Harboring Data: Information Security, Law, and the Corporation

Privacy and Security

Article Snapshot


Andrea Matwyshyn


Andrea Matwyshyn, ed., California: Stanford Law Books, 2009


Information security must become a higher corporate priority right now, as it will only continue to grow in importance.

Policy Relevance

In the short term corporations must institute much stricter regulations on themselves to protect information. In the long term they must cultivate a culture of information security and develop a sense of responsibility for it.

Main Points

  • People use the Internet frequently when doing information-sensitive activities. This creates an information trail full of data, which corporations hoard, and these large collections of data are susceptible to attack.
  • Information criminals are on the leading edge of technology and always looking for new ways to exploit and use unsecured data. Unfortunately, security regulation is a hodgepodge of federal and state law that is relatively narrow and does not adequately regulate corporations.
  • The security of data is only as good as the weakest link in the chain between a corporation and those it does business with.
  • Presently corporations do not value information security as highly as they ought to. Costs – such as lost goodwill, loss of consumer confidence, and employee time spent rectifying breaches – are not seen as worth the upfront security expenditure to prevent the risk of breach.
  • However, more corporations are learning through experience that information security breaches do entail significant, and in some cases, crippling costs – monetary and otherwise.
  • There are five common security errors:

    • Lack of planning;
    • Ignoring external reports;
    • Letting criminals in;
    • Theft by rogue employees;
    • Failure to update existing security.
  • The need for corporations to address the vulnerability of information is now, before it is too late, and because it will be an issue for years to come.
  • There are four obvious lessons for regulators and organizations:

    • Security requires a focus on humans, not just technology;
    • Information security is always evolving and constant monitoring is necessary;
    • Information security falls across various business and social contexts;
    • A proactive corporate and legal approach is necessary to provide the needed security.

Get The Article

Find the full article online

Search for Full Article