


Overreacting to Information Security

Dec 10, 2012 | 2 min read

If you have been reading my postings for the last several years, you know I am hardly one to be lax when it comes to information security measures – particularly when information will be shared with business partners and vendors.  That said, I am finding a common overreaction among businesses to this issue.  

Sophisticated businesses have now developed form information security language for inclusion in their business partner and vendor agreements.  That language is frequently very extensive, designed to cover the myriad of business and regulatory issues that arise when they entrust their most sensitive information to a third party.  The overreaction I am referring to is when a business has reduced the analysis of whether to require all of these extensive provisions to a binary question:  Is any sensitive information at risk, regardless of how limited?  If the answer is “yes,” all security language is required.  If the answer is “no,” the security language can be foregone.

Let me be more specific.  Businesses have developed very thorough contractual language to protect their highly confidential information.  The overreaction we are seeing is that those businesses frequently use an all-or-nothing approach to the use of this language.  If “any” personal information is at risk, even if it is very basic information involving, say, customer names, the entirety of the extensive information security language is required.  There is no scaling of the language depending on the actual risk presented.

I am not saying that customer names aren’t deserving of protection; rather, I am merely trying to highlight the problem of the all-or-nothing approach.  I suggest that scaling the required protections to actually reflect the risk may be a more appropriate approach: it would avoid costly negotiations over security provisions that provide only incremental or no real additional protection, and would likely decrease the overall time for negotiations.

One size seldom fits all in real life.  My suggestion is that businesses consider a scaled approach to information security, while, of course, still complying with all legal and regulatory requirements for the relevant data.  It does not make sense to use the same level of protection for a very minor, even incidental, contact with sensitive information as that required in an engagement where a vendor will be hosting the entirety of a business’ customer database and transaction data.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
