May 01 2006

Avoiding Legal Landmines

It takes more than firewalls and strong encryption to safeguard your data, if you want to keep legal and PR nightmares at bay.


Photo: David Orndorf

Thomas J. Smedinghoff, Attorney at Wildman Harrold, Chicago

Have you adequately protected your company’s data? And is your security sufficient to satisfy your legal obligations?


In this age of electronic records, information security is rapidly emerging as one of the most critical legal and public relations issues facing companies today. The potential liability that could result from a security breach, not to mention the public relations disaster that often follows, can do serious damage to any company. As last year’s well-publicized security breaches show, inadequate protection for corporate data is a time bomb waiting to explode.

Most businesses now have two key legal obligations: (1) a duty to implement information security measures to protect their own data, and (2) a duty to disclose security breaches that involve sensitive personal information.

Legal obligations to implement security measures are set forth in an expanding patchwork of federal and state laws, regulations and enforcement actions, plus common law fiduciary duties and other requirements to provide “reasonable” security. Obligations to disclose security breaches involving personal information are set forth in a growing list of state laws.

Stepped-up enforcement activity is also raising the stakes. The Federal Trade Commission and several state attorneys general have taken an aggressive position in pursuing suspected violators. The $15 million fine levied against ChoicePoint Inc. in January — after the financial records of more than 163,000 consumers in its database had been compromised — is a case in point.

Implementing a legally adequate security program is not an easy task, however. The law does not specify, for example, whether or not companies must encrypt their data, install firewalls or use minimum eight-character passwords for access control.

Instead, the law requires companies to engage in an ongoing and repetitive process to address security. That process begins with a risk assessment to identify the threats the company faces, assess its vulnerabilities, determine the likelihood that the threats will materialize and quantify the significance of the resulting damage. Based on that assessment, the company must then identify and implement responsive security measures, verify that they are working properly and ensure that they are continually updated to address new developments, such as changes in threats, technology and the company’s business.

The key is to be responsive to the threats facing your company. It is not enough to deploy impressive-sounding security controls. Firewalls, intrusion detection and data encryption are often effective ways to protect sensitive data from outside attack. But if a company’s major vulnerability is careless (or malicious) employees who inadvertently (or intentionally) disclose passwords or protected information, then even those sophisticated technical security measures won’t adequately address the problem.

When security measures are properly responsive to a risk assessment, they can help protect a company from legal liability in the event of a breach. A recent case involving the theft of a computer containing unencrypted personal data from an employee’s home illustrates this. The plaintiff sued the company, claiming that the failure to encrypt the data was a breach of its obligation to provide reasonable security. But a federal court rejected the argument, noting that the company had followed the proper “process” as required by applicable law.

Additional legal liability isn’t the only danger posed by a data secuity breach, however. The public disclosure required by the new state laws can also damage a company’s reputation. Just ask ChoicePoint.

Thomas J. Smedinghoff is an attorney with Wildman Harrold in Chicago.