Rounding out your duty to secure information are obligations your organization has imposed on itself. Through statements in privacy policies, on Web sites, or in advertising materials, your organization will often make claims regarding the level of security it will provide for the data it collects or maintains. By doing so, you impose on yourself an obligation to comply with the standard you have represented to the public.

The legal standard for compliance The laws, regulations, contracts, and other obligations that impose a duty to provide security typically require only that you provide "reasonable" or "appropriate" security. They offer little guidance as to what kind of security measures are required or how much security is enough. This raises a very difficult question: What constitutes "reasonable" or "appropriate" security?

Yet a careful review of newer statutes and regulations, court decisions, and government enforcement actions reveals an amazingly consistent approach for defining the parameters of a "legal" standard for compliance. That standard focuses on process, not on specific security controls.

The legal standard does not dictate what measures are required to achieve reasonable security. Instead, it requires companies to undertake a risk-based process to identify and implement measures that are reasonable under the circumstances to achieve the desired security objectives. This means companies must assess the risks they face, identify and implement appropriate security measures in response to those risks, verify that those security measures have been effectively implemented, and ensure that they are continually updated in response to new developments. And when that is done, the law requires that the process be repeated periodically.

As a result, security measures necessary for legal compliance vary depending on the situation, with decisions regarding the specifics of your security strategy being left up to your company. In Guin v. Brazos Higher Education Service, for example, the court rejected an argument that a specific security measure—in that case, encryption of personal data on a laptop—was legally required. Instead, the court noted that the security controls in place were reasonable in light of the risk assessment done.

In other words, the focus is on risk assessment, and then on adopting security controls that are responsive to the threats your company faces. It is not enough merely to implement impressive-sounding security measures.

For example, posting armed guards around a building or requiring key-card access may give the appearance of security, but if the primary threat the company faces is unauthorized remote access via the Internet, physical security measures are of little value. Likewise, firewalls and intrusion detection software are often effective ways to stop hackers and protect sensitive databases, but if a company's major vulnerability is careless (or malicious) employees who inadvertently (or intentionally) disclose passwords or protected information, then even those sophisticated technical security measures, although important, will not adequately address the problem.