While these statutes and regulations impose significant obligations on certain companies with respect to certain types of data, they are part of a growing trend to require all companies to provide appropriate security for all data, at least where the compromise of such data may damage the interests of corporate stakeholders. Several key developments support this expansion of coverage of security obligations.
Beginning in 2002, through a series of enforcement actions and consent decrees, both the FTC and several state attorneys general have pursued companies in a variety of industries based on an alleged failure to provide adequate security for their data. However, the targeted companies were not directly subject to security regulation. Instead, these cases were based on the alleged failure of such companies to provide adequate information security contrary to representations to customers – i.e., claims of deceptive trade practices. 30
In early 2003, the Bush Administration released its National Strategy to Secure Cyberspace, which also argued for a much broader approach to corporate security obligations. Noting that most business entities “have become fully dependent upon information technology and the information infrastructure,”31 the National Strategy sought to move the debate beyond specific industry sectors and specific types of data, asserting that “all users of cyberspace have some responsibility, not just for their own security, but also for the overall security and health of cyberspace.” 32
In March 2005 testimony before Congress, the Chairman of the Federal Trade Commission, Deborah Platt Majoras, provided further support for this view by suggesting that the extensive scope of the security obligations imposed on the banking industry33 should be expanded to cover all industries.34 And, in fact, this has essentially been FTC policy in its enforcement actions and resulting consent decrees since 2002.35 Moreover, in June 2005 the FTC broadened the scope of its enforcement actions by asserting that a failure to provide appropriate information security was, itself, an unfair trade practice
Liability for Negligent Internet Security, Computer Security Journal, Vol. XVI, No. 2, 2000, available at http://www.gocsi.com/pdfs/byte.pdf.
30 See list of FTC Decisions and Consent Decrees and list of State Attorneys General Consent Decrees in the Appendix.
31 National Strategy to Secure Cyberspace, February 14, 2003, at pp. 5-6, available at www.whitehouse.gov/pcipb.
32 National Strategy at page 37 (emphasis added).
33 See, Gramm-Leach-Bliley Act (“GLBA”), Public Law 106-102, Sections 501 and 505(b), 15 U.S.C. Sections 6801, 6805, and implementing regulations at 12 C.F.R. Part 30, Appendix B (OCC), 12 C.F.R. Part 208, Appendix D (Federal Reserve System), 12 C.F.R. Part 364, Appendix B (FDIC), 12 C.F.R. Part 568 (Office of Thrift Supervision) and 16 C.F.R. Part 314 (FTC).
34 “Senate Banking Committee Members Grill ChoicePoint Executive on Breaches,” BNA Privacy & Security Law Report, March 21, 2005 at p. 351.
35 See list of FTC Decisions and Consent Decrees in the Appendix.