Decision Support: You Can't Outsource Liability For Security
Security requires a process, people, policies, education, and technologies to work together
Companies are increasingly concerned about the threat of being found liable as a result of negligence in security. To protect themselves, businesses should adopt and comply with information-security best practices and standards to validate due diligence.
Tort law in the United States requires four fundamental components: duty, negligence, damage, and cause. Each has an effect on information security:
Duty answers the question as to whether you have a responsibility to protect information. With media awareness and a push from governments to see that systems are secured, one would have to be blind not to be aware of the need to protect information. In fact, your security and privacy policies may automatically assign you the understanding of your duty.
Negligence defines a breach of duty. Can evidence be produced that shows the defendant didn't fulfill his or her duty of care? If the company had left a system in a default-insecure state or not applied a security patch it was aware of, this shows negligence.
Damage demonstrates the plaintiff has suffered some quantifiable harm. If a system was broken into and used to attack another organization, the damages can be identified. If private information was stolen and resulted in identity theft, the damages also can be identified.
Cause answers the question of whether the breach of duty is related closely enough to the damages to be considered a primary cause. This ties duty, negligence, and damage together to determine whether the case is valid.
To combat the threat of liability, businesses should adopt information-security standards and best practices and be able to prove compliance with them. Many companies adopt standards in word but not in deed, and this may only compound their liability problems. To truly combat this threat, companies will have to show due diligence through compliance with standards and best practices.
As businesses struggle to secure their systems, many are turning to managed security services providers to handle specific areas of security such as firewalls, vulnerability assessment, intrusion detection, and monitoring. While this relieves them of the burden of managing systems in-house, it doesn't take away a company's liability if there's a security breach.
Hypothetically, let's look at Nirvana Corp., which has just outsourced its vulnerability assessment to ABC Service Provider. ABC delivers monthly reports to Nirvana regarding the vulnerabilities found in its environment. But Nirvana gets hacked, sensitive client information is stolen, a civil lawsuit follows, and Nirvana is found liable. Nirvana can't, in turn, push liability back to the service provider. ABC can't be aware of and detect every vulnerability, and system configuration and maintenance remain in the hands of Nirvana. If ABC is like other service providers, all of this is carefully worded and stated in the services contract.
The scenario applies to intrusion detection and monitoring as well. If ABC should miss identifying an incident that causes significant harm to Nirvana, the services contract clearly states that ABC can't identify all incidents and, thus, can't assume responsibility in the case of an attack. In any case, intrusion detection and monitoring services are reactive; alerts go off after the incident occurs.
Companies that outsource components or processes of their security program to managed security services providers should read their service contracts closely and understand that they're not outsourcing liability. The business owns liability, and it can't be successfully transferred, the exception being insurance policies. But even in those cases, a company may never recover the damage done to its reputation as a result of an information-security breach. Adding fuel to this are scenarios such as outsourced service providers being forced by temporary restraining orders to turn off Internet access to clients because the client systems were compromised and attacking others.
Additionally, companies must exercise due diligence in understanding the services and investigating the references of a managed security services provider before contracting with it. There are companies appearing in this space that don't truly understand security. The process you thought you were outsourcing could very well be placed in the hands of a rookie who has never seen a firewall before.
A recurring theme among these common mistakes is that companies over the years have repeatedly failed at security because they think it's something you can buy, or a policy statement that can be written and then ignored. Security doesn't exist in products and verbiage alone; it requires a process, people, policies, education, and technologies working together.
Robert K. Weiler is chairman, president, and CEO of Giga Information Group, a global technology advisory firm. Reach him at firstname.lastname@example.org. Senior industry analyst Mike Rasmussen contributed to this column.