INFORMATION SECURITY - See You in Court
C. Lee Jones, chairman and CEO of AmericasDoctor in Gurnee, Ill., and former vice president of IT of global pharmaceutical business at Abbott Laboratories, is one of many CIO-types watching with concerned skepticism. Jones says he would be shocked if the Eli Lilly incident didn’t result in legal action. "The lawyers follow the blood trail," he says. "They’re like sharks out there. When you have ill-defined laws, you’re going to have attorneys try to set precedent."
Security Safeguards
CIOs looking for a sure way to avoid the coming deluge of legal action aren’t going to find one. "Anybody can sue anybody for any reason at any time," says Bruce L. Dean of Karger, Key, Barnes & Springer in Dallas, one of the defense attorneys in the C.I. Host case. "All it takes is money and convincing a lawyer to file the case."
Dean got the June 2002 trial date scratched from the court’s calendar by arguing that his client, the Santa Clara, Calif.-based Web-hosting company Wintelcom, didn’t have any business ties in Texas. Future cases may require more than that. Attorneys agree that CIOs should follow the "prudent man rule," a legal term that Attorney Langin explains as, "the duty to do what a prudent person would do to protect information assets."
To keep lawsuits from sticking, Langin and others offer these tips.
- Establish and implement an in-house security policy. This number-one security best practice involves setting and communicating rules for how your company protects and handles data. Milwaukee-based FBI Agent Mark Bowling points out that if a company has a security policy, "then you can demonstrate that you have standards you adhere to. We’ve certainly found instances where you have [victims damaged by an attack on someone else], where the primary victim’s security was not as sophisticated or as well-documented as it otherwise could be."
- Have a security audit done. Once a company has a policy, officers should make sure it’s being followed. Security firms, corporate auditing companies and even insurers can conduct independent tests of a company’s security measures, from physical weaknesses to the configuration of firewalls to how vigilant employees are about protecting information assets. "If you have a third party come in and review [your information security], then it helps prove your case," explains Theodore Claypoole, an attorney for Womble, Carlyle, Sandridge and Rice’s technology transaction group in Winston-Salem, N.C., and former in-house legal counsel for Bank of America and CompuServe. "You can say, ’Look, we spent money to have a reputable company review our procedures; we took those suggestions, and we made those changes.’"
- Remember security in contracts. Legal counsel and information security specialists should work together on putting security parameters into contracts with business partners and outsourced service providers. Then they should do their homework. "Clearly you have much less control over an outside party than you do over your own employees, and it’s vitally important for a company entering into an outsourcing operation to actually check the security of the contractor’s computers rather than just leaving it as a matter of agreement," Claypoole says.
- Don’t make promises you can’t keep. Companies shouldn’t set themselves up for a breach-of-contract lawsuit with overzealous marketing or sloppy promises. "I think if you look at privacy policies [on websites], you’ll see that," says Fred H. Cate, professor of law at Indiana University and senior policy adviser to the Center for Information Policy Leadership. He points out that wise companies say they use "appropriate security measures" rather than promising perfect information security.
- Pay attention to regulations affecting your industry. The Gramm-Leach-Bliley Act for the financial services industry and the Health Insurance Portability and Accountability Act for health-care companies dictate how customer information should be protected. Companies that do business overseas may have to follow rules established in other countries, such as the European Union’s strict guidelines. Companies that don’t meet those requirements will face penalties or lawsuits.
- Consider purchasing e-commerce insurance. Basic business insurance policies typically do not cover the risks associated with doing business online. Cyberinsurance, which is offered by established insurance groups such as AIG and newer, e-centric groups like Insuretrust, fills the gap by covering liability and direct damages from information security breaches. The cost of cyberinsurance varies, based on the size and scope of an organization’s computer systems and how thoroughly the company has addressed security. Many security experts predict that in the future, these policies and the standards they impose will shape how companies protect their systems.
- Pay attention to what similar companies are doing. Because so many companies are bungling security, it may be simple to prove you’re doing as much as anyone else. "Everybody has bad security today," says Steve Hunt, a Chicago-based analyst with Giga Information Group. "There’s simply not an awareness or an understanding of what is good security." The best you can do is prove you’re trying: that you’re doing as much as the company next door.