Cyber- Crime and Information Compromise. What does the notion of reasonable security entail?

by dxb625 (student)

Cyber-crime and information compromise is on the increase, presenting potentially fatal consequences to both the targeted individuals and the organisations under attack. Due to information being increasingly exposed to cyber-attacks which might compromise the informations' confidentiality, integrity and accessibility, government laws and regulations have required organisations to employ certain security measures to minimize the risk for vulnerability. These have been fuelled by the large amount of potentially sensitive and personal information that is collected, shared and stored in large databases around the globe, often of core importance to modern organisations1. For organisations to fully understand the scope of its obligations for the implementation of reasonable security measures, it is important to be aware that the law considers security a relative concept2.

What does the notion of ‘reasonable security’ entail?

Government laws and regulations require organisations to implement security measures that are 'reasonable', 'adequate' or 'appropriate', as exemplified in i.e. the California Security Breach Act3, subsequently implemented in forty-six other states4, and the European Directive 95/46/EC5. Legal compliance is defined as the organisation's ability to maintain a defensible position in a court of law6. Organisations therefore need to implement measures that prevent the impact of legal complaints, by deciding how to interpret the broad parameters of security obligations to decide the level of measures suitable to protect personal data. A comprehensive security plan, which includes the (1) identification of information and system assets, (2) completion of risk assessments to identify threats to those assets, (3) selection and implementation of security controls to monitoring of the identified risks, (4) monitoring and testing the effectiveness of the security plan and (5) continuous review and amendment of the security plan7, should in these instances be developed and maintained in the organisation. The plan will highly depend on the individual characteristics of the organisation, and the level of 'reasonable' security might as such vary tremendously from one organisation to another.

Are all corporate situations recognised being much the same, can companies carry out a risk assessment, implement a few policies and then relax in the knowledge that they have passed the information security test?

This is a preview of the whole essay

The existing information security laws and regulations aim to provide awareness and guidelines to organisations so that the protection of information is firmly planted within the organisation, in addition to protecting parties who fall victim to information compromise. The concept of 'reasonableness' allows for imperfections and adaption to the needs of the particular organisation. What constitutes as reasonable may however be difficult to determine as the compliance measures need to reflect constantly emerging new security vulnerabilities in the surrounding environment and might require a significant amount of investment that is influenced by factors outside of an organisation's control.

Because many security vulnerabilities often remain unknown until after they have occurred, the security measures and the concept of 'reasonableness' needs to be regularly updated by regulators8. It is perhaps therefore that such concepts are still utilized in laws, regulations and guidelines, as such a wide formulation leaves the organisation wholly responsible for, at all times, keeping on top of the developing threat-landscape surrounding them. The laws are as such more long-lived, but still able to offer basic guidelines.

1Solms v R & Solms v S.H 'Information Security Governance: A model based on the Direct-Control Cycle' 25 Computers & Security <http://www.sciencedirect.com.ezproxy.liv.ac.uk/science?_ob=MiamiImageURL&_cid=271887&_user=822084&_pii=S0167404806001167&_check=y&_origin=article&_zone=toolbar&_coverDate=2006-Sep-30&view=c&originContentFamily=serial&wchp=dGLbVlV-zSkWz&md5=a20d3709538ff6acb15e23eb91321397&pid=1-s2.0-S0167404806001167-main.pdf> accessed 01 May 2013

2Smedinghoff, J T Information Security Law: The Emerging Standard for Corporate Compliance (First Edition, IT Governance Publishing, 2008) p.61

3California Security Breach Act 2005 <http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.pdf> accessed 02 May 2013

4Stevens G 'Data Security Breach Notification Laws' (2012) Congressional Research Service <http://www.fas.org/sgp/crs/misc/R42475.pdf> accessed 29 April 2013

5Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data (EU Data Protection Directive) <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML> accessed 02 May 2013

6Breaux D T, Antón A I, Karat C M & Karat J 'Enforceability vs. Accountability in electronic policies' (2006) IEEE 7th International Workshop on Policies for Distributed Systems and Networks <http://www.cs.cmu.edu/~breaux/publications/tdbreaux-policy06.pdf> accessed 03 May 2013

7Lecture Notes 'Week 5: Legal Standards for Compliance' (2013) University of Liverpool LLM <https://elearning.uol.ohecampus.com/bbcswebdav/xid-142633_4> accessed 01 May 2013

8Breaux D T & Baumer L D 'Legally 'Responsible' Security Requirements: A 10-year FTC Restrospective' (2011) 30(4) Computers & Society <http://www.cs.cmu.edu/~breaux/publications/tdbreaux-cose10.pdf> accessed 03 May 2013

Cyber- Crime and Information Compromise. What does the notion of reasonable security entail?

This is a preview of the whole essay

Document Details

Related Essays

Future of cyber-law

It Law cyber Bulleying

It Law Cyber crime & criminology

Private and Public Spheres. Should our autonomy be traded in for protectio...