16 May 2007

Defensible Standard of Care: Legal Risk...

A "Defensible Standard of Care" is a hot topic these days around the Board of Directors Audit Committee conference table. Information Security standards are consistently being discussed by the CIO and CSO in the context of compliance. So where is the nexus? Why is it so critical to enabling the enterprise business resilience of a global institution?

The answers lie in the fundamental understanding that the Board of Directors and the "C" Suite are both working towards the same focal point, and their motives are almost identical: to be able to provide the evidence and the testimony that keep their integrity and reputation intact. To understand this nexus, we must first provide the definitions:


What is ISO/IEC 27001:2005?

ISO/IEC 27001:2005 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected.

ISO/IEC 27001:2005 covers the following topics:

  • Security policy - This provides management direction and support for information security
  • Organization of assets and resources - To help you manage information security within the organization
  • Asset classification and control - To help you identify your assets and appropriately protect them
  • Personnel security - To reduce the risks of human error, theft, fraud or misuse of facilities
  • Physical and environmental security - To prevent unauthorized access, damage and interference to business premises and information
  • Communications and operations management - To ensure the correct and secure operation of information processing facilities
  • Access control - To control access to information
  • Systems development and maintenance - To ensure that security is built into information systems
  • Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
  • Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement

ISO/IEC 27001:2005 is the updated version of the world-renowned British Standard for Information Security Management Systems, BS 7799-2:2002.

This Information Security Management System (ISMS) is simply that: a published set of guidelines and controls, useless without the support of the correct tools, methodologies and people to bring it to life and incorporate it into the culture of the organization. This requires an adaptive and resilient framework for managing change.

A "Defensible Standard of Care" comes alive within this ISO 27001 standard:

Clause A.15.1 Compliance with legal requirements

Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.

Clause A.15.1.3 Protection of organizational records

Control
Important records shall be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements.

In the United States, as well as many other countries, a party involved in civil litigation is responsible for preserving any potentially relevant evidence, including materials that may lead to the discovery and production of other relevant evidence, beginning when the party knew a lawsuit had been filed, or had a reasonable basis to believe that litigation would occur.

Effective December 1, 2006, the United States Federal courts adopted revised Rules of Civil Procedure that confirm the importance and admissibility of Electronically Stored Information (ESI) as evidence in civil litigation. As lawyers and the courts begin to operate under the new Rules, company officers responsible for demonstrating the reliability of their corporate electronic records are rapidly moving into the “firing zone”.

The reason is entirely adversarial: if a hostile lawyer can discover uncontrolled risks that compromise the reliability or integrity of a company’s electronic records, then the value of those records as evidence declines, and the potential for how the case will be resolved, whether in the courtroom or through settlement, is altered. In response, a company must be prepared to demonstrate that its ESI has been managed pursuant to a defensible standard of care.

As a result, adherence to Clause A.15.1.3 includes protecting records that become important to litigation and assuring their continued integrity and availability. For these purposes, information security practices are indispensable, and the failure to apply and extend those practices to relevant evidential materials can create a material risk for many companies.

And this risk extends well beyond the inner sanctum of the legal department, internal audit and information technology. It reaches into the outside counsel the company has retained for defense litigation. How many law firms are under retainer at your institution? Do they have an effective set of standards, methodologies and programs to handle your next ESI request? In the game of litigation, only the most agile and preemptive strategies will prevail.

So how do you understand and determine how adept your outside counsel is when it comes to ESI and eDiscovery? Now it is time for your own investigation, audit and request for information. You have to develop the same kind of evaluation process for outside legal counsel as you do for the next set of financial auditors or an outsourced disaster recovery vendor. It is imperative that you look at enterprise content management and the records administration controls within your Information Security and Operational Risk Management framework to see how they support a Defensible Standard of Care: the nexus of Information Security and the Law. Here are 8 Survival Strategies courtesy of Jeffrey Ritter at Waters Edge Consulting:

  • Start a Dialogue.
  • Be Prepared to Bear Witness.
  • Be Prepared to Preserve.
  • Define "Not Reasonably Accessible".
  • Demonstrate "Routine Good Faith Operation".
  • Prepare to Deal with eDiscovery vendors.
  • Prepare your lawyers "In and Out".
  • Protect your records at the Law Firms.

Institutions wishing to achieve a defensible standard of care for protecting business-sensitive data such as intellectual property, financial records, customer data and business records will find the Waters Edge Protocol a welcome advantage in streamlining the effort required to tailor requirements, policy, processes, and implementation plans to meet their business needs.
