Real Life Lessons: Legal System
- At February 07, 2008
- By Josh More
- In Business Security
1
[flickr]photo:497353227(small)[/flickr]The fifth lesson was of the legal system. As you recall, I chose to not involve the police. If I had, I likely could have filed charges against the boy. (Not sure if it would have been breaking and entering, since he didn’t seem to break anything.) I chose to not do this. There were several reasons:
- No harm, no foul.
- It would have taken a lot of time to deal with the paperwork… and I had a full schedule.
- I do not know how the law would have handled it, but to my own mind, I was just as negligent as he was.
In effect, I made a business decision that to involve the law would likely cost more (in time) than it was worth. Many people are faced with decisions like this, and most people have a different invisible line that must be crossed. I have known businesses that would call the police at the drop of a hat. I have also known business that would ignore successful network intrusions, considering them a “cost of business“.
In the event of a breach, most businesses consider it as follows:
- dollar amount stolen + dollar amount of lost time in repair
- dollar amount of successful prosecution times likelihood of successful prosecution – cost of successful prosecution – loss of trust in the market
It is often easier for a business to simply accept the loss than to risk greater losses by involving the legal system… but sometimes there is no choice. An increasing number of states have disclosure laws. If the breach involved any personal information (names, addresses, credit card numbers, social security numbers, etc), you may well be required to disclose the incident and accept any negative consequences that arise.
So, what is a business to do? First of all, you should have a lawyer that can help guide you through such a decision. Secondly, you should have a lawyer before a problem occurs – so that they are already familiar with your business. Third, you should know your data and know what possible ramifications might exist from storing it. Fourth, and optionally, you should have a security office or consultant who can look at your system and offer ways to limit risk and/or detect potential breaches. See, you’ll want to be the one telling your clients about the guy that broke in… not the newspapers.
Once you have these, your primary question should always be “Do I need to keep this data?“. If you are keeping information on users “just because“, and if that information would cost you if it got out… DELETE IT! It’s OK, if your users want you to have it, they’ll give it to you again.
My questions to you:
- What data do you store on your employees, customers, clients, and partners?
- If that information were stolen, how much could it damage you? (fines, lost clients, stolen clients, blackmail)
- How many years would it take you to recover?
Brett Trout
Josh,
Great series of posts. One metric that businesses often overlook is the “Fonzie” factor. If you have been in a fight before, people are much less likely to do anything to provoke a fight in the future. In nearly any fight, legal or otherwise, you are more than likely going to come out a “loser”, even if you win. But if you can fight one time to avoid the next fifty, the right fight, at the right time, can be a long term price performer.
There are so many Ritchie Cunninghams out there to pick on, why pick on a Fonzie. If you ever do get into a fight, you have a lot more leverage toward settlement. If you explain why a short term loss on this case is a long term gain prophylactic gain, it is much easier to reach a settlement.
Take the situation with the kid in your house. You handled it the right way. Beating that kid or suing him is likely not going to stop him from doing it again. He apparently would have chosen another option anyway, had he the choice. Taking action would have little deterrent effect. Now had the individual been a thief, a scene out of Kill Bill would probably put the word on the street that a threat to your life in your own home is not a price performer for the average baddie.
The same rules apply in business, but to an even greater degree. Information travels faster and more accurately online. You do not want to go looking for a fight, or taunt a hacker, but after viewing the carnage of the last guy to hack your system, your profit maximizing hacker might just decide a looksie next door beats a fight with the Fonz.
Brett