The ISSA Journal was recently kind enough to provide me with the opportunity to publish an article entitled "The Legal Defensibility Era" (the cover article for its May 2010 publication, which focuses on legal issues impacting information security). Here is the abstract for the article:
The era of legal defensibility is upon us. The legal risk associated with information security is significant and will only increase over time. Security professionals will have to defend their security decisions in a foreign realm: the legal world. This article discusses implementing security that is both secure and legally defensible, which is key for managing information security legal risk.
So, what does "legal defensibility" mean in the security context?
While some security professionals have begun to address the concept from the security side, my article comes at it from an attorney’s perspective. In a nutshell, legal defensibility is an integrated and holistic strategy for reducing legal risk with respect to an organization’s information security program. The goals are not only "good security" (which is paramount both for preventing a breach and for defending it in court), but also security that can be adequately defended in a legal context, with the goal of reducing legal and liability risk:
The focus of legal defensibility is understanding how a plaintiff’s attorney, judge, jury, or regulator will view an organization’s security posture in light of applicable legal requirements. Under a legal defensibility analysis, security choices become legal positions or arguments to be used to persuade legal decision-makers that an organization’s security was legally sound, and to increase the likelihood that a judge, jury, or regulator will find a company legally compliant. Ultimately, there may not be a clear "right" or "wrong" answer, but rather a more or less persuasive legal argument/position on security.
Employing a legal defensibility strategy goes beyond superficial "checklist-oriented" compliance and recognizes that ambiguities exist in the law that, if not properly addressed, could adversely impact a company. It recognizes the need for a close working relationship between legal and security that allows both roles to understand how the other operates. It requires changing the security team’s frame of reference slightly, to enable them to understand how their decisions will be scrutinized in a legal realm. Under a legal defensibility model, security decisions become legal positions to address issues like "reasonable security," risk, and compliance with specific regulatory mandates.
Even the communication mode is altered — best practice is to establish attorney-client privilege to attempt to shield the "sausage making" (and the related paper trail) that sometimes goes into developing a security program. Documentation of decisions, and of the rationales for those decisions, becomes important: it creates a historical artifact that will be unearthed in the event of legal action. This documentation will allow the organization to justify its processes and put itself in the best light in front of a legal decision maker.
For legally defensible security, a key consideration is the process for making security decisions. An established decision-making process that takes into account accepted and relevant security standards, risk management, and legal requirements is better than an ad hoc approach. It provides consistency across an organization and over time, gives courts a basis for analyzing the adequacy of a company’s security program, and is easier to defend if it is reasonable and was actually followed. Coupled with documentation, a well-conceived and consistently applied process can strengthen an organization’s position in a legal context and reduce risk.
Final thoughts. As legal risk increases, a legal defensibility approach will become more important and eventually commonplace. Our data-driven society, and the legal risks arising out of it, dictate that we work together. Now is the time for legal, privacy, and security professionals to break down the arbitrary and antiquated walls that separate their professions. The distinctions between security, privacy, and compliance are becoming so blurred as to be ultimately meaningless. Like it or not, it all must be dealt with holistically, at the same time, and with expertise from multiple fronts. In this regard we must all develop thick skins and not be afraid to stop zealously guarding turf. The reality is that the legal and security worlds have collided, and most lawyers don’t know enough about security, while most security professionals don’t know enough about the law. Let’s change that. With the era of legal defensibility upon us, it is past time that this conversation went to the next level. So please take a look at my article. I sincerely look forward to your comments and constructive criticism on my thoughts.