Making Promises an Enterprise Can’t Keep?
How to draft corporate policies? That is a key topic I address in my SANS courses on data security law.
I argue that conventional drafting style for enterprise policies – security policies, privacy policies, data retention policies – is too ambitious. Conventional style speaks in terms of requirements and seems to promise performance in the future.
For example, conventional drafting style might say, “The enterprise will maintain up-to-date anti-virus software” or “The enterprise shall not give customer data to unauthorized people.”
As a business lawyer, I am skeptical of enterprises using such “will,” “shall” and “must” language. The truth is that data security, data privacy and data management are very difficult for any enterprise, whether it be a corporation, a government agency, a nonprofit or anything else. Technology changes constantly. Employees are imperfect. New threats arise every day. Social and legal expectations are evolving rapidly.
To sustain any data handling practice consistently across an extended period of time in a complex organization is an amazingly complicated challenge. An enterprise is a dynamic collection of people, subject to changes in budget, assets, personnel, and so on. (Have we recently witnessed the humbling of “powerful” institutions like the State of California or General Motors Corporation?)
When an enterprise adopts a policy that is too ambitious or unrealistic, I fear it increases its exposure to criticism and even liability.
Accordingly, in my course I teach students how to write softer, more general and more accurate language. An example is to say, “The enterprise strives to resist computer viruses” or “The enterprise aspires to avoid giving customer data to unauthorized people.”
A published example of less ambitious, more accurate policy drafting is the LexisNexis Privacy Vision (notice the evocative word “vision”).
The vision states: “LexisNexis strives to protect personally identifiable information . . .” “We aspire to protect consumer privacy through the design of our products, by credentialing . . .” “LexisNexis seeks to limit the distribution of personally identifiable information consistent with . . .” [emphasis added]
These sentences are worded as verifiable, present statements of fact, rather than predictions about a future that is unpredictable.
–Benjamin Wright, SANS Institute Legal Instructor