If spam, viruses, spyware, tiny budgets and huge expectations aren’t already keeping you awake at night, maybe lawyers will.
Speaking in Ottawa recently, at the First Public-Private Sector Summit on National Security, Jacques Shore of the law firm Gowling Henderson Lafleur described a grim world for government managers – a world awash in lawsuits.
“Public sector entities that fail to gather, evaluate and-or disseminate critical information in regards to the protection of critical infrastructure and national security may face actions in damages,” Shore warned.
In effect, Shore was advising that the old saw which holds that “you can’t fight City Hall” is no longer true, if indeed it ever was. Citizens can and will pursue legal remedies in the courts when government has demonstrably failed to protect their persons and property.
Governments have no higher duty than protecting their citizens. In 2004 the National Security Policy explicitly referred to and emphasized the government’s duty to keep its citizens safe from harm. Now, governments in Canada, through legislation and judicial decisions, are becoming more exposed to lawsuits from citizens who feel wronged.
In today’s increasingly litigious society, it takes no leap of imagination to create a scenario in which angry taxpayers haul public sector IT security executives into court to explain why software critical to road safety, food inspection or a hundred other functions fell victim to vulnerabilities, even while patches were available or updated versions sat uninstalled.
In Ontario, the Superior Court of Justice is looking at a North York General Hospital nurse’s claim that she got SARS when some anti-infection protocols were removed. Did public officials fail in their duty to protect her as a member of the public?
In February, Radio-Canada television crews created a controversy when they drove right into Hydro-Quebec dams and passed unchallenged through unlocked doors until they reached control panels. As Shore said, “… if a government or government agency, much like Health Canada or Hydro-Quebec in the earlier example, fails to take action to aid in the security of citizens in preventing cascading damages from a terrorist attack or protecting CI, and preventing harm upon citizens or industry, claims may be sustained by a finding of a neglected duty of care.”
Shore was speaking in the context of security-related public-private partnerships. “Critical infrastructure owners and operators who fail to implement security measures in tandem with government,” he said, “may be held liable for ignoring a recognizable danger, based upon knowledge of the existing facts, and some reasonable belief that harm may possibly follow.”
Much of our critical infrastructure, especially in telecommunications and information technology, is privately owned. In many public sector agencies, even if not explicitly stated, the relationships with IM/IT and telecommunications vendors are so close that they may constitute a de facto partnership.
Shore believes it is in the best interests of governments and critical infrastructure owners, and the public they serve, to recognize their mutual obligations. He makes it clear that infrastructure owners may be legally obliged to advise governments about potential vulnerabilities they have identified and to seek government assistance where they could not be expected to adequately secure the facilities themselves.
In March 2004, speaking as Chair of the International Joint Commission, former Deputy Prime Minister Herb Gray told a Senate Committee of his security concerns about dams and power generation plants that cross the waterways between Canada and the United States. Said Shore: “This warning call from Mr. Gray is significant enough that it must be noted and addressed. Without that, governments risk being accused at a later date of not taking reasonable steps – following generally accepted standards necessary to meet duty of care considerations.”
(Interestingly enough, the policy-making arms of government remain clear of these legal entanglements. In Canada, Shore said, government actors are liable in negligence in tort claims for operational decisions, not policy decisions, because policy is the prerogative of the elected legislature.)
Information technology is inextricably bound up with critical infrastructure. Canadians and their courts will expect governments to work in close collaboration with their private sector partners to ensure their safety. It is not enough to get it right internally, because there is an obligation to ensure that partners are getting it right as well. It is not enough to say the skills and assets are not available internally when partnerships could make them available. It is not enough only to identify and correct problems internally, when timely notification can prevent loss and damage elsewhere.
As Shore points out, failure to implement the best security solutions possible, whether public, private or partnered, may mean not only tort claims against the government, but “… an unforgiving public with its resulting significant political fallout.”
Richard Bray ([email protected]) is an Ottawa-based freelance journalist specializing in high technology issues.