
Are there legal cases that demonstrate the importance of security policies?

I work for a company that went public about a year ago. In the time since the IPO, I have deployed several NIDS (network intrusion-detection system) sensors along with a management server for the company. When I agreed to do this, I indicated that several policies would have to be written to adequately support the NIDS use in a professional, ethical and legal manner. I submitted a list of the policies I felt needed to be written, and management agreed. Since that time, I have submitted several policy documents on appropriate use, warning banners and incident response -- none of which have even been acknowledged.

I'm concerned that if something serious does happen (and there have already been several close calls), the company won't have a legal leg to stand on because of its lack of policy.

Are there legal cases that I can use to show upper-level management the importance of a sound security stance which includes policies?

American law generally does not require companies to have written security, incident response or acceptable use policies or warning banners. General exceptions are:

1. Under HIPAA, health care-related firms need to have written data security policies related to protecting patient data.

2. Under Gramm-Leach-Bliley, financial institutions are required to have written data security policies for protecting customer data.

However, well-written policies and banners are often wise. They can help to mitigate liability if the company makes a mistake, and they can help when disciplining hackers, criminals, unruly employees or offensive competitors.

Even though it is true that written policies and banners can, as I say, be helpful, precious few reported judicial decisions actually illustrate the point. There is EF Cultural Travel BV v. Zefer Corporation, No. 01-2001 (1st Cir., January 28, 2003), in which the court endorsed the posting of banners on a Web site to delineate what visitor activity is authorized and what is criminal. In that case the visitor was a competitor trying to scrape valuable data off of the Web site. The court upheld an injunction against the visitor. http://business.cch.com/computer/1020/EFCultural.pdf

You sound like a conscientious security professional. If you tactfully persist in suggesting that the company adopt wise written policies and banners, management may eventually be persuaded. But, you may have to be patient. For most companies, policies and banners are good practice, but not necessarily a mandatory requirement.

This is not legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

This was last published in May 2004.
