SAN FRANCISCO -- Most organizations think of a security policy as a technical or business matter when, in fact, it is just as much a legal one. Having a sound policy in place and enforcing it can save a company's hide in the event of a security breach, according to legal experts at RSA Conference 2003.
The message: organizations should stop thinking of security policy as merely a technical matter. Don't just ensure that particular ports are blocked and certain appliances are installed -- and keep in mind that virtually every element of information security has legal ramifications.
"A written policy equals diligence," said Benjamin Wright, a Dallas-based attorney who specializes in computer security and e-commerce law. Courts love to see "routine" when evaluating whether a company did the right thing, he said.
For example, business records can be exempt from the hearsay rule and be admitted as evidence in court because they are built upon a pattern of behavior, Wright said during a panel discussion at the show.
Of course, creating a security policy and living by it are two different things. Having a policy that does little more than collect dust on the shelf might actually be worse than not having one at all, experts advised.
A sound security policy is more than just writing rules. It should begin with a risk assessment, so an organization gets a sense of where dangers lie. Federal laws -- such as the Gramm-Leach-Bliley Act and the Health Insurance
When contemplating risks, remember that both direct and indirect costs are associated with security incidents. The direct costs include obvious losses, such as system damage, theft of valuable information, damage caused by vandalism and interruption of business.
The indirect ones can be trickier to discern and may cause security and legal issues to overlap. For example, a security breach may result in privacy or shareholder lawsuits, said Joseph Burton, a law partner with Duane Morris LLP, a firm with offices in the U.S. and U.K. Third-party lawsuits brought against companies whose compromised systems are used in distributed denial-of-service attacks pose another threat.
Companies need to include steps in their policies "to push liability upstream to put the costs onto someone else," Burton said.
But the consequences of security incidents go beyond civil liability. Companies need to be aware of the criminal sanctions established by laws like the Computer Fraud and Abuse Act, Burton said.
That's why the written policy should reflect the legal ramifications, as well as the business and technical issues behind information security. A company should then implement, enforce and regularly review its policy. It's helpful to have upper management or the board of directors sign the policy, said Behnam Dayanim, an attorney who specializes in technology operations and policy with the law firm of Paul, Hastings, Janofsky & Walker LLP, in Washington, D.C.
Generally, policies will be judged on their process. "Did the company have reasonable processes under the circumstances?" Dayanim said.
FOR MORE INFORMATION: