Threaded Mode | Linear Mode

***mandy*** · 02-23-2006, 10:02 AM,

It would seem that writing a security policy and telling the court your company took reasonable precautions to protect data is enough to avoid any liability in the event of a data breach, regardless of whether your security policy was enforced or tested.

Quote:A recent case involving a stolen laptop containing 550,000 people's full credit information sheds new night on what "reasonable" protections a company must make to secure its customer data - and what customers need to prove in order to sue for damages...

What is "reasonable?"

In order to prevail, Guin had to show that the loan company owed him a duty to protect his information, that the theft of the laptop was reasonably foreseeable, and that Brazos failed to take reasonable efforts to prevent the loss of the data. Guinn would also have to show that this failure was the legal cause of some damage or injury.

The standard of care for the prevention of harm is typically what the law calls the "reasonable man" standard. What would a reasonable person (or company) of ordinary prudence do? In addition, laws or regulations can impose a higher standard of care than ordinary negligence, and failure to adhere to a law or regulation is typically deemed to be negligence per se. So, what would a "reasonable" holder of personal information have done?

The law doesn't define reasonable...

full article: http://www.securityfocus.com/print/columnists/387

PDF of a recent Minnesota court case: http://www.nysd.uscourts.gov/courtweb/pd...-00529.PDF