As citizens in the age of information, we have no choice but to divulge our unique identifiers. Sharing our personal information is mandatory in order to engage with, and be a member of, society. Without our personal information we cannot work, purchase the necessities of life, or even obey the law, such as by filing our annual tax returns. By divulging our personal information to government and private entities we are forced into a relationship of trust. We trust those who receive our information to safeguard it, thereby preventing the types of breaches previously discussed. Perfect security over personal information would require never disclosing it at all, which amounts to a complete withdrawal from society.
Crime will always exist and identity theft will remain an opportune crime for the foreseeable future. Because of these threats, and because we will continue to be required to divulge our sensitive information, we must actively manage the risk posed by these threats. While we may never eliminate identity theft entirely, we can and should expect a certain degree of care to be taken by those to whom we entrust our sensitive personal information. We can expect that when reasonable steps are taken to safeguard our information, it will be less likely to be compromised.
Parents of young children spare no effort to keep their children safe from harm. Children are taught how to safely cross the street, how to obtain help when a parent is not near, and how to recognize dangerous situations. Parents certainly understand the impossibility of eliminating all threats to their children completely. However, by following a manageable number of precautions and safeguards, the risk of harm to children falls to acceptable levels and the family unit is able, in most cases, to safely engage society.
So it is with the care and protection of our sensitive information. We are subject to the consequences of our own decisions. If we routinely discard our personal information, un-shredded, into the household trash, or if we routinely leave our mailbox full of mail for days at a time, we are creating opportunities for bad actors to come into possession of our personal information. We take precautions when the threats are numerous: we do not leave children unattended in shopping malls. We do not take precautions when threats are scarce: there just are not that many people dumpster diving residential recycling bins. We can and should expect custodians of our personal information to be cognizant of the threats to the information they possess and to take precautions to protect it when we cannot.
Corporate Duty to Safeguard Personal Information
Corporations that collect, store and use our personal information have a duty to safeguard it. The duty of corporate directors to ensure the organization functions within the law to achieve its purposes is well established in American jurisprudence. Further, corporate directors have a duty to monitor the enterprise’s internal controls over fraud, financial reporting and data protection. The Delaware Supreme Court has provided a line of cases establishing the duty of corporate directors to monitor: “The standard for assessing a director’s potential personal liability for failing to act in good faith in discharging his or her oversight responsibilities has evolved beginning with our decision in Graham v. Allis-Chalmers Manufacturing Company, through the Court of Chancery’s Caremark decision to our most recent decision in Disney.” – Stone v. Ritter, 911 A.2d 362 (Del. 2006).
The Delaware Court of Chancery explained the duty to monitor in In re Caremark Int’l Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996): “Generally where a claim of directorial liability for corporate loss is predicated upon ignorance of liability-creating activities within the corporation, as in Graham or in this case . . . only a sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists—will establish the lack of good faith that is a necessary condition to liability.”
The Problem of Externalities
In theory, we already pay for the protection of our personal information, because the cost of doing business and of operating government is passed on to consumers and taxpayers. Unfortunately, it is not that simple. Recent advances in information security theory have been made by leveraging economic and psychological concepts to explain some of the intractable problems faced by security experts. The economic incentive to protect information may not be readily apparent to the custodians of sensitive personal information. In fact, it may not exist at all.
An externality is an economic concept describing a situation in which a transaction creates a cost (or benefit) for a third party not involved in the transaction. In Bruce Schneier’s formulation, an externality occurs when “[t]he people who could protect a system are not the ones who suffer the costs of failure.” The cost of a data breach falls largely on the victim whose data was compromised. Thus there may be no economic incentive for custodians to go to great lengths to protect information when a breach of that information’s confidentiality results in no financial harm to the custodian.
Because these costs are passed on to third parties, particularly victims of identity theft, free market forces are unlikely to create economic incentives for good information security practices on their own. As Schneier puts it, because “protecting individual privacy remains an externality for many companies . . . basic market dynamics won’t work to solve the problem. Because the efficient market solution won’t work, we’re left with inefficient regulatory solutions.” Indeed, getting data custodians to internalize externalities is typically accomplished by regulation or by the specter of liability.
Data Protection Laws and Regulations: Establishing a Duty to Meet a Standard of Due Care for Information Security
Based on the number of individual data breaches and the number of sensitive records exposed each year, it is safe to say that both public and private institutions are hemorrhaging private, sensitive information into unauthorized hands. Custodians of information must take responsibility for the sensitive information in their possession and must be held accountable for failing to meet a standard of due care in protecting it. This accountability can be enforced by the regulatory regime, by the threat of civil suits and punitive damages brought by the subjects whose information was compromised, or both.
The statutory and regulatory environment for protecting information is an industry-specific and context-sensitive patchwork of state and federal laws. That patchwork is insufficient to compel, or even consistently encourage, private and public entities to apply appropriate safeguards to personal information.
An Emerging Standard
The concept of tying the myriad data protection requirements found in a wide variety of laws, regulations, and contractual requirements into a comprehensive duty of care was set forth by attorney and author Thomas J. Smedinghoff in his book “Information Security Law: The Emerging Standard for Corporate Compliance.” Other authors have also recognized a duty of care over the protection of information. Unfortunately, to be fully recognizable, the duty of care must be pieced together from a variety of sources. Laws and regulations may overlap across different types of entities, industries and jurisdictions. The applicability of each source will vary for each custodian; therefore, no single standard of care can be distilled and applied universally.
Despite the patchwork of compliance obligations many companies face, most regulated industries share a few core data protection obligations enforced by regulators. Two outcomes matter: general counsel should oversee the legal advice that supports the compliance function, and chief information security officers must maintain information security programs that blend technical, process and administrative controls in ways that satisfy the regulatory environment while also meeting baseline practices such as those set out in the SANS 20 Critical Controls or another recognized control framework.
Bruce Schneier, “Economics and Information Security,” Schneier on Security, available at: http://www.schneier.com/blog/archives/2006/06/economics_and_i_1.html, accessed March 4, 2013.
Bruce Schneier, “The ‘Hidden Cost’ of Privacy,” Schneier on Security, available at: http://www.schneier.com/blog/archives/2009/06/the_hidden_cost.html, accessed March 4, 2013.
Thomas J. Smedinghoff, Information Security Law: The Emerging Standard for Corporate Compliance, published by IT Governance Ltd., October 2008.