How the Language used in your Security Policies could land you in Legal Hot Water

How a single word in your security policy could cost you thousands in legal fees

Introduction

We've all been there: you crafted what seems like a bulletproof security policy. Your legal team approved it, executives signed off, and employees were trained. Then one day, an employee violates your security protocols, and suddenly you're in court explaining why you fired Sarah from accounting but only gave Mike from marketing a written warning for what appears to be the same violation.

Welcome to the world where words have consequences—sometimes costly ones.

As one security expert put it, "A roar from a paper tiger does little to prompt action; appropriate disciplinary action is an essential part of enforcement." But here's the twist many organizations miss: the language you use to describe that disciplinary action can either be your legal shield or your legal sword—pointed directly at your own throat.

The Million-Dollar Word: "Will" vs "May"

Consider for a moment these two policy statements:

"The enterprise will terminate employees who violate our data protection protocols."
"The enterprise may terminate employees who violate our data protection protocols."

That single word change ("will" vs "may") represents the difference between a mandatory obligation that locks your organization into forced action and a discretionary framework that provides flexibility to consider circumstances, intent, and proportionality.

Mandatory Language Becomes Legal Liability

When you use "will" in security policies, you're creating what legal experts call a "mandatory obligation." Every time an employee violates the specified policy, your organization is legally bound to take the promised action, regardless of circumstances, intent, or actual impact. In other words, once you've committed to that language, you've removed any discretion you might otherwise choose to apply. If you said you "will" terminate employees for certain violations, then you must terminate every employee who commits those violations, which creates several dangerous scenarios, as in these examples:

  • Terminate Sarah for accidentally emailing client data to the wrong address, but only warn Mike for downloading unauthorized software? Sarah's attorney may argue gender discrimination, using your own policy language as evidence.

  • A new employee accidentally clicking a phishing link presents a very different situation than a veteran deliberately circumventing security controls. Mandatory termination language eliminates your ability to consider these crucial differences.

Perhaps more importantly, when employees see colleagues terminated for minor mistakes while serious violations by others are handled differently, the resulting fear and inconsistency undermine the effectiveness of your security posture.

The "May" Safety Net

In the previous example, using "may" language transforms your policy from a rigid mandate into a flexible framework. According to Cornell Law School, "may" is "an expression of possibility, a permissive choice to act or not, and ordinarily implies some degree of discretion."

And this discretion provides critical advantages:

  • Proportional responses: Match punishment to the severity and intent of the violation

  • Protection against discrimination claims: Different consequences can be justified based on circumstances

  • Managerial flexibility: Supervisors can make thoughtful decisions without being locked into predetermined outcomes

  • Reduced legal exposure: Avoid wrongful termination lawsuits based on inconsistent policy enforcement

Other Common Language Traps

The "Shall" Confusion

"Shall" may sound official and legal, but it's often misused. The Michigan State Bar found that 56% of "shall" usage in contracts was legally problematic. Legal experts recommend avoiding the use of "shall" entirely in policy language, as it creates confusion about whether provisions are mandatory or descriptive.

Instead of:

"Employees shall report security incidents within 24 hours."

Consider:

"Employees must report security incidents within 24 hours."

Absolute Statements Create Absolute Liability

Let's consider other examples: "zero tolerance," "all violations," and "never acceptable"—these absolute terms sound strong but can create legal nightmares when reality proves more complex than your policy anticipated. Why?

  • The Problem: "All security violations will result in immediate termination."

  • Better: "Security violations may result in disciplinary action up to and including termination."

Additionally, vague phrases such as "appropriate action," "serious violations," or "reasonable security measures" offer no clear guidance and lead to inconsistent enforcement. So, instead of "Violations will result in appropriate disciplinary action," consider: "Violations may result in verbal warning, written warning, suspension, or termination."

Real-World Consequences

A financial services company learned this lesson the hard way. Their policy stated: "Any employee who transmits confidential client information to unauthorized recipients will be immediately terminated."

When two similar incidents occurred—one involving a 45-year-old senior manager's accidental email error, and another involving a 28-year-old analyst deliberately forwarding client data to a personal email—management terminated the younger employee but issued a warning to the senior manager.

The result? A discrimination lawsuit costing $180,000 in legal fees plus a $95,000 settlement. The company's own "will be terminated" language became the centerpiece of the case against them.

Your Action Plan: Fix Your Policies Today

Review your security policies and look for examples of the above. Understanding policy language isn't just about protecting your organization—it's about advancing your career. Cybersecurity professionals who can bridge the gap between technical requirements and legal compliance are incredibly valuable.

Your security policies should protect your organization, not prosecute it. The difference between protection and prosecution often comes down to a single word choice.

Every word in your security policies carries weight. "Will" versus "may" isn't just semantics—it's the difference between flexibility and rigidity, between policies that serve your organization and policies that could destroy it.

The organizations that thrive will be those that recognize policy language as a strategic asset rather than a compliance burden. They'll invest in getting the language right, train managers to implement policies effectively, and create cultures where security and legal compliance work together.

Key Takeaways

  • Replace "will" with "may" in disciplinary language to preserve flexibility

  • Avoid absolute terms like "zero tolerance" that eliminate discretion

  • Use the present tense instead of confusing "shall" language

  • Define vague terms like "serious violations" with specific examples

  • Include flexibility clauses that allow consideration of circumstances

  • Conduct regular policy audits to identify problematic language

  • Train managers on proper policy implementation and documentation

  • Consider policy language a strategic business decision, not just legal compliance

You can find out more about how to use plain language in contracts in this podcast.
