The State of Information Security Law: A Focus on the Key Legal Trends
2008; Taylor & Francis; Volume: 37; Issue: 1-2; Language: English
DOI: 10.1080/07366980701838449
ISSN 1936-1009
Topic(s): Information and Cyber Security
Notes

1. "As a result of increasing interconnectivity, information systems and networks are now exposed to a growing number and a wider variety of threats and vulnerabilities. This raises new issues for security." OECD Guidelines for the Security of Information Systems and Networks, July 25, 2002, at p. 7, available at www.oecd.org/dataoecd/16/22/15582260.pdf.
2. Although not the subject of this article, it is important to note that countries are also enacting cybercrime legislation to make clear that certain online activities are illegal and to assist law enforcement in efforts to prosecute cyber criminals. To that end, the Privacy and Computer Crime Committee of the American Bar Association Section of Science & Technology Law has recently undertaken a project to develop a Model Cybercrime Law for the UN International Telecommunication Union's (ITU) Cybersecurity Work Programme to Assist Developing Countries. See also the International Guide to Combating Cybercrime published by this Committee, available at http://www.abanet.org/dch/committee.cfm?com=ST202003.
3. See the Appendix for a compilation of some of the key laws and regulations governing information security.
4. See, e.g., EU Data Protection Directive and HIPAA, cited in the Appendix.
5. See, e.g., E-SIGN, UETA, and UN Convention cited in the Appendix.
6. See, e.g., Kimberly Kiefer and Randy V. Sabett, Openness of Internet Creates Potential for Corporate Information Security Liability, BNA Privacy & Security Law Report, Vol. 1, No. 25 at 788 (June 24, 2002); Alan Charles Raul, Frank R. Volpe, and Gabriel S. Meyer, Liability for Computer Glitches and Online Security Lapses, BNA Electronic Commerce Law Report, Vol. 6, No. 31 at 849 (August 8, 2001); Erin Kenneally, The Byte Stops Here: Duty and Liability for Negligent Internet Security, Computer Security Journal, Vol. XVI, No. 2, 2000.
7. See, e.g., Wolfe v. MBNA America Bank, 485 F.Supp.2d 874, 882 (W.D. Tenn. 2007); Guin v. Brazos Higher Education Service, Civ. No. 05-668, 2006 U.S. Dist. Lexis 4846 (D. Minn. February 7, 2006); and Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005) (all affirming a negligence cause of action). See also, In Re TJX Companies Retail Security Breach Litigation, 2007 U.S. Dist. Lexis 77236 (D. Mass. October 12, 2007) (rejecting a negligence claim due to the economic loss doctrine, but allowing a negligent misrepresentation claim to proceed).
8. See, e.g., American Express v. Vinhnee, 2005 Bankr. Lexis 2602 (9th Cir. Bk. App. Panel, 2005); Lorraine v. Markel, 2007 U.S. Dist. Lexis 33020 (D. MD. May 4, 2007).
9. Available at www.pcisecuritystandards.org.
10. Available at www.cabforum.org.
11. ISO/IEC 27001, Information Technology—Security Techniques—Information Security Management Systems—Requirements (October 2005) (hereinafter "ISO/IEC 27001"), available for purchase at http://www.standards-online.net/InformationSecurityStandard.htm.
12. Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter "EU Data Protection Directive").
13. See statutes listed in the Appendix.
14. See statutes listed in the Appendix.
15. Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 42 U.S.C. 1320d-2 and 1320d-4 (providing that "each person … who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards: (A) to ensure the integrity and confidentiality of the information; (B) to protect against any reasonably anticipated: (i) threats or hazards to the security or integrity of the information; and (ii) unauthorized uses or disclosures of the information; and (C) otherwise to ensure compliance with this part by the officers and employees of such person," at 42 U.S.C. 1320d-2(d)(2)).
16. Gramm-Leach-Bliley Financial Services Modernization Act ("GLB"), Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999), at §§ 501 and 505(b), 15 U.S.C. §§ 6801, 6805, providing that "[E]ach financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information."
17. See, Gramm-Leach-Bliley Act ("GLB"), Public Law 106-102, §§ 501 and 505(b), 15 U.S.C. §§ 6801, 6805, and implementing regulations at 12 C.F.R. Part 30, Appendix B (OCC), 12 C.F.R. Part 208, Appendix D (Federal Reserve System), 12 C.F.R. Part 364, Appendix B (FDIC), 12 C.F.R. Part 568 (Office of Thrift Supervision) and 16 C.F.R. Part 314 (FTC).
18. Final HIPAA Security Regulations, 45 C.F.R. Part 164.
19. There have also been efforts in the United States to pursue comprehensive federal privacy legislation similar to the approach taken by many other countries. See, e.g., Microsoft position paper at www.microsoft.com/presspass/download/features/2005/PrivacyLegislationCallWP.doc. Although it remains to be seen whether that approach will ultimately be adopted, it is clear that the combination of U.S. state and federal law has, in effect, imposed a comprehensive obligation of security with respect to all personal information held by all companies.
20. See, e.g., FTC enforcement actions regarding In the Matter of Sunbelt Lending Services, Inc.; In the Matter of Petco Animal Supplies, Inc.; In the Matter of MTS, Inc., d/b/a Tower Records/Books/Video; In the Matter of Guess?, Inc.; FTC v. Microsoft; and In the Matter of Eli Lilly and Company cited in the Appendix.
21. See, e.g., FTC enforcement actions regarding In the Matter of CardSystems Solutions, Inc.; United States v. ChoicePoint, Inc.; In the Matter of DSW Inc.; and In the Matter of BJ's Wholesale Club, Inc. cited in the Appendix.
22. See list in the Appendix.
23. See, e.g., Guin v. Brazos Higher Education Service, Civ. No. 05-668, 2006 U.S. Dist. Lexis 4846 (D. Minn. February 7, 2006) and Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005).
24. 2005 Mich. App. Lexis 353 at *16 (Mich. App. 2005).
25. 2006 U.S. Dist. Lexis 4846 at *9 (D. Minn. 2006).
26. Wolfe v. MBNA America Bank, 485 F.Supp.2d 874, 882 (W.D. Tenn. 2007).
27. In Re TJX Companies Retail Security Breach Litigation, 2007 U.S. Dist. Lexis 77236 (D. Mass. October 12, 2007), at pp. 28–29.
28. Ibid.
29. The Homeland Security Act of 2002 defines the term "information system" to mean "any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information, and includes—(A) computers and computer networks; (B) ancillary equipment; (C) software, firmware, and related procedures; (D) services, including support services; and (E) related resources." Homeland Security Act of 2002, Pub. L. 107-296, at Section 1001(b), amending 44 U.S.C. § 3532(b)(4).
30. See, e.g., Australia, Information Privacy Principles under the Privacy Act 1988, Principle No. 4, available at www.privacy.gov.au/publications/ipps.html; AICPA and the Canadian Institute of Chartered Accountants (CICA), Generally Accepted Privacy Principles, Principle No. 8, available at http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles; APEC, Privacy Principles, Principle No. 7, available at http://austlii.edu.au/~graham/APEC/APECv10.doc; US-EU Safe Harbor Privacy Principles, available at www.export.gov/safeharbor/SHPRINCIPLESFINAL.htm; Direct Marketing Association, Online Marketing Guidelines, available at www.the-dma.org/guidelines/onlineguidelines.shtml.
31. Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter "EU Data Protection Directive").
32. EU Data Protection Directive, Preamble at Para. 46.
33. EU Data Protection Directive, Article 17(1).
34. See statutes listed in the Appendix.
35. See statutes listed in the Appendix.
36. See generally, Bruce H. Nearon, Jon Stanley, Steven W. Teppler, and Joseph Burton, Life after Sarbanes-Oxley: The Merger of Information Security and Accountability, Jurimetrics Journal, Vol. 45, 379–412 (2005).
37. American Express v. Vinhnee, 336 B.R. 437; 2005 Bankr. Lexis 2602 (9th Cir. December 16, 2006).
38. Ibid., at p. 444.
39. Ibid., at p. 445.
40. Ibid., at pp. 446–447.
41. Ibid., at p. 449.
42. See, e.g., National Association of Corporate Directors, Information Security Oversight (2007).
43. Sarbanes-Oxley Act, Section 302.
44. See, e.g., GLB Security Regulations (Federal Reserve) 12 C.F.R. 208, Appendix D-2.III(A).
45. HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(2).
46. See, FTC Decisions and Consent Decrees listed in the Appendix, including Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of Discontinuance, Para. 27(a), p. 7; Eli Lilly Decision at II.A.
47. FISMA, 44 U.S.C. 3544(a).
48. E. Michael Power and Roland L. Trope, Sailing in Dangerous Waters: A Director's Guide to Data Governance, American Bar Association (2005), p. 13; Roland L. Trope, "Directors' Digital Fiduciary Duties," IEEE Security & Privacy, January/February 2005 at p. 78.
49. Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).
50. Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005), at pp. 11–13 (noting that harm was foreseeable, but the Board took no action).
51. Securing Cyberspace: Business Roundtable's Framework for the Future, Business Roundtable, May 19, 2004 at pp. 1, 2; available at www.businessroundtable.org/pdf//20040518000CyberSecurityPrinciples.pdf. The Business Roundtable is an association of chief executive officers of leading U.S. corporations with a combined workforce of more than 10 million employees in the United States. See www.businessroundtable.org.
52. Information Security Governance: A Call to Action, Corporate Governance Task Force Report, National Cyber Security Partnership, April 2004, pp. 12–13, available at www.cyberpartnership.org/InfoSecGov4_04.pdf. The National Cyber Security Partnership (NCSP) is led by the Business Software Alliance (BSA), the Information Technology Association of America (ITAA), TechNet, and the U.S. Chamber of Commerce in voluntary partnership with academicians, CEOs, federal government agencies, and industry experts. Following the release of the 2003 White House National Strategy to Secure Cyberspace and the National Cyber Security Summit, this public–private partnership was established to develop shared strategies and programs to better secure and enhance America's critical information infrastructure. Further information is available at www.cyberpartnership.org.
53. GLB Security Regulations (OCC), 12 C.F.R. Part 30, Appendix B, Part III.A and Part III.F.
54. See, e.g., Homeland Security Act of 2002 (Federal Information Security Management Act of 2002) 44 U.S.C. Section 3542(b)(1); GLB Security Regulations (OCC), 12 C.F.R. Part 30 Appendix B, Part II.B; HIPAA Security Regulations, 45 C.F.R. Section 164.306(a)(1); Microsoft Consent Decree at II, p. 4.
55. See, e.g., 44 USC 3532(b)(1), emphasis added. See also FISMA, 44 U.S.C. Section 3542(b)(1). Most of the foreign privacy laws also focus their security requirements from this perspective. This includes, for example, the EU Privacy Directive, Finland's Privacy Law, Italy's Privacy Law, and the UK Privacy Law. Also in this category is the Canadian Privacy Law.
56. Although they often focus on categories of security measures to address. See, e.g., HIPAA Security Regulations, 45 C.F.R. Part 164.
57. See, e.g., FDA regulations at 21 C.F.R. Part 11 (procedures and controls); SEC regulations at 17 C.F.R. 257.1(e)(3) (procedures); SEC regulations at 17 C.F.R. 240.17a-4 (controls); GLB regulations (FTC) 16 C.F.R. Part 314 (safeguards); Canada, Personal Information Protection and Electronic Documents Act, Schedule I, Section 4.7 (safeguards); EU Data Privacy Directive, Article 17(1) (measures), available at http://europa.eu.int/comm/internal_market/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf.
58. See, e.g., HIPAA 42 U.S.C. 1302d-2, and HIPAA Security regulations, 45 CFR 164.306; COPPA, 15 U.S.C. 6502(b)(1)(D), and COPPA regulations 16 C.F.R. 312.8; IRS Rev. Proc. 97-22, sec. 4.01(2); SEC regulations 17 C.F.R. 257. See also UCC Article 4A, Section 202 ("commercially reasonable" security procedure), and Microsoft Consent Decree.
59. "Appropriate" security required by: HIPAA 42 U.S.C. 1302d-2, and HIPAA Security regulations, 45 CFR 164.306; EU Data Protection Directive, Article 17(1).
60. EU Data Protection Directive, Article 17(1) (emphasis added).
61. See, e.g., Belgium—Belgian Law of 8 December 1992 on Privacy Protection in relation to the Processing of Personal Data, as modified by the law of 11 December 1998 Implementing Directive 95/46/EC, and the law of 26 February 2003, Chapter IV, Article 16(4); Denmark—Act on Processing of Personal Data; Act No. 429 of 31 May 2000 (unofficial English translation), Title IV, Part 11, Section 41(3); Estonia—Personal Data Protection Act; Passed February 12, 2003 (RT1 I 2003, 26, 158), entered into force October 1, 2003, Chapter 3, Sections 19(2); Greece—Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data (as amended by Laws 2819/2000 and 2915/2001); Article 10(3); Ireland—Data Protection (Amendment) Act 2003; Section 2.-(1)(d) and First Schedule Article 7; Lithuania—Law on Legal Protection of Personal Data, January 21, 2003, No. IX-1296, Official translation, with amendments April 13, 2004, Article 24(1); Netherlands—25 892—Rules for the protection of personal data (Personal Data Protection Act) (Unofficial translation); Article 13; Portugal—Act on the Protection of Personal Data (transposing into the Portuguese legal system Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data), Article 14(1); Slovakia—Act No 428 of July 3, 2002 on personal data protection; Section 15(1); Sweden—Personal Data Act (1998:204); issued April 29, 1998, Section 31; and UK—Data Protection Act 1998, Schedule 1, Part I, Seventh Principle.
62. See, e.g., Finland—The Finnish Personal Data Act (523/1999), given on 22.4.1999, Section 32(1); Germany—Federal Data Protection Act as of January 1, 2003, Section 9; Hungary—Act LXIII of 1992 on the Protection of Personal Data and Public Access to Data of Public Interest, Article 10(1); Italy—Personal Data Protection Code, Legislative Decree No. 196 of 30 June 2003, Sections 31 and 33; Spain—Organic Law 15/1999 of December 13 on the Protection of Personal Data, Article 9.
63. 5 USC Sec. 552a.
64. 5 U.S.C. § 552a(d)(10) (emphasis added).
65. 42 U.S.C. 1320d-2(d)(2).
66. See, Gramm-Leach-Bliley Act ("GLB"), Public Law 106-102, §§ 501 and 505(b), 15 U.S.C. §§ 6801, 6805, and implementing regulations at 12 C.F.R. Part 30, Appendix B (OCC), 12 C.F.R. Part 208, Appendix D (Federal Reserve System), 12 C.F.R. Part 364, Appendix B (FDIC), 12 C.F.R. Part 568 (Office of Thrift Supervision) and 16 C.F.R. Part 314 (FTC) (emphasis added).
67. Cal. Civil Code § 1798.81.5(b).
68. See UN Convention at Article 9(3), 9(4), and 9(5).
69. ISO/IEC 27001, Information Technology—Security Techniques—Information Security Management Systems—Requirements (October 2005). See text at footnotes 157–169, infra.
70. 66 Fed. Reg. 8616, February 1, 2001; 12 C.F.R. Part 30, Appendix B (OCC), 12 C.F.R. Part 208, Appendix D (Federal Reserve System), 12 C.F.R. Part 364, Appendix B (FDIC), 12 C.F.R. Part 568 (Office of Thrift Supervision).
71. 67 Fed. Reg. 36484, May 23, 2002; 16 C.F.R. Part 314.
72. 44 U.S.C. Section 3544(b).
73. 45 C.F.R. Part 164.
74. See Prepared Statement of the Federal Trade Commission on Identity Theft: Innovative Solutions For An Evolving Problem, Presented by Lydia Parnes, Director, Bureau of Consumer Protection, Before the Subcommittee On Terrorism, Technology and Homeland Security of the Senate Committee on the Judiciary, United States Senate, March 21, 2007 at p. 7 (noting that "the FTC Safeguards Rule promulgated under the GLB Act serves as a good model" for satisfying the obligation to maintain reasonable and appropriate security); available at www.ftc.gov/os/testimony/P065409identitytheftsenate03212007.pdf. See also, Prepared Statement of the Federal Trade Commission before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform, U.S. House of Representatives on "Protecting Our Nation's Cyberspace," April 21, 2004, at p. 5 (noting that "security is an ongoing process of using reasonable and appropriate measures in light of the circumstances"), available at www.ftc.gov/os/2004/04/042104cybersecuritytestimony.pdf.
75. See, e.g., FTC Decisions and Consent Decrees listed in the Appendix.
76. See, e.g., National Association of Insurance Commissioners "Standards for Safeguarding Customer Information Model Regulation" IV-673-1, available at www.naic.org (adopted in at least 9 states so far).
77. See, e.g., State Attorneys General Consent Decrees listed in the Appendix.
78. See, e.g., Guin v. Brazos Higher Education Service, Civ. No. 05-668, 2006 U.S. Dist. Lexis 4846 (D. Minn. February 7, 2006) and Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005).
79. Guin v. Brazos Higher Education Service, Civ. No. 05-668, 2006 U.S. Dist. Lexis 4846 (D. Minn. February 7, 2006).
80. Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005).
81. New Jersey Advisory Committee on Professional Ethics, Opinion 701 (2006), available at http://www.judiciary.state.nj.us/notices/ethics/ACPE_Opinion701_ElectronicStorage_12022005.pdf.
82. See, e.g., Italy—Personal Data Protection Code, Legislative Decree No. 196 of 30 June 2003, Annex B, § 19.3; Slovakia Act No 428 of 3 July 2002 on personal data protection, § 16(5).
83. From the Appendix, see Italy Act, Annex B, Section 19.3; Slovak Republic Act, Section 16(5).
84. From the Appendix, see Argentina Act, Article 9(1); Estonia Act, Section 19(1); Belgium Act, Art. 16(4); Denmark Act, Section 41(3); Estonia Act, Section 19(1) ("IT"); Finland Act, Section 32(1); German Act, Section 9; Greece Act, Article 10(3); Hungary Act, Article 10(1); Lithuania Act, Article 24(1); Netherlands Act, Article 13; Portugal Act, Article 14(1); Slovak Republic Act, Section 15(1); Spain Act, Article 9; Sweden Act, Section 31; UK Act, Schedule 1, Part I, Seventh Principle; Swiss Act, Article 7.
85. From the Appendix, see Australia Act, Schedule 2, Section 3.1(b); Belgium Act, Art 16(2)(3); Canada Act, Schedule 1, 4.7 Principle 7, Clause 4.7.4; Estonia Act, Section 20(3); Ireland Act, Section 2C(2); Italy Act, Annex B, Sections 4 and 19.6; Slovak Republic Act, Sections 17 and 19(3).
86. From the Appendix, see German Act, Section 9a (audit); Poland Ordinance, Attachment A (Basic Security Measures) § VII (monitor); Slovak Republic Act, Section 16(6)(d); Spain Royal Decree 994/1999—Medium (audit).
87. From the Appendix, see Spain Royal Decree 994/1999—Basic.
88. From the Appendix, see Australia Act, Section 14, Principle 4; Austria Act, Article 15(2); Belgium Act, Article 16; Denmark Act, Sections 41 and 42; Estonia Act, Section 20; Finland Act, Section 32(2); Ireland Act, Section 2C-(3); Italy Act, Annex B, Sections 4 and 19.6; Slovak Republic Act, Sections 17 and 19(3).
89. Bruce Schneier, Secrets & Lies: Digital Security in a Networked World (John Wiley & Sons, 2000) at p. XII.
90. See, e.g., HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(1)(ii)(A).
91. See, e.g., Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of Discontinuance, Para. 25(b), p. 5; Eli Lilly Decision at II.B; GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part III.B(1).
92. See, e.g., Microsoft Consent Decree at II, p. 4; Eli Lilly Decision at II.B.
93. See, e.g., FISMA, 44 U.S.C. Sections 3544(a)(2)(A) and 3544(b)(1); GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part III.B(2).
94. See, e.g., Authentication In An Electronic Banking Environment, July 30, 2001, Federal Financial Institutions Examination Council, page 2; available at www.occ.treas.gov/ftp/advisory/2001-8a.pdf.
95. See, e.g., Microsoft Consent Decree at II, p. 4; GLB Security Regulations (OCC), 12 C.F.R. Part 30 Appendix B, Part II.A; Eli Lilly Decision at II.B; HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(1)(i); Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. Section 3544(b).
96. See, e.g., Microsoft Consent Decree at II, p. 4; GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.A; HIPAA Security Regulations, 45 C.F.R. Section 164.316(b)(1); Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. Section 3544(b).
97. See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.A; Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. Section 3544(b).
98. See, e.g., Microsoft Consent Decree at II, p. 4; GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.B.
99. See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.B(2); HIPAA Security Regulations, 45 C.F.R. Section 164.306(a)(2).
100. See, e.g., HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(1)(ii)(B).
101. See, e.g., United States v. Carroll Towing, 159 F.2d 169, 173 (2d Cir. 1947).
102. See, e.g., DCR Inc. v. Peak Alarm Co., 663 P.2d 433, 435 (Utah 1983); see also Glatt v. Feist, 156 N.W.2d 819, 829 (N.D. 1968) (the amount or degree of diligence necessary to constitute ordinary care varies with the facts and circumstances of each case).
103. See, e.g., HIPAA Security Regulations, 45 C.F.R. Section 164.306(b)(2); GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.A and Part II.C; FISMA, 44 U.S.C. Sections 3544(a)(2) and 3544(b)(2)(B); Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of Discontinuance.
104. HIPAA Security Regulations, 45 CFR Section 164.306(b)(1).
105. Richard D. Marks and Paul T. Smith, Analysis and Comments on HHS's Just-released HIPAA Security Rules, Bulletin of Law/Science & Technology, ABA Section of Science & Technology Law, No. 124, April 2003, at p. 2, available at http://www.abanet.org/scitech/DWTSecurityRules021703.pdf.
106. See, e.g., HIPAA regulations 45 C.F.R. Sections 164.308, 164.310, and 164.312; GLB Regulations, 12 C.F.R. 208, Appendix D-2.II(A) and 12 C.F.R. Part 30, Appendix B, Part II; Microsoft Consent Decree, at p. 4.
107. HIPAA Security Regulations, 45 C.F.R. Section 164.310(a)(2)(ii).
108. GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part III.C.
109. HIPAA Security Regulations, 45 C.F.R. Section 164.310(d).
110. HIPAA Security Regulations, 45 C.F.R. Sections 164.310(b) and (c).
111. GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part III.C; HIPAA Security Regulations, 45 C.F.R. Section 164.310(a).
112. HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(3).
113. HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(3)(ii); GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part III.C.
114. HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(4) and 164.312(a); Ziff Davis Assurance of Discontinuance, Para. 25, p. 6.
115. HIPAA Security Regulations, 45 C.F.R. Section 164.312(d).
116. HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(3)(ii)(C).
117. HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(5)(ii)(C).
118. GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part III.C; Ziff Davis Assurance of Discontinuance, Para. 24(d), p. 5 and Para. 25, p. 6.
119. HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(5)(ii)(B).
120. GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part III.C.
121. GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part III.C.
122. GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part III.C; Ziff Davis Assurance of Discontinuance, Para. 25, p. 6.
123. GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part III.C; Ziff Davis Assurance of Discontinuance, Para. 25, p. 6; HIPAA Security Regulations, 45 C.F.R. Sections 164.312(c) and (e).
124. Ziff Davis Assurance of Discontinuance, Para. 25, p. 6.
125. Ziff Davis Assurance of Discontinuance, Para. 25, p. 6.
126. HIPAA Security Regulations, 45 C.F.R. Section 164.310(d)(2)(i).
127. HIPAA Security Regulations, 45 C.F.R. Section 164.310(d)(2)(ii).
128. HIPAA Security Regulations, 45 C.F.R. Section 164.310(a)(2)(iv).
129. HIPAA Security Regulations, 45 C.F.R. Section 164.312(b).
130. HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(7).
131. Ziff Davis Assurance of Discontinuance, Paras. 24(d) and 26, pp. 5, 6; HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(6)(i); GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part III.C.
132. See, e.g., FISMA, 44 U.S.C. Section 3544(b)(4); HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(5)(i); Ziff Davis Assurance of Discontinuance, Para. 24(d), p. 5.
133. Ziff Davis Assurance of Discontinuance, Para. 27(c), p. 7.
134. HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(1)(ii)(C).
135. Microsoft Consent Decree at II, p. 4.
136. FISMA, 44 U.S.C. Section 3544(b)(5); Eli Lilly Decision at II.C; GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part III(c)(3).
137. Ziff Davis Assurance of Discontinuance, Para. 27(e) and (f), p. 7; Eli Lilly Decision at II.C.
138. HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(1)(ii)(D).
139. Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of Discontinuance, Para. 27(e) and (f), p. 7; Eli Lilly Decision at II.D; GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part III.E; HIPAA Security Regulations, 45 C.F.R. Section 164.306(e) and 164.308(a)(8).
140. GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.E; HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(8); Microsoft Consent Decree at II, p. 4; Eli Lilly Decision at II.D.
141. Microsoft Consent Decree at III, p. 5.
142. Ziff Davis Assurance of Discontinuance, Para. 27(h), p. 7.
143. See, e.g., Office of the Comptroller of the Currency, Administrator of National Banks, OCC Bulletin 2001-47 on Third Party Relationships, November 21, 2001 (available at www.OCC.treas.gov/ftp/bulletin/2001-47.doc).
144. See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.D(1).
145. See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.D(2); HIPAA Security Regulations, 45 C.F.R. Section 164.308(b)(1) and 164.314(a)(2).
146. GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.D(3).
147. Wolfe v. MBNA America Bank, 485 F.Supp.2d 874, 882 (W.D. Tenn. 2007).
148. See Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005).
149. See Guin v. Brazos Higher Education Service, Civ. No. 05-668, 2006 U.S. Dist. Lexis 4846 at *13 (D. Minn. February 7, 2006) (finding that where a proper risk assessment was done, the inability to foresee and deter a specific burglary of a laptop was not a breach of a duty of reasonable care).
150. The Federal Financial Institutions Examination Council (FFIEC) is a group of U.S. federal regulatory agencies that includes the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.
151. "Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment," August 8, 2006 at p. 5, available at http://www.ncua.gov/letters/2006/CU/06-CU-13_encl.pdf.
152. "Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment," August 8, 2006 at p. 5, available at www.ffiec.gov/pdf/authentication_faq.pdf.
153. Small Entity Compliance Guide for the Interagency Guidelines Establishing Information Security Standards, December 14, 2005, available at www.federalreserve.gov/boarddocs/press/bcreg/2005/20051214/default.htm.
154. FFIEC IT Examination Handbook, Information Security Booklet, July 2006, available at www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf.
155. See National Institute of Standards and Technology, "Risk Management Guide for Information Technology Systems," NIST Special Publication No. 800-30; available at
156. ISO/IEC 27001, Information Technology—Security Techniques—Information Security Management Systems—Requirements (October 2005) (hereinafter "ISO/IEC 27001").
157. ISO/IEC 27001 § 0.1.
158. ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards, and is comprised of a network of the national standards institutes of 155 countries, with one member per country, and a Central Secretariat in Geneva, Switzerland, that coordinates the system. The American National Standards Institute (ANSI) represents the United States. See www.iso.org/iso/home.htm.
159. The IEC (International Electrotechnical Commission), also based in Geneva, Switzerland, coordinates, designs, and publishes international standards in fields related to electronics, including telecommunications. The electrotechnical standards organizations of each participating country make up its membership, with ANSI representing the United States. See www.iec.ch.
160. ISO/IEC 27001, § 0.2 (emphasis added).
161. ISO/IEC 27001, § 4.2.1.
162. ISO/IEC 27001, § 4.2.1.
163. ISO/IEC 27001, § 4.2.1.
164. ISO/IEC 27001, § 4.2.2.
165. ISO/IEC 27001, §§ 4.2.3 and 6.
166. ISO/IEC 27001, §§ 4.2.4 and 8.
167. ISO/IEC 27001, § A.10.2.
168. ISO/IEC 27001 itself specifically states that "Compliance with an International Standard does not in itself confer immunity from legal obligations," p. 1.
169. EU Data Protection Directive, Article 8.
170. Article 29 Data Protection Working Party, Working Document on the processing of personal data relating to health in electronic health records (EHR), 00323/07/EN, WP 131, February 15, 2007, at pp. 19–20; available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp131_en.pdf (emphasis in original).
171. See list of state laws in GAO Report, Social Security Numbers: Federal and State Laws Restrict Use of SSN's, Yet Gaps Remain, September 15, 2005 at Appendix III; available at www.gao.gov/new.items/d051016t.pdf.
172. Maryland Commercial Code, § 14-3402(a)(4); Nevada Rev. Stat. 597.970.
173. Available at www.pcisecuritystandards.org.
174. See list in the Appendix.
175. See, e.g., 16 CFR Section 682.3.
176. Health Insurance Portability and Accountability Act (HIPAA) Security Regulations, 45 C.F.R. § 164.312(d). HIPAA security regulations apply to medical records in the healthcare sector.
177. Gramm Leach Bliley Act (GLBA) Security Regulations, 12 C.F.R. Part 30 Appendix B, Part III.C(1)(a). GLBA security regulations apply to customer information in the financial sector.
178. Homeland Security Act of 2002 § 1001(b), amending 44 U.S.C. § 3532(b)(1)(D), and § 301(b)(1) amending 44 U.S.C. § 3542(b)(1) ("'information security' means protecting information and information systems from unauthorized access, …").
179. Food and Drug Administration regulations, 21 C.F.R. Part 11.
180. See, e.g., Cal. Civil Code § 1798.81.5(b).
181. See FCC Order re Pretexting, April 2, 2007—In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; IP-Enabled Services, CC Docket No. 96-115, WC Docket No. 04-36, April 2, 2007, at Paragraphs 13–25; available at http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-22A1.pdf (hereinafter "FCC Pretexting Order").
182. Wolfe v. MBNA America Bank, 485 F.Supp.2d 874, 882 (W.D. Tenn. 2007).
183. Authentication in an Internet Banking Environment, October 12, 2005 ("FFIEC Guidance"), available at http://www.ffiec.gov/pdf/authentication_guidance.pdf. This was later supplemented by an FAQ titled "Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment," August 8, 2006, available at http://www.ncua.gov/letters/2006/CU/06-CU-13_encl.pdf.
184. Monetary Authority of Singapore, Circular No. SRD TR 02/2005, November 25, 2005.
185. The FCC Pretexting Order, however, is an exception.
186. See, e.g., HIPAA Security Regulations, 45 C.F.R. § 164.308(a)(1)(ii)(A).
187. FFIEC Guidance, at p. 6.
188. Ibid., at p. 3.
189. Ibid.
190. Pisciotta v. Old National Bancorp., 2007 U.S. App. Lexis 20068 (7th Cir., August 23, 2007), at p. 13.
191. See, e.g., Recommended Practices on Notice of Security Breach Involving Personal Information, Office of Privacy Protection, California Department of Consumer Affairs, April 2006 (hereinafter "California Recommended Practices"), at pp. 5–6 (available at www.privacy.ca.gov/recommendations/secbreach.pdf); Interagency Guidance supra note 4, at p. 15752.
192. For a chronology of such breaches in the United States and a running total of the number of individuals affected, see Privacy Rights Clearinghouse at www.privacyrights.org/ar/ChronDataBreaches.htm.
193. IRS Rev. Proc. 98-25, § 8.01.
194. See list of statutes in the Appendix.
195. Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, Part III of Supplement A to Appendix, at 12 C.F.R. Part 30 (OCC), 12 C.F.R. Part 208 (Federal Reserve System), 12 C.F.R. Part 364 (FDIC), and 12 C.F.R. Part 568 (Office of Thrift Supervision), March 29, 2005, Federal Register, Vol. 70, No. 59, March 29, 2005, at p. 15736 (hereinafter "Interagency Guidance").
196. Except where the business maintains computerized personal information that the business does not own, in which case the laws require the business to notify the owner or licensee of the information, rather than the individuals themselves, of any breach of the security of the system.
197. See, e.g., Ark. Code § 4-110-101 et seq.; La. Rev. Stat. § 51:3071 et seq.; Md. Code, § 14-3501 et seq.; Neb. Rev. Stat. 87-801 et seq.; N.J. Stat. 56:8-163; N.C. Gen. Stat. § 75-65; N.D. Cent. Code § 51-30-01 et seq.; Oregon, 2007 S.B. 583. The federal banking Interagency Guidance also includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number.
198. See, e.g., Thomas J. Smedinghoff, "Security Breach Notification: Adapting to the Regulatory Framework," Review of Banking & Financial Services, December 2005.
199. 15 USC Section 7001 et seq. This generally requires that companies comply with the requisite consumer consent provisions of E-SIGN at 15 USC Section 7001(c).
200. Arkansas, Connecticut, Delaware, and Louisiana are examples of states in this category.
201. Montana and Nevada are examples of states in this category.
202. See, Ethan Preston and Paul Turner, "The Global Rise of a Duty to Disclose Information Security Breaches," 22 J. Marshall Computer & Info. L. 457 (Winter 2004).
203. See Miriam Wugmeister, Saori Horikawa, and Daniel Levison, "What You Need to Know About Japan's New Law Concerning the Protection of Personal Information," BNA Privacy & Security Law Report, Volume 4, Number 19, p. 614, May 9, 2005.
204. See Communication at http://europa.eu.int/information_society/policy/ecomm/doc/info_centre/public_consult/review/staffworkingdocument_final.pdf.
205.
"Opinion 8/2006 on the review of the regulatory Framework for Electronic Communications and Services, with focus on the ePrivacy Directive," September 26, 2006, available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/wp126_en.pdf. 206. Science and Technology Committee, House of Lords, "Personal Internet Security" 5th Report of Session 2006–07, July 24, 2007, at Para. 5.55. 207. Office of the Privacy Commissioner of Canada, Key Steps for Organizations in Responding to Privacy Breaches, August 28, 2007; available at www.privcom.gc.ca/information/guide/2007/gl_070801_02_e.asp. 208. See Privacy Breach Guidance Material, Office of the Privacy Commissioner, August 2007, available at www.privacy.org.nz/library/privacy-breach-guidelines. 209. Privacy Commissioner, Media Release, August 27, 2007, available at www.privacy.org.nz/filestore/docfiles/5001509.doc. 210. See, Australian Government, Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Privacy—Issues Paper 31, February 28, 2007, at paragraphs 127–129; available at www.privacy.gov.au/publications/submissions/alrc/all.pdf. 211. Available at www.austlii.edu.au/au/other/alrc/publications/dp/72/. 212. Available at www.austlii.edu.au/au/other/alrc/publications/dp/72/60.pdf . 213. Applies to information brokers only. 214. Applies to state agencies only.