In the wake of recent massive and highly publicized data breaches at major national retailers, and last year's disclosure of the NSA's widespread surveillance of the general population, people are thinking about the security of personal information they give out in their daily lives. Businesses of all sizes also need to think about the vulnerability of their "personal" information, that is, proprietary information that provides them a competitive edge: unique business or manufacturing processes, new product research and development (R&D), engineering drawings for products, strategic plans, financial and profit margin information, and the like. Developing and implementing cybersecurity plans must become a top business priority.
The Need for Cybersecurity
The last decade has seen a radical shift in how businesses gather, store, manipulate, and access company-critical informational assets. Technology has made it easier and faster to do more things and to bring more information with us when we travel. Smartphones alone enable employees to carry as many as 64 gigabytes of information in their pockets: that's enough to hold over 22,000 photos (depending on resolution) or over 128,000 books. Increasingly, employees demand remote, 24/7 access to their work applications so that they can carry less paper when on sales calls, work from home, or travel lighter when meeting with outsourcing vendors. High-speed wireless Internet connections facilitate the transfer of files to strategic partners quickly, cheaply, and easily.
But having such access and interconnectedness also carries a cost: cybercrime. The Commission on the Theft of American Intellectual Property has estimated that businesses lose up to $300 billion a year as a result of the theft of business trade secrets alone. Comm'n on the Theft of Am. Intellectual Prop., The IP Commission Report 2, 11 (2013). If a business loses its customers' personal information, the breach costs an average of $188 per stolen record—that adds up fast when one considers that the average data breach involves nearly 29,000 records. Ponemon Inst., 2013 Cost of Data Breach Study: Global Analysis 1–2 (2013). Because we generate so much data on small and portable electronic devices, gone are the days when a business could simply silo its information and shut others out. Nowadays, if someone wants to hack into a company's system or get copies of its top secret blueprints, he or she can do so in ways that were impossible 10 or 20 years ago.
All Businesses Are at Risk
The risks posed to different organizations or business functions are not uniform, in part because the technology and means used to gain unauthorized access to electronic data change at breakneck speed. Some of the most successful schemes for accessing proprietary information use social engineering—leveraging the human element—to gain access to passwords or harvest small packets of information that, once put together, provide a full copy of sensitive competitive information. Technology allows eavesdroppers to remotely scan or track keystrokes on smartphones and laptops when in Bluetooth or Wi-Fi mode and pilfer sensitive information. American travelers abroad carrying computers are targeted for computer theft or tampering to enable copying of sensitive files. In sum, the tools that virtually every business relies on to conduct its daily operations, and the way employees interact with those tools, introduce risks that threaten the company's ability to operate, and sometimes its very existence.
How can businesses respond? Cybersecurity. According to Merriam-Webster's Dictionary, the word "cybersecurity" was first coined in 1994 and refers to "measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack." The federal government, concerned about losses sustained by American businesses as a result of cybercrimes, particularly in critical infrastructure industries such as energy, health care, or agriculture/food distribution, has embarked on a program to raise awareness and encourage development of new cybersecurity solutions. That is why, last year, the National Institute of Standards and Technology (NIST) was charged with creating a cybersecurity framework, which it delivered in mid-February 2014. Nat'l Inst. of Standards & Tech., Framework for Improving Critical Infrastructure Cybersecurity (2014) [hereinafter Framework]. Though some may have feared a new wave of government regulation or imposition of impossible-to-achieve information security standards, the Framework does little to add to already existing technology standards when it comes to the nitty-gritty of securing electronically stored information. On the flip side, it also offers no safe harbors for companies that follow the Framework but experience a consumer data breach. Nevertheless, the Framework provides useful cybersecurity guidance.
NIST Cybersecurity Framework Guidance
The Framework Core provides guidance for businesses by identifying five core activities—identify, protect, detect, respond, and recover—applied to business-critical information that is susceptible to cyber-attacks and theft by people within or outside a business. Rather than using technical jargon, the Framework's plain English approach gives organizations an intuitive vocabulary and a planning tool intended to help them optimize their investments, assess and change business practices, and plan to minimize the impact of cyber-theft. When an organization performs the five core activities, it will gain a high-level view of how it currently manages cybersecurity risks.
Using the Framework's Tiers and Profiles, businesses can then identify their goal for managing cyber-risk in the future and create a roadmap to help them get there. By using the Framework's assessment process and gap-analysis tools, organizations also can better educate their employees and business partners on the importance of cybersecurity, and how to best achieve that within their particular culture and competitive marketplace. In certain regulated industries, such as the financial industry or those that collect personal information from consumers, following the Framework will help companies create effective written information security plans (WISPs) to comply with their regulatory obligations. See, e.g., 15 U.S.C. §§ 6801 et seq. (Gramm-Leach-Bliley Act § 504); 17 C.F.R. §§ 248.1 et seq. (SEC Reg. S-P); Mass. Gen. Laws ch. 93H; 201 Mass. Code Regs. § 17.00 (Protection of Personal Information of Residents of the Commonwealth).
Case Study in Cybersecurity Carelessness
To illustrate how you, as in-house counsel or outside corporate counsel, can advise on application of the Framework guidance, let's consider how it could be used by Lilting Loons LLC, an imaginary design and manufacturing firm that creates bird callers that sound authentic to humans and birds. Lilting Loons' customers love its bird callers because of the uncanny and realistic bird sounds they generate. Lilting Loons has never done a risk assessment before, but they have seen an increasing interest in their products, and heard that a startup company was recently at a hunting trade show with suspiciously similar "whistles." Lilting Loons wonders if they have a leak. They've asked you what they can do to protect their special know-how and to perform a risk assessment.
Investigate the facts. Using the NIST Framework, you set out to understand the key assets that Lilting Loons' top leadership thinks are in play. First, you interview the owner and learn that Lilting Loons accomplishes the realistic bird sounds by performing extensive R&D, using specialty woods from very specific forests around the world, and inserting a special hidden component into the neck of its bird-calling whistles. Its critical assets are its R&D (including failed R&D), the specific vendor and type of wood used for each different type of bird-call whistle, and the drawings of the whistles. Next, you talk to the company's middle managers to understand how employees access and interact with the key data. Although you will interview all functions within the company, you will focus on R&D, procurement, manufacturing, human resources, and IT personnel. Then you will use the results to determine where Lilting Loons is on the cybersecurity scale (i.e., its Framework Tier) and discuss where the company leadership would like it to be.
After talking with Lilting Loons' managers, you learn that Lilting Loons' R&D department has purchased a few software packages for specialized computing and 3D modeling needs on specific projects—the IT department is unaware of these cloud-based software packages and knows nothing about the security measures employed by the vendors. You also learn that Lilting Loons' R&D and manufacturing employees sign confidentiality agreements, but the procurement and R&D administrative support personnel do not. Access to drawings and R&D project files is limited to those with a need to know; some of the administrative support staff do have a need to know and are given access. However, there is no system in place to remove employees from access lists when they change jobs or projects or finish a project.
Lilting Loons does not monitor who, what, when, or how employees access specific R&D project files, drawings, or wood supplier files. While employees recognize that R&D files are critical assets, they do not realize how important confidentiality is for the drawings and wood supplier information. The wood shavings from the manufacturing floor are set outside in dumpsters for pickup by the regular waste disposal company, as are copies of vendor, R&D, and drawing files that various personnel typically print out. Lilting Loons has invested virtually no resources in training employees on the importance of securing key files/data, and it has no employee policy on acceptable computer or portable device use. On a daily basis, Lilting Loons backs up its files remotely to a cloud-based server located in India. The IT department does have a firewall and antivirus and antimalware software in place, but it does not encrypt computers or have file encryption capabilities. In the past, employees on particular projects have been the target of phishing emails (containing bogus links that will download malware onto Lilting Loons' systems)—and, being naïve, they often click on the links because they think the emails are valid. Lilting Loons has no plan in place to deal with the fallout in the event that its key assets are compromised by an inside fraudster or an outside hacker.
Using the NIST Framework Core, you categorize each of these business practices/processes into the "identify, protect, detect, respond, or recover" buckets and check them against the methodologies and informative references contained in the NIST Framework. From there, you determine that Lilting Loons may be crazy good when it comes to bird calls, but they lack common sense when it comes to protecting their key assets.
Recommend plans for cybersecurity protection. Using the five core categories, you present your findings to Lilting Loons' CEO and top management team, explaining that the company is doing some things right but has some critical vulnerabilities. You explain Tiers I through IV of the Framework, and tell the senior management which tiers Lilting Loons is at for each of the critical processes (they are at the lowest tier) across the Framework Core areas. Using the tiers and core activities, you develop a profile with the help of senior management, showing which tier the company would like to be at for its critical business processes. Afterward you work with the managers and operations staff to form a roadmap, including a cost estimate, to close the identified gaps using technology, business processes and controls, and contractual agreements.
Armed with the roadmap and cost estimate, senior staff decide on an appropriate budget and priority for implementation—they decide to revise/downgrade some of the recommendations to better suit the company's risk tolerance and balance risk against cost. Once the CEO has signed off on the budget, you work with managers and operational personnel to implement processes and specific industry standards that align with the direction set by the CEO and senior staff. Throughout the year, the operational personnel will report to the managers about their implementation progress, and the managers will in turn communicate with the senior staff on changes to Lilting Loons' current and future risk profile. As market conditions change, the company may change its priorities and ask the operations personnel to change the roadmap.
As the business evolves, its vulnerabilities and desired level of cyber-risk maturity will change; so you tell the CEO that the company should use the Framework to regularly evaluate Lilting Loons' cybersecurity state and goals. Thus, the Framework will become a continuous improvement mechanism or cycle for the organization: performing the core activities, assessing the organization's current tier and desired tier, and using the profile to revise the roadmap from the current state of cyber-risk management to the desired state.
To sum up what you, as in-house counsel or outside corporate counsel, can do for your company client utilizing the NIST Framework:
1. Raise awareness of cybersecurity issues by speaking with management and employees in key functional areas such as procurement, R&D, human resources, marketing, sales, etc.
2. Investigate the facts pertaining to the NIST cybersecurity core activities:
Identify. What are the cybersecurity risks to your client company's systems, assets, data, and capabilities? Which assets have the highest priority for protection? Identify critical/competitive-advantage information, as well as employee or consumer personally identifying information (PII), used in each functional area.
Protect. What safeguards are appropriate, as prioritized through your client company's risk management process, to ensure continued delivery of its products or services? Interview managers of key operational departments to understand how employees access and interact with the company's proprietary information and individuals' PII, and what restrictions are in place to prevent employees from accessing information they have no need of for their job responsibilities. Meet with your client's IT specialists to understand what technological safeguards are in place (including access restrictions, firewalls, etc.) for sensitive information and PII.
Detect. What activities will identify when a cybersecurity event (i.e., theft of data or injury to business assets and capabilities) has occurred? Surprisingly, within many organizations, cybersecurity thefts go undetected for long periods of time or are never detected. Find out how your client's IT department works with the functional areas to monitor the company's network for viruses, malware, unauthorized access, and unauthorized exporting of proprietary information and PII. Find out what procedures and policies are in place for each functional area to protect against and detect unauthorized access.
Respond. What plans are in place and what actions will the organization take when a cybersecurity event is detected, so that it can contain the impact of a potential cybersecurity event? Does the company have a plan in place in the event of a data breach or cyber-attack? Is it written down? Does the management team know "who is on first base" in the event of a breach or attack? Who will investigate breaches or attacks?
Recover. What activities does the company anticipate it will take to restore capabilities or services that are impaired by a cybersecurity event?
3. Use your Framework Core findings as a conversation piece with senior management for other functional areas (ensuring such conversations are attorney-client privileged). You will likely find a strong ally with the person responsible for IT and security. If you've done your homework well, and identified the information that each company functional area considers to be of critical competitive importance, you will also be able to persuade them that they have a vested interest in protecting their most valued information assets.
4. Use the Framework's Profiles to identify which Tier the organization is at currently, and work with senior management to determine which Tier it wants to be at in the future.
5. Work with senior management to identify security/detection/remediation gaps that they are concerned about and are willing to allocate money to close. In other words, create a roadmap to move from the current state of cyber-risk management to the desired state. This phase identifies gaps and assists senior-level executives in making decisions about and communicating the organization's priorities, available resources, and overall risk tolerance. Operational personnel can then take that direction and translate it into discrete operational steps they can take to close the identified gaps and communicate back up the chain of command regarding their progress on closing the gaps. Cybersecurity investments may include technology, operational procedures, company policies, contractual provisions with third parties, employee policies, employee training, etc.
6. Create a WISP that can be distributed and implemented within the company. This is the plan that some businesses are required to have for regulatory compliance.
7. Revisit your WISP, and perform the Framework Core activities regularly to reassess your client's cybersecurity state and desired future state.
A review of the past year's headlines illustrates that the threat of losing valuable corporate data and competitive-advantage information to hackers and inside fraud is too real to take an "it can't happen to me" approach. Executives at companies that have been compromised by theft of their competitive information or customer data surely wish they had been better prepared to prevent, detect, and respond to incidents of theft. Nevertheless, no company—big or small—can afford to protect everything from people who are bent on stealing corporate know-how and intellectual assets. One of the best ways to make your company client a "hard target" is to take a critical look at your client's business processes and assess what proactive, affordable steps you can advise your client to take to align the company's appetite for risk with protection of its mission-critical assets—whether they are product drawings, marketing plans, financial information, customer data or PII, or other proprietary know-how.
Keywords: confidentiality, confidential information, cybercrime, cyber-risk, cybersecurity, insider fraud, insider theft, IT, National Institute of Standards and Technology, NIST, trade secrets
Copyright © 2014, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).