ISSA Talk: Legally Defensible, Proactively Protected

Ben Tomhave and I had the pleasure of speaking at the recent ISSA International Conference.  We spoke on the topic of legally defensible security.  If interested, you can find a copy of our slides as well as the audio of our talk.  Ben and I will be speaking on this topic (along with other panelists) at the RSA Conference in February 2011.  Please let us know what you think.

A Privacy Checklist for Global Enterprises

Nymity, a provider of international compliance resources, recently interviewed me about managing risk and compliance in a global enterprise that handles protected personal information about customers, employees, website visitors, and other individuals in multiple jurisdictions.  Based on experience with many multinationals, large and small, I came up with a discovery checklist that a company might find useful in identifying and prioritizing these data flows.  We also discussed several issues of common concern to global organizations:

  • enforcement and litigation trends
  • the moving target of "sensitive" data
  • the role of privacy commissions and other data protection authorities
  • the increasing interest of trade unions and works councils in employee privacy issues
  • the value of referring to information security standards
  • the practicalities of using cross-border compliance vehicles such as model contracts, Safe Harbor, and binding corporate rules. 

The full interview is available here.


Court in Domain Hijacking Case Reminds Parties: You Can't Contractually Limit Liability in NY for Willful or Grossly Negligent Conduct

As a big fan of the late Paul Harvey, whose signature closing catch-phrase was “and now you know the rest of the story,” there are times when posts analyzing cases, statutes or developments are held until additional information is in. The opinion early this year by U.S. Circuit Judge Denny Chin in the hijacked domain case of Baidu, Inc. et al v. Register.com, Inc., 2010 U.S. Dist. LEXIS 73905 (July 22, 2010) (1:10-cv-00444-DC), proved to be just such a situation, and I waited to see what the defendant's Answer might hold, and then how the parties responded thereafter.

J. Chin's rejection of Register.com's summary judgment motion - allowing Baidu's action to proceed on its claims for breach of contract, gross negligence and recklessness - likely surprised many who have come to view the extremely broad limitation-of-liability language frequently found in today's contracts as near iron-clad protection.


California Department of Public Health Breach Fines and Legally Defensible Security

The California Department of Public Health (“CDPH”) recently announced its imposition of $675,000 in fines on six hospitals that had reported security breaches involving medical records (since January 1, 2009, the CDPH has issued fines totaling $1.1 million). The story has been extensively reported in the media. You can listen to the CDPH’s press conference here. The total number of records exposed was only 244, for an average fine of around $2,766 per record. To put that in perspective, if a California hospital suffered a breach involving 100,000 medical records, using the average stated here, its potential fines could be $276 million (assuming no cap for fines and penalties -- the relevant laws do have a cap of $250,000 per incident).

In this post we take a deeper look at the CDPH fines and the legal framework that gave rise to them, and explore the concept of legally defensible security in this context.


The Legal Defensibility Era is Upon Us

The ISSA Journal recently gave me the opportunity to publish an article entitled "The Legal Defensibility Era" (the cover article for its May 2010 issue, which focuses on legal issues affecting information security).  Here is the abstract for the article:

The era of legal defensibility is upon us. The legal risk associated with information security is significant and will only increase over time. Security professionals will have to defend their security decisions in a foreign realm: the legal world. This article discusses implementing security that is both secure and legally defensible, which is key for managing information security legal risk.

So, what does "legal defensibility" mean in the security context? 
