Developed in partnership with attorney Gilberto Martins de Almeida, professor of Information Technology Law at the Rio de Janeiro Catholic University and partner of Martins de Almeida Law Company, the legal checklists seek to help organizations and managers comply with the laws and regulations currently applicable in Brazil, which are aligned with the requirements of the main Information Security standards. Because of their content, the checklists "Managers' Civil Liability", "Electronic Monitoring & Privacy", and "Contracts with Service Providers and Third Parties" are directed towards the needs of Information Security professionals, but their benefits extend to administrators and lawyers as well.
Managers' liabilities and the checklists
According to the new Brazilian Civil Code, in the event of any security incident in which negligence, recklessness or malpractice by corporate managers (Directors, Information Security Managers, and managers of other areas) is proved, the managers can be individually liable, and so can the company.
The new Managers' Civil Liability checklist will help protect managers and administrators, reducing risks related to Security management within organizations. This checklist instructs managers on what must be done to maintain security, suggesting the controls and care that must be applied in each specific environment of the organization.
"Risk Manager draws an honest picture of an organization's Information Security. This type of complete and previous picture is accepted by courts as evidence that the company has taken the necessary precautions. The acquisition and proper use of Risk Manager proves that managers are taking action, within their possibilities, to prevent problems", states attorney Gilberto Martins, who helped develop the checklist.
The Electronic Monitoring and Privacy checklist assists in the implementation of controls complying with laws on electronic monitoring of the company's employees, supporting executives by protecting the company from potential labor, civil and criminal lawsuits.
"Companies often monitor employee e-mail in order to avoid information leakage and fraud, to deal with the competition, and to comply with requirements from regulating agencies. Invasion of privacy is a crime, but it's possible to establish system usage rules that make it clear that e-mails and messages will be recorded. The company needs to protect itself by establishing clear and specific policies on the matter and informing users that the information is being recorded", says Fernando Nery, a founding partner of Modulo Security. The Supreme Labor Court ruling in favor of a company that had dismissed an employee for improper use of the e-mail system shows the care that has to be taken by institutions concerning invasion of privacy or maintenance of the company's assets.
Using the Contracts with Service Providers and Third Parties checklist, you can identify and avoid clauses that may compromise Information Security in the contracting company. Thus, the company can protect itself against criminal, labor, or civil compensation lawsuits, including those concerning outsourced services. This checklist protects the organization from legal risks regarding negligence, recklessness, and malpractice in hiring service providers and third parties in any sector of the company.
By helping the company comply with the controls suggested by these Risk Manager checklists (www.modulo.com), the Information Security professional will be contributing to the prevention of legal risks that may affect him/herself, the company's senior management, and the company itself, reducing exposure to fines and other legal penalties, and conforming to the main Information Security standards that require this type of prevention.