Technology Executives Club
Thursday, November 20, 2008 

 

Security Alert - Duty to Provide Security

Submitted by Baker & McKenzie

In This Alert:
• Corporate Duty to Provide Information Security: What Companies Need to Do Now
• Duty to Provide Information Security
• Source of the Duty
• The Legal Standard for Compliance
• What Companies Need to Do

Corporate Duty to Provide Information Security:
What Companies Need to Do Now

We are in the midst of a significant expansion of corporate obligations regarding security for digital information. Most businesses are, or soon will be, subject to two key legal obligations:
• A duty to provide security for their corporate data and information systems; and
• A duty to disclose information security breaches to those who may be adversely affected by such breaches.
This Alert will focus on the corporate legal obligation to provide information security. A companion Alert will address the duty to disclose security breaches.

Duty to Provide Information Security
As a general rule, most companies are now subject to a legal obligation to implement “reasonable” or “appropriate” physical, technical, and organizational information security measures to ensure the availability of their systems and information, control access to their systems and information, and ensure the confidentiality, integrity, and authenticity of their information. Stated differently, companies must adequately protect their corporate systems and information against unauthorized access, use, disclosure and transfer, alteration, processing, and accidental loss or destruction.

Source of the Duty
These information security obligations are set forth in an ever-expanding patchwork of federal and state laws, regulations, and government enforcement actions, as well as common law fiduciary duties and other implied obligations to provide “reasonable care.” Many of the requirements are industry-specific (e.g., focused on the financial industry or the healthcare industry) or data-specific (e.g., focused on personal information or financial data). But increasingly, laws are imposing generally applicable obligations on all companies and all data, accelerated in large measure by a series of high-profile security breaches in 2005.

Examples of key sources of the duty to provide security include the following:
• Corporate governance legislation and case law designed to protect the company and its shareholders, investors, and business partners.

Get the complete Baker & McKenzie Security Alert


 

Copyright © 2008 Technology Executives Club, Ltd. All rights reserved.