Legal Updates - Has information security become a corporate governance issue?

What is information security?

Information security refers to ‘the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide for its confidentiality, integrity and availability’ (FISMA;2002). As such, information security management is the process by which an organization protects and secures its information assets and the systems on which they reside.

When it comes to managing information security, there is an entrenched belief in many organizations that it is purely a technology issue. In other words, many believe that the use of physical security measures (i.e. security measures designed to protect the tangible items that make up the physical computer systems and networks) and technical security measures (i.e. safeguards incorporated into computer hardware, software and related devices) is sufficient to ensure the safety of their information assets and to fulfil their legal obligations in relation to information security (Smedinghoff;2015). This is best demonstrated by a FAQ posed to the US Federal Financial Institutions Examination Council (“FFIEC”), in which an enquirer asked whether a financial institution could forgo risk assessment and move immediately to implement additional strong authentication controls. To some extent, this shows that many organizations have strong incentives to protect their information assets but are not willing to invest the same commitment and responsibility in information security management as they do in other business agendas. In most cases, they seek only the simplest and quickest solutions, and simply delegate such responsibilities to the lower management level.

In response, a legal trend appears to have emerged in recent years that requires organizations to treat information security as a corporate governance issue. This is evident from several aspects.


Legal Requirements & Best Practice

Corporate governance is defined as ‘the system by which companies are directed and controlled’ (UK Corporate Governance Code;2012). In other words, it is about establishing clear expectations for business conduct and ensuring that organizations meet those expectations. In some sectors, laws or standards are in place requiring an organization to treat information security management as one of the central issues of its business. For example, the US Sarbanes-Oxley Act 2002 requires CEOs and CFOs to personally certify that effective ‘internal controls’ are maintained. The Act did not define ‘internal controls’, but it seems logical to include organizational and procedural measures that deal with the IT infrastructure. Similarly, in the UK, under the new FCA/PRA Senior Management Arrangements, Systems and Controls (“SYSC”), senior managers are personally accountable for malfeasance, nonfeasance and controls over delegation of authority. It follows that if the directors of an organization, for instance, fail to oversee those responsible for implementing an effective information security system, such directors will be in breach of the SYSC. In the health sector, the UK NHS Code of Practice in relation to information security management explicitly provides that ‘responsibility for information security resides, ultimately, with an organization’s Chief Executive, senior partners or equivalent responsible officers’. Therefore, at least in these cases, there is a legal obligation or standard that expects organizations to treat information security management as a corporate governance issue.

However, in most sectors, the legal requirement to provide information security is often vaguely stated. Organizations are only required ‘to implement reasonable or appropriate security measures’. As a result, non-legally binding best practice has emerged to provide a benchmark for what constitutes ‘reasonable’ security measures. Although such best practice is non-legally binding by nature, it is believed that it nonetheless supplements the law and sets a certain level of standard in the eyes of regulators.

Rather than implementing boilerplate measures, organizations are required by best practice to implement adequate security measures in light of their business needs and specific risks in order to ensure information security. For example, in the financial sector, the US Federal Trade Commission’s Safeguards Rule, which implements the Gramm-Leach-Bliley Act (“GLBA”), requires organizations to ‘assess and address the risks to customer information in all areas of their operation’. In the health sector, pursuant to the requirements of the US HIPAA Security Rule, relevant organizations must ‘perform a security risk analysis that identifies and analyses risks to ePHI’ before implementing security measures (The Office of the National Coordinator for Health Information Technology;2015). In essence, these best practices require organizations to conduct a comprehensive risk analysis (i.e. an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of the information assets held) and then implement corresponding risk management (i.e. security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level in order to comply with the various legal obligations).

Accordingly, best practices imply the following features in information security management:

  1. It is an issue that requires a considerable amount of attention and care. Organizations must analyse their specific needs, the specific risks they might face, and the safeguards that best suit them;
  2. The safeguards are not limited to physical and technical security measures; they also include administrative security measures;
  3. Related to the second feature, it therefore encompasses a wide range of issues, such as management procedures, operational procedures, accountability procedures, personnel training, and policies;
  4. It is not a one-off process but an ongoing and repetitive one, which requires organizations to reassess their security measures from time to time;
  5. In requiring organizations to accept a certain level of risk, it suggests that risk management is ultimately a business judgement.


Consequences of Data Breach

Recent legislative developments and case law also suggest that regulators are ramping up enforcement in the event of a data breach. For example, non-compliance with the GDPR may lead to a sanction of up to 4% of the organization’s total global annual turnover or 20 million EURO, whichever is greater. In the US, inadequate security measures are deemed an unfair trade practice by the FTC, which will pursue equitable relief, including consumer redress, for violations. In the ChoicePoint case, the organization ultimately agreed to pay $10 million in civil penalties and $5 million in consumer redress (CRS Report;2014). In the UK, it has been established by Vidal-Hall v Google that claims for damages under the Data Protection Act 1998 are permissible even where the only type of damage claimed for is distress. Arguably, this is not a difficult hurdle for potential claimants.

In addition to sanctions and litigation, senior managers should not forget the other adverse consequences that a data breach might bring to the organization. These include reputational damage, customers’ loss of confidence in its services, a fall in stock price, and exposure of vulnerabilities that may be further exploited by individuals with ill intent.


Conclusion – A Corporate Governance Issue?

This article examined various legal frameworks and best practices in different sectors in the UK and US. While in many sectors it remains true that the legal requirements on information security are often vaguely stated, best practices have emerged to fill the gaps and may have set a certain level of standard expected by regulators. The article also considered the potential consequences of data breaches for organizations, including litigation, sanctions and other adverse costs.

To adequately address and manage all of the above, it appears essential to have relevant in-depth knowledge of the business environment and the organization, as well as a certain level of management power within the organization. Therefore, it is suggested that information security management is no longer purely a ‘technology issue’. Instead, it more closely resembles a corporate governance issue, whereby senior managers now have duties and incentives to treat information security as one of the core values of the organization and should lead all colleagues to adhere to the legal rules and best practice.


The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the AIFC Academy of Law, or AIFC body or entity, or any other agency, organization, employer or company. Assumptions made in the analysis are not reflective of the position of any entity other than the authors and these views are always subject to change, revision, and rethinking at any time.