Risk Mitigation and the Law

In the litigious society of the United States in the 21st century, it is a miracle we can say or do anything. Are there going to be legal and ethical considerations for your chosen project organization? Yes, of course. This activity will assist in your understanding of how policy and strategy are created to manage risk within the legal and regulatory requirements for IT security. (Think about legislation and regulation such as FISMA, GLBA, SOX, HIPAA, FERPA, ECPA and CFAA, as well as contractual industry standards such as PCI DSS, which is not a law but is enforced through card-brand and acquirer agreements.)

Remember that laws are made by politicians, and politicians are driven by public and media reaction to specific incidents. Laws and legal judgments, therefore, are piecemeal in nature. When such laws reach a critical mass, lawmakers may conclude that the emerging patchwork of related but often inconsistent laws and regulations requires an omnibus law to create consistency and greater predictability. The United States has no such omnibus information security or privacy law.

In the absence of a unifying federal law, particular industries or sectors are targeted for regulation as perceived problems in those industries become public. Laws and regulations covering targeted industries are then gradually expanded through civil litigation and regulatory action, limited only by the patience of judges and the imagination of plaintiffs' lawyers, prosecutors, and regulators.

For information security practitioners, this is a good news and bad news situation. The bad news is that attempts at comprehensive regulation often turn out to be a jumbled mess, particularly when multiple economic sectors with differing operational environments and needs are regulated by a single rule. Because the private sector often develops time-tested best practices on its own, regulation written before the private sector has converged on a workable solution can be particularly ineffective, prescribing controls that practice later supersedes.

The good news follows from the same problem. A patchwork of different federal, state, and international laws and regulations (the current state of information security law) is confusing, so careful, case-specific legal analysis and advice from qualified and experienced counsel are at a premium. Certified and qualified INFOSEC professionals are therefore highly sought after for their experience and skill in navigating this mass of regulatory law and in translating between the language of engineers and the language of lawyers and regulators.

There is a difference between regulatory compliance and the broader legal requirements for doing business: an organization can satisfy a specific regulation or pass an audit and still carry legal exposure under contract, negligence, or privacy claims. INFOSEC professionals have to bridge that gap, balancing law and ethics in an easy-to-understand dialogue when communicating with the target organization.

Discussion Question

What is the impact of computer legislation and case law on information security management?

In your post, consider the following factors:

  • How the various laws and regulations affect IT professionals, both individually and as a profession.
  • Possible approaches to improving the protection of personal privacy and the advantages and disadvantages of such approaches.
  • Significance of digital signature legislation.