To begin, I am not a lawyer by any means, but I have worked in the industry for almost two decades, the last ten years of them heavily involved in the world of information security. I have seen and learned how many legal issues can arise from security incidents, to the point where a company ends up in court. I am writing this post to let you know what can be done to take measures against potential legal tangles.
In today's high-tech, information-based society, cyber crimes take place every day somewhere in the world. Hacking attacks are on the rise and increasing exponentially! If you are a security professional, there is a chance that you will become legally involved in an information-related computer fraud case, no matter which industry you work in.
To get a quick understanding of current cyber crimes, just browse through http://www.cybercrime.gov/. You can see that just a few days ago an alleged international hacking ring was caught in a $9 Million Fraud: Major Credit Card Processor Victimized in Elaborate Theft of Account Numbers (November 10, 2009). Imagine that you are the security professional at the company where this theft occurred! You would be in hot water, since these crimes must be reported under the law. Not only could your institution be sued by the credit card victims, but you could end up in court yourself.
In a legal case such as this, what would you present in court? Most security professionals are preoccupied with day-to-day technical issues and hardly have any time to learn and understand the legal side of computer crimes and their own legal responsibilities.
There are a couple of important things that courts look at when a company is sued over an information breach or fraud. Companies should come up not only with security controls for the confidentiality, integrity and availability of critical data, but also with strategies for liability and responsibility. If you store credit card numbers in a database, you are expected to encrypt them, and the server holding them should be hardened. Strict access controls should also be in place, along with other security controls layered along the network path, so that an attacker has to break through many security barriers to reach the data. If these security controls are not in place and the credit card numbers are compromised, you are legally liable to the victims, the stockholders and whoever else is affected. These victims can most likely sue the company for financial loss. To protect itself from these legal liabilities, a company needs to practice due diligence, meaning that it must investigate all of its potential security gaps and vulnerabilities.
In addition to practicing due diligence, a company needs to practice due care, meaning that it should act on the findings of the due diligence process and make the best effort a prudent person would make to put administrative, preventive, detective and corrective security controls in place, so that if a security breach does happen, controls exist to mitigate the damage. A jury looking at such a case would see that the company did everything in its power to protect the data with security controls, and the company's legal liability may be minimal or it may not be held liable at all.
Happy Reading!