As defense counsel to a corporation, or as its chief security officer, hearing such words should send immeasurable fear through the heart of every participant at the moment you are sworn in.
To date, most corporations have never had their business judgment, their policies and procedures, and their practices regarding information assurance brought into question and publicly exposed. Litigation is a well-defined process with a predictable path, and when litigation-prone practices are recognized early on, it can indeed be managed. However, the management of any business process that carries a fiduciary responsibility to others must be planned for and repeatedly measured well before any threat of litigation or the actual filing of a lawsuit. Failure to do so is a serious flaw in any risk management process.
Assume, for purposes of this exercise, that your company was the victim of a major event that exposed the personal identifying information of thousands of your customers. It is now six to eight months after the event, and your company has been named in a class action lawsuit alleging, among other things, gross negligence, willful and knowing violation of its fiduciary responsibility, and violation of a series of statutory duties. By the time you, the CSO, become aware of the lawsuit, the company's general counsel (and most likely its outside litigation counsel) have had extensive discussions with the CEO, the CFO and other senior officers regarding the merits of the pending lawsuit and its impact on all aspects of operations.
Addressing the Tough Questions
While the tone of such high-level meetings may differ depending on the specific corporate culture, some or all of the following questions will certainly be asked. Who is the person responsible for information assurance? What does our IA policy say? Do we have e-commerce insurance? What are the damages claimed? How much is this litigation going to cost? How are we going to address the adverse publicity? What do you mean the board of directors has statutorily dictated fiduciary requirements regarding information assurance? Does our directors' and officers' liability policy cover such statutory duties? Who is handling shareholder relations? Why was the possibility of such a lawsuit never discussed before?
As you can readily see, corporate governance, once brought into question, initiates a relatively unfamiliar series of events. One of the first thoughts to come to your counsel's mind is: what are we going to do about discovery? Clearly, in today's electronic world, discovery is even more complex, especially with those ubiquitous emails and their regrettable, not-so-subtle jabs at other corporate departments. Surely you remember the email that criticized the CFO for her failure to recognize the ever-increasing liability associated with information assurance, and that instead faulted IA spending for failing to measure up to some ROI metric? And what about the email to the risk manager criticizing his reactive, insurance-based posture toward IA?
Regrettably, electronic discovery, a fast-emerging force in litigation, combined with the assistance that plaintiff's counsel receives from an expert forensic engineer, makes it much easier for the other side to learn where your corporation's critical information resides. Armed with the appropriate identification protocols, and aided by the fact that data deleted from a computer hard disk is frequently recoverable by forensic tools, this forensic expert is no script kiddie, hacker or cracker but a court-recognized expert with a mandate to know your systems, even better than you do.
Now the Fun Begins
Your friend, the general counsel, calls and says, "Hey, Mr. CSO. Why don't you drop by my office? I have a few things I want to discuss with you." You say to yourself, "Where are the firewalls when I need them?" The general counsel informs you that the corporation has been sued and that anything you now say to her will hopefully have the benefit and protection of the attorney-client privilege. Therefore, you have to tell her everything you can possibly think of related to the regrettable event in question. You are wondering whether the general counsel will then use the information you so openly and freely provide as a basis to fire you.
What happens next? Number one is discovery of every document (paper and electronic) in your corporation's possession that may be relevant to the event. This includes, among other things, all corporate policies and procedures and the practices of your department. Number two, your friend, the general counsel, is going to ask you what kind of credentials you have. How were you selected for this job? Are there standard credentials associated with being a CSO? Who do you report to in the company? Who decided that this reporting relationship is consistent with appropriate information assurance requirements in the world of e-commerce? You are thinking to yourself, "I certainly didn't make the reporting decision. As a matter of fact, many companies deal with IA much differently."
Then the general counsel drops a bomb! Who would you recommend, based on your experience as a CSO, as a nationally recognized expert in the field of information assurance practices? The company needs an expert, you are told, to offset one of the plaintiff's many experts, who will claim that your company's policies, procedures and practices fail to properly address the fiduciary responsibilities associated with proper information assurance. Such a big company, but such a small IA budget. Counsel asks: what are the "best practices" you have referred to? Where did they come from? Who are these people? Are they the experts? Are there industry standards that apply to information assurance, and are they judicially recognized? Do your best practices comply with those standards? What the hell is ISO?
You're thinking to yourself, "If this is my friend, what is it going to be like when I have to raise my right hand to be sworn in?" Don't worry. You will get a chance to prepare during your day-long deposition. You will get a chance to help the general counsel respond to never-ending discovery, contention interrogatories, and a whole series of other time-consuming expert, deposition and trial-preparation mandates. In the meantime, everyone in the company is looking to pin responsibility for this legal and public relations bombshell on someone else.
When It Rains, It Pours
The chief risk officer (if your organization has such a person) comes to see you and wants to talk about insurance requirements. Surely the company had e-commerce insurance. Surely the representations and subjectivities set out in the application for the insurance policy included the policies and procedures your company faithfully follows to mitigate information assurance risk. Surely your company continues to supplement those procedures with state-of-the-art practices. As you can begin to see, the deposition and court testimony will focus more on your corporation's practices and less on the products you purchased believing they would help you avoid such a nightmare.
There's Simply No Excuse
A company with substantial resources, including subject-specific expertise, will find no sympathetic ear among the jurors of today. The American public, at least, in poll after poll and in the hundreds of hours of mock jury and other jury-related exercises I have observed, has repeatedly confirmed that loss of personal control (to big government, multinational corporations and unresponsive healthcare providers) and personal privacy are the most important issues to our citizens.
When an event occurs in which personal identifying information is exposed, and the possibility of identity theft exists, the jurors are not going to want to hear why your corporation chose not to follow recognized standards and instead adopted home-grown policies without regular audits for compliance. Jurors are going to want to know why credentialed people are not holding the position of CSO. Your judge, in the gatekeeper role of screening expert evidence, is going to want to know why the person your corporation chose as its information assurance expert is qualified to testify as an expert in IA. Just what statistical proof is your expert providing? Is IA scientific, technical or other specialized knowledge? In which peer-reviewed journals has your expert published?
Information assurance, and the duties and responsibilities associated with it, is an emerging area of the law. However, other types of litigation, such as environmental and healthcare litigation, have established precedents that require strict adherence to recognized standards and constant monitoring of the corporation's compliance with the standards it has adopted. In the U.S., there is even a very sound practice in environmental law favoring self-critical analysis, which promotes constant internal investigation without the fear that the investigation and its findings will be used against the corporation that is trying to achieve the underlying public policy objective. Courts do not uniformly recognize that protection, so such reviews should be structured with counsel from the outset rather than assumed to be shielded after the fact.
With credentialed personnel, and strict adherence to corporate policies and procedures that are premised on recognized standards, much of the pain of litigation will be addressed long before your friend, the general counsel, calls for a visit. Why not try a mock lawsuit exercise in your corporation, one that attempts to find out where you would truly stand today as opposed to where you would be standing the day after the lawsuit? Crisis management is not always exclusively associated with a physical catastrophe. Proactive self-critical analysis, with the active participation of all relevant corporate departments, especially legal, is a discipline well worth the time and financial investment.
Don't even think about outsourcing such liability. You can't! You cannot avoid litigation, but you can minimize financial, operational and reputational damage by being as prepared as the proverbial prudent CSO would be when required to testify in court.
Mike Flaherty is executive vice president, general counsel and chief administrative officer of Xacta Corp. (www.xacta.com).