I came across an interesting read the other day when researching future data security laws and regulations. The article I came across, titled "The Legal Defensibility Era," discussed the legal defensibility doctrine and its application in the information security arena. The whole premise of legal defensibility is to look beyond the check-the-box compliance mentality and build an information security program based on a reasonable standard of care for a particular organization. One of the intended benefits of building a security program based on reasonability is to lower one's liability risk.
It is apparent in today's compliance atmosphere that most organizations will do only the minimum necessary as required by law or regulation to secure themselves. Worse yet, other organizations will fail to implement any information security program either because most laws and regulations don't apply to them or they decided to accept all risk and push their luck.
What exacerbates this already complex problem is the myriad of different laws and regulations facing each organization. With so many laws and regulations out in the wild, it's not surprising for information security departments to feel overwhelmed and create unplanned and improvised programs protecting only the proverbial "low hanging fruit." Furthermore, risk management, when conducted improperly, could share some of the blame for poor security practices. If a proper risk rating cannot be ascertained during the risk assessment, poor decisions can follow, such as accepting a risk in a way that greatly raises the organization's risk appetite, or mitigating a risk that should have been accepted.
Now, I'm not saying risk management and the patchwork of laws and regulations have no place in legal defensibility, because they do. Risk management is a very important spoke in the legal defensibility wheel, as it demonstrates that an organization is acting reasonably when it comes to securing its information. Also, a law is a law; if you have to follow it, then you have to follow it. However, only following the minimum requirements of any law or regulation won't necessarily make your organization more secure. In fact, it may even give you a false sense of assurance.
What legal defensibility will provide in the above situations is a reasonable standard that supports a defense against potential lawsuits or fines if the organization suffers a breach of its information security. For instance, an organization that follows only the "minimum necessary" mentality may realize after a proper legal defensibility assessment that its current state of security was not adequate and would not meet a "reasonable" standard. In this situation its entire information security program may be worthless if it cannot provide a shield in a legal or regulatory action.
For example, a certain regulation may have stipulated the implementation of only some type of access control, but let's assume it would have been more reasonable to also implement some sort of encryption. Consequently, should a breach occur, the legal system may carry an unfavorable opinion of your security program for not implementing an encryption solution and may even view your organization as being incompetent. This could result in higher liability expenses, fees, and fines. This is especially true if the law or regulation does not provide a safe harbor for meeting the minimum requirements.