Ask the Expert

Are there legal cases that demonstrate the importance of security policies?

I work for a company that went public about a year ago. In the time since the IPO, I have deployed several NIDS (network intrusion-detection system) sensors along with a management server for the company. When I agreed to do this, I indicated that several policies would have to be written to adequately support the NIDS use in a professional, ethical and legal manner. I submitted a list of the policies I felt needed to be written, and management agreed. Since that time, I have submitted several policy documents on appropriate use, warning banners and incident response -- none of which have even been acknowledged.

I'm concerned if something serious does happen (and there have already been several close calls), that the company won't have a legal leg to stand on because of their lack of policy.

Are there legal cases that I can use to show upper-level management the importance of a sound security stance that includes policies?

American law generally does not require companies to have written security, incident response or acceptable use policies or warning banners. General exceptions are:

1. Under HIPAA, health care-related firms need to have written data security policies related to protecting patient data.

2. Under the Gramm-Leach-Bliley Act, financial institutions are required to have written data security policies for protecting customer data.

However, well-written policies and banners are often wise. They can help to mitigate liability if the company makes a mistake, and they can help when disciplining hackers, criminals, unruly employees or offensive competitors.

Even though it is true that written policies and banners can, as I say, be helpful, precious few reported judicial decisions actually illustrate the point. There is EF Cultural Travel BV v. Zefer Corporation, No. 01-2001 (1st Cir., January 28, 2003), in which the court endorsed the posting of banners on a Web site to delineate what visitor activity is authorized and what is criminal. In that case the visitor was a competitor trying to scrape valuable data off of the Web site. The court upheld an injunction against the visitor. http://business.cch.com/computer/1020/EFCultural.pdf.

You sound like a conscientious security professional. If you tactfully persist in suggesting that the company adopt wise written policies and banners, management may eventually be persuaded. But you may have to be patient. For most companies, policies and banners are good practice, but not necessarily a mandatory requirement.

This is not legal advice for any particular situation. If you need legal advice, you should consult your lawyer.


For more info on this topic, visit these SearchSecurity.com resources:
  • Tip: Downstream liability makes the case for security spending
  • February 2004 Information Security magazine: Stop! Read & react
  • Security Policies Tip: Issues to address in your incident management policy

This was first published in May 2004.