In my last Security Policies Tip, I offered three best practices for developing your organization's information classification policy to help users determine how to classify information assets. Your organization's information classification policy should address two types of confidential information: competitive-advantage (trade secret) and personal information. When writing your policy, it's important to take into consideration the laws surrounding both types of information.
The laws regarding competitive-advantage information were developed from the duty of good faith imposed generally in commercial dealings. A trade secret is commonly defined as information deriving actual or potential economic value by virtue of its not being readily ascertainable through proper means by the public, and which is the subject of reasonable efforts to maintain its secrecy. The legal system protects the owner (in our case the organization) from someone who uses improper means to learn the trade secret, either directly or indirectly. Therefore, anyone using improper means to learn the trade secret has breached a duty of good faith dealing with the trade secret owner.
The breach of that duty of good faith usually takes the form of an abuse of a confidence, the use of improper means to ascertain the secret or a breach of contract. Anyone involved in the breach of that duty is liable for trade secret stealing.
The laws governing trade secret and competitive-advantage information are well established and offer substantial penalties for non-compliance. The Economic Espionage Act (EEA) of 1996 provides... ...that individuals and organizations convicted of violating the EEA are subject to severe penalties. Persons convicted of violating the EEA may be fined up to $500,000 or imprisoned up to 15 years, or both, while organizations that commit any offense prohibited by the act may be fined up to $10,000,000. A person convicted of violating/receiving protected information faces a fine of up to $500,000 or a prison sentence of up to 10 years, or both, while any organization that receives protected information may be fined up to $5,000,000.
Any policy and supporting standards on information classification levels must also address personal information about employees, customers, clients and other third parties.
The area of protecting personal information has become hotter during the past couple of years. The passage of the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), European Union privacy laws and organizations like Privacy International are working to increase the safeguards required for personal information. The new acts create two concerns for the writer of information security policies. The existing or new policies must comply with the law, or the enterprise can face penalties and fines. Also, the customers, clients and employees will trust an organization that has policies in place that protect their non-public, personal information.
When developing your information classification policy it will be necessary to take into account both competitive advantage or trade secret and personal (customer and employee) information. For some organizations these two types of information are given separate classification categories. The personal information is often classified as Private and the competitive advantage information is classified as Confidential. Your organization will have to determine what is best and implement the appropriate category naming conventions.
About the author:
Tom Peltier has been an information security professional for more than 25 years. He has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.
MORE SECURITY POLICIES TIPS BY THOMAS R. PELTIER: