Due care and due diligence
Due care – Doing what a reasonable person would do. ie expecting your staff to keep systems patched
Due diligence – Management of due care. ie verifying that your staff has patched their system
Gross negligence – Opposite of due care. If you cannot demonstrate due care, you are grossly negligent
Compliance with laws and regulation
Complying with laws and regulation is a top information security management priority.
Major legal systems
Civil Law (Legal System) – The system of civil law leverages codified laws or statutes to determine what is considered with the bounds of law. Judicial rulings cary less weight under common law.
Common Law – Legal system used in US, Canada, UK and most former British Colonies. Common law places significant emphasis on particular cases and judicial precedents as determinants of laws. Judicial rulings can sometimes supersede statutes and laws created by the legislative body.
Religious Law – Religious doctrine or interpretations serves as a source of legal understanding and statutes. Islam serves as the most common source for religious legal systems. Sharia is the term used for Islamic law and it uses the Qur’an and Hadith as its foundation.
Customary Law – Customary law refers to those customs or practices that are so commonly accepted by a group that the custom is treated as law. In Information security, the concept of best practices is closely associated with customary law.
Example: An organization that maintains sensitive data but has no specific legal requirements regarding how the data must be protected. The data is later compromised. If it were discovered that the company did not employ firewalls, AV, and used outdated systems to house the data, many would believe the organization violated perhaps not a legal requirement but accepted practices by not employing customary practices associated with safeguarding sensitive data.
Criminal, Civil, and Administrative Law
Within Common law there are various branches of law including criminal, civil and administrative law.
Society is the victim. The goal of criminal law is to promote and maintain and orderly and law abiding citizenry. In order to convict someone accused of criminal act, the crime must be proved beyond any any reasonable doubt. Once proven the punishment will potentially include incarceration, financial penalties or in some jurisdiction, death.
Aka Tort law deals with injury, resulting from someone violating their responsibility to provide duty of care. An individual, group, organization is the victim and concerns most commonly private parties where punishment is focused on compensating the victim.
Common types of Financial damages
- Statutory – Prescribed by law, awarded to victim even if the victim incurred no actual loss or injury
- Compensatory – Provide victim with financial reward in effort to compensate for loss of injury incurred
- Punitive – Awarded to attempt to discourage a particular violation where compensatory or statutory damages alone would not act as a deterrent
Aka regulatory law enacted by government agencies. Government mandated compliance measures are administrative laws. Examples are FCC regulations, HIPAA security mandates, FDA regulations, FAA Regulations.
Questions of liability often turn into questions regarding potential negligence. The Prudent Man Rule is applied to determine actions or inactions constitute negligence.
Minimum standard of protection that business stakeholders must attempt to achieve. The Prudent Man Rule requires that an organization engage in business practices that a prudent, right thinking, person would consider appropriate. Businesses should align themselves with best practices appropriate to their industry as best practices today may become minimum necessary required by standard of due care.
Due diligence is a formal process that requires and ensures an organization continue to scrutinize their own practices in order to meet or exceed requirements for protection of assets and stakeholders.
If an organization is compromised in such a way that caused significant financial harm to their customers, shareholders or public, one way to defend is to show they exercised due diligence.