Answer the following Questions:

In context of businesses operating within the United States and it's territories: What are the rights of the "Bad Guys" (E.g.; Organized Crime, Nation State Threat Actors, Hacktivists, etc.)? What authority has been given (citizens have rights, not government. Government has authority given by citizens) to local/state/federal Law Enforcement? How about rights of manufactures or technology service providers? Of Individuals; perpetrators and victims alike? Of private organizations/businesses? Where is the line between what should and should not be private? Why? In context of the aforementioned questions, what potential impacts are there for Information Security professionals? What are their personal and professional liabilities? What does 'going dark' mean in context of technology and data privacy? If laws and/or precedent pertaining to organizational 'compliance' change, who is liable? Where is the line where your personal perspectives give way to, are superseded by, your organizational responsibilities? Is there one? How about in reverse: Is there a point where your organizational perspectives and responsibilities give way to, are superseded by, personal ones? When establishing frameworks, controls, policies, codes of conduct, in support of organizational risk mitigation, does 'it depends' or 'situation dictates' approaches assist or detract from organizational success? Are variations within an organization advisable? Why or why not? Is situational flexibility/interpretation scalable from SMB (Small and mid sized business) through Enterprise? Why or why not?

Personalize discussion submission to your (future) business organizations:

Why might context below be difficult for CISO's to navigate? Why might InfoSec be viewed negatively by peer business functions/teams as well as other employees? Why might InfoSec become over extended/perceived as ineffective? How might a CISO reduce risk of extending the InfoSec organization beyond effectiveness?

Context:

"When it helps me I am for it, when it hurts me I am against it."

We have researched, studied, and discussed best practices for organizations and people to protect themselves against Security Threats. This is a step into the void: CISO's are often asked to provide executive advice, and create organizational policy. To balance between individual rights, public perception/branding impact, governmental authority, and litigation risk with a directive to employ technological solutions under presumption technology will meet the aforementioned business demands.

There is tension between Law Enforcement, businesses, and individuals as it pertains to data rights and individual rights related to privacy. Think FBI Vs. Apple and access to iPhone belonging to terrorist who killed multiple people in San Bernardino, California. Think Edward Snowden and case of your emails, texts, phone calls, your contacts, essentially anything digital. Think Ancestry sites and law enforcement scanning for DNA links. Think small business and customer contact/address spreadsheets.

Present data piracy (as in theft of) and privacy situation between entities predates the United States and appears ever ongoing. Multiple technology producers/providers implement 'back doors' for government to acquire data on individuals and organizations without specific individuals' consent (CIA AAA +P). Multiple technology producers/providers reject requests for 'back door access' from some governments yet support same request from others. Policies, procedures, and laws make it difficult for these same organizations and individuals to review what data and/or information has been collected and maintained by governmental agencies if purchased or acquired through 'back doors'. Such data collection and monitoring preceded 'The Patriot Act.' Additionally, collection, analysis, and selling of private and protected data is an established business model. Think Palantir (PLTR).