Don't Ask, Don't Tell

• By Steven Titch
• Dec 05, 2007

At a session on risk assessment at the ASIS International Seminar and Exhibits in September, a security professional spoke of his company’s reluctance to perform a top-to-bottom risk assessment out of fear of discovering and documenting a problem that might lead to liability if that problem were to lead to a serious accident, breach, or loss of life or limb, before it could be fixed. From the handful of grunts and “mmm-hmms” that followed the comment, it was clear the experience was not isolated.

It is a telling comment on our litigious society: Corporate management would rather not know about a potential security problem rather than face the legal consequences that might arise from it coming to light in the first place. It’s a form of risk assessment in its own way: Wagering that willful ignorance could prove less costly than pro-active security policies.

It’s not unreasonable, just to be devil’s advocate for a minute. Legally, knowing about a problem and failing to take action about it, constitutes negligence. And courts can be widely interpretive about what constitutes failure to take action. For example, if a company discovers a potential security hazard in 10 plants, and undertakes an expensive two-year program to systemically fix it, say through integration of physical security assets into an IP network, is it still liable, if 20 months into the project, a breach occurs at the one remaining facility not upgraded? Legal consul would tell you the outcome would be unpredictable.

Still, this is no reason for burying one’s head in the sand of “Don’t Ask, Don’t Tell.” Compliance ultimately requires companies to take a hard look at security policies. What we need, however, are realistic safeguards to protect enterprises that do the right thing.

First off, good faith efforts at legal compliance should not be allowed to become an e-discovery gold mine for tort attorneys seeking to bring large class action liability cases. Enterprises face a new breed of physical and IT security threats. They need the freedom to assess and address those threats without fear their audits will be used against them. Sarbanes-Oxley, FISMA and HIPAA rules are revised in each session. Congress should amend the rules to close loopholes that might allow legal exploitation of information gathered for the purposes of upgrading and improving corporate security.

That is, as long as the enterprise has a documented audit and assessment program in place for the expressed purpose of identifying and addressing security and other compliance gaps, it should be protected from civil suits that may stem from what it documents for the first time in the course of that process. At the very least, there should be a high bar for demonstrating negligence in these cases. If a case for negligence did not exist prior to an audit, facts discovered during an audit, absent of a pre-existing investigation, should not be sole grounds for legal action. Such rules may indeed skirt due process in that it could be seen as forcing company executives to testify against themselves.

In the dangerous times in which we live, risk assessment will be a vital element of any enterprise strategy going forward. Our companies need the freedom to do their due diligence without looking over their shoulder. Corporate policies and documents relating to video surveillance, perimeter defense and building access are in place to protect employees and customers, not provide a handy library for ambulance-chasers.