Minimizing Liability of the Organization

A business liability emerges when an organization cannot meet its obligation or duty. Business liability is a subset of an organization’s overall risk exposure. An obligation can be either a legal or a promised commitment.

If a business fails to follow the law, it has violated its legal obligation. This liability leaves the organization open to potential fines or limits how it conducts business. In rare cases, an organization can be found to have engaged in criminal conduct. Its officers could then face criminal charges.

A business not living up to promised commitments loses the trust of customers. When a business fails to deliver the product or service it promised, the liability is lost business. Customers post complaints on the Internet, creating the potential for lawsuits and more business loss. Customer opinions are easily and widely spread today via social media, postings on product review sites, and the like. It is increasingly important that businesses live up to their commitment to customer service.

NOTE

Business liability occurs when a company fails to meet its obligation to its employees and community. A business’s legal obligation is an action it is required to take in compliance with the law.

The role of security policies is to reduce these liability risks. When hackers breach a company’s security, for example, you often have both trust and regulatory issues to deal with. Each event has potential liabilities. Reviewing past events to predict future situations will help you gauge overall risk exposure and specific business liabilities. Policies must define the proper handling of each of these types of events.

Separation Between Employer and Employee

It is important that an employer act quickly when a known violation occurs. The employer may not be responsible for an employee’s action, but the employer’s failure to act will create the impression that, despite written policy, the employer condones the employee’s action. This could create legal liability for the employer. It’s not enough just to have a written policy. The policy must be enforced. Employees must be held accountable and, as needed, disciplined for noncompliance. This protects the customer and the employer.

Policies make clear to an employee what acceptable behavior is. Policies also provide a degree of separation from employees who fail to follow rules. A business can point to its policies as a statement of what should have occurred. The ability to defend the organization’s position to the public and regulators is an important byproduct of security policies.

However, just having security policies will not create this separation. The business is obligated to take steps to implement and enforce the policy. Some of these reasonable steps include:

  • Policy—Have clear security policies on the handling of customer information.
  • Enforce—Express strong disapproval when policy is not followed.
  • Respond—Quickly respond to incidents to minimize the impact to customers.
  • Analyze—Understand what happened.
  • Educate—Improve employee training.

These steps will minimize losses and show a commitment to customers. When challenged by the public or regulators, this will also help separate the employer’s actions from a rogue employee.

TIP

Be sure to work with in-house legal counsel on policy strategies to lay the foundation for defending the organization in the event of an incident.

Acceptable Use Policies

Acceptable use policies (AUPs) are formal written policies describing employee behavior when using company computer and network systems. Most AUPs outline what is acceptable and unacceptable behavior. They also need to outline the disciplinary process when an employee violates policy. Because the disciplinary process could lead to termination, the policy must be clear and concise. Many companies require the employee to sign the AUP to acknowledge receipt of the rules. Both the legal and HR departments always approve final draft policies. It is important that an AUP keep up with technology changes. It must be clear when personal devices are allowed during business hours. In particular, many company policies today cover mobile phone use. Often, these policies also include an overview of the use of cameras. However, few policies today cover the use of the wearable devices that are becoming available. Google Glass, for example, can take a picture with a blink of an eye.

The AUP is an important tool to create a legal separation between the employer and employee. Little tolerance exists for employees who create unnecessary liability for the organization. For example, using company computers to harass or threaten others, or view obscene materials, could result in termination.

Confidentiality Agreement and Nondisclosure Agreement

A confidentiality agreement (CA), also known as a nondisclosure agreement (NDA), is a binding legal contract between two parties. It is a promise not to disclose any information covered by the agreement to a third party. The agreement needs to clearly define the information covered. This reduces problems that may arise between the two parties or any other party asked to resolve legal disputes.

These types of employment agreements are often made at the time of hire. They outline what information should not be disclosed outside the company. These agreements could bind the employee from disclosing company information after employment terminates. If the organization did not have an NDA as part of the hiring process, this can be an issue later. It is important to begin implementing NDAs.

NDAs are not used only with employees. They are often used with business partners. The CA or NDA is often used to explore business opportunities before buying a product or service. Let’s say a company wants to hire a consultant to redesign a major computer application. Both parties would sign a CA. The company could then disclose its problems and the consultant would have more precise information on which to base an estimate. The CA would bind both parties even if the company decided not to hire the consultant.

NOTE

Not all CAs and NDAs are written the same way. They can be one-sided, granting excessive rights or penalties to one side. They should be reviewed by the legal department before being signed.

Security policies typically include guidance regarding when a CA or an NDA should be required. Most security policies require such agreements to be in place before any data can be exchanged. This includes requiring such agreements to cover employees and nonemployees, such as temporary or contract workers. This is especially important for nonemployees who may not go through the company’s normal security awareness training.

Business Liability Insurance Policies

Business liability insurance lowers the financial loss to the business in the event of an incident. Even when a business has well-defined security policies, problems can still occur. Business liability insurance will pay for losses within the limits of the policy.

Business liability insurance can be issued to both organizations and individuals. For example, a computer engineer performing consulting services could obtain professional liability insurance. Such a policy would cover any successful claims that the engineer was negligent or made errors. The same type of coverage would apply to large companies facing claims of negligence or error in their products or services. The provisions of the coverage need to be examined closely. For instance, coverage may depend on the company complying with industry norms. What does that mean? Let’s say you are maintaining a company website. Standards in your particular industry may dictate that you must perform annual penetration testing. Failure to perform the test, or to comply with your own policies, could lead to your insurance claim being denied.

An important benefit of this insurance coverage is the payment of legal fees. Even when a company is found innocent, the legal costs can be substantial. These policies do have limits, conditions, and requirements that the policyholder must meet. These policies also have exclusions. They do not protect a company that has committed illegal acts. Overall, these policies are another tool to further reduce risk.
