Thursday, August 18, 2011

Security Standards and the Question of Liability

There has recently been much rhetoric over the issue of security standards. Organizations such as UL (Underwriters Laboratories), NFPA (National Fire Protection Association) and ASIS International have undertaken projects to develop standards. Both the process and even the advisability of developing standards have their supporters and detractors. But with all the discussion and debate that has taken place, little has been said – at least publicly – about the issue that will have the most significant impact on the implementation of security standards: liability.

The reason that liability will be such a significant factor is that liability in and of itself is a controversial topic. In theory there could probably be almost universal consensus that liability exposure should be avoided at all cost. In reality, since virtually nothing can be done to guarantee the elimination of all liability (at least not until we cease to be such a litigious society), there has to be a recognition of the difference between trying to eliminate all risk and liability, and accepting, or at least managing, reasonable risk and liability.

As a quick reminder of Liability 101, “getting sued” is not the same as “being liable.” In fact, “getting sued” is not even the same as “getting sued successfully.” But those concerned about total liability avoidance in the business world – the bean counters and corporate attorneys – frequently take the path of least resistance and make an error when they equate avoiding lawsuits with avoiding liability. And the addition of security standards will be another factor in muddying the liability waters.

Security is not an exact science, and thus is not readily adaptable to the “cookie-cutter” or “one-size-fits-all” mold. And that is why developing security standards will be a formidable task, especially as related to the issue of liability. Once the factor of liability is brought into the security standards equation, the forensic interpretation of adequacy and sufficiency of security as determined by the Courts must be considered. And it will be in this legal arena that the full impact and importance of security standards will ultimately be determined.

From a practical perspective, the implementation of any security standards that may be developed will have mixed results. While some may see such standards as a “no-brainer” way to implement a security program, others will be more cautious. And both will be correct in their own limited ways: if developed properly, a set of standards will be a guide for building a basic security program; but since the adequacy and sufficiency of any given security program are judged by their reasonableness vis-à-vis the risks at a given place, standards may not be appropriate in certain situations.

Moving forward to Security Liability 101, Courts across the country have long and consistently held that security measures must be commensurate with reasonably foreseeable threats and risks at a given place – the operative words being “foreseeable” and “given place.” This means that security programs will necessarily differ from place to place (perhaps even between places within the same organization) because the threats and risks might be different. So trying to find a set of standards that will be applicable to the myriad potential scenarios will be difficult (at best) if not impossible to achieve.

The main value that I see in security standards is a compilation of strategies and best practices from which any organization can choose those that best suit its particular needs. And again, since security is not an exact science and there are almost always multiple ways to solve any given problem, such a compilation will allow any organization to pick and choose from a variety of strategies from which a sound security plan can be developed. This will meet the needs of organizations looking to maximize their security posture while also providing a framework for liability avoidance.