« e-Legal Disclaimers | Hazards and Product Defects | Main | Deception | Impersonation by Online Investigators »

03/07/2010

Danger | Litigation | Data Breach

Policy

Management of risk in an enterprise – in particular the legal risk growing out of IT insecurity – is not a stable state of existence.  It is a process, a never-ending process.

To ignore or mishandle this risk management process exposes the modern enterprise (public agency, private corporation, nonprofit institution) to growing peril.  So observes a wise man named Nick Gifford.

Gifford is the author of Information Security: Managing the Legal Risks, a book that is disrupting my thinking about cyber security law.  I am indebted to Mr. Gifford for his ideas.

Lawsuits are happening.  The data breach at TJX cost the company a quarter billion dollars after all the fees, remediation, investigations, legal settlements and so on are accounted for. 

More lawsuits are coming.  Gifford surveys the different headings of law – negligence, breach of contract (think non-disclosure agreements) and on and on – that aggressive Corporate policy assessmentplaintiff lawyers and regulatory authorities will exploit as the inevitable data security disasters materialize in the coming months and years.

Hear this wise man: “In short . . . a tidal wave of information security based threats is gathering momentum and heading in our direction. . . . In our litigious society . . . legal actions based on a wide variety of heads of claim . . . will be flying in all directions.” (Pages 314 - 315)

Gifford’s prescription is not the implementation of an easy checklist.  It’s the implementation of a hard checklist.  Sure, any enterprise that processes information should install sound security technology like firewalls.  Sure, it should insert smart language into contracts to shift risk or to ensure vendors take security seriously.  Those steps are relatively easy.

But the more powerful checklist Gifford recommends entails a change in skillsets and corporate culture.  He says the lawyers, executives, IT professionals and risk managers who set and execute policy need to adopt a “radical shift in thinking and behaviour.” (Page 316) They need to cross out of their respective disciplines, break out of their intellectual silos and recognize risks they are not trained to recognize.  When they comprehend the big picture – the waterfront of looming legal and public image risk -- they see that the greatest “security dividend” comes not from implementing a new firewall (mere technology) or inserting a few amendments to contract or policy documents (mere lawyer wordsmanship).  It comes from enlightened risk analysis and policy leadership.

What is enlightened risk analysis and policy leadership?  Here's an example.  After ChoicePoint’s public reputation suffered severely on the heels of a data breach in 2004 (it paid a $15 million fine to the Federal Trade Commission), the company reassessed the data security risk in its business.  Then it initiated a dramatic new policy:  It withdrew from a profitable line of business (selling sensitive personal data to certain small businesses like debt collectors, private investigators, and check-cashing outfits)!  Such a bold, executive move – directly impacting the corporate bottom line – is very difficult for any enterprise.  

I am not finished studying, and learning from, Information Security: Managing the Legal Risks, published by CCH Australia Limited.  I recommend the book highly.

–Benjamin Wright

teaches social media, information assurance and other IT law at the SANS Institute.

Posted at 05:51 PM in Books, breach, information assurance, litigation, regulatory authorities, TJX, Web 2.0 |

Tags: executives, investigations, risk assessment

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Wright's Online SANS Education

My Photo

Blogger

  • Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

IT Administrators

Custom Professional Training

Important!

  • No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

    The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

    Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

    Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

    The only person responsible for Mr. Wright's words is Mr. Wright.

    Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

    Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

    Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

    Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

    Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

SANS Quote

  • Professional Education
    "The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

About

MY BLOGS HAVE LOADS OF CONTENT. SEARCH! ↓

Twitter

  • Follow benjaminwright on Twitter

Become a Fan

Benjamin Wright
Benjamin Wright

Find More on This Blog

Subscribe to this blog's feed