This Guide is a revised version of a paper that first appeared in 2005 in Information Security Management Handbook, Fifth Edition, Volume 2.
The paper examines the emerging body of law surrounding an enterprise’s responsibility for securing information, together with the emerging body of information security management principles and practices for doing so. Seven key information security management elements are identified which we believe constitute an information security minimum standard of due care. Enterprises failing to implement these seven management elements could face significant legal exposure should they suffer a security breach resulting in damage to a third party.
The paper explores the application to information security of appellate rulings in several negligence cases on the questions of Duty of Care and Breach of Duty: Kline v. 1500 Massachusetts Avenue Apartment Corp, United States v. Carroll Towing Co, Texas & P.R. v. Behymer, T. J. Hooper v. Northern Barge and People Express Airlines v. Consolidated Rail Corp.