The sheer number and variety of laws and regulations that can apply to even small businesses handling sensitive information can be daunting, if not overwhelming. In some instances, it may be almost impossible for even a large, sophisticated organization to identify all applicable laws, reconcile inconsistencies among them, and then implement a compliance program. The goal here is not to examine any specific law or regulation, but to identify three common threads that run through many of them. By understanding those common threads, businesses can more easily understand their baseline compliance obligations.
As mentioned in the introduction above, there are three common threads to consider. These threads run not only through laws and regulations, but also through contractual standards such as the Payment Card Industry Data Security Standard (PCI DSS) and even through common industry standards for information security published by organizations like CERT at Carnegie Mellon and the International Standards Organization (“ISO”). Embracing these common threads in designing and implementing an information security program will greatly increase a business’ ability to achieve overall compliance with the laws, regulations, and other requirements (e.g., PCI DSS, industry standards, etc.) applicable to it.
Confidentiality, Integrity, and Availability (“CIA”). The age-old concept of CIA found in every handbook on information security has now been codified into many laws and regulations. The three prongs of this concept address the most fundamental goals of information security: the data/information must be maintained in confidence, it must be protected against unauthorized modification, and it must be available for use when needed. The lack of any of the foregoing protections would materially impact both compliance and the value of the information asset.
Acting “Reasonably” or taking “Appropriate” or “Necessary” measures. The concept of acting “reasonably” is used in many state and federal laws in the United States, Australia, and other countries. The related concept of taking “appropriate” or “necessary” measures is used in the European Union and many other areas. Together, they form the heart of almost every information security and data privacy law. A business must act reasonably or do what is necessary or appropriate to protect its data. Note that this does not require perfection. Rather, as discussed in the next paragraph, the business must take into account the risk presented and do what is reasonable or necessary to mitigate that risk. If a breach nonetheless occurs, a business that has met this basic requirement will generally not be found in violation of the applicable law or regulation.
Scaling security measures to reflect the threat. A concept closely related to acting reasonably or doing what is appropriate is the idea of scaling security measures to reflect the nature of the threat. That is, a business need not spend the entirety of its security budget to address a low-risk threat. But if the risk is substantial, the level of effort and expenditure by the business to address that risk must increase accordingly.