
Where do we find the detail of security law?

26 October 2023

Stewart Room, Head of Technology, Media & Communications Sector, looks at the detail of security law. 

Part I

Wherever there is an operational requirement for security, there tends to be a legal obligation. Wherever there is a legal obligation for security, there is always an operational requirement. Security law and operational security practices are essentially twinned and indivisible.

There are many situations where the law will impose requirements for security, with examples being for the protection of critical national infrastructure and for the protection of personal data. Many readers will be able to identify the broad thrust of these obligations, for example that there is a need to take reasonable care to protect computers and communications systems from cyberattacks and confidential data from misuse.

The taking of reasonable care might be described as taking steps and measures for security, or applying security controls.  Utilising some of the legal language in this area, there are many situations where we talk about implementing appropriate technical and organisational measures for security, or words to that effect.

However, the full parameters of the legal duties for security are not always clear, especially when we consider the legislation in this area. Legislative requirements for security are always drafted at a high level, mainly to ensure that the law is “future-proof”, but this leaves those under a duty with a puzzle: where do they find the full detail within the law?

The gap is partially filled by case law, that is the decisions of judges and tribunals within legal proceedings, and by the guidance provided by regulators, but even in the most active legal system many gaps will remain. The legal system itself can only take things so far. In fact, the law as we currently understand it has barely scratched at the surface of what needs to be done to satisfy the duties that it has set. We need to resolve this puzzle.

Take the GDPR as an example. The idea of “appropriate technical and organisational measures” is found in a number of places in the legislation, including in Article 32, which is concerned with the security of processing of personal data.

Article 32 requires controllers and processors of personal data to consider a number of factors, including the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

Comment

These requirements clearly cover a lot of ground and it does not take much imagination to recognise that they will impact upon many more aspects of business than simply the technology and data that need to be secured. After we ponder upon Article 32 for a little while, we recognise the puzzle for what it is, which is that A.32 sets out a series of requirements, the details of which it fails to fully explain.

So we have to look at security law in a different way, if we are going to understand the full detail of its requirements.

The solution is straightforward and easy to grasp: the details of security are found in the requirements of operational security itself. In other words, wherever a legal duty for security exists, the duty defers to the requirements of operational security to set the details of the duty. Operational security experts own the legal details.

Part II

In part 1 above, Stewart made the point that security law and security operations are twinned and that if you want to find the detail of the legal requirements, you need to look in the direction of operational security itself.

A good way to look at this would be to consider a professional negligence case. Such a case might concern the actions of a medical professional, or an engineer, or an accountant, or a lawyer, for example. Where professionals provide services to third parties, a duty of care will arise governing their work. Often legal cases concerning the performance of these services are described as “professional negligence” cases. 

The law of negligence forms part of the law of tort. There are many situations where a duty of care in negligence will be imposed, such as on the roads, which is why there is so much car crash litigation. Broadly speaking, the law of negligence will apply where the parties are reasonably proximate to one another (i.e., in a close enough relationship), it is foreseeable that their acts and omissions could cause the other person harm, and it is fair, just and reasonable for a duty of care to apply. Therefore, the professional will carry a legal duty to perform their services with reasonable care and skill and they will be liable for any damage that results from a failure to do so, to the extent that such damage is reasonably foreseeable.

For example, if a surgeon performs an operation that causes unintended harm to the patient, they will be liable if that harm resulted from a failure to perform the operation with reasonable care and skill. This amounts to a fairly good statement of the law, but the problem with it is obvious when you think about it: what will amount to the exercise of reasonable care and skill during an operation? What standards apply to the performance of surgery? How do we determine the detail of the legal duty?

Comment

We can start to answer these questions when we think about how a trial is conducted. At trial, the surgeon and the patient will both rely upon expert evidence, to explain the details and standards that apply to the medical procedure that is being litigated. The expert evidence will be provided by witnesses who are expert in the field of surgery that is being examined in the case. They will probably be surgeons too, or distinguished academics, or researchers in the field, or perhaps all three. With the assistance of the experts, the court will try to understand the consensus of professional opinion on how the procedure should be best performed and the surgeon’s actions will be measured against that benchmark.

Hopefully it will be clear that what happens in a clinical negligence case is that the detail of the law’s requirements will be found in surgical practice itself. In other words, we see the twinning of the law and the operational requirements described earlier. To all intents and purposes, security law resides in the same zone as the other professional and technical disciplines and any disputes about the law’s requirements will defer to expert opinion on operational security matters.

So, if we are to stand any chance of understanding the detail of security law, we have to begin our journey with an examination of operational security. There is no other or better starting place.

Please note this was originally published in a two-part blog series with Security.Law.

If you need any advice in relation to the above, please contact our author Stewart Room.