The State of Information Security Law: A Focus on the Key Legal Trends


Thomas J. Smedinghoff


Edwards Wildman Palmer LLP

May 2008


Abstract:
Information security is rapidly emerging as one of the most critical legal issues facing companies today. Concerns regarding corporate governance, individual privacy, accountability for financial information, the authenticity and integrity of transaction data, and the security of sensitive business data are driving the enactment of new laws and regulations designed to ensure that businesses adequately address the security of their own data. These legislative and regulatory initiatives are imposing obligations on all businesses to implement information security measures to protect their own data and to disclose breaches of security that do occur.

Four legal trends are rapidly shaping the information security landscape for most companies. They are:

* A continuing expansion of the duty to provide security;
* The emergence of a legal standard for compliance;
* A focus on security obligations regarding specific data elements and controls;
* The imposition of a duty to warn - that is, to disclose security breaches to those that may be affected.

Corporate obligations regarding security come from numerous laws, regulations, common law obligations, industry standards, and contractual obligations. The net result, however, is that almost all companies are subject to a legal obligation to provide security for their own data. And this generally includes all forms of data, not just personal information.

The legal standard for information security focuses not on specific security measures, but rather, on implementation of a repetitive process designed to identify and address threats. The required process may be generally summarized as follows:

* Identify corporate information assets;
* Conduct periodic risk assessments to identify the specific threats and vulnerabilities the company faces;
* Develop and implement security controls to manage and control the risks;
* Monitor and test the program to ensure that it is effective;
* Continually review and adjust the program in light of ongoing changes, including obtaining regular independent audits and reporting where appropriate; and
* Oversee third party service provider arrangements.

Finally, in addition to legal obligations to implement security measures to protect data, we are also witnessing a global trend to enact laws and regulations that impose an obligation to disclose security breaches to the persons affected. These laws have been enacted in most states in the U.S., and are now actively being considered or enacted in numerous other regions around the world, including the European Union, Canada, Australia, New Zealand, and Japan.

Number of Pages in PDF File: 55

Keywords: cybersecurity, security, information security, law, privacy, electronic transactions, e-transactions, authentication, integrity, confidentiality, electronic records, corporate governance

JEL Classification: K10, K19, K20, K29, K30, K33, K39

Date posted: March 30, 2008  

Suggested Citation

Smedinghoff, Thomas J., The State of Information Security Law: A Focus on the Key Legal Trends (May 2008). Available at SSRN: http://ssrn.com/abstract=1114246 or http://dx.doi.org/10.2139/ssrn.1114246

Contact Information

Thomas J. Smedinghoff (Contact Author)
Edwards Wildman Palmer LLP
225 W. Wacker Drive, Suite 3000
Chicago, IL 60606
United States