<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-1572948039764834937.post8575004563711740196..comments</id><updated>2008-04-25T08:18:42.946-07:00</updated><title type='text'>Comments on Christiansen's IT Law: Information Law Theory and Practice: The Role of Legal Counsel in Information Security ...</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://informationlawtheoryandpractice.blogspot.com/feeds/8575004563711740196/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1572948039764834937/8575004563711740196/comments/default'/><link rel='alternate' type='text/html' href='http://informationlawtheoryandpractice.blogspot.com/2007/02/role-of-legal-counsel-in-information.html'/><author><name>John R. Christiansen</name><uri>http://www.blogger.com/profile/16592498654125943981</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>5</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1572948039764834937.post-1025844291464899329</id><published>2008-04-24T14:29:00.000-07:00</published><updated>2008-04-24T14:29:00.000-07:00</updated><title type='text'>A very solid post on security risk assessment from...</title><content type='html'>A very solid post on security risk assessment from a legal perspective. I would also agree on the responsibilities between the legal counsel and the technology and security practitioners.  A very good analogy that I face in my field is the roles of network and security technologists.  
Network engineers often have a hard time collaborating with network security engineers - network engineers don't like to be told that the network architecture must be redesigned in order to better integrate with security infrastructure and security engineers get frustrated that they are not engaged in initial architecture developments in order to build a more secured network.  The fact is that both functions, network and security, must work together.  In fact, other groups, like application and business groups should really get engaged in strategy and technology developments to address security challenges.  In your post, the emphasis of technical knowledge integrating with the legal knowledge is great.  However, we should also emphasize that these two functions are key inputs to the core - business.  Both technical and legal must collaborate in delivering assessment results and recommendations, but let's not forget that the number one priority is to first understand the business prior to assessment and making recommendations.  
Yes, during the risk assessment, the business impact analysis is factored in, but even before this, the assessment initiative must engage roles directly from the business side, resulting in the three-headed monster type of attack - the business, the legal, and the technology knowledge.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1572948039764834937/8575004563711740196/comments/default/1025844291464899329'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1572948039764834937/8575004563711740196/comments/default/1025844291464899329'/><link rel='alternate' type='text/html' href='http://informationlawtheoryandpractice.blogspot.com/2007/02/role-of-legal-counsel-in-information.html?showComment=1209072540000#c1025844291464899329' title=''/><author><name>Al C</name><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://informationlawtheoryandpractice.blogspot.com/2007/02/role-of-legal-counsel-in-information.html' ref='tag:blogger.com,1999:blog-1572948039764834937.post-8575004563711740196' source='http://www.blogger.com/feeds/1572948039764834937/posts/default/8575004563711740196' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-1572948039764834937.post-8519538019974974243</id><published>2007-07-20T22:10:00.000-07:00</published><updated>2007-07-20T22:10:00.000-07:00</updated><title type='text'>Your post is really very good and you have really ...</title><content type='html'>Your post is really very good and you have really introduced and explained “risk assessment” in very good fashion.  As I am also aware about risk assessment so I would like to add some words on risk assessment from my side. The objective of Risk Assessment is to identify current risks and threats to the business and implement measures to eliminate or reduce those potential risks.  
The Risk Assessment is only part one of an overall Business Assessment.  A Business Assessment is separated into two constituents, Risk Assessment and Business Impact Analysis (BIA).  The Risk Assessment is intended to measure present vulnerabilities to the business’s environment, while the Business Impact Analysis evaluates probable loss that could result during a disaster.  To maximize the Risk Assessment, a Business Impact Analysis should also be completed.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1572948039764834937/8575004563711740196/comments/default/8519538019974974243'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1572948039764834937/8575004563711740196/comments/default/8519538019974974243'/><link rel='alternate' type='text/html' href='http://informationlawtheoryandpractice.blogspot.com/2007/02/role-of-legal-counsel-in-information.html?showComment=1184994600000#c8519538019974974243' title=''/><author><name>complianceadvisor</name><uri>http://www.compliancehome.com/</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://informationlawtheoryandpractice.blogspot.com/2007/02/role-of-legal-counsel-in-information.html' ref='tag:blogger.com,1999:blog-1572948039764834937.post-8575004563711740196' source='http://www.blogger.com/feeds/1572948039764834937/posts/default/8575004563711740196' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-1572948039764834937.post-8501965699630221779</id><published>2007-02-16T10:55:00.000-08:00</published><updated>2007-02-16T10:55:00.000-08:00</updated><title type='text'>Thanks! Especially to anonymous, as this is the ki...</title><content type='html'>Thanks! Especially to anonymous, as this is the kind of discussion I was hoping to generate.&lt;BR/&gt;&lt;BR/&gt;I agree that "risk assessors can opine," and I think they should - within their range of expertise. 
Non-lawyer risk assessors should not opine about legal issues, however, and they all too often do.&lt;BR/&gt;&lt;BR/&gt;I've done risk assessments as both a lawyer and a non-lawyer consultant, and reviewed others' assessments in both roles. I have frequently received reports in which non-lawyer auditors or assessors made legal conclusions - e.g. "this is HIPAA-compliant" or "this is prohibited by Gramm-Leach-Bliley." Whenever I receive this kind of report, I reject it - and am very unhappy to have received it, if it includes conclusions that my client is "not in compliance" - i.e., breaking the law. In my role as a consultant I have also done trouble-shooting for consultant colleagues whose reports have been rejected by legal counsel under the same conditions - and whose fees are being held for that reason.&lt;BR/&gt;&lt;BR/&gt;The problem is that this kind of report is now evidence that my client is breaking the law, even if the person who has that opinion has no legal education or experience, and even if I disagree as to the legal implications of the facts in the report. Actually advising a client on whether or not complex IT-related facts prove a violation of an ambiguous law and long, inconsistent regulations isn't necessarily easy if you're an experienced lawyer, but try explaining that to a judge, jury or inexperienced regulator who has just been handed a copy of a consultant's report  stating bluntly "because role-based access was not implemented this database violated HIPAA." (This actually happened in litigation I was involved with.)&lt;BR/&gt;&lt;BR/&gt;Giving legal opinions is also sort-of the core definition of legal practice, and the unauthorized practice of law is a crime in at least a lot of states. I'd be rather less concerned about that - lots of professionals poach in this area, not just IT assessors, and there aren't a lot of prosecutions - than I would be about the consultants' potential liability. (I sometimes advise consultants in this area.) 
If you are found to have been "practicing law" you can probably be sued by your client, and your insurance carrier will probably decline to defend or cover you.&lt;BR/&gt;&lt;BR/&gt;I don't think lawyers should opine on technical issues, unless and only to the extent that they in fact have appropriate technical knowledge, and I think a major part of the value a good assessor brings to the table is to give opinions about how things might be done better. But any consultant who purports to give a legal opinion is in dangerous waters - and if you give it to one of my clients, we'll have to have a long talk . . .</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1572948039764834937/8575004563711740196/comments/default/8501965699630221779'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1572948039764834937/8575004563711740196/comments/default/8501965699630221779'/><link rel='alternate' type='text/html' href='http://informationlawtheoryandpractice.blogspot.com/2007/02/role-of-legal-counsel-in-information.html?showComment=1171652100000#c8501965699630221779' title=''/><author><name>John R. Christiansen</name><uri>http://www.blogger.com/profile/16592498654125943981</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18419358262708610265'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://informationlawtheoryandpractice.blogspot.com/2007/02/role-of-legal-counsel-in-information.html' ref='tag:blogger.com,1999:blog-1572948039764834937.post-8575004563711740196' source='http://www.blogger.com/feeds/1572948039764834937/posts/default/8575004563711740196' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-1572948039764834937.post-3317246882881793142</id><published>2007-02-16T08:47:00.000-08:00</published><updated>2007-02-16T08:47:00.000-08:00</updated><title type='text'>Great post....very useful.Bill Dillon</title><content type='html'>Great post....very useful.&lt;BR/&gt;&lt;BR/&gt;Bill Dillon</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1572948039764834937/8575004563711740196/comments/default/3317246882881793142'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1572948039764834937/8575004563711740196/comments/default/3317246882881793142'/><link rel='alternate' type='text/html' href='http://informationlawtheoryandpractice.blogspot.com/2007/02/role-of-legal-counsel-in-information.html?showComment=1171644420000#c3317246882881793142' title=''/><author><name>Anonymous</name><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://informationlawtheoryandpractice.blogspot.com/2007/02/role-of-legal-counsel-in-information.html' ref='tag:blogger.com,1999:blog-1572948039764834937.post-8575004563711740196' source='http://www.blogger.com/feeds/1572948039764834937/posts/default/8575004563711740196' 
type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-1572948039764834937.post-8319637169179062272</id><published>2007-02-16T07:43:00.000-08:00</published><updated>2007-02-16T07:43:00.000-08:00</updated><title type='text'>Good review of risk management in technology space...</title><content type='html'>Good review of risk management in technology space.  However, we'd reverse the logic.  Legal assistance on implications is subordinate to the security assessment.  The risk assessors can opine, legal can't or at least shouldn't.  As well, good assessors go beyond, simply 'fact finding.'&lt;BR/&gt;&lt;BR/&gt;Good piece.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1572948039764834937/8575004563711740196/comments/default/8319637169179062272'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1572948039764834937/8575004563711740196/comments/default/8319637169179062272'/><link rel='alternate' type='text/html' href='http://informationlawtheoryandpractice.blogspot.com/2007/02/role-of-legal-counsel-in-information.html?showComment=1171640580000#c8319637169179062272' title=''/><author><name>Anonymous</name><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://informationlawtheoryandpractice.blogspot.com/2007/02/role-of-legal-counsel-in-information.html' ref='tag:blogger.com,1999:blog-1572948039764834937.post-8575004563711740196' source='http://www.blogger.com/feeds/1572948039764834937/posts/default/8575004563711740196' type='text/html'/></entry></feed>