The State of Information Security Law: A Focus on the Key Legal Trends

Abstract

Information security is rapidly emerging as one of the most critical legal issues facing companies today. Concerns regarding corporate governance, individual privacy, accountability for financial information, the authenticity and integrity of transaction data, and the security of sensitive business data are driving the enactment of new laws and regulations designed to ensure that businesses adequately address the security of their own data. These legislative and regulatory initiatives are imposing obligations on all businesses to implement information security measures to protect their own data and to disclose breaches of security that do occur. Four legal trends are rapidly shaping the information security landscape for most companies. They are: * A continuing expansion of the duty to provide security; * The emergence of a legal standard for compliance; * A focus on security obligations regarding specific data elements and controls; * The imposition of a duty to warn - that is, to disclose security breaches to those that may be affected. Corporate obligations regarding security come from numerous laws, regulations, common law obligations, industry standards, and contractual obligations. The net result, however, is that almost all companies are subject to a legal obligation to provide security for their own data. And this generally includes all forms of data, not just personal information. The legal standard for information security focuses not on specific security measures, but rather, on implementation of a repetitive process designed to identify and address threats. The required process may be generally summarized as follows: * Identify corporate information assets; * Conduct periodic risk assessments to identify the specific threats and vulnerabilities the company faces; * Develop and implement security controls to manage and control the risks; * Monitor and test the program to ensure that it is effective; * Continually review and adjust the program in light of ongoing changes, including obtaining regular independent audits and reporting where appropriate; and * Oversee third party service provider arrangements. Finally, in addition to legal obligations to implement security measures to protect data, we are also witnessing a global trend to enact laws and regulations that impose an obligation to disclose security breaches to the persons affected. These laws had been enacted in most states in the U.S., and are now actively being considered or enacted in numerous other regions around the world, including the European Union, Canada, Australia, New Zealand, and Japan.