confidentiality, integrity, authenticity of information.[18] In other cases, they define the goals or objectives of security in terms of the harms to be avoided – e.g., to protect systems and information against unauthorized access, use, disclosure or transfer, modification or alteration, processing, and accidental loss or destruction.[19]
Regardless of approach, achieving these objectives involves implementing security measures designed to protect systems and information from the various threats they face. What those threats are, where they come from, what is at risk, and how serious the consequences are will, of course, vary greatly from case to case. But responding to the threats a company faces with appropriate physical, technical, and organizational security measures is the focus of the duty to provide security.
Where the Duty Comes From
Corporate legal obligations to implement security measures are set forth in an ever-expanding patchwork of federal and state laws, regulations, and government enforcement actions, as well as common law fiduciary duties and other implied obligations to provide “reasonable care.”[20] Many of the requirements are industry-specific (e.g., focused on the financial industry or the healthcare industry) or data-specific (e.g., focused on personal information or financial data). But in all cases they have been steadily expanding over the past several years, and that trend has been greatly accelerated by the series of high-profile security breaches in early 2005.
Examples of some of the key sources of the duty to provide security that have been in place for several years include the following:
Corporate governance legislation and caselaw designed to protect the company and its shareholders, investors, and business partners – Sarbanes-Oxley, for example, requires public companies to ensure that they have implemented appropriate information security controls with respect to their financial information.[21] Similarly, several SEC regulations impose a variety of requirements for internal controls over information systems.
[18] See, e.g., Homeland Security Act of 2002 (Federal Information Security Management Act of 2002) 44 U.S.C. Section 3542(b)(1); GLB Security Regulations (OCC), 12 C.F.R. Part 30 Appendix B, Part II.B; HIPAA Security Regulations, 45 C.F.R. Section 164.306(a)(1); Microsoft Consent Decree at II, p. 4.
[19] See, e.g., 44 USC 3532(b)(1), emphasis added. See also FISMA, 44 U.S.C. Section 3542(b)(1). Most of the foreign privacy laws also focus their security requirements from this perspective. This includes, for example, the EU Privacy Directive, Finland’s Privacy Law, Italy’s Privacy Law, and the UK Privacy Law. Also in this category is the Canadian Privacy Law.
[20] A list of some of the key security laws and regulations is set out in the Appendix to this article. For a more comprehensive compilation of some of the laws and regulations governing information security, see www.bakernet.com/ecommerce.
[21] See Sarbanes-Oxley Act, Sections 302 and 404. Sarbanes-Oxley is a good example of a statute that does not use the word “security,” but that nonetheless requires significant security measures to ensure that an adequate internal control structure and procedures for financial reporting are in place.