By Kelce S. Wilson, PhD, MBA, JD and Jeff Hughes
Mr. Hughes may be reached at: email@example.com
It may be inevitable that your firm or one of your clients suffers a serious data breach - despite efforts to remain current with the latest protection systems. When that happens, will you have a convincing argument, based on objective and technically sound criteria, that you or your client had expended reasonable efforts to maintain data security? Or, will accusations of negligence be more convincing and set the tone for post-incident sanctions and penalties?
You can't provide a convincing defense if you had no basis for defining what a reasonable level of effort should have been prior to the incident. So ask your clients and inquire around your firm, have your panic attack when you find a dearth of objective criteria, and then read on to find a solution.
Law firms, like public-sector and other private-sector organizations, struggle to determine which cyber security investments are appropriate and beneficial for protecting the critical parts of their business operations. Managers of large information technology (IT) systems regularly make policy and technology choices that affect both their users' experience and their systems' confidentiality, integrity, and availability. Lacking empirical data, these choices are often made on the basis of mere (allegedly) expert opinion. Dependencies and competing interests from proc...