Organizations do not operate in legal vacuum. Their actions or inactions, words and deeds carry legal responsibilities and consequences.  With Cyber security issues popping up by the seconds and becoming increasingly very complex by the day, organization must be at the forefront of the efforts in the IT and Cyber security communities to address the issues.  As a starting point, organizations must beef up their legal policies to guide their IT and Cyber security practices for effectiveness and not avoid or minimize legal liabilities.

What are the sources?

The three main sources of legal issues or concerns in any organization are:

• Statutory
• Your own promises (shooting yourself in the foot)
• Negligence

Statutes

• These are a patch-work of regulations
• Current statutes tend towards process, i.e. requirements to inform or to handle data a certain way -- not oriented towards technology
• Fines and other sanctions through the FTC, SEC or states’ attorney generals
• Gramm Leach Bliley, California laws -- over different laws govern elements of private d shoppers club cards license information.
• Federal privacy law is still proposed – like the others it is likely to be process and notification oriented. Consider the EU’s privacy requirements for global companies.
• Sarbanes Oxley (SOX) is heavily process oriented.
• SOX doesn’t directly talk to IT or IT security, but, rather requires executives to adequate internal co procedures for financial accounting.
• Financial controls are by IT.

Promises

• Promises to consumers or to your trading partners about p the handling of data.
  • Choicepoint paid $10 million in fines and $5 million in restitution

• Look at the promises you are making in contracts.
  • Mastercard and its outsourcing partner

Negligence

• The basic measure of negligence is “reasonable under the circumstances”
• The recent problem at the Veteran’s Administration can be an example. Was it reasonable for the database to be full downloadable? Were the precautions reasonable when the database was taken home every day for 3 years? Was it reasonable that the employee failed to mention the burglary for more than a week?

What is negligence?

Merriam-Webster defines negligence as failure to exercise the care that a reasonably prudent person would exercise in like circumstances.

• Minimally adopting trade practices is not necessarily a defense
• Legal experts present an example with “TJ Hooper.” In the TJ Hooper case, 1932, it was not a defense that tug boats didn’t usually have radios to call for help – the fact that radios were available and not deployed was the operative factor.

What TJ Hooper means to you

• The tug boat operator was held to have been negligent even though few in the industry were using radios in 1932.
• The court said: “A whole calling may have unduly lagged in the adoption of new and available devices…”
• Substitute the word “solutions,” or “services” instead of “devices.”
• Industry practices are not necessarily a defense – they are likely only a threshold.

Aggravating factors:

The aggravating factors that lends to legal liabilities are:

• Another’s reliance on your promises or expertise
• Over use of superlatives when describing your service or solutions, such as: “Best,” “Guaranteed,” “Highest”
• Public disclosure of private facts that are not of legitimate concern to the public
• Intentional harm

Example: How does this apply to Cyber security?

There are different ways this could apply to an organization.

• Unfortunately, the “circumstances” of many of the IT industries (i.e. the web services industry) are likely to lead to a heightened standard
• The dangers of an open protocol are well known
• There is increasing reliance on your expertise
• For example, in the Web services industry, Meta data and XML identification of information is a known danger
• Hacking is a type of sport
• Well publicized problems become lessons that need to be heeded
• Audits pointing out the problems

 What should organizations be doing?

Organizations should:

• Recognize that not enough time is being spent protecting data “at rest” as opposed to the amount of time spent on data “in flight”
• Recognize that security is a people problem & not a technology problem
• Start talking to legal. They (legal) do not know your issues but can help if educated
• Don’t shoot yourself in the foot: examine public & contractual promises, consider your use of the words “Best practices.”

Call to Action:  What organizations must do to limit liabilities

Finally, to mitigate potential legal liabilities, organizations must shore up their legal basis and can take any number of actions to do so.  In addition to several other, organizations should:

1. Create an umbrella security policy. A policy is an indicator of reasonable activity
2. Put into place mechanisms and resources to enforce the security policy
3. Educate your employees to be your eyes and ears
4. Be aware that SOX is a de facto standard for everyone – public or not. Act accordingly
5. Conduct regular external audits. But first, set up the audits within the attorney client privilege!!!
6. Remember the Y2K your business model. Ask your business partners about what they are doing. Keep your chain intact
7. Insurance – transfer risk to someone else.
8. Prepare for failures