under Section 5 of the FTC Act, even in the absence of any false representations by the defendant as to the state of its security.36
Recently filed lawsuits also suggest efforts to broaden the scope of corporate security obligations, with a view to protecting the interests of major stakeholders of all companies. Two class action lawsuits brought against ChoicePoint are good examples. The first suit, brought on behalf of individuals whose personal data was compromised by the security breach disclosed on February 15, 2005, alleges that ChoicePoint failed to implement adequate security measures, and failed to timely and fully disclose the breaches once they occurred.37 The second suit, brought on behalf of shareholders, alleges that ChoicePoint and its management failed to disclose to shareholders and potential investors that the company’s security measures were inadequate and ineffective.38
At the same time, some states have begun passing laws imposing a general obligation to implement information security. The first was California, which enacted legislation in 2004 requiring all businesses to “implement and maintain reasonable security procedures and practices” to protect personal information about California residents from unauthorized access, destruction, use, modification, or disclosure.39 Other states have followed suit in 2005, including Arkansas,40 Nevada,41 and Rhode Island.42
The bottom line is that a company’s duty to provide security may come from several different sources, each perhaps asserting jurisdiction over a different aspect of corporate information. But the net result (and certainly the trend) is a general obligation to provide security for corporate data and information systems.
The nature and scope of that obligation, however, are not always clear. Often unanswered is a key question: Just what exactly is a business obligated to do? What is the scope of its legal obligations to implement information security measures?
36 See In the Matter of BJ’s Wholesale Club, Inc. (Agreement containing Consent Order, FTC File No. 042 3160, June 16, 2005), available at www.ftc.gov/opa/2005/06/bjswholesale.htm.
37 Goldberg v. ChoicePoint, Inc., No. BC329115 (Los Angeles Superior Ct., filed Feb. 18, 2005).
38 Perry v. ChoicePoint, Inc., No. CV-05-1644 (C.D. Cal., filed March 4, 2005).
39 Cal. Civil Code Section 1798.81.5(b).
40 Ark. Code Section 4-110-104(b).
41 52 Nev. Rev. Stat. Section 23(1).
42 R.I. Stat. 11-49.2-2(2) and (3).