Jeff Jinnett: Value of an IT Security Due Diligence Document/Risk Mitigation Plan

If a company were ever asked to describe its IT security program, the company likely would have to bring in numerous staffers from the IT department and refer to reams of documents to present a full picture of the company’s IT security approach.  The need to be able to describe the company’s IT security program in layperson’s terms, without having to resort to a series of technical interviews of IT team members, could arise if the company is sued as a result of a data security breach and has to describe its IT security program to a jury.  It also could be necessary if regulators, board directors, bank lenders, outside accountants, insurance underwriters, or other critical third parties meet with the company and seek information about its IT security program. 

A due diligence document summarizing the company’s IT program could be very helpful in this situation, since it could be prepared based on interviews with key IT department members and a review of relevant documents.  The due diligence document would be designed to make the company’s IT security approach as clear and understandable as possible.  Rather than being prepared to be an attorney-client privileged document, the summary due diligence report would be designed to be disclosed.  In addition, in the course of finalizing the summary due diligence record, the company would in effect be creating a “risk mitigation plan” for the program, since the process of interviewing project team members and reviewing documents would force the company to step back and look at its overall program from the view of a third party.

In addition to providing a “30,000-foot view” of the company’s IT security approach, the risk mitigation plan (RMP) could include references to industry standards, private sector white papers, public sector directives, and other third-party “best practice” guidelines the company believes match portions of its IT security approach.  For example, the company could obtain a HIPAA[1] Security Accreditation from URAC[2] and cite this as an “external validator” of the company’s IT Security approach. The URAC HIPAA Security Accreditation[3] can be applied for by any company having to deal with “protected health information”, such as a HIPAA “Business Associate”, not just by healthcare companies.  Since HIPAA is arguably the most stringent U.S. Federal IT standard for the private sector, evidence of compliance with the HIPAA Security Rule[4] could be helpful in validating the strength of a company’s IT security program.

Alternatively, the company might have an outside consultant review the IT security methodology used by the company and have the consultant write a report stating that the company’s methodology is substantially similar to the consultant’s own methodology, which the consultant has used for comparable companies.  By creating the RMP and attempting to find “external validators” for each of the key IT security program documents, the company is forced to think in terms of how best to defend its IT security decisions as meeting best practices to the extent known at the time. 

The drafting of an IT Security RMP also enables the company to see where its IT security program may be subject to attack in litigation as not matching industry standard practices. This gives the company time to locate a potential expert witness who could support the company’s deviation from the industry norm as reasonable in light of the company’s circumstances.  Since the preparation of the document requires interviewing the key IT department members to debrief them on their understanding of the IT security program, it also will give the company and its in-house and outside counsel the opportunity to determine which IT department members would make the best witnesses to testify on behalf of the company should it become involved in litigation.  The company also could seek to introduce the RMP into evidence as the outset of the company’s defense as a pre-existing business record kept in the normal course of business[5]. The RMP could help to persuade the jury that the defendant company was not guilty of gross negligence or willful misconduct, so as to avoid the imposition of punitive damages.

Athough readers of this blog may think that the effort required to create the IT security RMP only makes sense for a Fortune 500 company with a large IT security program, it could also be helpful for small and medium-sized companies.  This is because business partners may begin to worry about the IT security-readiness of their smaller business partners.  If a small or medium-sized company cannot convince its business partners that it has a good IT security program in place, it might lose its business partners to a larger competitor due to the business partner’s “flight to quality.”  If the smaller company had created an IT Security RMP, it could disclose that document (subject to appropriate confidentiality agreements) to the business partners in order to reassure them and preserve the relationship.



[1] Health Insurance Portability and Accountability Act (HIPAA): see
[2] URAC is a healthcare accreditation organization: see
[3] See
[4] See
[5] This is relevant for admitting evidence under the business records exception to the hearsay rule under U.S. Federal Rules of Evidence, Rule 803(6): see


Jeff Jinnett is Governance, Risk Management & Compliance Industry Market Development Manager, US Financial Services Group, for Microsoft Corporation.  Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene & MacRae, LLP (now Dewey & LeBoeuf) and has experience in advising Fortune 500 companieis in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs.  Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersectiion of law and technology.  He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance & Ethics (SSCE).