Liability


Course Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> Liability is one of those terms that, as a senior executive, strikes fear in our heart. We don't want to be held liable for loss. In this section we're going to talk about some ideas about what being found liable is and discuss the idea of culpable negligence. Then we're going to cover some other terms like due diligence, due care, and also the prudent person rule. Now I don't know that any of these are necessarily what I'm going to give you. These aren't necessarily definitions I would run back to law school with, but we're going to frame it in the context of the exam.

I'm going to give you a little scenario. Let's say I have a company and we own 100 computers, and these computers are all connected to the Internet. Now they're my computers. These systems are compromised and used to launch a downstream attack on another network, and they cost thousands of dollars' worth of damage. They're my computers. I had no ill will, but my computers were compromised and they wound up launching an attack downstream costing thousands of dollars' worth of damage.

The question is, am I liable? Am I culpably negligent? Now the best answer whenever I ask you a question is probably going to be "maybe." Maybe is one of those safe answers, and that's the perfect answer here. The question is, can I be held liable? I can. Am I necessarily going to be? Who knows? Because my question to you to follow up with this is, can I secure a system in such a way that we can guarantee there is no possible opportunity for compromise? Can I build a rock-hard system that can't be compromised, breached, that can't be manipulated? The answer is no. As a matter of fact, as soon as you think you've built that system, I can tell you someone's going to come along and crack it.

What can I do? I don't want to be found liable. I don't want to be responsible for thousands of dollars or even more worth of loss. What can I do? I can do what's right. I can do research. I can implement best practices. I can have good security policies and procedures in place. In short, I can use some terms like due diligence and due care.

Like I said, don't take these to law school, but the quick, easy definition: due diligence is my research. I have to do my research. I have to know what other organizations in the same industry are doing. I have to make myself knowledgeable in relation to threats and vulnerabilities. I have to do my research, and that's due diligence, but the most important piece is to act upon that knowledge. It doesn't matter so much what I know, it matters what I do, and that's due care. You can remember it by thinking, if I care, I will act.

I have to do the research, that's due diligence, but then once I find out what industry standard best practices are, or what laws and regulations I have to adhere to, I need to create and develop a security program that will ensure I'm in compliance, that will show I've acted responsibly and cautiously as a prudent person would do. This is the prudent gender nonspecific individual rule. In all seriousness, at one point in time this used to be called the prudent man rule. If you look at some of your older readings you'll still hear it referenced that way. But of course, now we're politically correct. It is the gender nonspecific individual rule. What this simply means is that, based on a judge's discretion, I have acted responsibly and cautiously as a prudent person would do.

In short, I can do the right thing. I can prove that I've used due diligence and due care. Like I said, due diligence being the research: doing things like attending conferences, hiring subject matter experts and having them provide input, conducting vulnerability assessments so I know what the weaknesses are in my organization. Those fall under the category of due diligence. Now due care is where I act. This is the development of my security policies. This is the enforcement of my security policies, because really a policy is only as good as its enforcement. This is the auditing to make sure policies and procedures are being followed. It's that due care piece that's super important. As a matter of fact, if they were to ask you which is the most important element of avoiding liability or culpable negligence, it really is due care above all else. Due diligence is great, but if you only research and you don't act, that doesn't matter.

Now, long story short, do the right thing and be able to prove you've done the right thing. Leave that paper trail of how you can demonstrate, or how you have demonstrated, due diligence and due care.

One other issue with liability. The last bullet point, the question is, who is ultimately responsible for the security of the organization? Any time you see that word "ultimately," I want your mind to go directly to senior management, because at the end of the day, no matter what, it's senior management that is accountable, and they might also use the phrase "ultimately responsible." That's a little tricky, because accountable and responsible are different words with different definitions. But accountable, which they'll use interchangeably with ultimately responsible, comes down to senior management. Who's going to get sued? You can think about it in that way.

With your liabilities, we talked about the need to avoid liabilities. We don't want to be found culpably negligent. The key to doing that is to exercise due diligence and due care, and ideally demonstrate that we've acted responsibly and cautiously in alignment with the prudent person rule.