The Legal Defensibility Era: The Convergence of Security and Legal Risk
With each passing day we are providing more and more personal data to companies through online transactions, social networks, and cloud computing. Concurrently, there is a growing framework of laws, regulations, and contractual obligations governing how companies should treat this information. These colliding paths are creating what has been dubbed "The Legal Defensibility Era." David Navetta of the Information Systems Security Association (ISSA) has written an excellent article outlining this trend and highlighting several important issues that companies must focus on to properly handle data in this new era.
The focus of legal defensibility is understanding how a plaintiff's attorney, judge, jury, or regulator will view an organization's security posture in light of applicable legal requirements. Under a legal defensibility analysis security choices become legal positions or arguments to be used to persuade legal decision-makers that an organization's security was legally sound, and increase the likelihood that a judge, jury, or regulator will find a company legally compliant. Ultimately, there may not be a clear "right" or "wrong" answer, but rather a more or less persuasive legal argument/position on security.
To create an effective legal defense, companies should create a security plan with the view that a security incident is a "when" and not an "if." Companies must create an adequate security policy, abide by that policy, comply with the appropriate laws, regulations, and industry standards, and ensure that their vendors are also handling personal information with the appropriate level of care. With the advent of cloud-based services, the last point is becoming extremely important. Companies should effectively scrutinize their vendors' security policies and procedures before agreeing to transmit personal information to them. Focusing on legal defensibility will require more communication and cooperation between a company's IT and legal departments to effectively implement security policies in this new era. Additionally, for a viewpoint from the security professional's side, check out this article.