Your Legal Liability in a Data Processing DisasterTop Management Needs to Know About Data Security and the Law!
Partners In Disaster Prevention:
Disaster Recovery Journal
YOUR LEGAL LIABILITY IN A DATA PROCESSING DISASTER
Have you ever wondered how
a corporate disaster might affect you personally? If the corporation survived
despite major losses would you be affected in any way? And if the corporation
went bankrupt, what might happen to you?
Beyond the problem of whether you would have a job or not, there is the concern of being sued by stockholders or criminally prosecuted if your corporation experiences a disaster. This article explains who should worry and why and what steps you can take to minimize the personal risk of a corporate disaster.
Who is at risk?
Reasons for Liability
You should analyze conduct for adequacy of performance from the point of view of a jury. A court could easily say that a failure to insure corporate assets essential to corporate survival (such as a data center) would be conduct that falls short of the proper exercise of the minimal standard of care. And, where directors, officers and managers neglect their duty and the proximate result is a loss to the corporation, they are liable for it.
...An equally important objective of the law was management accountability. Section 102 requires managemnt to provide shareholders with reasonable assuances that accurate books and records are properly maintained and that the business is adequately controlled.
It is the requirement to maintain and safeguard corporate records that makes disaster recovery planning important to compliance, since most of the required corporate records are stored electronically. Violations of the Foreign Corrupt Practices Act can lead to both civil and criminal fines and to the possibilty of imprisonment.
... A person lives up to the duty of good faith by doing things that he knows to be right. Knowingly doing the wrong thing is an act of disloyalty and a violation of the duty of good faith. If you know there is a real and preventable risk to your corporation and you do nothign to prevent the risk, then your disregard for the proper course of conduct would probably be construed as acting in bad faith.
Consider the following scenario. Assume a data processing disaster forces a company into bankruptcy because no contingency planning had been done. Assume further that an angy shareholder files suit against everyone responsible including directors, officers, and the MIS director for allowing the corporation in which he invested to go bankrupt.
The following argument might well be persuasive to a jury:
What To Do?
TOP MANAGEMENT NEEDS TO KNOW ABOUT DATA SECURITY AND THE LAW!
Any organization which fails to institute appropriate data security can expose not only the organization but its board of directors individually and personally to substantial liability, which can be imposed by contract an/or by law. The board of directors of a company has a fiduciary responsibility to the stockholders to protect all of the assets of the company. Failure to establish and maintain a reasonable security program is a breach of that fiduciary duty; in case of substatial loss, the members of the board may be personally liable to stockholders whose stock has been devalued. The corporation may also be liable to others, either contractually or under the doctrines of tort law (a civil wrong for which the law imposes liability).
Liability for Bad Data
Complying with regulatory Agencies
Management's Responsibility
"Data should not be stored where they are subject to the same disasters that could destroy them where they were in the first place!"
MANAGERS ARE LIABLE FOR INFORMATION PROTECTION
Liability is one reason for concern behind the growing interest in off-site storage. In fact, managers and executives of all companies should take note that the Foreign Corrupt Practices Act makes management personally liable for the protection of company assets. Under the act, assets include all vital company information and computer data.
Individual penalties of $10,000 and five years imprisonment can be levied against both corporation directors and senior managers for failing to insure adequate protection.
Inaddition, the board of directors of banks and financial institutions are now responsible for taking measures to reduce or eliminate the possible loss of data processing support.
According to the Comptroller of the Currency, in Banking Circular 177, the board must review and approve on an annual basis management's assessment of how such a loss would impact operation of the facility and the methods implemented to eliminate the risk and/or the impact.
... It is likely that the vice president or manager of MIS can be held personally liable for the loss if there are actions he should have taken to avoid the loss, but did not.
... If these responsible persons breach the duty of trust, they may be liable to the shareholders of the corporation. The standards used to judge faithful performance were developed over a long time. Numerous court cases in which disgruntled shareholders sued officers, directors and agents for alleged wrongdoing developed into the standard called the "Prudent Man Rule." It requires officers, directors and agents to discharge their duties with the diligence and care that ordinary, prudent men would exercise under simiilar circumstances... How is this duty of care related to the issue of disaster recovery planning? Where the risk of loss of assets is significant and the impact of the risk of loss is large, it would seem axiomatic that prudent men would take steps to protect the corporation and its assets.
"Ladies and gentlemen of the jury, I submit that the reckless action of all of these people in failing to insure corporate assets and failing to develop a disaster recovery plan involves conscious disregard for a known but preventable risk. Thus, I submit that their approach to preservation of the corporate assets was an approach not taken in good faith, and thus their personal liablility would not be a liability subject to the limitations under the new corporate statutes nor should it be subject to indemnification under the traditional indemnity arguments. I ask personal judgements against all of them in the amount of the loss."
You can avoid the legal problems described above by acting like a reasonable and prudent man and by exercising due care for your corporation. In other words, develop a disaster recovery plan.
By: Robert P. Bigelow
The law of torts may also impose liability on an organization for failure to take appropriate security precautions. For example, if the company maintains a database of information on the finances of the company this data could be accessed by interioper and the information could be sabotaged by improper modifications. What could this do to a company if not found in time before reports were made or taxes prepared?
Particular industries often have specific requirements for data security imposed by regulation. For example, banks are subject to audit by federal and state authorities. In the spring of 1983, the Chief National Bank Examiner issued a circular requiring national banks to institute contingency plans for thier EDP systems, including provisions for off-site backup of critical data files, software, and hardware, alternate means of processing transactions, and periodic testing of the system. Additional regulatory requirements can be expected in the future.
Management, whether it realizes it or not, is responsible for the security of the organization's information system. Sometimes this responsibility is contractual, sometimes it is created by law, and sometimes it will be imposed by the courts. If top manaement does not act to establish and maintain adequate data security procedures, the organization could be liable for substantial damages... and those damages may be collectable from the managers personally!
Security World