The Legal Defensibility Era is Upon Us
The ISSA Journal was recently kind enough to provide me with the opportunity to publish an article entitled "The Legal Defensibility Era" (the cover article for its May 2010 publication, which focuses on legal issues impacting information security). Here is the abstract for the article:
The era of legal defensibility is upon us. The legal risk associated with information security is significant and will only increase over time. Security professionals will have to defend their security decisions in a foreign realm: the legal world. This article discusses implementing security that is both secure and legally defensible, which is key for managing information security legal risk.
So, what does "legal defensibility" mean in the security context?
While some security professionals have begun to address the concept from the security side, my article comes at it from an attorney's perspective. In a nutshell legal defensibility is an integrated and holistic strategy for reducing legal risk with respect to an organization's information security program. The goals are not only "good security" (which is paramount for both preventing a breach and for defending it in court), but also security that can be adequately defended in a legal context with the goal of reducing legal and liability risk:
The focus of legal defensibility is understanding how a plaintiff ’s attorney, judge, jury, or regulator will view an organization’s security posture in light of applicable legal requirements. Under a legal defensibility analysis security choices become legal positions or arguments to be used to persuade legal decision-makers that an organization’s security was legally sound, and increase the likelihood that a judge, jury, or regulator will find a company legally compliant. Ultimately, there may not be a clear “right” or “wrong” answer, but rather a more or less persuasive legal argument/position on security.
Employing a legal defensibility strategy goes beyond superficial "checklist-oriented" compliance and recognizes that ambiguities exist in the law, that if not properly addressed could adversely impact a company. It recognizes the need for a close working relationship between legal and security that allows both roles to understand how the other operates. It requires changing the security team's frame of reference slightly so enable them to understand how their decisions will be scrutinized in a legal realm. Under a legal defensibility model, security decisions become legal positions to address issues like "reasonable security," risk and compliance with specific regulatory mandates.
Even the communication mode is altered -- best practice is to establish attorney-client privilege to attempt to shield the "sausage making" (and related paper trail) that sometimes goes into developing a security program. Documentation of decisions and rationales for decisions become important to create a historical artifact to be unearthed in the event of legal action. This documentation will allow the organization to justify its processes and put itself in the best light in front of a legal decision maker.
For legally defensible security a key consideration is the process for making security decisions. A an established decision-making process that takes into account accepted and relevant security standards, risk management and legal requirements is better than an ad hoc approach. It provides for consistency across an organization and over time, provides a basis for courts to analyze the adequacy of a company's security program, and is easier to defend if reasonable and followed. Coupled with documentation, having a well-conceived and consistent process can assist an organization's position in a legal context and reduce risk.
Final thoughts. As legal risk increases a legal defensibility approach will become more important and eventually commonplace. Our data driven society, and the legal risks arising out of it, dictate that we work together. Now is the time for legal, privacy and security professionals to break down arbitrary and antiquated walls that separate their professions. The distinctions between security, privacy and compliance are becoming so blurred as to ultimately be meaningless. Like it or not, it all must be dealt with holistically, at the same time, and with expertise from multiple fronts. In this regard we must all develop thick skins and be not afraid to stop zealously guarding turf. The reality is, the legal and security worlds have collided, and most lawyers don't know enough about security, and most security professionals don't know enough about the law. Let's change that. With the era of legal defensibility upon us, it is past time that this conversation went to the next level. So please take a look at my article. I sincerely look forward to your comments and constructive criticism on my thoughts.
Privacy's Trajectory
As many of our readers know, the International Association of Privacy Professionals (IAPP) will celebrate 10 years this Tuesday, March 16. In connection with that anniversary, the IAPP is releasing a whitepaper, "A Call For Agility: The Next-Generation Privacy Professional," tomorrow, March 15. Monday morning you can find the whitepaper here. I am honored that the IAPP has given me the opportunity to read and blog about the whitepaper in advance of its official release. Where exactly is privacy going in today's environment? What is the role of the privacy professional over the next 10 years? And, a lot of people I know and love (you know who you are) would ask, what in the world is a privacy professional anyway?
Of late, I have found myself reiterating, and getting a lot of positive feedback for, the following proposition: with data (massive amounts of it) as the new currency, the explosion in outsourcing to "trusted partners," and the growth of legal risks associated with an ever-expanding body of privacy and data security regulation, the role for professionals who understand privacy is becoming increasingly important. Further, such professionals are uniquely positioned to bring together various key stakeholders in an organization, including Information Security, Legal, IT, and various business units. Why? Because privacy professionals are, by virtue of what they do, multidisciplinary. And the growing opportunities for such professionals are inextricably intertwined with that quality. The IAPP has summed this up succinctly, and eloquently in its whitepaper, as follows:
The next 10 years will see more types of data collected from more people, and more privacy laws in more places. A deepening and broadening of data protection regulations in the industrialized world will spread to emerging markets and place a higher premium on legal and compliance acumen. In addition, an expansion of health information networks, smart grid networks and cloud computing platforms will make industry and technology expertise a more indispensable part of practicing privacy.
. . . the privacy professional’s success in the next decade will demand greater adaptability and most importantly, agility. The agile privacy professional is the next-generation privacy professional: an expert practitioner who is keenly attuned to cultural and regional distinctions as these continue to grow in an increasingly interconnected data economy; who can migrate and adapt to different roles within an organization and offer value at each; who exhibits both comfort and grasp of legal/compliance and technical disciplines; and who instills direction and leadership of privacy management within the organization.
The following analysis and discussion of the IAPP's whitepaper is completely my own. I think that the paper raises some incredibly important points about the need for privacy professionals to lead the way for more effective information governance. As an outside lawyer (with my own unique perspective), my key takeaway is the following -- privacy professionals must understand law AND technology, and must facilitate dialogue between those two disciplines and as between those disciplines, on the one hand, and the business side, on the other.
The importance of a "privacy professional" understanding both legal and technical disciplines cannot be overstated:
The central role of regulatory and IT drivers shaping the privacy profession almost ensures an ongoing need for privacy professionals to be conversant in not one, but both of these disciplines.
Regulation and "Reasonable Security"
I believe this is largely due to what the IAPP describes in the whitepaper as the "Second Wave of Regulation," which began in approximately 2003 with California's landmark data breach notification legislation, Civil Code section 1798.82 (for private entities), often called SB 1386. On the heels of that came 44 additional such state laws, DC, Puerto Rico, the Virgin Islands, and now some similar European legislation, as discussed in the whitepaper. And, with the light now shining on security risks and failures within private organizations, additional security standards and legislation began to emerge - most notably, as highlighted by the IAPP, the Payment Card Industry (PCI) Data Security Standard (DSS) and laws such as Nevada's (SB 227) that incorporate that Standard. For more on that, see Dave's posts here, here and here. Further, as noted in the whitepaper,
A number of factors have spurred North American (and particularly American) organizations to dedicate more resources to privacy process improvement: most notably, PCI DSS enforcement, FTC enforcement, and data breach notification.
Not discussed in the IAPP whitepaper in depth, but just as important, a number of states have crafted legislation designed to require "reasonable" security or safeguards to address security risks in a more proactive fashion, as opposed to the traditional reactive breach notification approach. Massachusetts, Massachusetts M.G.L. c. 93H and 201 CMR §§ 17.00-17.05, is of course the most recent, most detailed, and most well known, but many states require the same "reasonable security" (sometimes for all personal information, sometimes for just Social Security numbers), including, but not limited to, California (Civ. Code §§ 1798.81, 1798.81.5, and 1798.85), Arkansas (Code Ann. §4-110-104(b)), Colorado (Rev. Stat. Ann. §6-1-713), Connecticut (HB 5658), Maryland (Com. Law Code Ann. § 14-3503), Nevada, as mentioned above (Rev. Stat. § 603A.210 and SB 227), Oregon (Rev. Stat. § 646A.622), Rhode Island (Stat. § 11-49.2-2), Texas (Bus. & Com. Code Ann §§ 48.102(a) and 521.001, .052, .151) Utah (Code Ann. § 13-44-201), and Washington (Rev. Code Ann. §19.215.020 to .030). There are more, I could go on.
What in the world is "reasonable security"? A privacy professional who understands the law and traditional notions of negligence, various concepts of privacy (Fair Information Practice Principles, etc.) as embodied in different standards and legislation around the world (from EU to Australia), and the evolution of information security (as a technical matter) is ideally positioned to help assess what "reasonable security" means and determine what will be compliant, what will be legally defensible, what will be best practice, and what will be just good business. And such a privacy professional can facilitate discussions among stakeholders that speak somewhat different languages in this regard to reach solutions that are acceptable to all involved.
From Privacy to Information Governance
As a lawyer, I am also extraordinarily pleased to see, in the IAPP's whitepaper, a reference to the new ediscovery rules that came into play in the latter half of the 2000s, most notably the amendments to the Federal Rules of Civil Procedure in 2006. What does privacy have to do with ediscovery? Everything. As noted in the IAPP's whitepaper, the amended rules "increased the need for organizations to conduct data inventories and implement data-retention policies." How do you protect sensitive data (personally identifiable information, trade secrets, IP, etc.)? You figure out where it is first. And thus, as the IAPP points out, we start to see the "privacy" role evolve into an information governance role.
Speaking of information governance, let's return to technology. States the IAPP: cloud computing will set the pace for the next decade:
One of the clear directions of technology in the past 10 years as it pertains to personal data has been more—more types of data collected from more people in more ways, and shared with more entities. The emergence of cloud computing—essentially a new computing paradigm in which data is stored off-premises and by a range of third parties—sets the pace for the next decade. Short of a wholesale social movement to opt out of information technology and “go dark,” the conveniences and commercial benefits of more data collection and sharing seem to point in the direction of more. People will not 'go dark,' we estimate, because the utility of sharing information will continue to well exceed the risks of doing so.
Thus, the IAPP stresses the need for agility and identifies five strategies for action:
(1) Redefine the privacy role [information governance]; (2) Rotate through departments/business units; (3) Develop multi-cultural literacy; (4) Understand legal and technical disciplines; and, (5) Instill direction and leadership.
Bottom line? Proactive, multidisciplinary solutions to information governance that incorporate information technology savvy and that address compliance, legal defensibility, and best practices, are now and will become increasingly crucial to any organization that handles sensitive data. Privacy professionals are well positioned to lead those efforts. Congratulations to the IAPP on its 10th anniversary! I look forward to the next 10 years.
Analyzing the Risk-Based Factors of Massachusett's Data Security Law
SearchSecurity.com published an article by me yesterday (a copy can be found here the original is here) concerning the risk-based elements of Massachusetts' data security regulation (201 CMR 17.00, et. al). The gist of the article is that any company that chooses anything less than "strict compliance" with the specific written information security policy ("WISP") and control requirements of the regulation must be able to legally support their decision based on the regulation's risk elements. What this amounts to is developing a legal opinion interpreting and applying those risk-based factors to the organization's particular circumstances.
While a legal exercise is necessary for determining compliance with any and all statutes that mandate security or privacy requirements, the Massachusetts regulation's hybrid approach (e.g. specific controls mandated with a general risk-based hedge) potentially complicates the analysis. Without a legal analysis to interpret and apply the risk-based factors and resolve ambiguities in the regulation, or a legal understanding of how regulators, judges and plaintiff's counsel may interpret the regulation, companies run a serious liability risk. Moreover, companies may get into trouble if they fail to document their rationale -- if/when a breach occurs or regulators come knocking the organization must be able to explain their risk-related decisions and how they complied with the law. The task is further complicated because risk is a moving target for organizations. As the company gets bigger or retains more personal information, or when new attacks or technologies arise, the company must reevaluate its risk, and the WISP and controls it has in place to address that risk.
To minimize legal risk, compliance efforts should all be performed under attorney-client privilege to shield certain compliance communications from class action lawyers, regulators and courts. In short, companies need to treat compliance with the Massachusetts regulation (and other security laws) as a legal exercise as much as a security exercise. The main question in this specific context is: "if something goes wrong, do we have a reasonably defensible legal position concerning our WISP and security controls in light of the law?"
