Decision Support: You Can't Outsource Liability For Security - InformationWeek




Security requires a process, people, policies, education, and technologies to work together

Companies are increasingly concerned about the threat of being found liable as a result of negligence in security. To protect themselves, businesses should adopt and comply with information-security best practices and standards to validate due diligence.

Tort law in the United States requires four fundamental components: duty, negligence, damage, and cause. Each has an effect on information security:

  • Duty answers the question of whether you have a responsibility to protect information. With media awareness and a push from governments to see that systems are secured, one would have to be blind not to be aware of the need to protect information. In fact, your own security and privacy policies may by themselves establish that you understand your duty.
  • Negligence defines a breach of duty. Can evidence be produced that shows the defendant didn't fulfill his or her duty of care? If the company had left a system in a default-insecure state or not applied a security patch it was aware of, this shows negligence.
  • Damage demonstrates the plaintiff has suffered some quantifiable harm. If a system was broken into and used to attack another organization, the damages can be identified. If private information was stolen and resulted in identity theft, the damages also can be identified.
  • Cause answers the question of whether the breach of duty is closely enough connected to the damages to be considered their primary cause. This ties duty, negligence, and damage together to determine whether the case is valid.

To combat the threat of liability, businesses should adopt information-security standards and best practices and be able to prove compliance with them. Many companies adopt standards in word but not in deed, and this may only worsen their liability problems. To truly combat this threat, companies will have to show due diligence through compliance with standards and best practices.

As businesses struggle to secure their systems, many are turning to managed security services providers to handle specific areas of security such as firewalls, vulnerability assessment, intrusion detection, and monitoring. While this relieves them of the burden of managing systems in-house, it doesn't take away a company's liability if there's a security breach.

Hypothetically, let's look at Nirvana Corp., which has just outsourced its vulnerability assessment to ABC Service Provider. ABC delivers monthly reports to Nirvana regarding the vulnerabilities found in its environment. But Nirvana gets hacked and sensitive client information is stolen that causes a civil lawsuit, and Nirvana is found liable. Nirvana can't, in turn, push liability back to the service provider. ABC can't be aware of and detect all vulnerabilities, and system configuration and maintenance are in the hands of Nirvana. If ABC is like other service providers, this is all carefully worded and stated in the services contract.

The scenario applies to intrusion detection and monitoring as well. If ABC should miss identifying an incident that causes significant harm to Nirvana, the services contract clearly states that ABC can't identify all incidents and, thus, can't assume responsibility in the case of an attack. In any case, intrusion detection and monitoring services are reactive; alerts go off after the incident occurs.

Companies that outsource components or processes of their security program to managed security services providers should read their service contracts carefully and understand that they're not outsourcing liability. The business owns liability, and it can't be successfully transferred, with the exception being insurance policies. But even in those cases, a company may never recover the damages done to its reputation as a result of an information-security breach. Adding fuel to this are scenarios such as outsourced service providers being forced by temporary restraining orders to turn off Internet access to clients because the client systems were compromised and attacking others.

Additionally, companies must exercise due diligence in understanding the services and investigating the references of a managed security services provider before contracting with it. There are companies appearing in this space that don't truly understand security. The process you thought you were outsourcing could very well be placed in the hands of a rookie who has never seen a firewall before.

A recurring theme in these common mistakes is that companies have repeatedly failed at security over the years because they think it's something you can buy, or a policy statement that can then be ignored. Security doesn't exist in products and verbiage alone; it requires a process, people, policies, education, and technologies working together.

Robert K. Weiler is chairman, president, and CEO of Giga Information Group, a global technology advisory firm. Reach him at [email protected]. Senior industry analyst Mike Rasmussen contributed to this column.
