Security Managers Could Face Court Penalties
Routine efforts to improve network security could be used against IT managers in court, warned cybercrime attorney Mark Rasch.
Security managers who fail to secure their company's information could be making it harder to prosecute computer crime, said Rasch, who delivered a keynote at the NetSec 2004 conference here this week.
"For trade secrets to be entitled to legal protection, the person holding the trade secret has to demonstrate that they used reasonable efforts to ensure its secrecy," Rasch said.
And sometimes a security manager's efforts to secure information can be used against him by a plaintiff's attorney. For example, imagine that a security manager writes a memo listing 10 measures that must be taken to secure corporate information, and the company only implements two of them. "That memo is a plaintiff's lawyer's dream," Rasch said.
Likewise, security managers are routinely cautious in deploying patches to Microsoft software and other products. The patches are tested and rolled out over a period of time. That caution could be used by a plaintiff's lawyer to prove negligence. "They'd ask how much it would cost to install the patch? They'd say it doesn't cost much. You'd say it isn't just one patch, there are thousands of patches. But the jury just hears about the one patch," Rasch said.
Likewise, companies that generate security logs but don't look at them are letting themselves in for legal trouble, Rasch said. The corporation is presumed to be aware of the information contained in those logs.
