By Daniel E. Frank and Don Borelli

Transcription

1 30-SECOND SUMMARY As intelligent, interconnected devices become more widely available and increasingly host high-value information like a hospital patient s medical records the intrusion points for cyber attackers also expand. This article looks closely at the scope and potential legal risks of cyber attacks. If your company or organization become a target, it is the responsibility of more than just technical (IT) staff to contain the threat. This is neither a technical article nor a doomsday scenario cyberscare tactic. Rather, this article aims to provide in-house counsel with some of the basic tools they need to deal with the inevitable cyber intrusions that they will confront.

2 By Daniel E. Frank and Don Borelli The Internet of Things is the talk of the day among tech experts. It refers to a complex world of intelligent, interconnected devices used by both government and business for convenience, as well as daily operations. These connected devices can speed a guest reservation at a luxury hotel or link a hospital heart monitor to a patient s history. But these systems are also intrusion points for cyber attackers. ACC DOCKET MARCH

3 CYBERSECURITY: HOW TO PREPARE FOR AND RESPOND TO CYBER ATTACKS For some industries, like electric utilities and the defense industry, cyber attacks are a daily occurrence. Cyber attacks are also increasing against hospitals, major hotels and universities. Each of these targets provides access to potentially high-value information, often with less advanced security barriers than previous targets, such as financial companies. In 2012, for example, the healthcare industry accounted for 36 percent of all data breaches the most reported data breaches by any industry. Hospitals store large amounts of personal information. In the last two years, there have been nearly 200 attacks directed at internet-connected medical devices alone an alarming example of how the healthcare industry is attracting cyber attacks. Like hospitals, hotels have become an attractive target. Hotels may be unable to monitor and secure facilities that are globally distributed and linked to a variety of electronic service providers. A board of directors meeting at a luxury hotel might rely on unsecured Wi-Fi for internet access. An embarrassing data breach of sensitive guest data or a cyber attack by a hacktivist group against a senior executive at a Daniel E. Frank counsels electric industry clients in cybersecurity matters, as well as regulatory, compliance and enforcement matters before FERC, NERC and state public service commissions. daniel.frank@sutherland.com Don Borelli is chief operating officer of the Soufan Group. don.borelli@soufangroup.com The authors gratefully acknowledge the substantial contributions of a third co-author (former in-house counsel specializing in cybersecurity) who wishes to remain anonymous. hotel could be a devastating blow to a hotel operator s reputation. The education industry is equally vulnerable. In 2012, the education industry reported the second most data breaches of any industry sector, right behind the healthcare industry. Foreign governments target universities for access to restricted data or technology that may save years of expensive research and development. Aside from a direct hacking attack on an educator s system, simple negligence in security practices may result in loss of sensitive data. For example, the Chinese government allegedly intercepted classified data on plasma research when a University of Tennessee professor visited China and allowed a sensitive document to be ed to him on unsecured networks. Almost a quarter of all data breaches in 2012 occurred as a result of accidental data disclosures. With professors working on multiple sensitive projects, and increasingly using online tools for collaboration, the risk of accidental disclosure has increased significantly. These examples are not intended to cause alarm. Rather, they are offered to emphasize the scope and potential legal risks of cyber attacks, and the importance of remaining prepared in case one should occur. In-house counsel no less than technical (IT) staff should play a vital role in preparing for and responding to cyber attack. The basics: What in-house counsel can do today Create a culture of security Every person in your company needs to understand that security is a fundamental pillar of the business. Staff should be instructed that security facilitates all other operations and that, without security, the business is subject to risks that could cause it to fail. This is not to create a culture of fear. Rather, a culture of security ensures that every staff member understands and follows security procedures and helps prevent many of the damaging cyber attacks likely to cause harm. In-house lawyers can take the lead in developing and promoting a culture of security. Lawyers can help translate the technical requirements of security procedures into everyday language that employees can understand and implement. For example, intrusions via social engineering (which exploits your vulnerabilities by targeting your personal information, such as s and passwords) and mixed physical and cyber intrusions (which can occur when a vendor or contractor is on-site) can cause substantial harm and are very difficult to prevent with technical solutions. Lawyers can bridge the gap between technical solutions and behavioral changes required to combat these intrusions, thereby raising awareness and creating a culture of security. Be proactive According to a major security research study released in 2013, the three most important ways to minimize data breach costs are to: (1) create and maintain a data breach response plan; (2) have a strong security posture; and (3) hire a chief information security officer (CISO). 1 A company needs all three. Secure the data within the company s control, be persistent in verifying security practices, and invest in a qualified expert to manage the program. In-house counsel should play a key role in developing the plan and security posture. In-house counsel can bridge the gap between the requirements identified by the IT or technical staff and the implementation of those requirements by operations personnel, management and others within the organization. The lawyer can also help IT and technical staff understand the legal and regulatory requirements applicable to the organization, while also serving as a gateway to communicating cyber-related concerns across internal departments. The lawyer s role begins at the outset of the development of the organization s 38 ASSOCIATION OF CORPORATE COUNSEL

4 CYBERSECURITY: HOW TO PREPARE FOR AND RESPOND TO CYBER ATTACKS security policy. Do not wait until the security policy is developed to review it. If you wait until then, you run the risk of having no meaningful input. More important, you will have missed the opportunity to understand the reasoning behind the policy and the security procedures adopted in the policy. Be on the Security Policy Planning Committee Talk to your CISO regularly. Identify the other critical managers involved in security planning. Ask whether anyone else should be involved. Bring these people together as the Security Policy Planning Committee and be on that committee from the start. Too many lawyers avoid the IT team because they think the subject matter is too technical. Of course, the mechanics involved in securing data and critical infrastructure can be technical. However, much of the material is highly accessible to non-technical people, including lawyers. You can teach yourself a lot of technical concepts, but your role should focus on the big picture policy issues concerning the company s security, including the costs and benefits involved, and the statutes and regulations governing the company s security. If you cannot understand the security policy, or do not understand how it was developed or may be modified, then you have a major problem. If you are in this situation, go back to step one: Talk to your CISO. What are the controls on your data? Almost 10 percent of all cyber attacks against companies last year were committed by insiders employees within the organization intent on engaging in crime, sabotage and other malicious activities. 2 It is not enough to keep the intruders out; you need to address the threat within. Establishing controls on data is key in this regard. For example, data should be compartmentalized, and multiple approvals should be required to access highly sensitive data. The critical issues to address in your data control policy include: What is the data? Where is the data? Who controls the data? How is the data accessed? Are you protecting the right data? How digital materials are secured may be within the scope of work for the security team (i.e., the technical IT staff), but it is important for in-house counsel to also understand and monitor the data controls. An audit can help you determine the data available and the access rights provided to employees. Be sure your internal personnel and security policies specifically provide that the legal and IT departments may audit employee access to data, including during an internal audit or investigation as well as in response to a cyber attack. Your policies also should clearly specify who owns the data within the organization s control. The audit will also provide your legal team with valuable insights on the type of data your company maintains, where it is stored (including in the cloud off-site servers typically owned and operated by third parties), where and how it is transferred, and what is considered most important. You likely will discover that the legal department was unaware of some data or projects. Use this newfound discovery as an opportunity to assess your intellectual property portfolio and confirm that you are properly protecting the legal rights to the information in addition to the security of the data. Include a review of your contracts that govern the storage and transfer of data, and be mindful of the differences in legal requirements across various jurisdictions (including outside the United States). The security community has many different models for back-up systems, ranging from full redundancy to restoring only critical systems. Know which type of system your company has chosen and why. How will the security plan limit disruption to operations? In-house counsel must know what operations are critical for the company to remain functional and how long they can be disrupted without longterm ramifications. For example, if a hacktivist group launches a Distributed Denial of Service (DDOS) attack that floods your systems with disruptive requests, you need to understand how this will affect operations. The security community has many different models for back-up systems, ranging from full redundancy to restoring only critical systems. Know which type of system your company has chosen and why. This awareness will help your legal department provide support to the most critical services and understand the impact of a disruption to operations. Use the security plan as an opportunity to also develop your procedures for communicating with law enforcement. Determine who in law enforcement is most likely to be of assistance. Local police seldom have the advanced skills to respond to a data breach. Federal law enforcement also varies in capabilities. Start by contacting your local FBI office before you face the pressure of a cyber attack, and update your contact information on a regular basis. Discuss the plan for how you will notify the local FBI office, how and when law enforcement will be included in your investigations, how information will be preserved and disclosed, and other details on the process. This 40 ASSOCIATION OF CORPORATE COUNSEL

5 CYBERSECURITY: HOW TO PREPARE FOR AND RESPOND TO CYBER ATTACKS ACC EXTRAS ON Cybersecurity Quick Reference Data Breaches and Cyber Risk Update: This Can Mean You, Too! (Jan. 2012). www. acc.com/quickref/databreach_jan12 Top Tens Top Ten Things You Should Know About NIST s Preliminary Cybersecurity Framework (Jan. 2014). www. acc.com/topten/nistframework_jan14 Top Ten Tips for Companies Buying Cybersecurity Insurance Coverage (Dec. 2012). cybersecurity-insurance_ dec12 Presentation Global Cyber Risks: Why Your Entire In-house Legal Department Should Pay Attention (Oct. 2013). ACC HAS MORE MATERIAL ON THIS SUBJECT ON OUR WEBSITE. VISIT WHERE YOU CAN BROWSE OUR RESOURCES BY PRACTICE AREA OR SEARCH BY KEYWORD. will save you large amounts of time and confusion during the stress of a cyber attack. Be smart with your money The National Security Agency (NSA) invested billions in advanced security, but apparently failed to compartmentalize data and implement dual access controls. These are basic, inexpensive steps that could likely have denied Edward Snowden easy access to large amounts of data that he should not have been able to obtain and publicly disseminate. Implement easy, low-cost solutions first. Deploying low-cost encryption technology can eliminate data loss by ensuring that any lost data is not readable. Ask your security team to verify that easy solutions like encryption are being considered. Other low-cost solutions include disabling the ability to download data, copying data, and closing unused ports that can allow unauthorized access to your system (including through removable media such as thumb-drives). Additionally, commercial services can monitor open source materials and provide a list of likely threats. These types of services reduce overall costs and improve security by helping company staff focus on fewer threats. These are typically the same services that monitor for trademark abuse online. Sharing costs for these services with the security team may be an opportunity to improve security and protect your company s brand at the same time. Good security needs good intelligence Many industry groups now promote data sharing of threat intelligence to identify potential attacks before they occur. In past years, these were informal groups that loosely shared data without adequate security. These insecure information sharing efforts should no longer be a problem. Many platforms now exist that provide secure effective data sharing among industry members or law enforcement. These groups help your company focus on likely threats and cooperate with law enforcement. Too often, lawyers are wary of data sharing proposals. This is an out-dated way of thinking. If your CISO proposes data sharing, you should welcome the idea. Take the time to understand the different platforms available and suggest the best internal safeguards to make data sharing an effective tool. As in-house counsel, you also can help identify any potential legal pitfalls with the proposed platforms, and what those pitfalls might mean for the company and its business. Should you transfer the risk? Do you have insurance coverage for a cyber attack? Few CISOs consider the risk management element of cybersecurity beyond the technical safeguards. Most standard liability insurance policies do not cover data breaches, cyber attacks or the responses to them. But an increasing number of insurance products addressing cyber attacks and responses are available on the market. Conduct a risk assessment comparing the loss expectancy of a cyber attack multiplied by the expected rate of occurrence to determine whether you should purchase additional liability coverage. Your CISO should be able to help you analyze the risk exposure, but the legal department should review the liability coverage available to confirm that it is adequate. You ve been hacked. Now what? Whom are you going to call? In a cyber attack, do you first call the technical investigators or the law firm? It should probably be a law firm. A law firm can help protect the entire investigation process under the attorneyclient privilege. Some boutique law firms have created a hybrid-consulting model with forensic investigation capabilities. This provides the best protection for limiting the scope of discovery in future litigation. The CISO almost never considers calling lawyers first. However, doing so, and having the right law firm ready, may not only quickly advance your investigation, but also protect your company from liability exposure. Use the attorneyclient privilege to protect your sensitive investigation from the start. Be aware that the attorney-client privilege, as applied to in-house counsel, has been narrowly interpreted by some states. The privilege is unlikely to apply to communications based on on-going business activities. To avoid risking loss of this important protection privilege, in-house counsel 42 ASSOCIATION OF CORPORATE COUNSEL

6 HAVE A COMMENT ON THIS ARTICLE? VISIT ACC S BLOG AT should avoid personally directing any investigation and should instead appoint outside counsel to take on this leadership role. A significant related concern arises when the general counsel manages the CISO or has been heavily involved in oversight of the security team. This reporting structure is likely to be interpreted as an on-going business relationship outside the scope of the attorney-client privilege. The privilege is most clearly protected when the CISO role is removed from the legal department s direct management chain and when outside counsel are managing the investigation. Preserve evidence Evidence preservation creates two issues: a technical concern and a legal concern. In-house counsel can help with both. One of the most common technical problems that investigators face is incident responders who do not understand digital evidence preservation. For example, an IT person might isolate a computer or server that has been infected by a hacker and is being used to penetrate the company networks, and then copy the hard drive and remove it from the network. Sounds good, right? Wrong! Isolation might stop the problem in the shortterm, but once the machine is removed from the network, it will be difficult for investigators to track the hacker s behavior that caused the attack in the first place. The opportunity to observe and record prefatory activity has been destroyed and with it, your opportunity to understand how the hacker gained access to your system and, more important, how you could prevent a similar attack in the future. From a legal perspective, the physical evidence on the isolated machine is now unlikely to be helpful for use in later court proceedings. Forensic investigators are subject to a higher standard for handling digital evidence than incident responders. A copy of a drive must be verified using a forensic algorithm to make sure it is accurate. Your IT person may have also ruined any chance for a later forensic examiner to verify the evidence in court. In-house counsel can and should make sure that the security team understands how to secure and preserve digital evidence in a manner that preserves it for later use in legal proceedings. Balance disclosure with accuracy Almost all US states now have data breach notification laws. These laws generally require issuing timely data breach notifications. However, rushing to disclose data leaks before finishing an investigation may cause your company more problems. For example, overestimating the scope of the breach and over-reporting the size of data lost will increase costs. At an average cost of $159 USD per compromised record, this excessive disclosure can be a costly mistake. Before jumping the proverbial gun, verify that the data lost is legally defined as personal information that requires disclosure. As in-house counsel, you can help navigate the legal and regulatory requirements governing the scope of notification, and when and how it should be given. If breach notification is required, then it should be clear and unambiguous. The lawyer can help here, too, by ensuring that language used is clear and unambiguous, satisfies applicable statutory and regulatory requirements, and does not provide extraneous information that might expose the company to additional liability. Finally, a company may consider offering public assistance along with notification, such as providing internet links to credit check services or identity theft watch providers. Offering public assistance may help retain customer goodwill and even prevent additional litigation spurred on by a victim s discontent. In-house counsel should be attuned to the company s business needs and the importance of maintaining customer relationships. At the same time, the lawyer can help manage the company s potential legal exposure if too much data is disclosed to customers. Conclusion To be effective in responding to a cyber attack, you need persistence and an adaptable plan. Be diligent in monitoring your security controls and in learning about technology. Technology is the frame on which your company operations work. You do not need a computer science degree to gain a basic understanding of cyber issues. Learn enough to understand the basic issues and possible solutions. Much of this education can be self-taught. When you understand and can communicate the issues, your security team will respect your input and ideas. You will also sleep better at night, confident that you understand your company s security plan and how to respond if there is a major incident. The time to dust off your plan and find an answer is not when an attack occurs and your CEO is on the phone asking for advice. If you follow the suggestions in this article, then you will be involved in the plan from the start, understand how to respond, be able to confidently assure your CEO that the situation is under control, and in the process, become the new inhouse legal hero. ACC NOTES 1 Ponemon Institute Report May 2013 ( US and UK companies received the greatest reduction in Symantec Internet Security Threat Report (ISTR) Symantec Internet Security Threat Report (ISTR). 44 ASSOCIATION OF CORPORATE COUNSEL