Q

Are there legal cases that demonstrate the importance of security policies?

I work for a company that went public about a year ago. In the time since the IPO, I have deployed several NIDS (network intrusion-detection system) sensors along with a management server for the company. When I agreed to do this, I indicated that several policies would have to be written to adequately support the NIDS use in a professional, ethical and legal manner. I submitted a list of the policies I felt needed to be written, and management agreed. Since that time, I have submitted several policy documents on appropriate use, warning banners and incident response -- none of which have even been acknowledged.

I'm concerned that if something serious does happen (and there have already been several close calls), the company won't have a legal leg to stand on because of its lack of policy.

Are there legal cases that I can use to show upper-level management the importance of a sound security stance that includes policies?

American law generally does not require companies to have written security, incident response or acceptable use policies or warning banners. General exceptions are:

1. Under HIPAA, health care-related firms need to have written data security policies related to protecting patient data.

2. Under the Gramm-Leach-Bliley Act, financial institutions are required to have written data security policies for protecting customer data.

However, well-written policies and banners are often wise. They can help to mitigate liability if the company makes a mistake, and they can help when disciplining hackers, criminals, unruly employees or offensive competitors.

Even though it is true that written policies and banners can, as I say, be helpful, precious few reported judicial decisions actually illustrate the point. There is EF Cultural Travel BV v. Zefer Corporation, No. 01-2001 (1st Cir., January 28, 2003), in which the court endorsed the posting of banners on a Web site to delineate what visitor activity is authorized and what is criminal. In that case the visitor was a competitor trying to scrape valuable data off of the Web site. The court upheld an injunction against the visitor. http://business.cch.com/computer/1020/EFCultural.pdf

You sound like a conscientious security professional. If you tactfully persist in suggesting that the company adopt wise written policies and banners, management may eventually be persuaded. But you may have to be patient. For most companies, policies and banners are good practice, but not necessarily a mandatory requirement.

This is not legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

This was first published in May 2004.