Don't Ask, Don't Tell

At a session on risk assessment at the ASIS International Seminar and Exhibits in September, a security professional spoke of his company’s reluctance to perform a top-to-bottom risk assessment out of fear of discovering and documenting a problem that might lead to liability if that problem were to lead to a serious accident, breach, or loss of life or limb, before it could be fixed. From the handful of grunts and “mmm-hmms” that followed the comment, it was clear the experience was not isolated.

It is a telling comment on our litigious society: Corporate management would rather not know about a potential security problem rather than face the legal consequences that might arise from it coming to light in the first place. It’s a form of risk assessment in its own way: Wagering that willful ignorance could prove less costly than pro-active security policies.

It’s not unreasonable, just to be devil’s advocate for a minute. Legally, knowing about a problem and failing to take action about it, constitutes negligence. And courts can be widely interpretive about what constitutes failure to take action. For example, if a company discovers a potential security hazard in 10 plants, and undertakes an expensive two-year program to systemically fix it, say through integration of physical security assets into an IP network, is it still liable, if 20 months into the project, a breach occurs at the one remaining facility not upgraded? Legal consul would tell you the outcome would be unpredictable.

Still, this is no reason for burying one’s head in the sand of “Don’t Ask, Don’t Tell.” Compliance ultimately requires companies to take a hard look at security policies. What we need, however, are realistic safeguards to protect enterprises that do the right thing.

First off, good faith efforts at legal compliance should not be allowed to become an e-discovery gold mine for tort attorneys seeking to bring large class action liability cases. Enterprises face a new breed of physical and IT security threats. They need the freedom to assess and address those threats without fear their audits will be used against them. Sarbanes-Oxley, FISMA and HIPAA rules are revised in each session. Congress should amend the rules to close loopholes that might allow legal exploitation of information gathered for the purposes of upgrading and improving corporate security.

That is, as long as the enterprise has a documented audit and assessment program in place for the expressed purpose of identifying and addressing security and other compliance gaps, it should be protected from civil suits that may stem from what it documents for the first time in the course of that process. At the very least, there should be a high bar for demonstrating negligence in these cases. If a case for negligence did not exist prior to an audit, facts discovered during an audit, absent of a pre-existing investigation, should not be sole grounds for legal action. Such rules may indeed skirt due process in that it could be seen as forcing company executives to testify against themselves.

In the dangerous times in which we live, risk assessment will be a vital element of any enterprise strategy going forward. Our companies need the freedom to do their due diligence without looking over their shoulder. Corporate policies and documents relating to video surveillance, perimeter defense and building access are in place to protect employees and customers, not provide a handy library for ambulance-chasers.

About the Author

Steven Titch is editor of Network-Centric Security magazine.

Featured

New Products

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises.

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.