When building a disaster recovery program,
The first three legal issues to address in your business disaster recovery plan are: advising your legal staff of your DR activity; inviting them to be part of your planning team; and encouraging their views and inputs on the legal issues that must be addressed.
For example, during a business impact analysis, ask your legal staff to identify legal situations, e.g., potential lawsuits, regulatory violations, that might occur in the aftermath of a disaster. Consider technology outages that could cause a failure to submit reports on time to federal agencies such as the Occupational Safety and Health Administration (OSHA), Department of Health and Human Services (DHHS) and Department of Homeland Security (DHS), as well as various state and local agencies. This could result in penalties, fines, and possibly other sanctions. In a disaster situation, your organization may be suddenly put into a position in which it may be unable to adhere to various statutes simply because it is unable to function normally.
Another issue to address during a BIA would be to identify the legal implications to the organization of an alleged failure to adequately protect employees following a disaster. Your legal staff should be able to identify potential litigation situations which could compromise your organization’s ability to function. You should also have your legal staff also review your DR plan to ensure that it addresses your organization’s legal obligations, where applicable.
If your existing legal department does not have expertise in risk management and disaster recovery issues, you should consider retaining counsel with this particular expertise. And if you don’t have your own legal department, contact your external law firm to see if it has expertise in the legal implications of disasters or can recommend a firm that does. It is your organization’s responsibility to comply with the law and, as a DR professional, you can help ensure that your organization maintains its legal position following a disaster. You can identify attorneys with this special expertise through lawyer referral services, the American Bar Association, as well as state and local bar associations.
Company officers and directors may be liable in lawsuits that arise from a disaster. Directors and officers have a responsibility to exercise due diligence in overseeing the activities of the organization they serve. They are required to act in good faith and in the best interest of the organization. For example, in a disaster, the company may be unable to file a report or maintain certain records, as directed by laws or statutes. Directors or officers of the firm may be held liable for an offense under those statutes. Additional examples of director/officer liability include allegations of mismanagement, financial losses, failure to provide employee safety, or failure to repair environmental damage following a disaster.
Legal issues to address in DR planning
Legal issues that should be addressed in your business disaster recovery plan include contracts, negligence, employment, security, and compliance with workplace health and safety regulations, such as those monitored by OSHA. Let’s briefly examine each.
In contracts, a good example is the issue of supply chain management. If your supplier contracts do not have provisions for addressing failure to deliver goods and services, your organization may be liable for lawsuits from your customers if your company fails to deliver products on time.
In the aftermath of a disaster, your organization could be cited for negligence in not being prepared to deal with a disaster. The concept of duty of care applies in this situation. It describes situations in which an individual or organization may be required to perform specific activities in such a way as to minimize the potential for any harm to come to the intended recipients. For example, failure to provide a suitable duty of care to employees – in the form of emergency procedures and evacuation plans to ensure their safety and protection in a disaster – could be grounds for an accusation of negligence.
Another area of concern is dealing with employees following a disaster incident. Those issues include ensuring their safety in a disaster, preventing them from selling critical information to a competitor, and possibly even how they would continue working following a disaster.
Loss of security in a disaster is not limited to physical security, e.g., protecting buildings from unauthorized access or protecting inventory from theft. Breaches involving information security could trigger lawsuits, especially if negligence can be proven.
Finally, OSHA has numerous regulations governing workplace conditions, employee safety, privacy, and even intellectual property. Be sure your DR planning addresses ways to maintain compliance with these regulations.
Protection of information – whether physical or electronic – is a critical issue, and one that can create legal nightmares if critical information is not properly secured. For example, if you work for a healthcare organization, the confidentiality, integrity, and availability of your patient data will be governed by regulations under the Health Insurance Portability and Accountability Act (HIPAA).
On the chance that company records and other information are subpoenaed, your main concern will be that the data is complete and hasn’t been damaged. Guidelines for record retention (e.g., hard and electronic copies of information should be stored for 30 years) have been articulated by ARMA International and should be addressed by DR plans. Be sure to coordinate the records protection aspect of your DR plans with your records management department.
About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter and can be reached at email@example.com.
This was first published in January 2012