Do It Right or Bet the Company: Tools to Mitigate Legal Liability

In recent years, numerous articles have been written on how to protect your network from a technical perspective,^[56] but, at least throughout mid-2005, the headlines swelled with examples of companies that have lost critical information due to inadequate security. Choice Point, DSW Shoes, several universities, financial institutions including Bank of America and Wachovia, MasterCard and other credit providers, and even the FBI have been named in recent news articles for having lost critical information. As one example, ChoicePoint was sued in 2005 in actions brought in states ranging from California to New York and in its home state of Georgia. Allegations in the lawsuits included that ChoicePoint failed to “secure and maintain confidential the personal, financial and other information entrusted to ChoicePoint by consumers”^[57]; failed to maintain adequate procedures to avoid disclosing some private credit and financial information to unauthorized third parties; and acted “willfully, recklessly, and/or in conscious disregard” of its customers rights to privacy.^[58] Legal theories used in future information security-related lawsuits will be limited only by the imagination of the attorneys filing the suits.

It is hardly a distant possibility that every major player in information security will be sued sooner or later, whether a particular suit is frivolous or not. It is a fact of business life. So, how can information security consultants help their customers reduce their litigation “target profile?”