Saturday, April 08, 2006

Subcommittee on Privacy, Security and Data Management

Michael Power and Peter McLaughlin co-chaired this morning's meeting of the cyberspace subcommittee on Privacy, Security and Data Management. More than 35 people attended (and more than half of them were new to the subcommittee). There was discussion about possible new projects -- e.g., a collection of examples of negotiated clauses/exceptions to standard software vendors' exclusion of liability for security breaches (and/or a collection of examples of how large buyers have used their buying power to move vendors away from their historical hard line). There also was discussion about CAIT's ongoing project to develop (and keep up to date) a set of checklists/tools to help counsel work effectively through the barrage of decisions that have to be made in the midst of a security incident (e.g., a network security breach).

Andy Serwin made a presentation (using PowerPoint in an unexpected way, with non-volatile storage/display tools -- paper) trying to read the tea leaves about the FTC's emerging security policies. While recent enforcement actions are reported as "privacy-protection" activities, a closer look suggests that (a) the FTC is really focused on inadequate underlying security, (b) at companies that hold financial-related information. Relying on Gramm-Leach-Bliley, the FTC has seized on the lack of a written contingency plan (for managing security incidents). (While many companies have at least decent security processes, many of these aren't institutionalized formally enough to facilitate knowledge continuity -- hence the need for a written plan.) FTC actions also illustrate the need for formalized risk-assessment and risk-management processes, systematically applied to the area of information security. (An ecopy of Andy's presentation resides here.)

The number of people in the room, the kinds of questions raised, and the level of passion exhibited during this meeting all suggest that the "perfect storm" of security/privacy is closer than a distant speck on the horizon. The lawyers who prepare earliest may actually benefit from the coming storm, by being able to out-sail their less-well-prepared colleagues. As with Health-Safety-Environment, companies also may find an emerging competitive advantage flowing from their earlier planning. (Argue this, when justifying your participation in our work.)
