The New Law of Information Security: - page 21 / 29

ever-changing threats, risks, vulnerabilities, and security measures available to respond to them. It is a never-ending process. As a consequence, businesses must conduct periodic internal reviews to evaluate and adjust the information security program115 in light of:

  • The results of the testing and monitoring

  • Any material changes to the business or arrangements

  • Any changes in technology

  • Any changes in internal or external threats

  • Any environmental or operational changes

  • Any other circumstances that may have a material impact.116

In addition to periodic internal reviews, best practices and the developing legal standard may require that businesses obtain a periodic review and assessment (audit) by qualified independent third-party professionals using procedures and standards generally accepted in the profession to certify that the security program meets or exceeds applicable requirements, and is operating with sufficient effectiveness to provide reasonable assurances that the security, confidentiality, and integrity of information is protected.117 The business should then adjust the security program in light of the findings or recommendations that come from such reviews.118


The Duty To Disclose Security Breaches

As a direct response to the large number of high-profile security breaches involving sensitive personal information, most states, and Congress, introduced legislation to require notification of persons affected by such breaches. Such laws and regulations focused not on imposing an obligation to implement security measures, but rather, on imposing an obligation to disclose security breaches. Thus, even where there is no duty to provide security, there may well be a duty to disclose a breach of security.


Overview of the Duty

One of the first requirements to disclose breaches of security applied to tax-related records, and appeared in 1998 regulations governing electronic records issued by the Internal Revenue Service. In a Revenue Procedure that sets forth the basic rules for maintaining tax-related records in electronic form, the IRS requires taxpayers to “promptly notify” the IRS District Director if any electronic records “are lost, stolen,

115 Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of Discontinuance, Para. 27(e) and (f), p. 7; Eli Lilly Decision at II.D, GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part III.E; HIPAA Security Regulations, 45 C.F.R. Section 164.306(e) and 164.308(a)(8)

116 GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.E; HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(8); Microsoft Consent Decree at II, p. 4; Eli Lilly Decision at II.D



Microsoft Consent Decree at III, p. 5 Ziff Davis Assurance of Discontinuance, Para. 27(h), p. 7
