The State of Information Security Law: A Focus on the Key Legal Trends
White Paper
Software Engineering Institute
Information security is rapidly emerging as one of the most critical legal and public relations issues facing companies today. As the series of highly-publicized security breaches over the past few years has demonstrated, it is in many respects a time bomb waiting to explode.
The problem stems from the fact that, in today's business environment, virtually all of a company's daily transactions and all of its key records are created, used, communicated, and stored in electronic form using networked computer technology. Most business entities are, quite literally, fully dependent upon information technology and an interconnected information infrastructure. This has, of course, provided companies with tremendous economic benefits, including significantly reduced costs and increased productivity. But the resulting dependence on electronic records and a networked computer infrastructure also creates significant potential vulnerabilities that can result in major harm to the business and its stakeholders. Creating, communicating, and storing corporate information in electronic form greatly enhances the potential for unauthorized access, use, disclosure, and alteration, as well as the risk of accidental loss or destruction.
Concerns regarding corporate governance, individual privacy, accountability for financial information, the authenticity and integrity of transaction data, and the security of sensitive business data are driving the enactment of new laws and regulations designed to ensure that businesses adequately address the security of their own data. These legislative and regulatory initiatives are imposing obligations on all businesses to implement information security measures to protect their own data and to disclose breaches of security that do occur.
Four legal trends in the U.S. are rapidly shaping the information security landscape for most companies. And increasingly, these trends are having a significant impact on the development of international law as well. They are:
- A continuing expansion of the duty to provide security;
- An emergence of a legal standard for compliance;
- A focus on security obligations regarding specific data elements and controls;
- The imposition of a duty to warn.
While the law is still developing, and is often applied only in selective areas, these three trends are posing significant new challenges for most businesses. This paper will examine new developments as they relate to these three major trends.