Managing The Legal Risks Related to Information Security

Abstract

Information security has become a critical issue. The risks of computer hackers, computer viruses ana worms, identity theft, denial of service attacks, theft, terrorist attacks, sabotage, surveillance and intrusion by competitors and malicious acts by disgruntled employees, among other vulnerabilities, are increasing at an alarming exponential rate. Managing the risks from these unprecedented threats to the enterprise has become a vital risk management concern for the company's board of directors and top management, with the result that effective security programs have become a necessity. Prudent risk management and due care with respect to security programs are necessary to avoid potential liability. Information security is a risk management process to protect the confidentiality, integrity and availability of systems and content. The federal Information Security Act of 2002 (44 U.S.C. § 3542) defines Security as ... protecting and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide - (A) integrity, which means guarding against improper modification or destruction and includes ensuring nonrepudiation and authenticity; (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and (C) availability, which means ensuring timely and reliable access to and use of information. This article examines the evolving standard in the United States to provide reasonable security requiring a risk-based process to develop and maintain a comprehensive security program. This process is based upon recent Federal Trade Commission (FTC) consent orders relating to security. The FTC has significantly broadened the scope of its enforcement actions by asserting that a failure to provide appropriate security was, itself, an unfair trade practice in violation of Section 5 of the FTC Act. These information security FTC cases are very instructive in defining the scope and extent of a company's legal obligation to implement security measures. These cases point to the emergence of a standard respecting security. They demonstrate that security is no longer just good business practice. Information security has become a obligation.