Annual ABA ISC+EDDE Meeting After-Report

| 1 TrackBack

The Saturday and Sunday preceding RSA has historically been set aside for the annual meetings of the American Bar Association (ABA) Information Security Committee (ISC), and now it's sister eDiscovery and Digital Evidence Committee (EDDE). This year we had very good discussions, particularly on the ISC side of the house (admittedly I spent more time there than with EDDE). There seemed to be some very interesting themes that were either new or escalated from previous years.

By the way of a little background... the ABA allows non-lawyer Associate members to join and participate in certain committees. The ISC is a perfect example where non-lawyer SMEs work directly with tech-savvy or tech-industry attorneys in partnership to help benefit the entire industry. EDDE is aligned along the same principles, but with a narrower focus.

Breach Notification
As per usual, there is a growing need and demand for, and burden from, breach notification laws. We need better data in order to help structure improved practices, push forward better risk management (and legal compliance) frameworks, and so on.

Protecting ePHI
HIPAA and HITECH are the big sticks motivating the healthcare industry these days. The bad news is that the industry is in no way ready to deal with these problems. Fortunately, legal departments are providing a lot of leadership in helping these organizations institute change. Unfortunately, legal professionals in generally are still far behind the curve on understanding the technical requirements in a meaningful way. Toward that end, the ABA is working to produce a ton of guidance (albeit in their regretfully long publishing pipeline) on the topic, and the ISC is directly engaged in producing these works, as well as working to proactively educate lawyers and the judiciary.

Imperative for Change
An ongoing theme from the ISC committee is a desire to assist with, if not shape, the legislative process. There are increasingly dire needs in areas like breach notification and reporting, supply change integrity, and so on, where the business world as a whole could benefit from a few sane, well-thought, well-written laws (rather than what we normally get;). To that end, many members have a keen interest in finding ways to help instigate change in a variety of arenas using various methods. This continues to be a strong theme.

Ongoing eDiscovery Challenges
The best quote from the entire weekend was from K. Krasnow Waterman based on her academic research/analysis on eDiscovery tools. She said that they are still finding that a good analyst with a poor tool still performs far better than a poor analyst with a very good tool. This observation of course applies well beyond just eDiscovery (SIEM, for example). Nonetheless, there remain challenges in this vertical despite the emergence and evolution of reasonable tools. One of the key areas mentioned was a lack of good sample data that can be used to develop and test tools against. It will be interesting to see how this area progresses in the future. The good news is that there are now tools that can handle billions of records, meaning real progress is being made.

Legal Defensibility in InfoSec

Thanks in large part to my friend Dave Navetta (co-chair of ISC), the phrase "legal defensibility" is starting to make it's rounds. And, even more encouraging is that lawyers actually grok the concept and are using (perhaps already) the term "defensibility" in their regular language. The next step will be expanding on the interest and use to get lawyers to start driving the term into their businesses and IT departments. Forget about compliance, it's time to think as an attorney: when you get sued, how will you protect yourself?

---
Overall, I thought this was an excellent round of meetings. ISC is working on several projects that have the potential for producing meaningful results. Now we just have to follow-through and get stuff done.

1 TrackBack

Not to be outdone by Anton, I thought now was probably as good a time as any to finally sit down and knock out some of my quick reflective thoughts on the week+ of RSA 2010. For those who don't... Read More

About this Entry

This page contains a single entry by Ben Tomhave published on March 1, 2010 4:54 PM.

The Need for Consumer-Oriented Intervention was the previous entry in this blog.

RSA 2010 - Innovation Sandbox: Not Really Innovative is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.

Monthly Archives

Pages

  • about
Powered by Movable Type 6.3.7