Cyber-Crime and Information Compromise. What does the notion of reasonable security entail?

by dxb625 (student)

Cyber-crime and information compromise are on the increase, presenting potentially fatal consequences both to the targeted individuals and to the organisations under attack. Because information is increasingly exposed to cyber-attacks that might compromise its confidentiality, integrity and availability, government laws and regulations have required organisations to employ certain security measures to minimise the risk of compromise. These requirements have been fuelled by the large amount of potentially sensitive and personal information that is collected, shared and stored in large databases around the globe, often of core importance to modern organisations [1]. For organisations to fully understand the scope of their obligations to implement reasonable security measures, it is important to be aware that the law considers security a relative concept [2].

What does the notion of ‘reasonable security’ entail?

Government laws and regulations require organisations to implement security measures that are 'reasonable', 'adequate' or 'appropriate', as exemplified by the California Security Breach Act [3], subsequently implemented in forty-six other states [4], and the European Directive 95/46/EC [5]. Legal compliance is defined as the organisation's ability to maintain a defensible position in a court of law [6]. Organisations therefore need to implement measures that limit the impact of legal complaints, by deciding how to interpret the broad parameters of their security obligations and so determining the level of measures suitable to protect personal data. In these instances a comprehensive security plan should be developed and maintained in the organisation, which includes (1) identification of information and system assets, (2) completion of risk assessments to identify threats to those assets, (3) selection and implementation of security controls to address the identified risks, (4) monitoring and testing of the effectiveness of the security plan, and (5) continuous review and amendment of the security plan [7]. The plan will depend heavily on the individual characteristics of the organisation, and the level of 'reasonable' security may therefore vary tremendously from one organisation to another.


If all corporate situations are recognised as being much the same, can companies carry out a risk assessment, implement a few policies and then relax in the knowledge that they have passed the information security test?

The existing information security laws and regulations aim to provide awareness and guidelines to organisations so that the protection of information is firmly planted within the organisation, in addition to protecting parties who fall victim to information compromise. The concept of 'reasonableness' allows for imperfections and for adaptation to the needs of the particular organisation. What constitutes reasonable security may, however, be difficult to ...
