Employing a legal defensibility strategy goes beyond superficial "checklist-oriented" compliance and recognizes that ambiguities exist in the law which, if not properly addressed, could adversely impact a company. It recognizes the need for a close working relationship between legal and security that allows both roles to understand how the other operates. It requires shifting the security team's frame of reference slightly, so that they understand how their decisions will later be scrutinized in a legal setting. Under a legal defensibility model, security decisions become legal positions that address issues such as "reasonable security," risk and compliance with specific regulatory mandates.
Even the mode of communication changes: best practice is to establish attorney-client privilege in an attempt to shield the "sausage making" (and the related paper trail) that sometimes goes into developing a security program. Documentation of decisions, and of the rationale behind them, becomes important because it creates a historical record that will be unearthed in the event of legal action. That documentation allows the organization to justify its processes and present itself in the best light before a legal decision maker.
For legally defensible security, a key consideration is the process for making security decisions. An established decision-making process that takes into account accepted and relevant security standards, risk management and legal requirements is better than an ad hoc approach. It provides consistency across an organization and over time, gives courts a basis for analyzing the adequacy of a company's security program, and is easier to defend if it is reasonable and was actually followed. Coupled with documentation, a well-conceived and consistently applied process can strengthen an organization's position in a legal context and reduce its risk.