Many observers predict that tort law will eventually impose a general duty to keep information secure. These trends indicate that it will be increasingly important to stay ahead of the legal curve for information security.
Information security means the processes and measures by which organizations attempt to ensure the confidentiality, integrity and authenticity of data, as well as the availability and accessibility of data and systems. Businesses should employ information security measures to protect customer, vendor and business partner data, tax and financial records, trade secrets, and information systems and system components.
Threats to information security arise from numerous sources, including natural disasters, environmental problems such as excessive heat or cold, physical alteration or destruction of data, viruses, hacking and equipment malfunctions. Furthermore, every man-made threat can emanate from persons both within and outside of an organization.
There are numerous federal and state information security laws already in effect. These range from well-publicized laws such as the Sarbanes-Oxley Act to lesser known laws and regulations governing information security in federal agencies and financial institutions. There are also specific regulations applicable to tax, health care and financial records and information used in electronic transactions.
Moreover, even businesses that are not expressly subject to regulation may find that their business partners who are subject to regulation will insist on compliance by contractual means. In addition, the regulations are helping shape the standard of care for information security, which will, in turn, guide future legislation and business practices.
Information security fundamentals
Good information security starts with an initial risk assessment, which should encompass both information and technology systems and address all relevant areas of operation.
The assessment should be conducted by personnel with the requisite expertise and credentials. It should identify internal and external security risks and the potential damage from each, in light of the sensitivity of the information; match current security measures against those risks; and assess whether current security is sufficient to address them, given the nature and scope of the organization's operations and the sensitivity of the information.
Businesses should use the initial risk assessment to design and implement an information security program and designate employees with appropriate credentials to oversee and implement the program. The program should be enterprise-wide and in writing, and should be regularly monitored, tested, evaluated and adjusted. The program should also allow for independent, third-party auditing.
The program must utilize appropriate administrative, physical and technical security measures. Administrative measures are procedural and include items such as documentation procedures, employee training and differential levels of access for employees. Physical measures can include the use of security guards, locked doors and access cards.
Technical measures can include firewalls, antivirus software and data encryption. Obviously, the measures that are appropriate will vary with the situation.
Businesses that use a vendor to implement or administer their information security program must exercise due diligence in evaluating vendors and contractually require them to follow appropriate procedures and implement appropriate security measures. Businesses must also subject their vendors to independent, third-party auditing.
Businesses should be similarly cautious in communicating with their customers regarding their information security program and policies. In particular, businesses must not act inconsistently with promises or representations regarding the use or sale of customer data and should not overstate the capabilities of their security measures or products.
Implementing sound information security measures is good business and is becoming a legal necessity. Businesses should consult with qualified legal and technical professionals to ensure that their business's information is secure and that the business properly documents and communicates its information security efforts.
Francis X. Taney Jr. is a shareholder in the Philadelphia office of Buchanan Ingersoll PC. He is chair of the firm's Information Technology Litigation Practice Group and focuses his practice on complex commercial litigation matters in a variety of substantive areas, including advising clients on ways to avoid or minimize disputes arising from IT related transactions. For more information on commercial litigation matters, especially those relating to information technology, reach Taney at (215) 665-3846 or firstname.lastname@example.org.