Laws focused on the personal interests of individual employees, customers, or prospects – Many privacy laws and regulations, particularly in the financial and healthcare sectors, require companies to implement information security measures to protect certain personal data they maintain about employees, customers, and prospects.22
Laws addressing governmental regulatory interests or evidentiary requirements – Both the federal and state electronic transaction statutes (E-SIGN and UETA) require all companies to provide security for the storage of electronic records relating to online transactions.23 Many regulations do likewise. For example, IRS regulations require companies to implement information security to protect electronic tax records,24 and as a condition of engaging in certain electronic transactions;25 SEC regulations address security in a variety of contexts;26 and FDA regulations require security for certain records.27
Laws governing federal government agencies – The comprehensive Federal Information Security Management Act of 2002 (“FISMA”) addresses government security and requires security measures to protect all information collected or maintained by a federal agency, and all information systems used or operated by or for the agency.28
Common law – In addition, several commentators have argued that a common law duty to provide security may exist, the breach of which constitutes a tort.29
22 See, e.g., Gramm-Leach-Bliley (“GLB”) Act, Sections 501 and 505(b), 15 U.S.C. Sections 6801, 6805 and GLB Security Regulations at 12 C.F.R. Part 30, Appendix B (OCC), 12 C.F.R. Part 208, Appendix D (Federal Reserve System), 12 C.F.R. Part 364, Appendix B (FDIC), 12 C.F.R. Part 568 (Office of Thrift Supervision) and 16 C.F.R. Part 314 (FTC); Health Insurance Portability and Accountability Act (“HIPAA”), 42 U.S.C. 1320d-2 and 1320d-4, and HIPAA Security Regulations at 45 C.F.R. Part 164; and Children’s Online Privacy Protection Act of 1998 (“COPPA”), 15 U.S.C. 6501 et seq., and COPPA regulations at 16 C.F.R. 312.8. See also, EU Data Protection Directive, Article 17, available at http://europa.eu.int/comm/internal_market/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf.
23 See Electronic Signatures in Global and National Commerce Act (“E-SIGN”), at 15 U.S.C. § 7001(d); Uniform Electronic Transaction Act (“UETA”), at § 12.
24 See, e.g., IRS Rev. Proc. 97-22, 1997-1 C.B. 652, 1997-13 I.R.B. 9, and Rev. Proc. 98-25.
25 See, e.g., IRS Announcement 98-27, 1998-15 I.R.B. 30, and Tax Regs. 26 C.F.R. § 1.1441-1(e)(4)(iv).
26 See, e.g., 17 C.F.R. 240.17a-4, 17 C.F.R. 257.1(e)(3).
27 See, e.g., 21 C.F.R. Part 11.
28 Federal Information Security Management Act of 2002 (“FISMA”), 44 U.S.C. Section 3544(a)(1)(A).
29 See, e.g., Margaret Jane Radin, Distributed Denial of Service Attacks: Who Pays? available at http://www.mazunetworks.com/white_papers/radin-print.html; Kimberly Kiefer and Randy V. Sabett, Openness of Internet Creates Potential for Corporate Information Security Liability, BNA Privacy & Security Law Report, Vol. 1, No. 25 at 788 (June 24, 2002); Alan Charles Raul, Frank R. Volpe, and Gabriel S. Meyer, Liability for Computer Glitches and Online Security Lapses, BNA Electronic Commerce Law Report, Vol. 6, No. 31 at 849 (August 8, 2001); Erin Kenneally, The Byte Stops Here: Duty and