Information Security Law

Information Security Law: The Emerging Standard for Corporate Compliance

THOMAS J. SMEDINGHOFF
Copyright Date: 2008
Published by: IT Governance Publishing
Pages: 182
https://www.jstor.org/stable/j.ctt5hh7kw
    Book Description:

    Information Security Law: The Emerging Standard for Corporate Compliance is designed to help companies understand this developing law of information security, the obligations it imposes on them, and the standard for corporate compliance that appears to be developing worldwide. This book takes a high level view of the multitude of security laws and regulations, and summarizes the global legal framework for information security that emerges from them. It is written for companies struggling to comply with several information security laws in multiple jurisdictions, as well as for companies that want to better understand their obligations under a single law. It explains the common approach of most security laws, and seeks to help businesses understand the issues that they need to address to become generally legally compliant.

    eISBN: 978-1-905356-67-6
    Subjects: Business, Law

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. PREFACE
    (pp. 5-6)
  3. ABOUT THE AUTHOR
    (pp. 7-8)
  4. Table of Contents
    (pp. 9-10)
  5. INTRODUCTION
    (pp. 11-12)

    Information security is rapidly emerging as one of the most critical legal issues facing companies today. As the list of highly-publicized security breaches suffered by very reputable companies, organizations, and government agencies continues to expand at an exponential rate, it is becoming very clear that the vulnerability of all corporate data is, in many respects, a time bomb waiting to explode.

    The legal and public policy focus on information security stems from the fact that, in today’s business environment, virtually all of a company’s daily transactions and all of its key records are created, used, communicated, and stored in electronic...

  6. CHAPTER 1: SECURITY BASICS: THE LEGAL PERSPECTIVE
    (pp. 13-32)

    The law of information security is based on fundamental security concepts long recognized by security professionals. Thus, understanding security obligations from a legal perspective requires understanding those basic security concepts. The following sections will summarize those security concepts, as seen from the perspective of applicable laws.

    Security is the protection of assets (such as buildings, equipment, cargo, inventory, and in some cases, people) from threats. “Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.”²

    Information security is also sometimes...

  7. CHAPTER 2: LEGAL RESPONSE TO SECURITY
    (pp. 33-38)

    Understanding corporate obligations to address data security begins with a high level understanding of the legal response to security threats.

    The law essentially takes a two-pronged approach to addressing the challenges posed by the extensive use of electronic information, and the potential damages that can arise when security is breached and information is compromised. First, the law declares illegal certain conduct that breaches the security of one’s data, and provides punishment for those who engage in such conduct. Second, the law imposes on those businesses that possess data an obligation to protect that data and the corresponding information systems in...

  8. CHAPTER 3: THE GENERAL DUTY TO PROVIDE SECURITY
    (pp. 39-58)

    The obligation to provide security for corporate data is, in essence, a duty to provide “reasonable” or “appropriate” physical, technical, and administrative security measures to ensure the confidentiality, integrity, and availability of corporate data.

    The meaning of that obligation, and its various requirements, will be explored in Chapters 4, 5, and 6. This chapter will examine where the obligation comes from, which companies it applies to, what types of data are covered by the obligation, and who in the company is responsible for legal compliance.

    There is no single law, statute, or regulation that governs a company’s obligations to provide...

  9. CHAPTER 4: THE LEGAL STANDARD FOR COMPLIANCE
    (pp. 59-71)

    The general obligation to provide security for data is often simply stated in the law as an obligation to provide “reasonable” or “appropriate” security designed to achieve certain objectives. In some cases, statutes and regulations define those objectives in terms of positive results to be achieved, such as ensuring the availability of systems and information, controlling access to systems and information, and ensuring the confidentiality, integrity, and authenticity of information.¹ In other cases, they define those objectives in terms of the harms to be avoided – e.g. to protect systems and information against unauthorized access, use, disclosure or transfer, modification...

  10. CHAPTER 5: DEVELOPING A COMPLIANT SECURITY PROGRAM
    (pp. 72-88)

    Implementing legally-compliant “reasonable security” requires the development of an appropriate comprehensive information security program. While much has been written about developing an information security program from a technical perspective, this chapter will focus on the legal requirements.

    As noted in Chapter 4, developing a legally-compliant information security program involves an iterative process that requires that a company do the following:

    1. Identify its information and system assets.
    2. Conduct periodic risk assessments to:
       • identify the specific threats to those assets the company faces,
       • identify its vulnerabilities to those threats, and
       • estimate the resulting harm if a threat materializes and exploits a vulnerability....

  11. CHAPTER 6: SECURITY CONTROLS TO CONSIDER
    (pp. 89-119)

    As noted in Section 4.1, many security laws and regulations merely require “reasonable” or “appropriate” security, without any specification as to what security controls are required. Other security laws and regulations, however, do specify a variety of security controls that must be addressed by a company’s security program. But in almost all cases they list only the categories of security controls that must be addressed, without requiring that any specific security controls or technologies be implemented. As explained in Section 5.3, the company selects which security controls to implement (so as to be legally compliant) by reference to the risk...

  12. CHAPTER 7: THE ROLE OF STANDARDS
    (pp. 120-137)

    Technical standards, guidelines, best practices, and industry customs all play an important role in assisting companies as they work through the process of addressing their information security needs. But what role do they play, if any, in addressing legal compliance? In particular, given the many laws and regulations addressing security worldwide, are there any standards that a business can comply with and be assured of meeting all of its legal obligations (particularly on a global basis)?

    Standards, guidelines, best practices, and industry custom and usage all offer possible approaches to determining what level of security is appropriate in a given...

  13. CHAPTER 8: SECURITY BREACH NOTIFICATION
    (pp. 138-158)

    In addition to the legal obligation to implement security measures to protect corporate data, many laws enacted during the past few years impose an obligation to disclose security breaches to the persons affected. But unlike laws that impose a duty to provide security, these laws typically require only that companies disclose security breaches to those who may be adversely affected by such breaches.¹

    For the most part, laws imposing an obligation to disclose security breaches began as a direct reaction to a series of well-publicized security breaches involving sensitive personal information over the past few years,² and as part of...

  14. APPENDIX Statutes, regulations, and cases imposing information security obligations
    (pp. 159-180)
  15. ITG RESOURCES
    (pp. 181-182)