Lurking Liabilities in Security Law

Five new legal issues in security can cause trouble for the unwary CIO.
Mary K. Pratt

May 9, 2005 (Computerworld) CIOs have a new name to know: Zubulake. And if they don't, they could be heading for trouble.
Zubulake is shorthand for the case of Zubulake v. UBS Warburg LLC, which was heard recently in a federal court in New York. The court's decisions in that case established new standards for retaining electronic data.
"The courts are increasingly depending on companies and their lawyers to produce electronic evidence and to make sure it's not destroyed," says Adam Rosman, a lawyer at Zuckerman Spader LLP in Washington. "It was an obligation that didn't previously exist."
CIOs have had to contend with hackers, worms and viruses for years. And they're getting a handle on new federal regulations that set additional security requirements. But even veteran IT executives may be ignorant of some crucial aspects of security law, like the requirements coming out of the Zubulake case, lawyers say.
These security measures, while important legally, fail to attract adequate attention because they're evolving standards, they're mixed in with responsibilities traditionally handled by other executives, or they're simply downplayed by the executive suite.
But CIOs need to make these new obligations a priority or live with increased risk of legal action. "There is some important work to be done to bring the CIO and the security officers up to speed," says J. Beckwith Burr, a partner at Wilmer Cutler Pickering Hale and Dorr LLP, which has headquarters in Boston and Washington.
Here are five security concerns that might have eluded some CIOs:

1 A threat of legal or regulatory action against your company should spur you to adopt more-conservative data-retention procedures. This is just as important as abiding by the rules for data storage that have emerged from the Zubulake case and better-known mandates, such as the Sarbanes-Oxley Act. "When you get wind that someone might be thinking of suing you, you have to immediately change your document destruction procedures so you don't destroy anything that might be evidence," says Stuart Meyer, a partner at Fenwick & West LLP in Mountain View, Calif. "You can be sanctioned to the tune of millions of dollars -- and many companies have -- because they didn't suspend their normal procedures."

2 Security threats from employees represent another often-overlooked risk that could land CIOs and companies in legal trouble. Some employees act maliciously, but others are duped. For example, a federal report released earlier this year found that 35 out of 100 managers and employees of the Internal Revenue Service provided their network log-on names and temporarily changed their passwords when asked to do so by U.S. Department of the Treasury inspectors posing as computer technicians.
Companies have an obligation to secure their information, even from their own employees, says Robert M. Weiss, a partner at Neal, Gerber & Eisenberg LLP in Chicago. For example, if an unauthorized employee accessed another employee's personnel file, officers and the company itself could be sued.

3 Corporate relationships with third-party service providers also present potential legal problems, lawyers say. For example, most contracts today limit the liability of outsourced providers to the cost of the contract. "So if there is a security meltdown, contractually the vendor isn't responsible," Burr says. That means that regulators, shareholders or corporate clients could go after the company -- not the provider -- if there were a breach.
"The question is how you meld your legal and procurement function with your IT function with your privacy operations and your security operations," Burr says. "There's a lot of communication that needs to go on to make sure all the bases are being covered."

4 Changes in best practices have come quickly with new laws, regulatory requirements and court decisions, and the implications could go well beyond initial expectations. Take, for example, federal laws such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act and Sarbanes-Oxley. They have security mandates for specific segments of the economy: financial services, the health care industry and public companies.
But these and other laws set "standards of care" that courts everywhere might rule apply to all companies -- even those not specifically covered by the laws, Meyer says.
"The general notion is if you act as a reasonable person would act, you shouldn't be held liable," says Greg Lippetz, a partner at Boston-based Bingham McCutchen LLP. "But 'reasonable' today is different than three years ago. The bar is rising."

5 Double-edged audits also pose a challenge. Most CIOs know that security standards are changing, and many use audits to find holes in their companies' policies and procedures. But audits themselves can cause legal trouble if companies don't follow up quickly on the results.
"If you have knowledge of a security gap and you don't correct it and something happens, it's hard to escape liability," says David MacDonald, a New York-based partner at Kirkland & Ellis LLP.
On the other hand, companies that fail to make reasonable efforts to find security gaps may also be liable.
That's why CIOs need to get cracking, lawyers say. They must educate other executives about the legal need to meet these new standards so they can get the money, time and staff they need to do the job.
"The most effective way to address security within a company is to take a very practical approach where you get executive buy-in and the resources you need to educate folks, deploy the technology, monitor it and reconstruct what happened if you have breaches," says Karen L. Casser, a partner at Symbus Law Group LLC in Washington. "That way, you put your company in a position to argue that you did your due diligence."
Pratt is a Computerworld contributing writer in Waltham, Mass. Contact her at marykpratt@verizon.net.