Blog

Archive for November, 2009

Potential Lawsuits? Have you Practiced Due Diligence and Due Care?

Henry November 16th, 2009

To begin, I am not a lawyer by any means, but I have worked in the industry for almost two decades, the last ten years heavily involved in the world of information security. I have seen how many legal issues can arise from security incidents, with the company ending up in court. I am writing this blog to let you know what can be done to guard against potential legal tangles.

In today’s high-tech, information-based society, cyber crimes take place every day somewhere in the world, and hacking attacks are on the rise. If you are a security professional, there is a chance that you will become legally involved in a computer fraud case, no matter which industry you work in.

To get a quick understanding of current cyber crimes, just browse through http://www.cybercrime.gov/. You can see that just a few days ago an alleged international hacking ring was caught in a $9 Million Fraud: Major Credit Card Processor Victimized in Elaborate Theft of Account Numbers (November 10, 2009). Imagine that you are the security professional at the company where this theft occurred! You are in hot water, as these crimes must be reported under the law. Not only could your institution get sued by the credit card victims, but you personally may end up in court.

In a legal case such as this, what would you present in court? Most security professionals are busy with day-to-day technical issues and hardly have any time to learn and understand the legal side of computer crimes and their own legal responsibilities.

There are a couple of important things that courts are going to look at when a company is sued over an information breach or fraud. Companies should come up not only with security controls for the confidentiality, integrity and availability of critical data, but also with strategies for liability and responsibilities. If you are storing credit card numbers in a database, you are expected to encrypt them, and the database server should be hardened. Strict access controls should also be in place, along with other security controls in the network path, layered so that a hacker has to break through many barriers to get to the treasure. If these security controls are not in place and the credit card numbers are compromised, the company can be held liable to the victims, the shareholders and whoever else is affected, and these victims can most likely sue the company for financial loss. In order for a company to protect itself from these legal liabilities, it needs to practice due diligence, meaning that the company must investigate all of its potential security gaps and vulnerabilities.
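As an added illustration of the "encrypt the stored card numbers" control mentioned above (example code written for this page, not taken from the post or its listed sources): a small Go program that stores only the last four digits plus an AES-GCM ciphertext, binds each record to its customer ID as associated data so a ciphertext cannot be copied into another customer's row, and validates the PAN with a Luhn check before it is ever written. The key handling, the customer ID field and the 4111... test number are assumptions for the example; in a real deployment the key would live in an HSM or key-management service, not in the process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// StoredCard is what the database row holds: never the plaintext PAN.
// Ciphertext is base64(nonce || AES-GCM ciphertext+tag).
type StoredCard struct {
	Last4      string
	Ciphertext string
}

// luhnValid is the mod-10 check every card number passes; it catches typos, not fraud.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN validates the card number and returns the record to store.
// customerID is associated data: authenticated but not encrypted, so the
// ciphertext only opens when presented with the same customer ID.
func EncryptPAN(key []byte, customerID, pan string) (StoredCard, error) {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(pan)
	// 13-19 characters, all digits (Trim leaves nothing behind), and Luhn-valid.
	if len(digits) < 13 || len(digits) > 19 || strings.Trim(digits, "0123456789") != "" || !luhnValid(digits) {
		return StoredCard{}, errors.New("invalid PAN")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(digits), []byte(customerID))
	return StoredCard{
		Last4:      digits[len(digits)-4:],
		Ciphertext: base64.StdEncoding.EncodeToString(sealed),
	}, nil
}

// DecryptPAN recovers the PAN. Any error means wrong key, wrong customer or a
// tampered record: log it as a security event rather than retrying.
func DecryptPAN(key []byte, customerID string, rec StoredCard) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(rec.Ciphertext)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("record too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(customerID))
	if err != nil {
		return "", errors.New("authentication failed: wrong key, wrong customer or tampered record")
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // assumption: in production the key lives in an HSM/KMS, not here
	rand.Read(key)
	// Constructed sample: the well-known 4111... test number, not a real account.
	rec, err := EncryptPAN(key, "customer-42", "4111 1111 1111 1111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: last4=%s ciphertext=%s\n", rec.Last4, rec.Ciphertext)
	pan, _ := DecryptPAN(key, "customer-42", rec)
	_, swapErr := DecryptPAN(key, "customer-43", rec)
	fmt.Printf("same customer: %s; other customer: %v\n", pan, swapErr)
}
```

Because GCM authenticates both the ciphertext and the associated data, a record that has been altered, or moved under another customer, fails to decrypt instead of quietly yielding wrong digits; that failure is exactly the kind of detective signal worth alerting on.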

In addition to practicing due diligence, a company needs to practice due care as well, meaning that the company should act on the due diligence findings and make the best attempt a prudent person would make to put administrative, preventive, detective and corrective security controls in place, so that if a security breach does happen, controls are there to mitigate the damage. A jury looking at such a case would see that the company has done everything in its power to protect the data, and its legal liability may be minimal or the company may not be held liable at all.

Happy Reading!

Ref Sources:

http://www.giac.org

http://www.nist.org

All In One CISSP Exam Guide – Shon Harris


In my Sock Drawer…

Natasha November 14th, 2009

“Safety is not in the Absence of Danger.”

What a profound statement. In light of the saddening events at Fort Hood, this hits very close to home. A soldier deployed to Iraq had to call her husband at Fort Hood to ensure he was safe. How ironic. It’s even more ironic that I once convinced a friend that it was archaic not to have a bank account and a debit card. How times have changed. Now, with the rise in “money mules” and bank scams involving unauthorized account transfers, are our banks any safer than the sock drawer?



Make Compliance Fun – Recycling

Brad November 13th, 2009

Happy Friday everyone!

Another great video from the Volkswagen folks, who take a mundane task like recycling bottles and turn the process into a game. It’s good (read: fun) for the individual participating, good for the onlookers, and best for the environment. We think you can be just as creative with audit, risk, and compliance initiatives. Thanks to designer extraordinaire @itsjustbrent of the Habadashery for keeping this on our radar.


Preparing for the worst through employee training

The Community November 13th, 2009

Given the recent headlines about Jason Rodriguez, and about personnel or ex-personnel committing murders by gunning down fellow employees, how can your emergency plan be prepared? The Army could not protect itself from a high-ranking officer who decided to go on a shooting spree. How does a company plan for an ex-employee, fired two years ago, coming back to shoot at random people in the office? Does your emergency plan include mock scenarios of anything similar? How can we plan for something as horrific as this? Unfortunately we have to plan for the worst; it is better to be prepared than not.

Are there panic buttons readily available? Do employees know where to go or what to do if confronted with this kind of situation? Is this included in your emergency response plan? While we can’t possibly list every possible scenario, we can walk through the worst ones, so that if one does happen your employees will have some idea of what to do.
