Mon Sep 29 18:51:30 PDT 2014

Management: Legal issues: How should legal issues interact with protection management?


Options:

Option 1: Regulatory mandates are specified by Legal and integrated into the duties to protect.
Option 2: Civil litigation drivers are integrated into the duties to protect.
Option 3: Criminal statutes from all relevant jurisdictions are identified to all relevant workers.
Option 4: Timely notice is given to all individuals and organizations for all enterprise activities requiring such notice.
Option 5: Contract language is compatible with implementation and included in duties to protect.
Option 6: Liability limitations are appropriately managed in risk management related to information and related technologies.
Option 7: All jurisdictional requirements are met and considered in architecture, design, and implementation of protection functions.
Option 8: Investigative processes meet all regulatory requirements and are suitable for all intended and reasonably anticipated uses.
Option 9: Chain of custody issues are addressed in processes that could ultimately lead to the introduction of evidence in court.
Option 10: Transparency requirements are met for all legal mandates and contracts.
Option 11: Evidential issues are reasonably satisfied by enterprise record keeping and record retention and disposition processes.
Option 12: Forensics requirements are met for all information associated with information protection issues.

For each identified applicable law and/or regulations and/or contract type, identify applicability and status with regard to the relevant above elements.


Decision:

Each should be applied in ALL cases to all applicable situations.

Approach Status
Regulatory mandates are specified by Legal and integrated into the duties to protect.
Civil litigation drivers are integrated into the duties to protect.
Criminal statutes from all relevant jurisdictions are identified to all relevant workers.
Timely notice is given to all individuals and organizations for all enterprise activities requiring such notice.
Contract language is compatible with implementation and included in duties to protect.
Liability limitations are appropriately managed in risk management related to information and related technologies.
All jurisdictional requirements are met and considered in architecture, design, and implementation of protection functions.
Investigative processes meet all regulatory requirements and are suitable for all intended and reasonably anticipated uses.
Chain of custody issues are addressed in processes that could ultimately lead to the introduction of evidence in court.
Transparency requirements are met for all legal mandates and contracts..
Evidential issues are reasonably satisfied by enterprise record keeping and record retention and disposition processes.
Forensics requirements are met for all information associated with information protection issues.
The interaction of legal issues with protection management.

Identify contractual requirements associated with legal mandates:

Select (non-comprehensive) applicable laws / regulations:

Also as appropriate,


Basis:

Regulatory mandates are specified by Legal and integrated into the duties to protect.
Regulatory drivers impact all corporations. Whether your enterprise has EU privacy requirements, US financial reporting requirements, US, Canadian, or Australian health and benefits information requirements, Chinese and French encryption requirements, or other similar requirements, regulatory drivers are increasingly forcing changes in information protection programs.

Civil litigation drivers are integrated into the duties to protect.
Civil litigation drives many enterprises in legal areas. A good example of a protection policy that resulted in a lost civil suit comes from a recent case in which a published Web site policy guaranteed privacy of personal information. The policy was not followed and a million dollar law suit was lost as a result. If there were no such policy there would have been no such loss.

Criminal statutes from all relevant jurisdictions are identified to all relevant workers.
Criminal litigation is pending against many executives who failed to report to shareholders on potentially serious negative consequences associated with information technology failures, inadequate assurance associated with financial records, and other similar violations of law. Failures of due diligence are increasingly being treated severely because of prior executive misdeeds.

Timely notice is given to all individuals and organizations for all enterprise activities requiring such notice.
Notice is required for legal protections to be effective. Good examples are trade secret, telecommunications recording, and worker monitoring notice requirements. Timely notice is also required for breach notification laws, to meet management mandates, for contractual obligations, for insurance coverage, and other similar reasons.

Contract language is compatible with implementation and included in duties to protect.
Contracts with inadequate language related to information protection are widespread and result in a wide range of problems, particularly associated with access into enterprise networks used for trading partners. Customer contracts relating to records are similarly problematic. Peering agreements associated with financial and health-related information require a level of due diligence in their perfection. Safe harbor agreements and other similar contracts require that protections be in place and effective. Many existing contracts should be updated to reflect the need to include encryption, access controls, and other protective measures in storage, movement, and use of exchanged information.

Liability limitations are appropriately managed in risk management related to information and related technologies.
Liability issues associated with holding information of certain types, operating systems that interact with third parties, actions of employees with respect to intellectual property, and similar information protection issues are widespread. Even an infection with a computer virus may lead to liability issues associated with the lack of due diligence in protecting peering partners from the infection. Break-ins to unpatched or unnecessarily vulnerable systems at perimeters may lead to liabilities associated with consequential damages to downstream providers and others attacked from your site.

All jurisdictional requirements are met and considered in architecture, design, and implementation of protection functions.
Jurisdiction is a critical issue for large multinationals, however, because of the global reach of the Internet, most businesses are now international. Attacks, scams, and legal processes associated with individuals around the world are commonplace in today's information environment. A business with a Web site has presence everywhere in the world, and sales to foreign nations may result in violations of laws that the seller or buyer are not familiar with. Jurisdictions affect legal issues across the board and mandate a dramatically more complex information protection program than would otherwise be needed.

Investigative processes meet all regulatory requirements and are suitable for all intended and reasonably anticipated uses.
Investigative processes are linked to legal proceedings including but not limited to legal issues associated with employee sanctions, employee rights in investigative processes, prosecutions associated with criminal acts, civil proceedings related to employee misdeeds, and many other similar types of issues.

Chain of custody issues are addressed in processes that could ultimately lead to the introduction of evidence in court.
Chain of custody issues must be addressed in processes that could ultimately lead to the introduction of evidence in court. While the business record exception in the United States generally provides for these records, other jurisdictions have varying requirements for chain of custody. Records retention processes increasingly require chain of custody to be maintained in order to assure integrity of records and prevent loss of critical information that must be retained in case requested by authorities.

Transparency requirements are met for all legal mandates and contracts.
Transparency requirements for all relevant jurisdictions relative to the type of enterprise and content and processes involved must be met. Contractual requirements for transparency must also be met. State laws, like California SB-1386, privacy laws related to records of a wide variety of sorts, and mandates for transparency associated with public records are all examples of drivers for transparency. Contractual drivers will also mandate elements of transparency such as providing status relative to identified standards, requirements for supply chain verification, contracts associated with disclosed policies, and a wide range of other transparency requirements.

Evidential issues are reasonably satisfied by enterprise record keeping and record retention and disposition processes.
Evidential issues come up whenever information protection issues end up in legal venues. The data presented has to have adequate integrity and accuracy to assure that it can be accepted by the courts and it has to be presented by an expert who is responsible for those records and can attest to how they came to be and what they are supposed to represent. They have to be normal business records to be admissible under the hearsay exception, and as a result, they must be collected in the normal course of business. Preservation orders may require that records be retained beyond their normal life cycles for evidential purposes and these orders must be followed in order to avoid criminal legal sanctions associated with obstruction of justice and disobeying judicial orders.

Forensics requirements are met for all information associated with information protection issues.
Forensics efforts associated with identification, collection, preservation, analysis, and presentation of evidence in court require special training and expertise and are involved in almost all investigations associated with information protection issues.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved