Management of risk in an enterprise – in particular the legal risk growing out of IT insecurity – is not a stable state of existence. It is a process, a never-ending process.
To ignore or mishandle this risk management process exposes the modern enterprise (public agency, private corporation, nonprofit institution) to growing peril. So observes a wise man named Nick Gifford.
Gifford is the author of Information Security: Managing the Legal Risks, a book that is disrupting my thinking about cyber security law. I am indebted to Mr. Gifford for his ideas.
Lawsuits are happening. The data breach at TJX cost the company a quarter billion dollars after all the fees, remediation, investigations, legal settlements and so on are accounted for.
More lawsuits are coming. Gifford surveys the different headings of law – negligence, breach of contract (think non-disclosure agreements) and on and on – that aggressive plaintiff lawyers and regulatory authorities will exploit as the inevitable data security disasters materialize in the coming months and years.
Hear this wise man: “In short . . . a tidal wave of information security based threats is gathering momentum and heading in our direction. . . . In our litigious society . . . legal actions based on a wide variety of heads of claim . . . will be flying in all directions.” (Pages 314–315)
Gifford’s prescription is not the implementation of an easy checklist. It’s the implementation of a hard checklist. Sure, any enterprise that processes information should install sound security technology like firewalls. Sure, it should insert smart language into contracts to shift risk or to ensure vendors take security seriously. Those steps are relatively easy.
But the more powerful checklist Gifford recommends entails a change in skillsets and corporate culture. He says the lawyers, executives, IT professionals and risk managers who set and execute policy need to adopt a “radical shift in thinking and behaviour.” (Page 316) They need to cross out of their respective disciplines, break out of their intellectual silos and recognize risks they are not trained to recognize. When they comprehend the big picture – the waterfront of looming legal and public image risk – they see that the greatest “security dividend” comes not from implementing a new firewall (mere technology) or inserting a few amendments to contract or policy documents (mere lawyer wordsmanship). It comes from enlightened risk analysis and policy leadership.
What is enlightened risk analysis and policy leadership? Here's an example. After ChoicePoint’s public reputation suffered severely on the heels of a data breach in 2004 (it paid a $15 million fine to the Federal Trade Commission), the company reassessed the data security risk in its business. Then it initiated a dramatic new policy: It withdrew from a profitable line of business (selling sensitive personal data to certain small businesses like debt collectors, private investigators, and check-cashing outfits)! Such a bold, executive move – directly impacting the corporate bottom line – is very difficult for any enterprise.
I am not finished studying, and learning from, Information Security: Managing the Legal Risks, published by CCH Australia Limited. I recommend the book highly.
Mr. Wright teaches social media, information assurance and other IT law at the SANS Institute.