Businesses May Have Legal Obligation to Combat Phishing

"Where a con man deceives a bank customer into investing his life savings in a fraudulent scheme, the bank that held the customer’s account presumably has no liability whatsoever for the customer’s foolhardy actions. But with phishing there is one key difference. That is, the con man (i.e., the phisher) may be exploiting the security choices made by the spoofed company. In other words, the approach to information security taken by the spoofed company may somehow contribute to the success of the attack.

Role of Information Security

The law governing a company’s obligation to implement information security usually requires a process-oriented approach to security, based on an ongoing risk assessment. Thus, in light of the prevalence and the significance of phishing attacks, companies likely to be affected need to expressly consider the threats that such attacks pose, and their anticipated impact. Based on the results of this risk assessment, such companies should design and implement an information security program to manage and control the risks posed by phishing attacks identified during the risk assessment. For companies at risk, a failure to expressly consider and address phishing attacks within the overall context of their information security program may well be considered as a failure to comply with its legal obligations."

From this Baker and McKenzie article.