Don't Ask, Don't Tell

At a session on risk assessment at the ASIS International Seminar and Exhibits in September, a security professional spoke of his company’s reluctance to perform a top-to-bottom risk assessment out of fear of discovering and documenting a problem that might lead to liability if that problem were to lead to a serious accident, breach, or loss of life or limb, before it could be fixed. From the handful of grunts and “mmm-hmms” that followed the comment, it was clear the experience was not isolated.

It is a telling comment on our litigious society: Corporate management would rather not know about a potential security problem rather than face the legal consequences that might arise from it coming to light in the first place. It’s a form of risk assessment in its own way: Wagering that willful ignorance could prove less costly than pro-active security policies.

It’s not unreasonable, just to be devil’s advocate for a minute. Legally, knowing about a problem and failing to take action about it, constitutes negligence. And courts can be widely interpretive about what constitutes failure to take action. For example, if a company discovers a potential security hazard in 10 plants, and undertakes an expensive two-year program to systemically fix it, say through integration of physical security assets into an IP network, is it still liable, if 20 months into the project, a breach occurs at the one remaining facility not upgraded? Legal consul would tell you the outcome would be unpredictable.

Still, this is no reason for burying one’s head in the sand of “Don’t Ask, Don’t Tell.” Compliance ultimately requires companies to take a hard look at security policies. What we need, however, are realistic safeguards to protect enterprises that do the right thing.

First off, good faith efforts at legal compliance should not be allowed to become an e-discovery gold mine for tort attorneys seeking to bring large class action liability cases. Enterprises face a new breed of physical and IT security threats. They need the freedom to assess and address those threats without fear their audits will be used against them. Sarbanes-Oxley, FISMA and HIPAA rules are revised in each session. Congress should amend the rules to close loopholes that might allow legal exploitation of information gathered for the purposes of upgrading and improving corporate security.

That is, as long as the enterprise has a documented audit and assessment program in place for the expressed purpose of identifying and addressing security and other compliance gaps, it should be protected from civil suits that may stem from what it documents for the first time in the course of that process. At the very least, there should be a high bar for demonstrating negligence in these cases. If a case for negligence did not exist prior to an audit, facts discovered during an audit, absent of a pre-existing investigation, should not be sole grounds for legal action. Such rules may indeed skirt due process in that it could be seen as forcing company executives to testify against themselves.

In the dangerous times in which we live, risk assessment will be a vital element of any enterprise strategy going forward. Our companies need the freedom to do their due diligence without looking over their shoulder. Corporate policies and documents relating to video surveillance, perimeter defense and building access are in place to protect employees and customers, not provide a handy library for ambulance-chasers.

About the Author

Steven Titch is editor of Network-Centric Security magazine.

Featured

  • Allegion, Comfort Technologies Implement Mobile Credentials at the Artisan Apartment Homes in Florida

    Artisan Apartment Homes, a luxury apartment complex in Dunedin, Florida, recently transitioned from mechanical keys to electronic locks and centralized system software with support from Allegion US, a leading provider of security solutions, technology and services, and Florida-based Comfort Technologies, which specializes in deploying multifamily access control, IoT devices and software management solutions. Read Now

  • Mall of America Deploys AI-Powered Analytics to Enhance Parking Intelligence

    Mall of America®, the largest shopping and entertainment complex in North America, announced an expansion of its ongoing partnership with Axis Communications to deploy cutting-edge car-counting video analytics across more than a dozen locations. With this expansion, Mall of America (MOA) has boosted operational efficiency, improved safety and security, and enabled more informed decision-making around employee scheduling and streamlining transportation for large events. Read Now

  • Security Industry Association Launches New “askSIA” AI Tool

    The Security Industry Association (SIA) has unveiled a brand-new SIA member benefit – askSIA, a conversational AI agent designed to help users get the most out of their SIA membership, easily access SIA resources and find the latest information on SIA’s training and courses, reports and publications, events, certification offerings and more. SIA members can easily find askSIA by visiting the SIA homepage or looking for the askSIA icon in the top left of webpages. Read Now

    • Industry Events
  • Industry Embraces Mobile Access, Biometrics and AI

    A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now

  • Sustainable Video Solution Delivered for Landmark City of London Office Development

    An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.