Legal Defensibility with respect to Information Security

21 June 2010 09:28 am , CTOF Team

Legal defensibility, and how to go about establishing it in the most meaningful way possible.

Legal defensibility deals with the process behind making security choices and justifying those choices in a legal context, with the aim of reducing legal risk (and, of course, the costs associated with that risk). Legal risk arises when a company suffers a security breach, or is unable to comply with legal security requirements, and must defend itself in a legal or regulatory action. It is not really about whether a company is “secure” but whether it can successfully argue that the choices it made and the security processes it carried out are legally “reasonable” and comply with the applicable legal requirements, such as regulations, contracts and common-law standards.

An organization must therefore proactively build a case that can withstand legal scrutiny, one which shows that it has taken every reasonable step to protect itself and its assets in order to preserve and build long-term value. It should operate under the assumption that some day a security incident will take place and that, as a result of that incident, it will be subjected to legal proceedings that challenge whether or not it followed the required legal measures in protecting itself. The principles inherent in networked system survivability, including defensibility and recoverability, should become the basis of this proactive approach to building such a case.

David Navetta of the Information Systems Security Association (ISSA) has written an excellent article on how to handle legal defensibility in this new era. He states: “The focus of legal defensibility is understanding how a plaintiff’s attorney, judge, jury, or regulator will view an organization’s security posture in light of applicable legal requirements. Under a legal defensibility analysis security choices become legal positions or arguments to be used to persuade legal decision-makers that an organization’s security was legally sound, and increase the likelihood that a judge, jury, or regulator will find a company legally compliant. Ultimately, there may not be a clear ‘right’ or ‘wrong’ answer, but rather a more or less persuasive legal argument/position on security.”

There are two fundamental principles on which legal defensibility is based:

1. When a security breach occurs…

All organizations should expect a security breach to occur. It is very common these days for a company to have experienced, or to be currently experiencing, a security incident of some kind. This may range from malware infections to targeted attacks to an actual data breach. It is therefore essential that a company be prepared and know what steps have to be taken when a security incident occurs. Policies with which the organization defends itself should already exist, and those policies should have a strong legal basis.

2. Protect what’s entrusted with your organization – the valuable data repository

With each passing day, a great deal of personal data is handed to organizations through online transactions, social networking and the like. This data is valuable to the organizations to which it is entrusted. It is very important that an organization knows itself well: what its strengths are and what is most valuable to it. It should then act in a self-preserving manner, keeping long-term value in mind rather than concentrating on short-term profits.

Legal defensibility is a very new concept and is still in its developing phase, but its importance is nevertheless gaining recognition with time. It simply makes sense. After all, prevention is better than cure!
