4. Requiring regular reports from management on the program’s adequacy and effectiveness. 13
The scope of that responsibility can also be significant. The GLB security regulations, for example, require the Board of Directors to approve the written security program, to oversee the development, implementation, and maintenance of the program, and to require regular reports (e.g., at least annually) regarding the overall status of the security program, the company’s compliance with regulations, and material matters relating to the security program. 14
Similarly, under the Federal Information Security Management Act (“FISMA”), the head of each agency is responsible for providing information security protections, complying with the requirements of the statute, and ensuring that information security management processes are integrated within agency strategic and operational planning processes. The head of each agency is also required to appropriately delegate implementation tasks to the CIO and others. The HIPAA security regulations require that an identified security official be responsible for developing and implementing the required policies and procedures.
A key problem, however, is that the nature of the legal obligation to address security is often poorly understood by the levels of management charged with the responsibility, by the technical experts who must implement it, and by the lawyers who must ensure compliance. Yet it is perhaps one of the most critical issues companies will face. As the recent series of highly publicized security breaches has demonstrated, it is in many respects a time bomb waiting to explode.
The Duty To Provide Security for Corporate Information
The legal issues surrounding information security are rooted in the fact that, in today’s business environment, virtually all of a company’s daily transactions, and all of its key records, are created, used, communicated, and stored in electronic form using networked computer technology. Electronic communications have become the preferred way of doing business, and electronic records have become the primary means for storing information. As a consequence, most business entities are now “fully dependent upon information technology and the information infrastructure.” 15
13 Information Security Governance: A Call to Action, Corporate Governance Task Force Report, National Cyber Security Partnership, April 2004, pp. 12-13, available at www.cyberpartnership.org/InfoSecGov4_04.pdf. The National Cyber Security Partnership (NCSP) is led by the Business Software Alliance (BSA), the Information Technology Association of America (ITAA), TechNet and the U.S. Chamber of Commerce in voluntary partnership with academicians, CEOs, federal government agencies and industry experts. Following the release of the 2003 White House National Strategy to Secure Cyberspace and the National Cyber Security Summit, this public-private partnership was established to develop shared strategies and programs to better secure and enhance America’s critical information infrastructure. Further information is available at www.cyberpartnership.org.
14 GLB Security Regulations (OCC), 12 C.F.R. Part 30, Appendix B, Part III.A and Part III.F.
15 National Strategy to Secure Cyberspace, February 14, 2003, at p. 6, available at www.whitehouse.gov/pcipb.