American Bar Association ABA

July 2006
e-news for members

What every general counsel and transactional lawyer needs to know about information security

Information security is a business discipline that combines "policies, processes and technology," said Peter McLaughlin of Cardinal Health, Inc., during a recent ABA continuing legal education teleconference on "Contracting for Information Security & Privacy Risks: what every general counsel and transactional attorney needs to know about information security."

The panel presentation outlined common information security terms, offered explanations as to why information security is so important, compared what large and small organizations are currently doing in the area, and answered the question, "What is the legal and business impact of breached information security?"

One of the reasons information security is coming to the forefront, said Andrew Shea, NetSPI, Inc., is that there is much more monitoring by the Federal Trade Commission and increased federal regulations in the way of Sarbanes-Oxley, Gramm-Leach-Bliley and other laws. Because of Sarbanes-Oxley, noted McLaughlin, the boards of large companies are getting involved in overseeing security, due diligence in the area is becoming more the norm, and executives are becoming more proactive in their approach by acting before a security incident occurs. Mid-sized companies, according to Shea, are formalizing responsibilities and risk management roles, making an effort to understand the requirements they face, and looking into cyber security insurance. There's "not a lot of activity yet" in small companies, but some discussions and additional technology controls are beginning to occur.

David Navetta, InfoSecCompliance, LLC, said that breaches of information security – with both legal and business implications – affect all types of companies, and all aspects of companies. Business interruption may occur, reputations can be lost, and contractual violations may occur. McLaughlin noted that a company's ability to prevent such breaches is only as strong as the weakest link. It is not enough to have a strong policy and implementation within one's organization; strong guidelines for vendors, outsourcers and partners are also a must.

Navetta also discussed information security contract methodology, noting that it includes risk assessment, risk management and contract term development. Risk assessment includes helping a client identify information and the type of system access that is going to be available to outside parties in a contracting arrangement. Risk management includes measuring what controls the vendor does and should have in place to address the possible risks and what types of contract terms and language should be used in light of risk. To identify the types of information a company has and is contemplating sharing with a vendor, a lawyer may need to consult with an information security expert.

Panel moderator Eleanor Kellett, SCANA Services, Inc., said that the confidentiality, integrity and availability of information assets are critical. To ensure that these criteria are met, it is important to "trust and verify."

Portions of the printed materials from the panel are available here [PDF] for at least the next two weeks. Audio of the program, and additional materials, are available through the ABA Web Store, here.


© 2006 American Bar Association
 
