Tactical Advice

Avoiding Legal Landmines

It takes more than firewalls and strong encryption to safeguard your data, if you want to keep legal and PR nightmares at bay.
This story appears in the June 2006 issue of BizTech Magazine.


Photo: David Orndorf

Thomas J. Smedinghoff, Attorney at Wildman Harrold, Chicago

Have you adequately protected your company’s data? And is your security sufficient to satisfy your legal obligations?


In this age of electronic records, information security is rapidly emerging as one of the most critical legal and public relations issues facing companies today. The potential liability that could result from a security breach, not to mention the public relations disaster that often follows, can do serious damage to any company. As last year’s well-publicized security breaches show, inadequate protection for corporate data is a time bomb waiting to explode.

Most businesses now have two key legal obligations: (1) a duty to implement information security measures to protect their own data, and (2) a duty to disclose security breaches that involve sensitive personal information.

Legal obligations to implement security measures are set forth in an expanding patchwork of federal and state laws, regulations and enforcement actions, plus common law fiduciary duties and other requirements to provide “reasonable” security. Obligations to disclose security breaches involving personal information are set forth in a growing list of state laws.

Stepped-up enforcement activity is also raising the stakes. The Federal Trade Commission and several state attorneys general have taken an aggressive position in pursuing suspected violators. The $15 million fine levied against ChoicePoint Inc. in January — after the financial records of more than 163,000 consumers in its database had been compromised — is a case in point.

Implementing a legally adequate security program is not an easy task, however. The law does not specify, for example, whether or not companies must encrypt their data, install firewalls or use minimum eight-character passwords for access control.

Instead, the law requires companies to engage in an ongoing and repetitive process to address security. That process begins with a risk assessment to identify the threats the company faces, assess its vulnerabilities, determine the likelihood that the threats will materialize and quantify the significance of the resulting damage. Based on that assessment, the company must then identify and implement responsive security measures, verify that they are working properly and ensure that they are continually updated to address new developments, such as changes in threats, technology and the company’s business.

The key is to be responsive to the threats facing your company. It is not enough to deploy impressive-sounding security controls. Firewalls, intrusion detection and data encryption are often effective ways to protect sensitive data from outside attack. But if a company’s major vulnerability is careless (or malicious) employees who inadvertently (or intentionally) disclose passwords or protected information, then even those sophisticated technical security measures won’t adequately address the problem.

When security measures are properly responsive to a risk assessment, they can help protect a company from legal liability in the event of a breach. A recent case involving the theft of a computer containing unencrypted personal data from an employee’s home illustrates this. The plaintiff sued the company, claiming that the failure to encrypt the data was a breach of its obligation to provide reasonable security. But a federal court rejected the argument, noting that the company had followed the proper “process” as required by applicable law.

Additional legal liability isn’t the only danger posed by a data security breach, however. The public disclosure required by the new state laws can also damage a company’s reputation. Just ask ChoicePoint.

Thomas J. Smedinghoff is an attorney with Wildman Harrold in Chicago.