The company must then designate the person(s) who bear overall responsibility for information security in the organization. Smedinghoff traces the shift in perspective: information security was initially treated as a purely technical matter, whereas it is now regarded as critical and as a matter of corporate governance, so that responsibility rests with the Board of Directors or senior management.[14]
The company will then put in place the necessary framework and take administrative steps to ensure compliance. For example, the flow of processes and the persons responsible at every stage must be clear.[15] In addition, the company will have to put in place the requisite technical and security measures to ensure that it meets the minimum standard for information security.[16]
A company must be able to continually determine what the risks in its environment are, both within and outside the organization, and take steps to ensure that it keeps ahead of them.[17] It has been acknowledged that the best approach to information security is to focus on the preventive measures within the company’s control, rather than on punitive measures, which may be hard to apply since most cyber criminals tend to be outside the company’s jurisdiction, faceless, or difficult to identify.[18] The crux of the matter is that consumer confidence in electronic transactions rests on the reliability and safety of the data processes.[19]
[1] T.J. Smedinghoff, Information Security Law: The Emerging Standard for Corporate Compliance, IT Governance Publishing, 2008. ISBN-13: 978-1-904356-67-6. Chapters 1 and 2 pages
[2] See, for example, the Payment Card Industry Data Security Standard (PCI DSS, or, more simply, PCI), at www.pcisecuritystandards.org.
[3] T.J. Smedinghoff, ibid., at pages 23–44.
See also the Council of Europe Cybercrime Convention, Budapest, 23 November 2001, also known as the Budapest Convention. The Convention is accompanied by an Additional Protocol to the Convention on Cybercrime concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems.
The Convention focuses on ensuring deterrent action “directed against the confidentiality, integrity and availability of computer systems, networks and computer data as well as their misuse and the criminalisation of such conduct.”
[4] Smedinghoff, ibid., at pages 30–45.
See also Andreas Mitrakas, “Information Security and Law in Europe: Risks Checked?”, European Network and Information Security Agency (ENISA), Greece, Information & Communications Technology Law, Vol. 15, No. 1, March 2006 (accessed on HeinOnline), at pages 1–6, on the critical role that information security plays in the electronic era.
[5] See Smedinghoff, ibid., at pages 39–40.
[6] Smedinghoff, ibid., at page 28.
[7] See, for example, Smedinghoff, ibid., at pages 18–19, referring to the HIPAA Security Regulations for health-sector requirements and to the GLB Security Regulations.
[8] See Smedinghoff, ibid., at page 36, discussing the FTC Act in respect of security obligations for personal data.
[9] See, for example, the effect of the EU Cyber Convention and the EU Data Protection Directive in promoting uniformity in the national laws of member states.
[10] T.J. Smedinghoff, ibid., at pages 17–22, discusses information security controls, including preventive, detective and reactive security controls, as well as administrative, technical and physical controls.
[11] See the EU Cybercrime Convention, on the requirement for members to provide for criminal offences.
[12] See, for example, the Payment Card Industry Data Security Standard (PCI DSS, or, more simply, PCI), at www.pcisecuritystandards.org.
See also the FTC Act referred to in footnote 8 above.
[13] See Smedinghoff, ibid., at page 33, discussing the requirements of the EU Data Protection Directive and the US GLB Security Regulations on security obligations of outsource providers, which are normally reduced to contractual obligations.
[14] See Smedinghoff, ibid., at pages 45–48 (who is responsible for information security).
[15] For example, on the card-acquiring function (discussing the processes and parties in a card payment), see Ann Kjos, “The Merchant-Acquiring Side of the Payment Card Industry: Structure, Operations, and Challenges,” Federal Reserve Bank of Philadelphia Payment Cards Center discussion paper, October 2007, at www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2007/D2007OctoberMerchantAcquiring.pdf.
[16] See Smedinghoff, ibid., at pages 38–43, on the requirements for different categories of data (corporate, electronic, etc.).
[17] See Julia S. Cheney et al., The Efficiency and Integrity of Payment Card Systems: Industry Views on the Risks Posed by Data Breaches, Discussion Paper, Payment Card Centre, October 2012, available at www.philadelphiafed.org/payment-cards-center/publications/discussion-papers/. This report is an evaluation of the risks and consequences for the payment card industry.
[18] Brussels, 22.11.2010, COM(2010) 673 final, Communication from the Commission to the European Parliament and the Council: The EU Internal Security Strategy in Action: Five steps towards a more secure Europe, which emphasizes the borderless nature of cybercrime.
[19] Julia Cheney, The Efficiency and Integrity of Payment Card Systems: Industry Views on the Risks Posed by Data Breaches, Discussion Paper, Payment Card Centre, October 2010, at pages 2–4, available at www.philadelphiafed.org/payment-cards-center/publications/discussion-papers/.