Administrative Law

Administrative law or regulatory law is law enacted by government agencies. The executive branch (deriving from the Office of the President) enacts administrative law in the United States. Government-mandated compliance measures are administrative laws.

The executive branch can create administrative law without requiring input from the legislative branch, but the law must still operate within the confines of the civil and criminal code, and can still come under scrutiny by the judicial branch. Some examples of administrative law are FCC regulations, HIPAA security mandates, FDA regulations, and FAA regulations.

Liability

Legal liability is another important legal concept for information security professionals and their employers. Society has grown quite litigious over the years, and the question of whether an organization is legally liable for specific actions or inactions can prove costly. Questions of liability often turn into questions regarding potential negligence. When attempting to determine whether certain actions or inactions constitute negligence, the Prudent Man Rule is often applied.

Two important terms to understand are due care and due diligence, which have become common standards that are used in determining corporate liability in courts of law.

Due Care

The standard of due care, or a duty of care, provides a framework that helps to define a minimum standard of protection that business stakeholders must attempt to achieve. Due care discussions often reference the Prudent Man Rule, and require that the organization engage in business practices that a prudent, right-thinking person would consider to be appropriate. Businesses that are found to have not been applying this minimum duty of care can be deemed as having been negligent in carrying out their duties.

The term “best practices” is used to discuss which information security technologies to adopt in organizations. Best practices are similar to due care in that they are both abstract concepts that must be inferred and are not explicit. Best practices mean organizations align themselves with the practices of the best in their industry; due care requires that organizations meet the minimum standard of care that prudent organizations would apply. As time passes, those practices which might today be considered best will tomorrow be thought of as the minimum necessary, which are those required by the standard of due care.

Due Diligence

A concept closely related to due care is due diligence. While due care sets the minimum necessary standard of care an organization must employ, due diligence requires that an organization continually scrutinize its own practices to ensure that it is always meeting or exceeding the requirements for protecting assets and stakeholders. Due diligence is the management of due care: it follows a formal process.

Prior to its application in information security, due diligence was already used in legal realms. Persons are said to have exercised due diligence, and therefore cannot be considered negligent, if they were prudent in their investigation of potential risks and threats. In information security there will always be unknown or unexpected threats, just as there will always be unknown vulnerabilities. If an organization were compromised in such a way that caused significant financial harm to its consumers, stockholders, or the public, one of the ways in which the organization would defend its actions or inactions is by showing that it exercised due diligence in investigating the risk to the organization and acted sensibly and prudently in protecting against those risks being realized.