
05.06.08

Will Lawsuits Define The Future Of Information Security?

By Dan Morrill

Dark Reading and Anton Chuvakin are discussing whether the threat of litigation over what a company failed to do to prevent a security breach might be a more compelling reason for companies to improve their information security standards and posture.

The conversation centers on a class-action lawsuit in Montana alleging that the Davidson Companies was negligent in allowing an attacker to penetrate its systems, resulting in the compromise of some 226,000 customer records.

This latest class-action lawsuit alleges "the Davidson Companies failed to comply with the industry standards designed to protect such confidential personal and financial information from theft" and that the company did not provide "adequate safeguards in its storage and handling of its clients' confidential personal and financial information." The lawsuit, which doesn't specify a monetary demand, was filed even though the plaintiffs aren't aware of any identity theft resulting from the breach. Attorneys for Davidson Companies said they haven't seen the paperwork and declined comment. Source: Dark Reading

This raises an interesting prospect for the longer-term future of information security: the actual cost to detect, repair, and close off an attack path is usually far less than the cost of a lawsuit, which can easily reach tens of millions of dollars.

The other interesting question concerns closed- and open-source commercial software and zero-day attacks. If no patch is available for a program and an attack is already circulating (much like the issues over the last three weeks with IIS and, separately, with WordPress), there are additional questions about liability: who really is to blame for a breach under those circumstances?

If an enterprise can be held liable for poor security, that bodes well for the profession, as long as there are enough very good security people committed to lifelong learning.

The real influence of the class action will not be seen for quite a while, but in a boardroom or executive suite the cost to fix an issue will usually come in far below the cost of covering liability for failing to protect data, or for failing to meet a standard (pick one; there are plenty) that would have prevented the breach.

The more interesting side note is what happens if the standard that was followed turns out to be fundamentally flawed, or if the third party that certified compliance with it, whether one of the Big Four accounting firms or the small consultant down the road, did a very poor job.

There are many things that can go wrong here. Without an established body of skills, practices, and processes, with the kind of professional qualification that doctors, lawyers, and nurses must go through, having the future of information security standards and best practices determined by lawsuits could, in the longer run, be both good and bad.

Good, in that the practice of information security will start to be defined, which will change how companies perceive and implement it.

Bad, in that those of us in information security will not be defining our own industry; instead lawyers, boards of directors, and the executive suite will be the ones defining what our job is and how we do it.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
About ITProNews
News and updates for the IT professional
-- ITProNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
©2008 iEntry, Inc. All Rights Reserved