The Legal Liability of Information Security

Security UPDATE, Web exclusive, April 30, 2003

1.

IN FOCUS

(contributed by Mark Joseph Edwards, News Editor, [email protected])

* THE LEGAL LIABILITY OF INFORMATION SECURITY

In last week's Security UPDATE commentary, I discussed the changing legal landscape regarding security. I have a bit more to say about the subject. The SysAdmin, Audit, Network, Security (SANS) Institute recently offered the Webcast "Legal Liability For Information Security: Ask the Experts." [http://www.sans.org/webcasts/042303.php] If you didn't tune in, you missed some interesting perspectives. (For a rebroadcast of the SANS Webcast, you can register through the linked Webcast title above and follow the instructions to access the show in the archives.)

In one segment of the Webcast, attorney Marc Zwillinger offered his opinions about how torts will soon affect companies based on their information security practices (or the lack thereof). Without getting into complicated legal interpretations, one can define a tort as basically damage, injury, or a wrongful act that occurs either willfully or through negligence.

In the past, to get into trouble in the arena of information security, you typically had to either break the law or break or violate a contract. Legal experts now think we'll start to see litigants suing entities for torts civilly--and perhaps even prosecuting them criminally, depending on the circumstances.

For example, if your company is aware that it runs an open mail relay, and a spammer uses your mail system to send email in a way that causes harm or damage to another entity, your company has effectively committed a tort and might be found liable in a court of law. In another example, if you don't properly secure private user or customer information and that information becomes compromised, you might be held liable for civil damages.

In the United States, almost anyone can sue someone else for almost any reason. So staying out of court might become increasingly difficult in some security-related instances. The legal experts note several ways you can help prevent litigation regarding your information security.

One of the key factors in determining liability is whether you've taken reasonable steps toward keeping your systems and information secure. Another factor is how you respond to security incidents. These factors will probably determine whether and how you're found liable in the event that someone brings a legal action against you or your company. How you handle those matters--which steps you've taken to keep information secure and how you respond to security incidents--might also affect whether you qualify for cyber-insurance.

When asked which were the most important security-related steps to take, members of the legal panel recommended that you explicitly assign responsibilities for security matters, put those assignments in writing, and have the responsible parties sign them physically, digitally, or both. You should take appropriate action before something becomes a problem for your business. You must be aware of the different layers of law under which you operate (local, county, state, federal, international) and respond to requirements accordingly. Find a capable lawyer to help ensure you aren't caught off guard. Finally, be sure you assign access rights and responsibilities carefully, after assessing people's skill levels and their need for access relative to their specific tasks and your business needs. Doing so can help avoid liabilities stemming from negligence.

Do the insurance and the legal industries seem poised to start steering the information security industry more directly toward what it must do and how to do it? Will a day come when people won't be able to connect to the Internet without a proper license and cyber-insurance of some sort? I hope such potential changes won't occur--at least until after the day that computer software and hardware vendors become legally liable for defective products. I think many people agree that, like automobiles, software and hardware should have both better "precautionary devices" and more knowledgeable "drivers."

In any case, it's clear that your company's security practices must be stated, assigned, and carried out to keep your company out of court in case of a mishap. You should know which security elements will come into play when courts make decisions about liability and take steps to address those elements--not only to avoid litigation but also to protect your company, its customers, and you.