In the case of NotPetya, it is not simply a matter of many individual enterprises being hit but rather entire supply chains being hit as well. Reckitt Benckiser Group just announced they will likely have issues hitting their quarterly numbers because they could not invoice for millions of dollars because production lines were impacted. While you may have heard about FedEx being hit, Moller-Maersk (the world’s largest sea logistics operation) will also have their top and bottom lines take a sizeable toll as thousands of shipping containers could not be offloaded due to system failures/compromises of sea ports. Understanding cyber risk is a core element of understanding today’s business risk.
(Carter Schoenberg, Buying Cyber Insurance: Buyer Beware).
In May, a piece of ransomware known as “WannaCry” paralyzed businesses, government entities and Great Britain’s National Health Service in one of the largest global cyberattacks to date. The following month, it was “Petya,” another massive cyberattack that crisscrossed the globe, bringing Russian oil companies, Ukrainian banks and a mass of multi-national corporations to their collective knees. As the frequency of cyberattacks reaches epidemic proportions . . . many businesses still lack adequate protection. By taking the time to understand the threats, how to prepare, and what to look for in a cyber liability policy, you can ensure that your business has the coverage it needs to survive a breach.
(Evan Taylor, The Changing World of Cyber Liability Insurance).
Companies face an endless assault on their information technology (IT) infrastructure from anonymous attackers whose motives range from mischievous (much less likely) to felonious (much more likely). Breaking into servers, workstations, and Cloud providers to steal valuable information has become mainstream in the last decade. Lawyers must therefore play an increasingly significant role in addressing information security (InfoSec). Managing this issue is of paramount importance because InfoSec has evolved from an IT problem into a C-Suite strategic problem: a company’s reputation, valuation, business vitality, and customer confidence can hinge on how well it protects its information assets. This article explores how lawyers can and should play a greater role in InfoSec.
The breach of the U.S. Office of Personnel Management (OPM), the largest known theft of government personnel data, began with an intrusion that OPM InfoSec staff detected in March 2014; the attackers were widely reported to be working for the Chinese government. The intruders moved through the government’s IT environment for months, or longer, looking for the most valuable trove of information, and the resulting theft of personnel and background-investigation files on roughly 22 million past and current federal employees and applicants was not uncovered until 2015. A catastrophic event no doubt, but just one of the thousands of massive security breaches regularly hitting entities across the globe.
A common adage among technology professionals is that regardless of how much money or effort is spent securing an IT environment, if someone wants to get in badly enough, they will. There is no perfect security. An attacker need only find one way in, whereas the company must defend against an ever-growing number of increasingly sophisticated threats able to exploit the smallest technical chink in the IT armor.
As cyber defenses have become more robust, attackers have become correspondingly more sophisticated, whether moving undetected within a storage environment, breaking into a military facility’s network, stealing product design drawings, or holding information hostage with ransomware. We are entering a new era of information terrorism.
Vigilance in combating information terrorism is essential. Every facet of modern life is connected, and that connectedness means more harm can be done, more quickly, with fewer ways to combat it. The assault on InfoSec and the fight against information terrorism will require multidisciplinary teams that enlist lawyers and legal departments to play a more active role in making InfoSec a reality for their organizations. But what can lawyers do, practically?
Most lawyers still do not view InfoSec as their problem; anything related to technology is perceived as the exclusive province of the technology department. Historically, a lawyer’s only involvement was likely some contracting responsibility for a technology acquisition or a software license. That mindset has contributed to the InfoSec crisis and must change.
In recent years, lawyers have been negotiating (with IT help) service level agreements (SLAs) that, beyond uptime and performance, increasingly dictate the security requirements mandated by contract and the limitations of liability for InfoSec failures. An SLA sets the parameters the service provider will follow, the minimum level of service, and the remedies if the provider fails to meet it. Because each provider starts from its own SLA, lawyers should develop standardized security requirements and language to put forward on behalf of their client.
In response to the shift to the Cloud as a cost-effective, scalable storage solution, lawyers must also proactively address information ownership, access, discovery, security, privacy, and other compliance requirements in the contract with each new Cloud vendor. And because there are many ways to implement a Cloud solution, lawyers must become conversant in the differences between “public” and “private” Clouds, including who controls the infrastructure, the encryption keys, and the data in each, in order to negotiate adequate Cloud agreements.
Evolving Nature of Legal Advice
Traditionally, lawyers guide their business “partners” on myriad legal and regulatory issues, and helping IT and business personnel understand the legal implications of security matters seems straightforward. In InfoSec, however, satisfying the letter of the law can differ from satisfying its spirit, and advising well requires deeper technical knowledge.
For example, the broker-dealer recordkeeping rules mandate InfoSec-driven redundancy by requiring a firm to “store separately from the original, a duplicate copy of the record stored on any medium acceptable under § 240.17a-4 for the time required.” Some firms kept their two copies on different floors of the World Trade Center and satisfied the letter of the rule; business-continuity practice, however, calls for the copies to be geographically separated (a common rule of thumb is at least 30 miles apart). When the 9/11 attacks hit, both copies were destroyed.
In cases like this, the lawyer’s advice on InfoSec or IT issues requires not only greater familiarity with technology, but also a way of working with technology professionals toward a holistic solution, which may be unfamiliar territory for many lawyers.
InfoSec Disclosure Responsibility
In the last two decades, an entirely new body of law has emerged to deal with InfoSec failures that expose personally identifiable information (PII). Starting with California Senate Bill 1386, most states now have breach-notification rules prescribing what the holder of certain classes of information must do if that information is breached or exposed. Many of these laws provide a safe harbor if the exposed information was encrypted; some also give victims legal and financial redress. (See the National Conference of State Legislatures’ database of state security breach notification laws.) With the EU’s General Data Protection Regulation (GDPR) and the varying nuances of U.S. state law, lawyers must stay on top of this evolving body of law.
Litigation and Insurance
In states that allow legal and financial redress, lawyers may have to defend the organization’s IT practices, because the organization could be on the hook for harm caused by its failure to secure information. Conversely, companies may have to seek redress from others who had “care, custody and control” of their information. This will become a greater battleground as more information moves to the Cloud.
A proposed settlement has been reached in the landmark Anthem data breach case, which saw the personal information of nearly 79 million people stolen and is being referred to as the biggest data breach in history, lawyers involved with the case announced. The $115 million settlement, if approved by a judge as scheduled next month, is the end result of the massive class action lawsuit filed after a 2015 cyberattack on insurance giant Anthem and is said to be the largest data breach settlement in history, law firm Girard Gibbs said in a statement. (See Anthem Landmark Settlement in Anthem Data Breach Suit).
Litigation regarding InfoSec failures ultimately still faces challenges when it comes to the standards for damages:
Article III standing requires that a plaintiff show an injury in fact, a causal connection between the injury and the conduct complained of, and that the injury will likely be redressed by a favorable decision. An “injury in fact” may include the invasion of a legally protected interest that is concrete and particularized, and actual or imminent (i.e., not conjectural or hypothetical). In actions for loss of personal data, a frequent issue has been whether the possibility of future injury in the absence of actual harm is enough to satisfy the Article III “injury in fact” requirement. (See Developments in Data Security Breach Liability).
One apparent trend, however, is for certain courts to be more accommodating on “proving” damages and future harm as fallout from a breach. Plaintiffs’ attorneys, for their part, “have also increasingly sought to avoid the injury restrictions of Article III by pleading the violation of federal statutes that do not have an injury requirement.” (See Corporate Legal Compliance Handbook).
One way organizations can mitigate liability and litigation costs is to offer affected individuals identity-theft protection and credit-monitoring services. Following the massive OPM breach, everyone affected was offered such services for three years.
Organizations may also address InfoSec risk through cyber insurance. “According to a May 2017 survey from the Council of Insurance Agents and Brokers, 32 percent of respondents purchased some form of cyber liability and/or data breach coverage in the past six months, compared to 29 percent in October 2016.” (See Cyber Insurance: Overcoming Resistance.) Despite the growth in coverage, not enough companies are ready for the worst, and as The Changing World of Cyber Liability Insurance observes, such coverage “is not just a means of protecting against financial loss, but it is a conduit to services to restore companies.”
Lawyers in concert with risk-management and IT professionals can work together to better assess risks and insure against them.
Make InfoSec a Team Sport
InfoSec is now center stage in most boardrooms because a hack can do significant harm to a company’s systems, its ability to function, its bottom line, and its reputation. Properly managing these complex challenges requires professionals from several parts of the organization who can address the issue comprehensively. Lawyers must be part of that team, working proactively with the CISO, CIO, CTO, Chief Privacy Officer, and Head of Compliance and Audit, among others.
InfoSec has become a greater concern with the sharp rise in cyber theft of company trade secrets. (See Economic Espionage). In recent years, the problem of countries, companies, and individuals misappropriating the trade secrets of U.S. companies has grown more insidious and more expensive to address, and lawyers and business executives have no choice but to deal with it. According to the U.S. Department of Commerce, IP-intensive industries accounted for $6.6 trillion in value added, or 38.2 percent of U.S. GDP, in 2014; those industries support over 45 million U.S. jobs and over 50 percent of all U.S. merchandise exports.
Getting Lawyers (More) Involved
Think Big C Compliance and Little C Compliance, Too
Lawyers must ensure not only that their organizations comply with laws and regulations, but also that they help create an environment where InfoSec is “institutionalized.” A compliance methodology based on the Federal Sentencing Guidelines (policies, executive responsibility, delegation, communication and training, auditing and monitoring, consistent enforcement, and continuous improvement; see Information Nation: Seven Keys To Information Management Compliance) can be helpful here. It is especially important for InfoSec because failure will happen at some point. Following a compliance process may lessen the reputational harm, and how harshly a court “penalizes” the organization for the failure. Put another way, following a compliance methodology shows what a good corporate citizen does, demonstrates “reasonableness,” and may be the difference between winning and losing.
Help Make the Pile Smaller
Businesses are producing massive amounts of data. By some estimates, in 2017 a new exabyte of data is created every few hours, the equivalent of 50,000 years of DVD movies several times each day. Most companies’ “information footprint” doubles every year or two. Unfortunately, much of this new data has limited long-term value.
Lawyers can be instrumental in helping their organization defensibly dispose of unneeded information. After evaluating the information stores and doing the requisite diligence, information can be disposed of without fear of a spoliation claim. Properly disposing of outdated and unnecessary information promotes business efficiency, reduces storage costs, mitigates privacy and InfoSec risk, and lowers the cost of discovery.
Applying Simplified Records Retention Rules
Making the pile smaller demands that content is destroyed when law and policy allow. Any information that is needed for an audit, litigation, or investigation must be preserved during the pendency of the matter. Records retention schedules (RRS) have been used as a way for companies to legally dispose of information when it is no longer needed. Some have described the RRS as “a license to clean house and not fear going to jail.”
Lawyers can help dust off their company’s old-school retention rules and modernize and simplify them. Revamped rules can be applied more readily, which speeds disposition at the end of information’s useful life. In this way, InfoSec, IT, and privacy needs are all served by applying the RRS: smaller piles make for more efficient business and better risk mitigation.
Limit Places Information Is Parked
Beyond sheer volume, organizations must also deal with an expanding variety of places where information is stored, increasingly outside the company’s “care, custody, or control.” When the marketing department publicizes a product on Facebook, or HR advertises openings on LinkedIn, information is created that may have ongoing business value or may have to be retained to satisfy legal requirements, yet the pile now sits in a third party’s hands. How can information stored under such circumstances be protected? Can contracts adequately address InfoSec?
More directly, lawyers must develop policies around what information is appropriate for the Cloud, the contract terms regulating the relationship with any third party in possession of the company’s information, and guidelines that map the technical requirements for any storage environment against the regulatory and legal needs of the company.
Another way to address InfoSec risk is to develop and apply classification rules (for example, “highly confidential,” “confidential,” “trade secret,” or “public”) that distinguish information requiring strong protection from information requiring less, or none at all. Good classification rules direct the most attention and protection to the information that is most valuable. It is a version of the 80/20 rule: eighty percent of the information (maybe more) is relatively worthless and may need little protection; with classification rules in place, the important 20 percent gets the InfoSec attention it needs. The smaller the pile to protect, the greater the likelihood it actually will be protected. Making sure clear classification rules are in place and followed is essential to addressing InfoSec risk.
Another way lawyers can help is by reviewing existing policies on the handling, management, and transmission of protected information. Where such rules exist, they usually require encryption so that the content is unreadable if it is exposed; the trouble is that the policies often exist but are ignored. Encryption policies should make clear when “confidential” information must be encrypted, and lawyers, compliance, and audit professionals must verify that employees actually follow them. Better still, encryption can be applied automatically at the system level, driven by the information’s classification, so that compliance does not depend on individual employees remembering to do it.
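To make that last point concrete, the following Go program (an example added here, not code from the article or from any product it mentions) applies classification-driven encryption on every write: anything labelled confidential or higher is sealed with AES-GCM before it is stored, the record’s ID and label are bound into the ciphertext as associated data so a sealed record cannot be quietly relabelled “public” and read back, and an audit routine lists any record that reached the store in the clear despite its label, which is the check compliance and audit staff would run. The label names, record layout, and the assumption that the key is issued by a key-management service are illustrative; the sample records are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Classification labels in ascending order of sensitivity.
type Classification int

const (
	Public Classification = iota
	Confidential
	HighlyConfidential
	TradeSecret
)

// Policy: anything labelled Confidential or above must never sit in the clear.
func mustEncrypt(c Classification) bool { return c >= Confidential }

// Record is a labelled unit of information; Body is plaintext as handed in, or nonce||ciphertext once sealed.
type Record struct {
	ID        string
	Class     Classification
	Body      []byte
	Encrypted bool
}

// Store applies the policy on every write; the caller cannot opt out.
type Store struct {
	aead    cipher.AEAD
	records []Record
}

// NewStore takes a 32-byte AES-256 key (assumption: issued by a KMS or HSM).
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Store{aead: aead}, err
}

// label is bound into the ciphertext as associated data, so a sealed record cannot be downgraded or moved under another ID unnoticed.
func label(r Record) []byte { return []byte(fmt.Sprintf("%s|%d", r.ID, r.Class)) }

// Put stores a record, sealing it with AES-GCM whenever its label requires it.
func (s *Store) Put(r Record) error {
	r.Encrypted = mustEncrypt(r.Class) // the label, not the caller, decides
	if r.Encrypted {
		nonce := make([]byte, s.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return err
		}
		r.Body = s.aead.Seal(nonce, nonce, r.Body, label(r))
	}
	s.records = append(s.records, r)
	return nil
}

// Get returns the plaintext; it fails if the ID or label no longer match what the record was sealed under.
func (s *Store) Get(id string) ([]byte, error) {
	ns := s.aead.NonceSize()
	for _, r := range s.records {
		if r.ID != id {
			continue
		} else if !r.Encrypted {
			return r.Body, nil
		} else if len(r.Body) < ns {
			return nil, fmt.Errorf("record %q: ciphertext too short", id)
		}
		return s.aead.Open(nil, r.Body[:ns], r.Body[ns:], label(r))
	}
	return nil, fmt.Errorf("record %q not found", id)
}

// Audit is the compliance check: IDs of records whose label requires encryption but which sit in the clear, i.e. data that bypassed Put.
func Audit(records []Record) []string {
	var violations []string
	for _, r := range records {
		if mustEncrypt(r.Class) && !r.Encrypted {
			violations = append(violations, r.ID)
		}
	}
	return violations
}

func main() {
	key := make([]byte, 32) // assumption: a real key comes from a KMS or HSM
	rand.Read(key)
	s, _ := NewStore(key)
	_ = s.Put(Record{ID: "rd-7", Class: TradeSecret, Body: []byte("alloy mix 61/27/12")}) // constructed sample
	s.records = append(s.records, Record{ID: "hr-3", Class: Confidential, Body: []byte("salary bands")}) // copied in by hand, bypassing Put
	body, err := s.Get("rd-7")
	fmt.Println(string(body), err, "violations:", Audit(s.records))
}
```

Binding the ID and label as associated data is what turns the classification scheme into something the system can enforce rather than merely record: a downgraded label makes the ciphertext undecryptable, and the audit pass catches the one route around the policy, data copied into storage without going through Put.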
Training and Gamification
Breaches are increasingly commonplace not because InfoSec technology is inadequate (it is constantly improving) but because employees remain the weak link in the InfoSec chain. Employees are routinely targeted and manipulated, through phishing and other social engineering, as the means to obtain, steal, and exploit company information.
Training must become part of the culture. It is not a one-off project but an ongoing process requiring resources and commitment. Training can become much more effective through gamification, a methodology that reinforces the material to be learned with game elements such as points, competition, and rewards.
Big Data and Anonymization
Conflicts within an organization over how information should be managed are normal, with countless business, privacy, and legal needs that may be diametrically opposed. For example, for “Big Data” analytics to be most effective, more information must be stored for longer periods; InfoSec and privacy seek to retain less information for shorter periods. Anonymizing data as far as possible tends to mitigate InfoSec and privacy risk. Unfortunately, analytics tools are less efficient when working within encrypted databases, another conflict to navigate. Lawyers can help navigate the many competing interests in an organization’s information.
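As an added illustration (example code written for this page, not from the article or any product it cites), the Go program below shows one way to resolve part of that conflict: the direct identifier is replaced by a keyed HMAC pseudonym so analysts can still join and count per subject without holding the email, the quasi-identifiers are coarsened (ZIP prefix, age band), and then it goes one step beyond the paragraph with a k-anonymity check that flags buckets holding fewer than k distinct subjects, because a pseudonym is no help to someone who is the only 72-year-old in a ZIP prefix. The assumption that the HMAC key lives in a key-management service outside the analytics store, the field names, and the sample rows are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Row is a source record; Email is a direct identifier, ZIP and age are quasi-identifiers.
type Row struct {
	Email string
	Zip   string
	Age   int
	Spend float64
}

// AnonRow is what the analytics store keeps: a keyed pseudonym, coarsened quasi-identifiers, the measure.
type AnonRow struct {
	Subject string
	Zip3    string
	AgeBand string
	Spend   float64
}

// Pseudonym replaces an identifier with HMAC-SHA256 under a key held outside the analytics
// environment. It is deterministic, so analysts can still join per subject, but without the key
// nobody can rebuild the mapping by hashing guesses (unkeyed SHA-256 of an email falls to a dictionary attack).
func Pseudonym(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(id))))
	return hex.EncodeToString(mac.Sum(nil))
}

// Zip3 keeps only the three-digit ZIP prefix.
func Zip3(zip string) string {
	if len(zip) < 3 {
		return "***"
	}
	return zip[:3] + "**"
}

// AgeBand generalizes an exact age into a coarse band.
func AgeBand(age int) string {
	for _, b := range []struct{ max int; name string }{{17, "<18"}, {29, "18-29"}, {49, "30-49"}, {64, "50-64"}} {
		if age <= b.max {
			return b.name
		}
	}
	return "65+"
}

// Anonymize applies all three steps to every row.
func Anonymize(key []byte, rows []Row) []AnonRow {
	out := make([]AnonRow, 0, len(rows))
	for _, r := range rows {
		out = append(out, AnonRow{Pseudonym(key, r.Email), Zip3(r.Zip), AgeBand(r.Age), r.Spend})
	}
	return out
}

// SmallGroups is the k-anonymity check pseudonymization alone does not give you: every (Zip3, AgeBand)
// bucket with fewer than k distinct subjects, whose members are still identifiable from the quasi-identifiers.
func SmallGroups(rows []AnonRow, k int) map[string]int {
	subjects := map[string]map[string]bool{}
	for _, r := range rows {
		bucket := r.Zip3 + "|" + r.AgeBand
		if subjects[bucket] == nil {
			subjects[bucket] = map[string]bool{}
		}
		subjects[bucket][r.Subject] = true
	}
	small := map[string]int{}
	for bucket, subs := range subjects {
		if len(subs) < k {
			small[bucket] = len(subs)
		}
	}
	return small
}

func main() {
	key := []byte("demo-only-key") // assumption: the real key lives in a KMS/HSM, never in the analytics store
	rows := []Row{ // constructed sample data, not from any real system
		{"alice@example.com", "20001", 34, 120},
		{"Alice@Example.com ", "20001", 34, 30}, // same person, messy input
		{"bob@example.com", "20009", 41, 80},
		{"carol@example.com", "94110", 72, 10},
	}
	anon := Anonymize(key, rows)
	for _, a := range anon {
		fmt.Printf("%s... %s %s %.0f\n", a.Subject[:12], a.Zip3, a.AgeBand, a.Spend)
	}
	for bucket, n := range SmallGroups(anon, 2) {
		fmt.Printf("bucket %s has only %d subject(s): suppress or generalize further\n", bucket, n)
	}
}
```

The design keeps the analytics usable (stable pseudonyms to aggregate on, coarse but still meaningful demographics) while removing what a breach of the analytics store would otherwise hand over; the bucket check is the part to revisit whenever a new quasi-identifier column is added, since each one shrinks the groups.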
Information is the corporate lifeblood, and far too often it is flowing freely in the streets. Technology can only do so much to protect information and the systems that create, store, and transmit it; employees are a big part of why InfoSec fails so often, leading to massive breaches. Foolproof security does not and will never exist, but things can improve dramatically. Although InfoSec failure and risk will never vanish completely, lawyers can and should help fight the InfoSec and information terrorism war.