Why is Security Liability Important?
In a famous civil liability case, a captain of a ship caught in a storm that resulted in an
accident was found guilty of negligence for failing to use a two-way radio. Having a two-way radio was not
a regulatory requirement of the time; in fact, most other ships did not carry two-way radios.
Nonetheless, the judge said, "There are precautions so imperative that even their universal disregard will
not excuse their omission."
That judge's words are a guide to 21st century organizations. The best liability protection is to
take measures that will be interpreted as "reasonable and prudent."
Another important principle of liability law is that when a manager is in unfamiliar territory,
a reasonable and prudent person should become even more cautious. Unfamiliarity with generally
accepted computer security and information privacy best practices describes the current reality
for virtually every organization. Managers and executives in organizations that use computers, or
that interact with customers or vendors who use computers, should exercise extra caution. Extra caution
includes:
1. Protecting how client and business information is stored, accessed and transmitted
2. Regular privacy and security vulnerability assessments, staff training, and policy updates
3. Multi-layered security: perimeter and desktop firewalls; software patch management and upgrades; updated anti-virus and
updated malware protection; hardening and securing desktops and servers against known vulnerabilities
4. Industry-standard back-up procedures, disaster recovery plan and regular recovery drills
5. Appropriate fax machine(s), and printer(s) security
6. Individual passwords for each staffer; greater than seven characters, using the industry-accepted
method of: multi-case alpha characters, numerics, and non-standard characters.
Regular password auditing/updates.
7. Appropriate protocols for the de-commissioning of computer hard drives
8. Computer fileserver/repository password protected and physically secured
9. Password exception authorizations, protected storage and re-set methods
10. Mechanisms for restricting access for staff members who quit or are terminated
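Item 6 above is concrete enough to be enforced mechanically. The following Python script is an added example, not code from Privacy Technician, that checks a candidate password against exactly the stated policy (more than seven characters; mixed-case letters, digits and non-standard characters) and performs the "regular password auditing" step by flagging accounts whose password is older than a rotation window. The 90-day window, the account names and the dates are constructed for the example; the page gives no rotation interval.

```python
import string
from datetime import date, timedelta

# Policy thresholds: the length comes from the checklist above ("greater than
# seven characters"); the rotation window is an assumed value for the audit.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90  # assumption, not stated on the page


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy requirements the password fails.

    An empty list means the password satisfies every rule in item 6:
    length, lowercase, uppercase, digit and non-alphanumeric character.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no non-alphanumeric character")
    return failures


def audit_password_ages(accounts: dict[str, date], today: date,
                        max_age_days: int = MAX_AGE_DAYS) -> list[str]:
    """Return the usernames whose last password change is older than the window.

    `accounts` maps a username to the date its password was last changed.
    """
    cutoff = today - timedelta(days=max_age_days)
    return sorted(user for user, changed in accounts.items() if changed < cutoff)


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    for candidate in ("password", "Ab1!", "Tr0ub4dor&3"):
        problems = check_password_policy(candidate)
        status = "OK" if not problems else "REJECT: " + ", ".join(problems)
        print(f"{candidate!r}: {status}")

    sample_accounts = {
        "alice": date(2007, 1, 15),
        "bob": date(2007, 5, 1),
        "carol": date(2006, 11, 30),
    }
    overdue = audit_password_ages(sample_accounts, today=date(2007, 6, 1))
    print("accounts due for a password reset:", overdue)
```

In practice the first function belongs wherever passwords are set (the help desk's reset procedure from item 9 included) so a non-compliant value is never accepted, and the second runs on a schedule against the directory's last-change timestamps so that the "regular auditing" in item 6 produces a dated record, which is the kind of evidence of due diligence the rest of this page is about.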
With ever-growing governmental regulatory requirements, awareness of liability due to security and privacy
negligence needs to be addressed by every organization in the US today. At a growing number of
organizations security and privacy policies are adopted in words only.
This practice may only further the regulatory and liability exposure of the organization.
You May Be Held Personally Liable
A report entitled Security Negligence:
Real Threat of Legal Liability, (Giga Information Group, May 9, 2002) tells us "...managers may incorrectly think
that directors and officers (D&O) insurance [will] protect them from potential liability, or that if a situation arose,
the company itself would be liable, not the individual manager...Knowingly making a business decision that places the
company or its customers at risk could be named in legal actions that sought damages. D&O policies may not offer
protection, since many of them ignore this vital area of a company's infrastructure...
Ultimately, lawsuits arise because of poor business decisions, or lack of them."
In the same Giga report, Michael Rasmussen urges that "Awareness of liability due to security negligence
needs to be at the forefront of any business security strategy." Rasmussen, the group's internet security
research director, says organizations in the United States should protect themselves by adopting and
complying with information security best practices and standards to validate due diligence.
"Many enterprises adopt standards in words only, not in action, which may only further their liability exposure.
Organizations must show due diligence through compliance to standards and best practices to demonstrate a best-effort
attempt to protect information."
Today, organizations must protect themselves with on-going implementation of generally accepted computer security principles and best practices to validate due diligence.
The Privacy Technician is here to help by putting into place generally accepted principles of
information security.
Find out more by starting with The Privacy Technician's
Privacy and Security Analysis,
an action that could be considered positive by the authorities.
Phone: 775-745-6960 Email: asap@engate.com
Copyright 1993-2007 Privacy Technician, Inc The United States of America;
All Rights Reserved