In recent years, the number of laws that regulate corporate IT and data infrastructures has increased at an alarming rate. Some, like Sarbanes-Oxley, are necessary to prevent corporate mismanagement, but others are too loosely defined, according to legal experts at last week's RSA Conference.
At the panel entitled "Traps for the Unwary: the 'Other' Information Security Laws," attorney Jon C. Stanley detailed some of the vagaries of the Computer Fraud and Abuse Act (CFAA). The law, which was originally conceived to prosecute hackers and spammers, is so loosely defined that it can be used to sue those who break a non-disclosure agreement, infringe a copyright or break the terms of an ISP service agreement. It can also be applied to incidents of past infringement.
For example, employees who left corporations were successfully sued for breach of a non-compete agreement because their client list (though publicly available) could have been obtained during the time they were employed, according to Stanley.
"Breaking the terms of an agreement is one and the same thing as breaking the CFAA," said Stanley. "When the law was drafted, legislators were keen to help AOL stop spammers using its network, so they figured they could use a breach of the terms of service agreement to sue them."
The wording of the law defines the term "computer" to mean any electronic, magnetic, optical, electrochemical or other high speed data processing device performing logical, arithmetic, communication or storage functions.
It also includes any device operating in conjunction with these devices; for example, an automobile fitted with Internet connectivity operates in conjunction with an ISP agreement, Stanley said.
Another panelist, Brian Brooks of the Washington, D.C., law firm O'Melveny & Myers LLP, which focuses on financial services-related litigation, talked about California's SB 1386, a law that requires companies to disclose security breaches of personally identifiable data to any California resident.
"There is a safe harbor in the legislation," he said. "If your company has already adopted a stringent security strategy, it can become exempt."
Another statute, the Fair Credit Reporting Act (FCRA), allows consumers to find out how their personal information was compromised and for what purpose. This means that the company must provide the details of a security breach.
Brooks said that Canada's Protection of Personal Information In the Private Sector Act, which went into effect in January, is far more restrictive than SB 1386 and applies to any company that wants to do business with Canadian citizens.
The act states that corporations need an individual's consent to collect their personal information, although it's uncertain what form this consent must take. Under that law even a person's name, address, financial information and opinions (survey information, for example) are considered personal information. There are guidelines governing the collection, storage and distribution of that information.
Brooks also said that U.S. Sen. Dianne Feinstein (D-Calif.) proposed a federal version of SB 1386 called The Federal Notification of Risk to Personal Data Act. So far legislators have rejected it, but it may reappear.
"In the Beltway nothing ever goes away," said Brooks.