4
It is important to recognize, however, that even without the additional legislation currently under consideration, almost all businesses today have some legal obligation to provide security for their own information. And satisfying that obligation is critical, especially in this highly-charged environment where a failure to do so is likely to bring on significant public relations problems as well as legal risk.
More importantly, a legal standard for compliance is emerging – i.e., a definition of “reasonable security.” All of the major security-related statutes, regulations, and government enforcement actions of the past few years show an amazing consistency in approach. When viewed as a group, they set forth a rather clearly defined standard for legal compliance – one that requires a process-oriented approach to the development and maintenance of a comprehensive security program. Moreover, evidence suggests that even in cases not subject to such laws, this process-oriented approach is likely to be the standard against which legal compliance is measured.
As a result of recent security breaches, a legal corollary to the obligation to provide security has also received extensive legislative support. This is the duty to disclose security breaches to those who may be adversely affected by such breaches. That duty, which is focused primarily on personal information, is law in an ever-growing list of states, and will likely soon be federal law as well.
For both the duty to provide security and the duty to disclose breaches, this article will examine (1) the legal sources of the obligation, (2) the nature and scope of the duty, and (3) how companies should respond to address their compliance obligations. But first we take a look at where the law places the compliance responsibility.
Responsibility for Corporate Information Security
Protecting the security of corporate information and computer systems was once just a technical issue to be addressed by the IT department. Today, however, as information security has evolved into a legal obligation, responsibility for compliance has been put directly on the shoulders of senior management, and in many cases the board of directors. It is, in many respects, a corporate governance issue.
Under the Sarbanes-Oxley Act, for example, responsibility lies with the CEO and the CFO.5 In the financial industry, the Gramm-Leach-Bliley (“GLB”) security regulations place responsibility for security directly with the Board of Directors.6 In the
4 See, e.g., National Strategy to Secure Cyberspace, February 14, 2003, at p. 30, available at www.whitehouse.gov/pcipb.
5 Sarbanes-Oxley Act, Section 302.
6 See, e.g., GLB Security Regulations (Federal Reserve) 12 C.F.R. 208, Appendix D-2.III(A).