Material Vulnerabilities: Data Privacy, Corporate Information Security and Securities Regulation


This article undertakes a normative and empirical legal inquiry into the manner information security vulnerabilities are being addressed through law and in the marketplace. Specifically, this article questions the current legislative paradigm for information security regulation by presenting a critique grounded in information security and cryptography theory. Consequently, this article advocates shifting our regulatory approach to a process-based security paradigm that focuses on improving security of our system as a whole. Finally, this article argues that in order to accomplish this shift with least disruption to current legal and economic processes, expanding an existing set of well-functioning legal structures is preferable to crafting new legal structures. Securities disclosure law is already focused on regulating the most connected points in our economy, publicly traded entities. Public companies provide a good starting point for spreading better information security behaviors because of this connectedness; disclosure of public companies' information security behaviors will assist them in maximizing shareholder value and will assist regulators in finding the inadequately secure points in our economy.


Business Organizations Law | Computer Law | Consumer Protection Law | Intellectual Property Law | Internet Law | Science and Technology Law

Date of this Version

March 2005