Law Policy and Case Study
Technological advancements have enabled many companies to create, communicate and store sensitive corporate information in electronic format. However, this ability has its drawbacks as well: it enhances the potential for unauthorized access, alteration, disclosure, loss and destruction of the information (Kenneally, 2000). As a result, concerns touching on corporate governance, accountability for fiscal data, individual privacy, integrity and authenticity of transaction data, as well as the security of the organization’s information, have led to the enactment of laws and regulations designed to ensure that organizations sufficiently address the security of their own data (Kiefer & Randy, 2002). Such laws impose obligations on all organisations to implement information security measures to protect their data, and to disclose breaches of security when they occur.
There is a lacuna in the law, in that no single law, statute or regulation governs an organization’s obligations to provide security for its information. Hence, both government and organizational policies are formulated to establish legal obligations for organizations to implement security measures for their data (Kiefer & Randy, 2002). With respect to government policies, a patchwork of state, federal and international laws and regulations is being employed to require every organization to provide sufficient or reasonable security for its corporate data.
From the foregoing, organizations formulate their own policies to implement security measures for their information. This is because there is no “one size fits all” approach to security measures for organizations. Organizations differ in context, size, purpose and capability; therefore, the security measures for their data differ as well (Kiefer & Randy, 2002). Government policies are formulated on a platform of protecting organizations and their stakeholders, shareholders and investors. Inasmuch as organizational policies are cast from the same stone, their focus is more towards ensuring customer satisfaction, employee motivation and future prospects. In a similar vein, government policies are industry-specific; they are concerned with the well-being of an entire industry (Kenneally, 2000). Organizational policies, however, are data-specific; they are concerned with personal information or fiscal data. Nonetheless, the foundation for securing information systems in organizations is ensuring growth and sustainability.
With regard to statutes and regulations, many of them impose obligations to ensure information security. They are packaged as privacy laws and regulations that require organizations to implement information security measures, which is meant to guarantee personal data privacy. E-transaction laws are designed to ensure that organizations comply with information security measures. This necessity has spread to corporate governance legislation and regulations meant to protect investors, stakeholders and shareholders. Similarly, unfair business practice laws are being amended to incorporate information security clauses (Raul et al., 2001). The same applies to sector-specific regulations that impose security obligations regarding specific data.
Organisational policies are normally self-imposed; this is achieved through statements in privacy policies and advertising materials. Many companies make representations with respect to the level of security they provide for personal data. Such statements are normally directed to their clientele. The effect of such statements is that the organisations impose on themselves an obligation to meet or comply with the standard they have represented to the world (Raul et al., 2001). However, if they fall short of meeting those standards, or if such statements turn out to be false, misleading the public in this way can lead to deceptive trade practices lawsuits.
The legal environment for information systems is ultimately concerned with securing electronic corporate data. However, doing so requires addressing the means through which such data is created, stored and communicated (Kenneally, 2000). As a result, statutes, regulations and policies (both government and organizational) focus on the protection of information systems: computer systems, software and networks, as well as data that are recorded on, processed by, stored in, communicated via, transmitted to, or received from information systems (Kiefer & Randy, 2002). Corporate information entails fiscal information, personal information, tax-related records, transaction information, trade secrets, employee information and other confidential information. In addition, such information takes the form of databases, text documents, e-mails, spreadsheets, voicemail messages, video, pictures, and so on.
Protection of personal data is a fundamental component in any organization. Therefore, it is necessary to formulate policies that sustain this attribute. It is no wonder that many organizational and government policies have incorporated security as a central component. This is exhibited in the European Union Data Protection Directive, which has made it a legal duty to provide security for the protection of personal information (Directive 95/46/EC). The directive makes the protection of data subjects’ rights with regard to the processing of personal data dependent on the implementation of appropriate security measures.
Additionally, the directive required all EU member states to enact legislation obligating the controllers of personal data to implement appropriate technical and organizational measures to protect personal data from accidental or unlawful destruction, alteration, unauthorised access or disclosure (Raul et al., 2001). Following suit, the privacy laws of many countries, including Japan, Canada, Argentina, Hong Kong and Australia, have imposed general duties on all organisations within their boundaries to ensure the protection of information systems as well as personal information.
In summary, the duty of organizations to provide security may emanate from a myriad of sources and from different jurisdictions, each perhaps regulating a different facet of corporate information, but the net result is a general obligation to provide security for all information systems and corporate data. Information security is no longer merely a facet of good business practice; it is rapidly becoming a legal obligation.
References
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Kenneally, E. (2000). The Byte Stops Here: Duty and Liability for Negligent Internet Security. Computer Security Journal, Vol. XVI.
Kiefer, K., & Randy, V. S. (2002). Openness of Internet Creates Potential for Corporate Information Security Liability. BNA Privacy & Security Law Report, Vol. 1, No. 25, at 788.
Raul, A. C., Frank, R. V., & Gabriel, S. M. (2001). Liability for Computer Glitches and Online Security Lapses. BNA Electronic Commerce Law Report, Vol. 6, No. 31, at 849.