Law and Network Security
If your organisation is a publicly traded company, a government agency, or does business with either, there may be legal constraints on how you choose your security approach.
The Computer Security Act of 1987 requires US federal agencies to identify systems that hold sensitive information, to provide computer security training, and to develop security plans for those systems. The Act is a broad mandate: it orders federal agencies to establish security measures without itself specifying any technical standards. (It has since been superseded by the Federal Information Security Management Act of 2002, FISMA, but its definition of sensitive information is still widely quoted.)
The Act defines sensitive information as "any information, the loss, misuse, or unauthorised access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorised under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defence or foreign policy."
When deciding what information needs protecting, ask one question: would unauthorised access to, or modification of, this information adversely affect my organisation? If the answer is "yes", treat that information as sensitive and give it appropriate security precautions.
The Computer Misuse Act 1990 is the base law for all other computer-related law in the UK. It applies throughout the UK and is usually the underlying law used to charge a suspect with a computer crime. Unauthorised access to computer material, such as breaking into a system or logging in with stolen credentials, is a Section 1 offence and carries a maximum sentence of between 6 months (on summary conviction) and 2 years (on indictment). Section 2 covers unauthorised access with intent to commit or facilitate a further offence, for example using the stolen credentials to reach a server in order to commit fraud; a Section 2 conviction can lead to up to 5 years in prison. Section 3, unauthorised acts intended to impair the operation of a computer (which is how malware and denial-of-service attacks are charged), carries up to 10 years.
Privacy laws (such as the Health Insurance Portability and Accountability Act [HIPAA], which covers medical records) also have a direct impact on computer security. If a system is compromised and it holds data covered by a privacy statute, you may have to prove that you exercised due diligence in protecting that data. A finding that you did not take proper precautions can result in civil liability, and under HIPAA in regulatory penalties as well.