Don't Ask, Don't Tell

At a session on risk assessment at the ASIS International Seminar and Exhibits in September, a security professional spoke of his company’s reluctance to perform a top-to-bottom risk assessment out of fear of discovering and documenting a problem that might lead to liability if that problem were to lead to a serious accident, breach, or loss of life or limb, before it could be fixed. From the handful of grunts and “mmm-hmms” that followed the comment, it was clear the experience was not isolated.

It is a telling comment on our litigious society: Corporate management would rather not know about a potential security problem rather than face the legal consequences that might arise from it coming to light in the first place. It’s a form of risk assessment in its own way: Wagering that willful ignorance could prove less costly than pro-active security policies.

It’s not unreasonable, just to be devil’s advocate for a minute. Legally, knowing about a problem and failing to take action about it, constitutes negligence. And courts can be widely interpretive about what constitutes failure to take action. For example, if a company discovers a potential security hazard in 10 plants, and undertakes an expensive two-year program to systemically fix it, say through integration of physical security assets into an IP network, is it still liable, if 20 months into the project, a breach occurs at the one remaining facility not upgraded? Legal consul would tell you the outcome would be unpredictable.

Still, this is no reason for burying one’s head in the sand of “Don’t Ask, Don’t Tell.” Compliance ultimately requires companies to take a hard look at security policies. What we need, however, are realistic safeguards to protect enterprises that do the right thing.

First off, good faith efforts at legal compliance should not be allowed to become an e-discovery gold mine for tort attorneys seeking to bring large class action liability cases. Enterprises face a new breed of physical and IT security threats. They need the freedom to assess and address those threats without fear their audits will be used against them. Sarbanes-Oxley, FISMA and HIPAA rules are revised in each session. Congress should amend the rules to close loopholes that might allow legal exploitation of information gathered for the purposes of upgrading and improving corporate security.

That is, as long as the enterprise has a documented audit and assessment program in place for the expressed purpose of identifying and addressing security and other compliance gaps, it should be protected from civil suits that may stem from what it documents for the first time in the course of that process. At the very least, there should be a high bar for demonstrating negligence in these cases. If a case for negligence did not exist prior to an audit, facts discovered during an audit, absent of a pre-existing investigation, should not be sole grounds for legal action. Such rules may indeed skirt due process in that it could be seen as forcing company executives to testify against themselves.

In the dangerous times in which we live, risk assessment will be a vital element of any enterprise strategy going forward. Our companies need the freedom to do their due diligence without looking over their shoulder. Corporate policies and documents relating to video surveillance, perimeter defense and building access are in place to protect employees and customers, not provide a handy library for ambulance-chasers.

About the Author

Steven Titch is editor of Network-Centric Security magazine.

Featured

New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.