The legal background to information security

An introduction to information security law

Legal Challenges in Information Security: Understanding the Intersection of Information Security and the Law
As the Internet has evolved from a raw, experimental network into a large-scale infrastructure used by billions of people every day, the way businesses, governments and individuals approach securing information has evolved with it. None of them can afford to be laissez-faire about information security any longer. The persistent threat of cyber attacks, data breaches and information leaks makes it imperative to secure sensitive information. Further complicating matters, public and private organizations face growing demands from the public, governments and regulators for transparency and accountability in safeguarding sensitive information, particularly after a data breach.
What is Information Security?
Information security involves the protection of information assets, including data and information technology ("IT") systems. Generally defined, information security is the process of protecting information and IT systems from unauthorized access, use, disclosure, disruption, modification and destruction; this is also essentially the definition used in U.S. federal law (44 U.S.C. § 3552).
What Legal Frameworks Govern Information Security?
The demand for accountability is being met through an ever-growing number of legal frameworks that require entities to implement security measures to protect information. For example, every U.S. state has enacted a data breach notification law requiring a business that suffers a breach involving personal information to notify the affected individuals and, in many states, the state attorney general or another regulator. These laws vary from state to state in complexity, scope and definitions (what counts as "personal information", what triggers notice, and how quickly notice must be given). In addition, federal sectoral regulators have issued security regulations and guidance for the entities they supervise, including financial and healthcare organizations.
More broadly, rising public concern about privacy and data breaches has led to legislation expanding consumers' privacy rights. California, for instance, enacted the California Consumer Privacy Act ("CCPA"), which took effect on January 1, 2020 and gives California consumers far more control over the collection and sale of their personal information. The CCPA requires for-profit companies doing business in California to tell consumers what information the company has collected about them, to explain how that information is used, and to let them opt out of the sale of that information. Although the CCPA applies only to businesses that do business in California, its practical reach extends well beyond the state's borders, because a company serving customers nationwide will rarely find it practical to run a separate California-only regime. Other states have since introduced or enacted similar consumer privacy laws. A national privacy law could be on the horizon, particularly in light of Facebook's difficulties with the FTC and the Cambridge Analytica affair. Whether there should be a national privacy law is debated, but privacy and data security are matters of national importance today. Whatever the outcome of the debate over what such a law should look like, new legal requirements for security measures are coming, and companies will need to be prepared to manage them.

Key statutes affecting information security

In addition to the legal frameworks discussed above, several specific laws and regulations directly affect how organizations should design and operate their information security programs. This section briefly surveys them, with examples from major economies around the world.
EU Regulation 2016/679, better known as the General Data Protection Regulation ("GDPR"), applies to any organization established in the EU and, regardless of where it is located, to any organization that processes the personal data of individuals in the EU while offering them goods or services or monitoring their behaviour. Almost every organization holds personal data about its customers, its employees, or both. Because data processing operations face growing scrutiny over whether the data subjects' consent was freely given and informed, processing must be fair and centred on the individual, and an organization's security measures for personal data increasingly need to be designed with that in mind.
The GDPR introduces new concepts and legal obligations not only for data protection but also for information security (for example, the requirement in Article 32 to implement appropriate technical and organizational measures, and the 72-hour deadline in Article 33 for notifying the supervisory authority of a personal data breach), and meeting them is now a condition of legal compliance. The GDPR also carries significant penalties for non-compliance, including administrative fines of up to EUR 20,000,000 or 4% of the business' total worldwide annual turnover, whichever is higher. Non-compliance is therefore a reputational risk as well as a legal one, and dealing with it demands significant investment in legal costs and management time.
Any information security strategy must also account for, and be reflected in, the organization's contractual relationships. Two contractual aspects matter most. The first is liability: when one party breaches an information security obligation, the other party will often take the position that it can claim consequential damages, so a contract should state what security obligations each party takes on and how liability for a breach is allocated. The second is notification: there is a growing trend for contracting parties to require that an information security incident be reported to the other party within 24 hours or, where that is not feasible, no later than the reporting party's next business day.
In the UK, the relevant legislation is the Data Protection Act 2018 and the Computer Misuse Act 1990. The Computer Misuse Act was introduced primarily to criminalize unauthorized access to computer material; it also covers unauthorized access with intent to commit further offences and unauthorized acts that impair the operation of a computer. The Data Protection Act 2018 supplements and implements the GDPR in the UK (since the end of the Brexit transition period, in the form of the retained "UK GDPR").
In Australia, the relevant legislation is the Privacy Act 1988, which since 2018 includes the Notifiable Data Breaches scheme, and the computer offences in the Commonwealth Criminal Code (Criminal Code Act 1995).
In Singapore, the relevant legislation is the Personal Data Protection Act 2012. Part 6A of the Act, inserted by the 2020 amendments, requires an organization to notify the Personal Data Protection Commission of notifiable data breaches.
Other jurisdictions around the world are also implementing more stringent laws and regulations in order to regulate information security and data protection.

The consequences of breaches of information security

Under Section 5 of the FTC Act, the Federal Trade Commission treats a company's failure to take reasonable security measures that leads to the unauthorized acquisition of personal information as an unfair or deceptive act or practice. FTC enforcement actions do not generally address the liability of what the FTC calls the "third party" to the breach, namely the hacker or other person who steals the information. Rather, the FTC focuses on the legal consequences for businesses alleged to have failed to take reasonable precautions to protect consumer data; these cases are usually resolved by consent order rather than litigated to judgment.
Two FTC cases described below illustrate the legal principle the FTC applies when assessing a breach. Generally, the FTC has read "reasonable and appropriate" security as requiring written policies and procedures based on a risk assessment: a written information security policy, appointment of an information security coordinator, reasonable access controls, storage of sensitive consumer information in locked or otherwise secure places, and, when personal information is acquired by an unauthorized party, notifying the affected consumers by mail and providing them with identity theft protection services. The FTC has also found that using a third-party service provider (also called an agent) does not absolve a company of liability, and that a company can be held liable for the acts of its agents. Several FTC cases have involved transferring personal information to a third-party service provider without first requiring adequate data security measures.
In its case against Life is good, Inc., the company had hired a third-party provider to operate its online store and to store customer credit card information. The FTC alleged that Life is Good failed to maintain adequate security, resulting in an alleged breach affecting 2.7 million credit card and 2.3 million non-credit card customers. The complaint charged that Life is Good had "repeatedly failed to employ reasonable and appropriate measures to protect against unauthorized access to personal information stored on the Participating Merchant's [Life is Good's] computer network." The FTC alleged that Life is Good had failed to implement and maintain an information security program, had failed to implement a vulnerability management program, and had retained cardholder information longer than necessary. It was also alleged that Life is Good failed to secure the personal information of 590,000 consumers who called its customer service line, 500,000 customer service email addresses, and 92,000 customer accounts used to contact the website's customer service.
In the second example, Café Press provided a custom product design service that let each customer upload an image or photograph and make it available for sale to other customers. The FTC took issue with Café Press' use of Snapfish as a platform to process orders. According to the FTC, Café Press repeatedly made, or allowed Snapfish to make, public Internet exposures of consumers' personally identifiable information, including the names, addresses, email addresses and sometimes phone numbers of approximately 4.6 million U.S. consumers. The FBI investigated the Snapfish breach, and estimates of the number of individuals whose personal information was exposed ranged from 750,000 to 2.5 million.

Balancing privacy with security: the legal requirements

The legal demands of privacy and security are often in tension with one another. On the one hand, privacy is a fundamental right, recognized under the US Constitution (chiefly by implication from the Fourth Amendment), protected expressly by several state constitutions, and affirmed in international instruments. Yet the nature of online data collection, monitoring and analysis poses a significant challenge to privacy rights, because individuals may not even be aware of the data they generate. At the same time, there are strong legal interests in requiring online companies to secure the data they collect from or maintain about their users. Laws such as the Gramm-Leach-Bliley Act (15 U.S.C. § 6801) and the Health Insurance Portability and Accountability Act ("HIPAA", 42 U.S.C. § 1320d et seq.) require financial institutions and healthcare entities, respectively, to protect the privacy of their customers and patients and to create safeguards for that data, including reasonable security procedures. Violations of these laws can result in substantial fines and, in some circumstances, criminal penalties.
The paradox at the heart of these two seemingly conflicting principles is that the more security controls an organization implements, the more sensitive and private data its systems generate and store: authentication logs, access records, network captures and monitoring alerts are themselves personal data about users and staff. In other words, implementing security measures creates more data that is subject to protection (and potentially to disclosure). This creates a practical dilemma: to maintain security, systems must log and retain data, but retaining too much data risks compromising privacy. Security incidents such as data breaches, intrusions and system compromises compound the problem, because investigating them increases the amount of information that must be collected and reviewed to assess the extent of the incident and its potential impact on individual privacy.

Information security and intellectual property rights

Information security plays a large part in protecting intellectual property rights. Infringement, unauthorized derivative works and numerous other legal issues can arise if protected information is stolen, lost, shared or misused. Even inadvertent sharing, for instance through malware spread by email, can become a security issue. The ease with which information can be disseminated with a single click is a growing danger in the workplace and needs to be addressed, for example with a restrictive information sharing policy backed by technical controls.
With growing regularity, civil and criminal cases deal with the unauthorized use, disclosure, theft or misappropriation of trade secrets, confidential proprietary information, source code and customer lists, with breaches of confidentiality agreements, with allegations of patent or copyright infringement, and with the poaching of staff, to name just a few. Many claims are brought under the Uniform Trade Secrets Act (UTSA), which provides statutory protection for proprietary information that is not otherwise protected by, for example, patent, trademark or copyright law.
The UTSA has been adopted in most states and provides injunctive relief and monetary damages for the actual or threatened misappropriation of this type of information. The UTSA does not itself provide remedies for the misuse of patented, trademarked or copyrighted material, and claims involving those types of information rest on different statutory bases, but liability under the UTSA can accompany liability under those statutes. For example, a defendant may be liable for damages under both the UTSA and the Copyright Act for misappropriating source code.
Federal criminal law, principally the Economic Espionage Act of 1996 (18 U.S.C. §§ 1831-1839), prohibits the unauthorized copying, downloading, distribution or accessing of protected proprietary information such as source code. The Trade Secrets Protection Improvement Act of 2012 addressed these federal criminal offences in three ways. First, the maximum sentence for individuals convicted under the Act was increased from 10 to 15 years. Second, the maximum fine for individuals was increased from $5,000,000 to $10,000,000. Third, the maximum penalty for an organization was increased from $5,000,000 to the greater of $5,000,000 or three times the value of the stolen trade secret to the organization.
Many issues in information security, physical and electronic, have yet to be tested in the courts. For example, what happens when all of the physical security measures protecting a trade secret have been defeated? Does the answer differ if the information is misappropriated by an employee rather than an outsider? What happens when information is disseminated despite having been adequately secured? Do the security measures and safeguards that were in place matter, and do they amount to a proper defence?

Auditing for cybersecurity and the law

Cybersecurity Audits and Legal Compliance
For any given incident, company A will carry different legal and regulatory burdens than company B. No two businesses are the same, and each organization's obligations for protecting sensitive personal and proprietary information follow from its own circumstances.
Nonetheless, a fundamental premise of doing business is that service providers to companies of every size will be held to the standard set by industry best practice. Just as a manufacturing company needs safety precautions and machinery maintenance, so a data-driven business needs safeguards for its information and its information systems.
This is where preventive cybersecurity audits can be invaluable, not only in keeping information secure but also in demonstrating legal compliance and protecting the business against future liability. A cybersecurity audit of this kind goes beyond the traditional IT audit of a company's infrastructure and policies, and can be a necessary tool both for compliance and for guarding against breaches.
In our experience there is a surprising amount of confusion between cybersecurity audits, HIPAA compliance assessments, penetration tests and information security audits. Each plays a different role in a company's security strategy, and depending on the regulatory environment, some will matter more than others.
Regardless, most businesses would benefit from at least one type of cybersecurity audit. For example, if the business must comply with the security measures mandated by HIPAA, the assessments and audits performed during its security initiatives can be evaluated to determine whether the organization is in or out of compliance with those measures.
If it is not, the organization can make an informed decision about how to remedy the gap. This could be as simple as updating company policies to include the missing requirement, or as significant as investing in stronger user authentication.

Future developments in information security law

With information security legislation continuing to evolve and expand, it is critical for businesses to stay ahead of emerging trends. Marketing privacy law expert Amy Werlen recently shared with the IAPP her views on several key emerging trends in this area of law:
Encryption. The EU's GDPR names pseudonymization and encryption as examples of appropriate security measures for personal data. Germany has adopted the GDPR's recommendations on pseudonymization and encryption. Recent laws in Hawaii, New Jersey, Massachusetts and other jurisdictions expressly include encryption requirements. The National Institute of Standards and Technology, through its Cybersecurity Framework, recommends the use of encryption, calling it a high-impact practice.
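The pseudonymization the GDPR recommends is also the usual way out of the logging paradox described earlier: security logs must retain enough to correlate events, but need not store raw identifiers. The following Python script is an added illustration, not code from the article, from Amy Werlen or from any regulator. It replaces the personal fields in constructed JSON authentication events with keyed HMAC pseudonyms, then runs a simple failed-login count over the result to show that detection still works. The log lines, field names and key are all made up for the example; in practice the key lives in a secrets manager, not in the log pipeline.

```python
"""Pseudonymize personal identifiers in security logs with a keyed hash."""
import hashlib
import hmac
import json
from collections import Counter

# Constructed sample: JSON auth events as an application might emit them.
# Every value below is made up for illustration.
RAW_EVENTS = [
    '{"ts": "2024-03-01T08:00:01Z", "event": "login_failed", "user": "alice@example.com", "src_ip": "203.0.113.7"}',
    '{"ts": "2024-03-01T08:00:03Z", "event": "login_failed", "user": "alice@example.com", "src_ip": "203.0.113.7"}',
    '{"ts": "2024-03-01T08:00:05Z", "event": "login_ok",     "user": "alice@example.com", "src_ip": "203.0.113.7"}',
    '{"ts": "2024-03-01T08:01:10Z", "event": "login_failed", "user": "bob@example.com",   "src_ip": "198.51.100.23"}',
]

# Fields that carry personal data and must not reach long-term log storage in clear.
# (Assumed field names for this example.)
PERSONAL_FIELDS = ("user", "src_ip")


def pseudonym(value: str, key: bytes, domain: str) -> str:
    """Deterministic keyed pseudonym for `value`.

    HMAC-SHA256 is used rather than a plain hash: the space of e-mail addresses
    or IPv4 addresses is small enough that an attacker holding the logs could
    brute-force an unkeyed SHA-256 quickly, but cannot reverse the HMAC without
    the key. `domain` separates namespaces so the same string used as a
    username and as an IP address never map to the same pseudonym.
    """
    mac = hmac.new(key, f"{domain}\x00{value}".encode("utf-8"), hashlib.sha256)
    return f"{domain}:{mac.hexdigest()[:24]}"  # 96 bits is plenty for correlation


def pseudonymize_event(line: str, key: bytes) -> dict:
    """Parse one JSON event and replace each personal field with its pseudonym."""
    record = json.loads(line)
    for field in PERSONAL_FIELDS:
        if field in record:
            record[field] = pseudonym(record[field], key, field)
    return record


def pseudonymize_log(lines, key: bytes) -> list:
    """Pseudonymize a sequence of raw JSON log lines."""
    return [pseudonymize_event(line, key) for line in lines]


def failed_logins_per_user(events) -> dict:
    """Detection logic that still works on pseudonymized data, because the
    mapping is deterministic under one key: correlation is preserved."""
    return dict(Counter(e["user"] for e in events if e["event"] == "login_failed"))


def contains_raw_identifiers(events, raw_lines) -> bool:
    """Check that no original personal value survives in the pseudonymized output."""
    raw_values = set()
    for line in raw_lines:
        record = json.loads(line)
        raw_values.update(record[f] for f in PERSONAL_FIELDS if f in record)
    serialized = json.dumps(events)
    return any(value in serialized for value in raw_values)


if __name__ == "__main__":
    # Assumed key for demonstration only; keep the real one out of the log pipeline.
    demo_key = b"example-key-kept-in-a-secrets-manager"
    pseudonymized = pseudonymize_log(RAW_EVENTS, demo_key)
    for event in pseudonymized:
        print(json.dumps(event))
    print("failed logins per pseudonymous user:", failed_logins_per_user(pseudonymized))
    print("raw identifiers leaked:", contains_raw_identifiers(pseudonymized, RAW_EVENTS))
```

Rotating the key breaks correlation across the rotation boundary, which is often what retention policy wants: old pseudonyms cannot be linked to new events, and the raw identifiers were never stored. If an investigation genuinely needs to re-identify a pseudonym, that is done by recomputing the HMAC over candidate identifiers with the key under a documented access process, not by searching the logs for the clear value.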
Privacy by design. The Canadian Evidence Act is the first legislative document of its type we have seen to mandate that an organization or third party have processes in place that protect the confidentiality, integrity and availability of information and system resources. In the context of cyber security, it is specific about protecting against abuse of privilege (i.e., the privileges conferred on users to control devices, systems or information).
Data protection officer. Wisconsin was the first state to include data protection officers within its final data breach bill, which was signed into law on May 20, 2017. The bill requires covered entities to designate an individual to act as their data protection officer, or utilize third-party services for the functions.
Frameworks and modeling. Businesses can expect an uptick in the adoption of frameworks such as the NIST Cybersecurity Framework and the ISO/IEC 27001 standard. These give organizations a model for managing the relationship between information security and business assets.
Fines and private litigation. Not only have the EU GDPR and Canada's Bill S-4 (the Digital Privacy Act, which amended PIPEDA) increased penalties and damage awards, but the litigation boom that followed California's breach notification statute taking effect in 2003 will be seen again.
