Jane K. Winn, Recent Developments in the Emerging Law of Information Security, 38 UCC L.J. 391 (2006), https://digitalcommons.law.uw.edu/faculty-articles/161
Recent Developments in the Emerging Law of Information Security
Uniform Commercial Code Law Journal
data security breach notification, information security, standards
In recent years, a body of law has emerged that explicitly establishes certain minimum duties with regard to the security of business information systems. Outside of certain regulated industries such as telecommunications or banking, there were not formerly any laws that directly and explicitly established duties with regard to information security. Of course, many laws can be construed as implicitly imposing a duty to maintain an appropriate level of information system security. For example, statutes that authorize commercial transactions in electronic form contain implicit information security requirements if they provide that electronic records will only be recognized as equivalent to paper records if the electronic records are accurate and accessible.
In addition, it is possible to infer duties to maintain minimum levels of information security from laws such as anti-money laundering laws, wiretap laws or securities laws. Recent information security legislation clearly departs from these earlier laws, for example by defining the subject of information security clearly or by spelling out concrete and specific duties that apply to business information systems.
The question of whether legislative mandates should be used to require businesses to raise the level of information security is controversial. Some commentators maintain that current levels of information security are inadequate and that, without law reform, developers of information technology and operators of information systems will lack adequate incentives to improve the security of their products and systems. Other commentators would counter that, in light of current knowledge in the area of computer security and currently available technology, it is unclear what positive benefits law reform would achieve and that market forces combined with existing laws provide adequate incentives to invest in information security.
In recent years, business and legal perspectives on information security have shifted away from what has been called the “fortress security” mentality that prevailed from the 1950s through the 1980s. During this period, there were fewer computers in use, networking was less common and less developed, and fewer organizations required strong information security. The development of ubiquitous computing environments and the wholesale migration of economic and social activities into information systems have created information system security challenges that cannot be resolved with older, more absolute concepts of security.
As a result, current business practice and current U.S. laws regulating information security all adopt a “risk management” approach, which requires an explicit articulation and balancing of costs and benefits. Although there is no general duty to maintain the security of information systems under U.S. law at present, in recent years a patchwork of different laws establishing more limited duties regarding information system security has emerged. Most of these laws apply to organizations in specific industries or to specific types of transactions or activities, and some involve quite detailed technical specifications. Others establish “standards” of conduct that require an analysis of the context within which information systems are being used. These standards reflect a risk management perspective and require the implementation of appropriate management processes to cope with information system security challenges as they emerge. These standards generally require information system operators to engage in an ongoing and repetitive process that is designed to assess risks, identify and implement appropriate security measures, verify their effectiveness, and establish procedures for continually updating them in light of new threats.
In addition, the number of laws creating a duty to disclose security breaches to anyone who might have been adversely affected by the breach is growing.
Note: Portions of this article are adapted from Law of Electronic Commerce, Fourth Edition, by Jane K. Winn and Benjamin Wright. © 2006 Aspen Publishers, Inc.