Professional Monitor: In association with (ISC)2

With recession threatening more litigation and savvy judges hot on the trail of electronic data, security professionals and lawyers need to share their expertise.

While regulatory compliance drives much of what information security professionals do, they have not generally had to develop legal expertise. However, as IS management becomes data- rather than network-centric, this could be changing.

Mark Surguy, senior associate with lawyers Pinsent Masons, specialises in corporate cases, often with a fraud element. He has seen a growing overlap in required expertise between IS and his own professional domain. He believes organisations would benefit from collaborative professional development.

“In the past five years, it would have been impossible to do my job without some understanding of technology. I have had to develop an appreciation for the professional security perspective,” he explains. “If IS professionals and their legal teams were to talk more, they both would benefit. And they would drive needed data governance in a world where information crosses varied geographical regions and legal jurisdictions.”

He highlights two major differences between litigation today and during the last recession of the 1990s. Then, little evidence was held electronically, while today almost all evidence will be electronically stored; and judges are going to insist on access to the evidence quickly and at a proportionate cost.

Although the UK has no system of punitive fines, when information is not produced cases can be thrown out and organisations made to pay costs. Surguy says: “It is not sufficient to delegate these matters to the IT department, which knows nothing about litigation, or expect the legal department (which knows little about technology) to cope alone. A team approach is required.”

(ISC)2 European advisory board member Alessandro Moretti concurs: “The legal professional is in increasing demand, helping clarify what information needs to be controlled and what expectations the data owner and regulator may have. Legal guidance is needed to set adequate IS controls.”

“The great advantage of having so much electronically stored information is that it makes it easy to reconstruct the history of any case,” Surguy says. “But disorganised data storage, an absence of document-management policies and a high turnover of IT staff mean that many companies are sitting on a ticking bomb.”