Data Protection: Information Security and Privacy Law
Information security law is an emerging area of law focusing on one of our society’s most valuable sources of wealth – information. Information security law is nothing new. Nonetheless, information security law is “emerging” in the sense that it has arisen largely in the last two decades, as opposed to more traditional areas of law, like real estate, that have been with us since the founding of the United States. It is also “emerging” because developments in the law have been accelerating in recent years.
Returning to the original question, then, what is information security law? Also, what do information security lawyers do?
Information security law, or infosec law, is in some ways a new area of law. In other ways, it is a new area of practice for law firms. And in yet other ways, it has an industry-specific focus. This article discusses all of these dimensions of information security law.
Information security, as an emerging area of law, includes a number of components. First and foremost, information security lawyers counsel their clients on requirements to keep data and information systems secure. These requirements may stem from public law (statutes and regulations) or private arrangements made via contracts. Infosec lawyers help clients answer the key question: What does my company really need to do to comply with infosec requirements under applicable law and contracts?
Second, infosec law addresses liability that arises from security breaches or defects in security products or services. Parties injured by a security breach may sue to seek damages or an injunction against the parties responsible for the breach. When the perpetrators cannot be found or it isn't worth suing them, injured parties may sue others who allowed the breach to occur or failed to stop it. Companies purchasing security products or services may sue their vendors when the products or services don't work as advertised or when they fail to prevent a breach. Infosec lawyers bring suit on behalf of the injured party or defend these kinds of suits.
Third, infosec law covers secure electronic commerce. Secure electronic commerce answers questions such as:
- How do parties form contracts online?
- Are online contracts treated the same as paper contracts under the law?
- What must a person or business do to authenticate himself, herself, or itself to another party online?
- What must be done to tie an individual or business to an online transaction and hold that party accountable for it?
- What can show that a person has agreed to an online transaction: an electronic signature, a secure form of electronic signature, or a digital signature (a particular kind of secure electronic signature)? (I leave the discussion of the differences among these kinds of signatures for another day and article.)
Secure electronic commerce systems or programs may, for instance, establish a trading community in which a large organization can procure products or services from its vendors. Electronic "commerce" can also include e-government services. For example, an environmental regulatory agency may establish an online presence to accept submissions of environmental reports and disclosures. E-commerce lawyers counsel clients concerning ways to establish secure e-commerce systems, the interplay between background law and contracts involved in establishing these systems, and liability concerns arising from e-commerce activities.
Information security law, in addition to being an area of law, is also a law practice. Lawyers from a variety of traditional practice areas may work in the information security area. For instance, lawyers specializing in government regulatory matters may advise clients on federal or state statutes that impose infosec requirements. Attorneys working in government affairs in Washington or state capitols may become involved in lobbying efforts for or against new infosec legislation, such as the federal breach notification bills. Litigation lawyers are likely to be the professionals handling disputes arising from security breaches. Finally, members of technology transactions groups are often the first lawyers called in to counsel clients seeking to engage in secure e-commerce, although technology attorneys with the specialized skills needed to provide in-depth advice have created a distinct sub-specialty under the technology transactions umbrella.
Finally, information security lawyers focus on a particular industry: the information technology industry. Some law firms have IT law groups whose work includes addressing the specific needs of vendors of information security products and services. Infosec lawyers need to develop deep IT experience and exposure to clients that depend on IT for their operations and sometimes their entire livelihood. More recent trends, such as cloud computing, pose even greater challenges to the legal community.
Infosec lawyers cultivate contacts among IT professionals, and infosec professionals in particular. Servicing clients' infosec legal needs is a multi-disciplinary endeavor, and lawyers are creating fruitful partnerships and relationships with outside and in-house technical experts. Lawyers in the infosec field simply cannot perform their jobs alone. They require considerable assistance from experts with the technical expertise to provide comprehensive advice to clients.
In sum, information security is at once an emerging area of law, an area of practice, and an industry focus. As with new areas of the law in the past, attorneys practicing infosec law are those who have experience in allied areas of law, who have practices touching on a number of traditional practice areas, and who have IT and infosec technical expertise. The mix of technical and legal issues, the need to work with multi-disciplinary teams, and the novelty of the field challenge infosec lawyers, but make for a fascinating area of the law.