The criteria for evaluating the legal requirements for implementing safeguards is to evaluate the cost (C) of
instituting the protection versus the estimated loss (L) resulting from the exploitation of the corresponding
vulnerability. Therefore, a legal liability may exists when:

A.
(C < L) or C is less than L

B.
(C < L – (residual risk)) or C is less than L minus residual risk

C.
(C > L) or C is greater than L

D.
(C > L – (residual risk)) or C is greater than L minus residual risk

Explanation:
If the cost is lower than the estimated loss (C < L), then legal liability may exists if you fail to implement the
proper safeguards. Government laws and regulations require companies to employ reasonable security
measures to reduce private harms such as identity theft due to unauthorized access. The U.S. Gramm-LeachBliley Act (GLBA) Safeguards Rule and the broader European Directive 95/46/EC, Article 17, both require that
companies employ reasonable or appropriate administrative and technical security measures to protect
consumer information. The GLBA is a U.S. Federal law enacted by U.S. Congress in 1998 to allow
consolidation among commercial banks. The GLBA Safeguards Rule is U.S. Federal regulation created in
reaction to the GLBA and enforced by the U.S. Federal Trade Commission (FTC). The Safeguards Rule
requires companies to implement a security plan to protect the confidentiality and integrity of consumer
personal information and requires the designation of an individual responsible for compliance. Because these
laws and regulations govern consumer personal information, they can lead to new requirements for information
systems for which companies are responsible to comply. The act of compliance includes demonstrating due
diligence, which is defined as “reasonable efforts that persons make to satisfy legal requirements or discharge
their legal obligations”. Reasonableness in software systems includes industries standards and may allow for
imperfection. Lawyers representing firms and other organizations, regulators, system administrators and
engineers all face considerable challenge in determining what constitutes “reasonable” security measures
for several reasons, including:
1. Compliance changes with the emergence of new security vulnerabilities due to innovations in information
technology;
2. Compliance requires knowledge of specific security measures, however publicly available best practices
typically include general goals and only address broad categories of vulnerability; and
3. Compliance is a best-effort practice, because improving security is costly and companies must prioritize
security spending commensurate with risk of non-compliance.
In general, the costs of improved security are certain, but the improvement in security depends on unknown
variables and probabilities outside the control of companies.
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 315.
http://www.cs.cmu.edu/~breaux/publications/tdbreaux-cose10.pdf