Angela Bunting, Nuix and Alexander Major, Sheppard Mullin, Legaltech News
There is no mistaking it, cybersecurity and data breaches are now front and center of everyone’s mind. Just in the last month we have seen two governments—the Philippines and Turkey—get hacked, not to mention the massive amount of government-shaking data leaked as part of the Panama Papers. We have also seen governments creating more legislation around cybersecurity strategies, a good indication that they are trying to keep up with the times. For example, Australia just launched its new strategy in the later part of April.
One thing is resoundingly clear through all this. Nobody wants to be the one who didn’t do enough, let alone do nothing!
So, to start you on your journey of “not being that guy,” we thought we would put together eight high level points of things to consider before and after a breach occurs.
1. Hire in Experts
Unless you’ve been proactive, your IT team is not likely filled with cybersecurity experts. Do not mistake a professional who knows her way around a router or a firewall as someone who is equally adept at protecting the information behind them. You need to hire “hands on keyboard” experts who understand the connections between tools and security and who are willing to acknowledge vulnerabilities when they are found, and act appropriately to fix them.
To find those vulnerabilities, you need to bring in professionals who can push your systems to their limits and find their weaknesses, just like a hacker would. These exercises, called penetration testing, should be performed as closely as possible to real-world scenarios—testing during business hours against a restricted set of resources will not do anything to show the vulnerability of your company.
You also need to assess whether such experts should be “on staff” or hired in. This is a cost-benefit analysis determined by how much risk your company is facing and whether that risk warrants a full time employee. For many small and mid-size companies, this may not be realistic. Fortunately, there are companies who specialize in these services—just be sure to vet them appropriately and avoid hiring in “our big client’s buddy.” Bottom line, even if you cannot afford a dedicated information security employee, you can—and should—afford to secure your information.
Look beyond the IT department and at your in-house counsel, as well. They are generally not specialists in cybersecurity legislation and law, which is such a fast-changing landscape that it is imperative to bring in specialist outside counsel. Not only can they advise you on the latest trends and implications from both home and abroad, such as the recent ruling in The Queen (on the application of Colin McKenzie) v SFO, but the work done ensuring you are secure can have a variety of advantages. These include protecting attorney-client privilege/legal professional privilege and creating work-product protection, allowing you to better assess and remedy any problems that may come to light.
Furthermore, if you are engaging outside vendors to test or validate your current cybersecurity posture, it is imperative that such testing be done under the direction of counsel. You just do not know what you will find—make sure you protect that outcome. The decision above, in particular, will be quite interesting going forward for breach investigations around the world.
2. Understand the Expectation of Reasonableness
Checkboxes and compliance regimes are not enough in this new landscape of data breaches. The FTC made it very clear in FTC v. Wyndham Worldwide Corporation that it will rely on the best industry standards of the day rather than prescribe what defines its standard of reasonableness. This is understandable since technology, especially cybersecurity, is quickly evolving and anything prescriptive will likely be out of date within days. Unfortunately, this makes cybersecurity “compliance” a fast-moving target that is difficult to hit and even harder to justify following a breach.
The solution? Skip compliance and focus on security. In so doing, you are better able to defend your position of reasonableness. Maintaining a current incident response plan that is regularly reviewed, tested, and updated is a great start. Security is a journey, not a destination.
3. Know What You Have and Protect the Most Critical Data
While this might seem like an obvious statement, it is surprising how many enterprises put up a potentially flawed perimeter around everything they own without much consideration for understanding what they have, effectively implying that everything is “critical.” The main flaw in this practice is that you will never know where your real risks are for data being stolen, let alone recognize if new data is added to your systems to falsify or amend your records. This invites a host of new risks along with regulatory or criminal investigations.
You can maximize your opportunity to notice unusual behaviors with your data, regardless of whether the threat resides outside your perimeter or internally, by doing the following:
§ Map out your organization’s information
§ Check the data for privacy compliance issues
§ Secure and monitor data according to its importance to your organization.
Don’t forget that even if you lock the door, insiders can muck up data that is not internally protected. There’s a reason banks have safe deposit boxes behind a vault door, behind the teller desks, on the other side of the building, behind a locked, caged door. You get the idea.
Understanding your data also provides you with an opportunity to ensure you are not hoarding unnecessary data. This data not only costs you money now for storage, but it may also be subject to disclosure in regulatory or legal requests just because it is there, even if you don’t really need it around anymore.
4. Train Your Staff
Despite its ties to technology, cybersecurity is a people problem. If you are only looking at your systems, then you are not addressing the core issue: your employees. Cybersecurity should be part of your company DNA and recognized as everyone’s responsibility. It only takes one click to launch a ransomware attack. It only takes one call for an attacker to socially engineer their way into areas to which they should not have access.
Train all your staff, regardless of their level within the organization, to be vigilant and report anything they find suspicious. Be prepared to listen to what they may find. Positively reinforce and reward those who demonstrate they “live” cybersecurity in all they do. The ROI is clear. Reduced time to incident identification equals reduced cost and potential reputational damage.
5. Is It Worth It?
Many CIOs and CEOs willfully keep their head in the sand—if they acknowledged the cybersecurity problem, they would have an expensive problem to fix. Sadly, some executives would rather hope for the best and just pay the fines for a data breach.
This is high stakes gambling. How lucky does your company feel? Are you willing to bet everything?
This attitude is exacerbated by the fact that the house rarely wins. Recent breach victims have only had to pay what amounted to a drop in the ocean compared to their annual revenue; in some cases, it can be argued that being breached has benefited the breached company, letting them vocalize how secure they now are.
While Remijas et al. v. The Neiman Marcus Group has started to change the landscape in terms of being able to sue for potential future harm, the outcome of Spokeo v Robins at the U.S. Supreme Court may be an event that opens the flood gates to a vastly higher value when looking at potential future damages. And don’t forget the recent reminder that the jury is still king when it comes to awarding punitive damages, as described in Van Alstyne v Electronic Scriptorium.
Not all attacks are about profiting from your data. Even if you are a charity or an affinity group, you can be targeted out of “fun” as well as spite. Socially conscious hacking can be far more damaging to your business operations and reputation than data theft, as was the case in the Ashley Madison hack.
There are hackers out there that believe they have a social obligation to make what is wrong in the world right, and that could very much mean bringing your company to its knees if they don’t share the same values as you. We haven’t even touched on what happens when you are a soft target for laundering money through your organization!
6. Engage With Outside Counsel Immediately After Identifying a Breach
Cyber breaches, like taxes, are inevitable, and they have been happening for about the past 20 years now. Engaging with proper outside counsel immediately after a breach is invaluable. Any outside counsel worth their salt should be able to provide you with a list of their experiences and credentials for the years they have been practicing in this area. They can help you navigate the labyrinth of regulatory notification requirements and help you with strategy to conduct your investigation and mitigate future litigation risks.
Remember, a good outside counsel is one who works with you to understand your business and your systems, and who becomes a valuable member of your team.
7. Report the Breach?
This is a critical question that can have far-ranging impacts and it is the primary reason behind the need for effective outside counsel. Whether or not you report a breach is based on a number of factors, including what kind of data was affected, how it was affected, and in what region/state/area. It’s complicated. It’s exact. And, if done wrong, it could cost you much more than the cost of the breach in terms of both money and reputation. Chances are, you will have to report. How that is done, when, and to whom, however, is fact-dependent.
8. Learn From Your Mistakes
Goethe reminds us that “By seeking and blundering we learn.” The facts in Wyndham provide a prime example of failing to heed Goethe’s advice: the chain was repeatedly breached while failing to change its cybersecurity posture, making it susceptible to even more attacks … by federal regulators.
Attacks are going to evolve. Learning from your experiences and implementing remedies demonstrates a defensible position of reasonableness and, if shared strategically, can provide reputational goodwill as well.
Remember, your security will only be as good as the team implementing it. Do not limit that team. Take a holistic view of cybersecurity and make sure you have the right people doing the right job for you right now. Be honest with yourself. If your experts seem to be getting the same mediocre results over and over, maybe it is time to consider changing your approach.
Angela Bunting is vice president, e-discovery at Nuix. She is one of Australia’s electronic discovery pioneers and has held technical and managerial roles at global law firm King & Wood Mallesons and Law in Order, the country’s leading litigation support bureau. Alexander Major is an associate in the Government Contracts, Investigations & International Trade Practice Group of Sheppard Mullin Richter & Hampton’s Washington, D.C. office, where he focuses his practice on litigation, cybersecurity, and federal procurement compliance.