What are the legal requirements for ensuring information security relating to business organizations? Essay

For data or information to be useful, the key principles of confidentiality, integrity and availability, upon which the concept of information security is built, must at a minimum be met, and this inevitably goes hand in hand with the legal requirements of any jurisdiction.[1] The legal requirements of most jurisdictions usually have an inward-looking component,[2] which sets out the steps an organization is required to comply with, and an outward-looking component, which consists of punitive measures in cases of breach or non-compliance.[3]

Internationally there is no uniform standard or approach for ensuring information security, and different jurisdictions have adopted different approaches.[4] As private data has become increasingly vulnerable to exposure, the focus in most jurisdictions is on ensuring that the privacy of individuals during transactions is protected.[5] Smedinghoff has summarized the legal requirements generally as the duty to provide security, the legal standard upon which that duty or obligation is based, and the duty of notification in case of breach.[6]

Thus, in the United States the approach was initially sector-specific[7] but is now increasingly moving towards general requirements,[8] while the approach in Europe,[9] for example, is the general or omnibus approach. Generally, all jurisdictions make provision for the protection of data,[10] and so on, and then provide for offences.[11]

Steps to be taken to meet these legal requirements

The first step is for the company to determine what the general and specific legal requirements are for its sector and for its jurisdiction.[12] For example, the compliance requirements for a company in the health sector or the financial sector in the United States or Europe may differ for each of those companies. The company then translates these requirements into a policy framework that is implementable within the company. Some organisations choose to reduce these into contractual obligations for the parties they transact with.[13]

The company must then designate the person(s) who bear the overall responsibility for information security in the organization. Smedinghoff discusses the change in perspective from information security initially being considered a technical matter to its current status as a critical matter of corporate governance, with the result that responsibility rests with the Board of Directors or senior management.[14]

The company will then put in place the necessary framework and take administrative steps to ensure compliance. For example, the flow of processes and the persons responsible at every stage must be clear.[15] In addition, the company will have to put in place the requisite technical and security measures to ensure that it meets the minimum standard for information security.[16]

A company must be able to continually determine what the risks in its environment are, both within and outside the organization, and take steps to ensure that it keeps ahead of them.[17] It has been acknowledged that the best approach to information security is to focus on the preventive measures that are within the control of the company, rather than on punitive measures, which may be hard to implement since most cyber criminals tend to be outside the company’s jurisdiction, faceless, or difficult to identify.[18] The crux of the matter is that consumer confidence in electronic transactions is based on the reliability and safety of the data processes.[19]

[1] T.J. Smedinghoff, Information Security Law: The Emerging Standard for Corporate Compliance, IT Governance Publishing, 2008. ISBN-13: 978-1-904356-67-6. Chapters 1 and 2 pages

[2] See for example, the Payment Card Industry Data Security Standard (PCI DSS, or, more simply, PCI), at www.pcisecuritystandards.org.

[3] T.J. Smedinghoff, Ibid, at pages 23 – 44

See also the Council of Europe Cybercrime Convention, Budapest, 23 November 2001, also known as the Budapest Convention. The Convention is accompanied by an Additional protocol to the Convention on Cybercrime concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems.

The Convention focuses on ensuring deterrent action “directed against the confidentiality, integrity and availability of computer systems, networks and computer data as well as their misuse and the criminalisation of such conduct.”

[4] Smedinghoff, Ibid, at pages 30 – 45

See also Andreas Mitrakas, Information Security and Law in Europe: Risks Checked? European Network and Information Security Agency (ENISA), Greece, Information & Communications Technology Law, Vol. 15, No. 1, March 2006, accessed on HeinOnline, at pages 1 – 6, on the critical role that information security plays in the electronic era.

[5] See Smedinghoff Ibid, at pages 39 – 40

[6] Smedinghoff Ibid at page 28

[7] See for example reference by Smedinghoff Ibid, at pages 18 – 19 to the HIPAA Security Regulations for health sector requirements, GLB Security Regulations.

[8] See reference by Smedinghoff, Ibid, at page 36 discussing the FTC Act in respect of security obligations for personal data

[9] See for example, the effect of the EU Cyber Convention and the EU Data Protection Directive in promoting uniformity in national laws of member states.

[10] T. J. Smedinghoff, Ibid, pages 17 – 22, discusses information security controls including preventive, detective and reactive security controls, and also administrative, technical and physical controls

[11] See the EU Cybercrime Convention, on the requirement for members to provide for criminal offences.

[12] See for example the Payment Card Industry Data Security Standard (PCI DSS, or, more simply, PCI), at www.pcisecuritystandards.org.

See also the FTC Act referred to in footnote 8 above

[13] See Smedinghoff Ibid at page 33 discussing the requirements of the EU Data Protection Directive and US GLB Security Regulations on security obligations on outsource providers normally reduced into contractual obligations.

[14] See Smedinghoff at pages 45 – 48 (Who is responsible for information security)

[15] For example on the card-acquiring function, (discussing processes and parties in a card payment) see Ann Kjos, “The Merchant-Acquiring Side of the Payment Card Industry: Structure, Operations, and Challenges,” Federal Reserve Bank of Philadelphia Payment Cards Center discussion paper, October 2007 at

[16] See Smedinghoff, Ibid, at pages 38 – 43 on requirements for different categories of data – corporate, electronic, etc.

[17] See Julia S. Cheney, et al, The Efficiency and Integrity of Payment Card Systems: Industry Views on the Risks Posed by Data Breaches, Discussion Paper, Payment Card Centre, October 2012, available at www.philadelphiafed.org/payment-cards-center/publications/discussion-papers/. This report is an evaluation of the risks and consequences for the Payment card industry.

[18] Brussels, 22.11.2010, COM(2010) 673 final, COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL: The EU Internal Security Strategy in Action: Five steps towards a more secure Europe, which emphasizes the borderless nature of cybercrime

[19] Julia Cheney, The Efficiency and Integrity of Payment Card Systems: Industry Views on the Risks Posed by Data Breaches, Discussion Paper, Payment Card Centre, October 2010, at pages 2 – 4, available at www.philadelphiafed.org/payment-cards-center/publications/discussion-papers/.