Fri Apr 8 06:47:17 PDT 2016
Management: Legal issues: How do legal issues interact with protection management?
Option 1: Regulatory mandates are specified by Legal and integrated into the duties to protect.
Option 2: Civil litigation drivers are integrated into the duties to protect.
Option 3: Criminal statutes from all relevant jurisdictions are identified to all relevant workers.
Option 4: Timely notice is given to all individuals and organizations for all enterprise activities requiring such notice.
Option 5: Contract language is compatible with implementation and included in duties to protect.
Option 6: Liability limitations are appropriately managed in risk management related to information and related technologies.
Option 7: All jurisdictional requirements are met and considered in architecture, design, and implementation of protection functions.
Option 8: Investigative processes meet all regulatory requirements and are suitable for all intended and reasonably anticipated uses.
Option 9: Chain of custody issues are addressed in processes that could ultimately lead to the introduction of evidence in court.
Option 10: Transparency requirements are met for all legal mandates and contracts.
Option 11: Evidential issues are reasonably satisfied by enterprise record keeping and record retention and disposition processes.
Option 12: Forensics requirements are met for all information associated with information protection issues.
For each identified applicable law, regulation, or contract type,
identify its applicability and status with regard to the relevant
elements above.
Regulatory mandates are specified by Legal and integrated into the duties to protect.
Regulatory drivers impact all corporations. Whether your
enterprise has EU privacy requirements, US financial reporting
requirements, US, Canadian, or Australian health and benefits
information requirements, Chinese and French encryption requirements,
or other similar requirements, regulatory drivers are increasingly
forcing changes in information protection programs.
Civil litigation drivers are integrated into the duties to protect.
Civil litigation drives the legal exposure of many enterprises. A good
example of a protection policy that resulted in a lost civil suit
comes from a recent case in which a published Web site policy
guaranteed the privacy of personal information. The policy was not
followed, and a million-dollar lawsuit was lost as a result. Had there
been no such policy, there would have been no such loss.
Criminal statutes from all relevant jurisdictions are identified to all relevant workers.
Criminal litigation is pending against many executives who failed
to report to shareholders on potentially serious negative consequences
associated with information technology failures, inadequate assurance
associated with financial records, and other similar violations of
law. Failures of due diligence are increasingly being treated severely
because of prior executive misdeeds.
Timely notice is given to all individuals and organizations for all enterprise activities requiring such notice.
Notice is required for legal protections to be effective. Good
examples are trade secret, telecommunications recording, and worker
monitoring notice requirements. Timely notice is also required for
breach notification laws, to meet management mandates, for contractual
obligations, for insurance coverage, and other similar reasons.
Contract language is compatible with implementation and included in duties to protect.
Contracts with inadequate language related to information
protection are widespread and result in a wide range of problems,
particularly associated with access into enterprise networks used for
trading partners. Customer contracts relating to records are similarly
problematic. Peering agreements associated with financial and
health-related information require a level of due diligence in their
perfection. Safe harbor agreements and other similar contracts require
that protections be in place and effective. Many existing contracts
should be updated to reflect the need to include encryption, access
controls, and other protective measures in storage, movement, and use
of exchanged information.
Liability limitations are appropriately managed in risk management related to information and related technologies.
Liability issues associated with holding information of certain
types, operating systems that interact with third parties, actions of
employees with respect to intellectual property, and similar
information protection issues are widespread. Even an infection with a
computer virus may lead to liability issues associated with the lack
of due diligence in protecting peering partners from the
infection. Break-ins to unpatched or unnecessarily vulnerable systems
at perimeters may lead to liabilities associated with consequential
damages to downstream providers and others attacked from your site.
All jurisdictional requirements are met and considered in architecture, design, and implementation of protection functions.
Jurisdiction is a critical issue for large multinationals; however,
because of the global reach of the Internet, most businesses are now
international. Attacks, scams, and legal processes involving
individuals around the world are commonplace in today's information
environment. A business with a Web site has a presence everywhere in
the world, and sales to foreign nations may result in violations of
laws with which neither the seller nor the buyer is familiar.
Jurisdictions affect legal issues across the board and mandate a
dramatically more complex information protection program than would
otherwise be needed.
Investigative processes meet all regulatory requirements and are suitable for all intended and reasonably anticipated uses.
Investigative processes are linked to legal proceedings including
but not limited to legal issues associated with employee sanctions,
employee rights in investigative processes, prosecutions associated
with criminal acts, civil proceedings related to employee misdeeds,
and many other similar types of issues.
Chain of custody issues are addressed in processes that could ultimately lead to the introduction of evidence in court.
Chain of custody issues must be addressed in processes that could
ultimately lead to the introduction of evidence in court. While the
business record exception in the United States generally provides for
these records, other jurisdictions have varying requirements for chain
of custody. Records retention processes increasingly require chain of
custody to be maintained in order to assure the integrity of records
and prevent loss of critical information that must be retained in
case it is requested by authorities.
Transparency requirements are met for all legal mandates and contracts.
Transparency requirements for all relevant jurisdictions relative to
the type of enterprise and the content and processes involved must be
met. Contractual requirements for transparency must also be met. State
laws, like California SB-1386, privacy laws related to records of a
wide variety of sorts, and mandates for transparency associated with
public records are all examples of drivers for transparency.
Contractual drivers will also mandate elements of transparency such as
providing status relative to identified standards, requirements for
supply chain verification, contracts associated with disclosed
policies, and a wide range of other transparency requirements.
Evidential issues are reasonably satisfied by enterprise record keeping and record retention and disposition processes.
Evidential issues come up whenever information protection issues
end up in legal venues. The data presented has to have adequate
integrity and accuracy to assure that it can be accepted by the courts
and it has to be presented by an expert who is responsible for those
records and can attest to how they came to be and what they are
supposed to represent. They have to be normal business records to be
admissible under the hearsay exception, and as a result, they must be
collected in the normal course of business. Preservation orders may
require that records be retained beyond their normal life cycles for
evidential purposes and these orders must be followed in order to
avoid criminal legal sanctions associated with obstruction of justice
and disobeying judicial orders.
Forensics requirements are met for all information associated with information protection issues.
Forensics efforts associated with identification, collection,
preservation, analysis, and presentation of evidence in court require
special training and expertise and are involved in almost all
investigations associated with information protection issues.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved