Decision Support: You Can't Outsource Liability For Security - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

12:22 PM

Decision Support: You Can't Outsource Liability For Security

Security requires a process, people, policies, education, and technologies to work together

Companies are increasingly concerned about the threat of being found liable as a result of negligence in security. To protect themselves, businesses should adopt and comply with information-security best practices and standards to validate due diligence.

Tort law in the United States requires four fundamental components: duty, negligence, damage, and cause. Each has an effect on information security:

  • Duty answers the question as to whether you have a responsibility to protect information. With media awareness and a push from governments to see that systems are secured, one would have to be blind not to be aware of the need to protect information. In fact, your security and privacy policies may automatically assign you the understanding of your duty.
  • Negligence defines a breach of duty. Can evidence be produced that shows the defendant didn't fulfill his or her duty of care? If the company had left a system in a default-insecure state or not applied a security patch it was aware of, this shows negligence.
  • Damage demonstrates the plaintiff has suffered some quantifiable harm. If a system was broken into and used to attack another organization, the damages can be identified. If private information was stolen and resulted in identity theft, the damages also can be identified.
  • Cause answers the question of whether the breach of duty related to the damages is close enough to be considered a primary cause. This plugs the duty, negligence, and damage together to see if the case is valid.
  • To combat the threat of liability, businesses should adopt and be able to prove compliance to information-security standards and best practices. Many companies adopt standards in word but not in deed, and this may only further their liability problems. To truly combat this threat, companies will have to show due diligence through compliance to standards and best practices.

    As businesses struggle to secure their systems, many are turning to managed security services providers to handle specific areas of security such as firewalls, vulnerability assessment, intrusion detection, and monitoring. While this relieves them of the burden of managing systems in-house, it doesn't take away a company's liability if there's a security breach.

    Hypothetically, let's look at Nirvana Corp., which has just outsourced its vulnerability assessment to ABC Service Provider. ABC delivers monthly reports to Nirvana regarding the vulnerabilities found in its environment. But Nirvana gets hacked and sensitive client information is stolen that causes a civil lawsuit, and Nirvana is found liable. Nirvana can't, in turn, push liability back to the service provider. ABC can't be aware of and detect all vulnerabilities, and system configuration and maintenance are in the hands of Nirvana. If ABC is like other service providers, this is all carefully worded and stated in the services contract.

    The scenario applies to intrusion detection and monitoring as well. If ABC should miss identifying an incident that causes significant harm to Nirvana, the services contract clearly states that ABC can't identify all incidents and, thus, can't assume responsibility in the case of an attack. In any case, intrusion detection and monitoring services are reactive; alerts go off after the incident occurs.

    Companies that outsource components or processes of their security program to managed security services providers should clearly read their service contracts and understand that they're not outsourcing liability. The business owns liability, and it can't be successfully transferred, with the exception being insurance policies. But even in those cases, a company may never recover the damages done to its reputation as a result of an information-security breach. Adding fuel to this are scenarios such as outsourced service providers being forced by temporary restraining orders to turn off Internet access to clients because the client systems were compromised and attacking others.

    Additionally, companies must exercise due diligence in understanding the services and investigating the references of a managed security services provider before contracting with it. There are companies appearing in this space that don't truly understand security. The process you thought you were outsourcing could very well be placed in the hands of a rookie who has never seen a firewall before.

    A recurring theme in the defined common mistakes is that companies over the years repeatedly have failed at security, because they think it's something you can buy or a policy statement that's ignored. Security doesn't exist in products and verbiage alone; it requires a process, people, policies, education, and technologies working together.

    Robert K. Weiler is chairman, president, and CEO of Giga Information Group, a global technology advisory firm. Reach him at [email protected]. Senior industry analyst Mike Rasmussen contributed to this column.

    To discuss this column with other readers, please visit the Talk Shop.

    We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
    Comment  | 
    Print  | 
    More Insights
    State of the Cloud
    State of the Cloud
    Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
    COVID-19: Using Data to Map Infections, Hospital Beds, and More
    Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
    Enterprise Guide to Robotic Process Automation
    Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
    How Startup Innovation Can Help Enterprises Face COVID-19
    Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
    Register for InformationWeek Newsletters
    Current Issue
    IT Careers: Tech Drives Constant Change
    Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
    White Papers
    Twitter Feed
    Sponsored Live Streaming Video
    Everything You've Been Told About Mobility Is Wrong
    Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
    Sponsored Video
    Flash Poll