Get with IT: Once More Into the Breach
Imagine the scenario: Your network has been penetrated and sensitive data has been exposed. From a public relations mess, to an expensive forensic analysis, to mishandled breach notifications to those affected, everything that could possibly have gone wrong has gone wrong in the aftermath of the breach.
Soon thereafter, your clients and business partners discover what happened and you end up getting sued. The expert witness for the plaintiff's attorneys has provided guidance as to what could have been done to prevent this data breach, the systems and controls that should have been in place, as well as how things should have been handled once the breach was detected.
The plaintiff’s legal team sends over document requests asking you to produce the following:
• your security policies;
• your security standards for passwords, secure software development practices, data encryption and security vulnerability testing;
• security procedures including your security incident response plan;
• network diagrams, information flow diagrams, and information classification documentation;
• security awareness plans, including attendee lists and/or electronic training/testing records from the past year's education sessions; and
• the latest information security assessment report or audit.
Are you prepared to produce such documents? Producing them is likely the least painful part of the process. If the legal proceedings reach the point of tough questions being asked in interrogatories, depositions and possibly even a court appearance, a seemingly minor security lapse can weigh heavily on you and your business if you are not prepared.
Do not take this the wrong way: I am not trying to sensationalize this risk, but I also do not want to trivialize it. I am seeing these very scenarios in my work, and the reality is that you likely have security flaws on your own network, in your Web applications and databases, and on your mobile devices at this very moment. Furthermore, lawyers are becoming savvier about IT and information security issues, so the likelihood of such an issue continues to grow. The question is not whether the security flaws in your environment will be uncovered, but when. Will the exposure be an inside job? Will the flaws be uncovered by random or targeted attacks from the outside?