Articles Posted in Risk Evaluation and Management


You spent valuable time and resources crafting a cybersecurity breach action plan. You’ve assembled a multidisciplinary response team. You’ve identified who is responsible for what, and what decision-tree will go into effect. The plan has been circulated. You’ve even engaged a separate law firm that will be on call in the event of a breach. You’ve done the same with a PR firm, a private investigator and data breach hit squad.

But if the action plan stays put on a shelf, it isn’t really of much value. Smart companies run a tabletop exercise, where first responders sit at a conference table and run through what will happen in the event of a breach. But really smart companies do something more – they take their efforts out of the conference room and into the real world. Breaches involve stress, panic and urgency. It’s not the time to be opening a binder and flipping through tabs for instructions. All those with responsibility for securing the breach need to be battle tested.

Just as fire drills are mandated safety requirements, breach drills should be mandatory training for your team. These exercises bring to light the weaknesses, if any, inherent in your breach response plan. These drills take a good plan and refine it into a great plan.

The key to testing the plan is making your drill as realistic as possible. Notify responders there will be a drill, but not when it will happen. Then, perhaps on a weekend, unleash a hypothetical and set things in motion. Designate several observers to follow the drill to see how closely actions hew to the plan. Document what went right and what went wrong so adjustments can be made later.

While there is no nationwide cybersecurity program, the Federal Trade Commission has brought more than 50 actions claiming that the cybersecurity practices of a variety of companies in a variety of industries. While these actions have primarily been administrative and resulted in settlements, and the specifics of each order apply only to the company affected, these actions are instructive as to what the FTC expects of cybersecurity programs. A byproduct of the FTC’s actions is a guide to companies to create better privacy and security policies and programs. While these cases don’t necessarily identify how to run “gold-standard” programs, they identify what the FTC expects as minimum standards for efforts to protect data.

The FTC has said that most enforcement actions it has brought involve “basic, fundamental security missteps.” Many are human error, but there are also plenty that show deficiencies in cybersecurity risk assessments and programs.  This piece describes baseline guides; companies should consult qualified counsel for specifics. Engaging counsel itself on these issues is a sign to regulators that a company takes cybersecurity seriously. But doing it correctly depends on engaging top legal counsel and experienced advisors early on.

Human Factor.  No cybersecurity program is ironclad as long as human error exists and the skills of hackers evolve at the same rate as technology itself. But many cybersecurity breaches are the result of more simple mistakes. The FTC requires “reasonable” efforts, not complete security.

It’s also important to note that cybersecurity solutions are not one-size-fits-all, even for companies within the same industry. Prevention programs depend on the unique circumstances and business practices of each company. Regardless of company or industry, however, a demonstrated commitment to security is required, both to satisfy the government and to protect valuable corporate and customer assets.

Cybersecurity horror stories tend to focus on government agencies, retail outlets, health care institutions, and other companies serving consumers. But business professionals such as lawyers, accountants and business managers are increasingly at risk of attack, and may be less prepared to handle a cyber assault.

Late last year, three Chinese citizens were criminally charged in the United States with trading on confidential corporate information obtained by hacking into networks and servers of two prominent law firms, reported to be Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP, working on sensitive and highly confidential mergers. This was market-moving data, including information on Cravath’s work and information on an acquisition of its client, Pitney Bowes.

Prosecutors said the hackers gained access to the law firm’s computer system using an employee’s credentials. The hackers then installed malware on the firm’s servers to access emails from lawyers, including a partner responsible for the Pitney deal. Similarly, the hackers obtained information about an Intel acquisition from the IT system of its counsel, Weil Gotshal. The hackers made millions of dollars trading on the confidential information about the deals, and exposed the danger law firms and other professional service firms face.

What’s worse, consider this: in all likelihood, there are probably dozens of professional service firms that have experienced cybersecurity breaches and don’t even know it.

Last year, SEC Chair Mary Jo White named cybersecurity as the biggest risk facing financial markets. But the risk isn’t limited to the financial industry – even a casual review of breach reports in the mainstream press shows that cybersecurity is a risk common to all companies in any industry. The challenge facing companies is how to prepare for what seems to be inevitable, and how to do it on an efficient and economical basis.

The key element in preparing for a data breach is less a technical matter than a traditional evaluation of business risk.  Companies regularly analyze the risks of business decisions, and just as regularly, recognize that risk analysis requires legal advice.  Evaluating cybersecurity risk is no different – it requires that a company understands the risks it takes, which risks it is willing to assume as part of its business and which risks need to be eliminated or shifted (through insurance, contractual arrangements or otherwise).  Understanding this, obtaining competent legal advice before a breach is a critical aspect of any cybersecurity plan.

Despite this fact, many companies focus their data protection programs in IT, and only bring in their lawyers late in the game to bless their cybersecurity measures. While legal expenses are always a concern, companies will reap a greater return on their overall cybersecurity investment by soliciting advice early on, and stand better odds a breach will be handled correctly and efficiently.

What can cybersecurity lawyers bring to the table?

Hand-in-Glove Collaboration

Perhaps most importantly, legal counsel commonly work with a variety of corporate players and are in a unique position to work hand-in-glove with IT, HR, and other functions to assess and reduce cybersecurity risk while still permitting a company to function efficiently. An experienced lawyer is often the best person to lead a team that establishes key protocols to avoid a breach, including policies and procedures for privacy, confidentiality, mobile device usage, record retention, and breach protocol. Lawyers are particularly able to address the key elements of an effective cybersecurity plan.

Cyber risk affects businesses of every size and industry. A data breach can lead to negative publicity, loss of customer confidence and potential lawsuits. There can be a variety of unanticipated – and costly – business disruptions.

Just ask the owners of the Romantik Seehotel Jaegerwirt hotel, in the Austrian Alps, which recently had their systems frozen by hackers, resulting in the complete shutdown of hotel computers. The hackers breached the hotel’s key card system, making it impossible for guests to enter their rooms and preventing the hotel from reprogramming the cards.

The hackers did not scrape guests’ credit card data, as has happened with other hotel data breaches, but instead demanded a ransom payable in Bitcoin. The Romantik Seehotel Jaegerwirt – which was fully occupied at the beginning of ski season – paid the ransom, at which time control of the key card system was restored.

While highly disruptive, it’s easy to imagine how it could have been worse. Fortunately, the hotel located and fixed the backdoor left by the hackers (which the hackers tried to exploit almost immediately) and secured their systems.

Vulnerability to hackers seeking to take control of a building’s system is a very real threat to organizations of all kinds: hospitals, hotels, law firms, research facilities, banks, retailers – virtually any kind of business that is housed in a “smart” building.

One of the great frustrations in contemplating a data security program is that there is no such thing as a one-size-fits-all solution. There is no law or regulation that specifies the exact steps a company needs to take in order to achieve data security. While there are some regulatory and industry recognized compliance programs – like health law requirements under HIPAA and the data security standards established by the Payment Card Industry – these provide compliance guidelines, not actual data security. And these compliance guidelines themselves emphasize that each firm must establish security standards which meet the requirements of their business operations.

The fact is that data security, like any kind of security, requires a clear understanding of the unique needs and operations of a company. Every company has different information requirements and standards as to the information it collects, how it retains that information and how it uses it. Consequently, data security can only be achieved by understanding what a particular firm does, not what is common or typical in an industry.

Assessment Defines Approach

Another factor is that while it is common to look at data security as a technical issue, technical compliance addresses only part of the goal; any review of data breaches will show that individuals – the human factor – are the most common source of insecurity.  This is not just due to the possibility of an employee clicking on the wrong website or responding to the wrong email; human error can start at the point that a data security plan, and its technical components, are contemplated.  Without understanding the scope of the company’s data security requirements, those selecting and implementing the “solution” will find that they have not addressed the security challenges.


December is the month for predictions. During this month, commentators of all sorts and in all areas predict the trends and actions that will impact us during the coming year. While speculating about the future is a questionable pursuit, we at the Cybersecurity Lawyer Forum would hate to be left out of the fun. With that in mind, a few thoughts on what we might expect in the year to come.

National Cybersecurity Legislation

Legislation in the United States is less an exercise in establishing comprehensive systems than in reacting to events; much legislation tends to be anecdotal and designed to fit the day’s headlines.  Moreover, legislation is a curious process, and even with the Congress and White House held by the same party, legislation is hard to pass.

Cybersecurity legislation faces additional hurdles. It is not always the highest priority for lawmakers, especially during a year when an entirely new administration must be established, and when the campaign promises of the last year did not include cybersecurity as a priority.

Paralysis is one of the biggest obstacles to achieving a cybersecure environment. Companies are often unable to take the steps necessary to bring security to an enterprise. It’s not only common; it’s entirely understandable.

Achieving cybersecurity appears to be an overwhelming task. Every day brings another headline announcing a data breach, or reports on the enormous cost of data breaches – one has to wonder if implementing a cybersecurity regime would even achieve its goal. Companies are challenged by the complexity of their systems and the seemingly impenetrable jargon used to describe them.  Funding a cybersecurity program is a challenge – as one CEO put it, “I gave my team an unlimited budget, and they exceeded it.”  Spending valuable time and scarce resources on security takes away from operations that ground an enterprise. Companies fear that focusing on cybersecurity can only come at the expense of their core operations.


Spring is the season for many things, including the publication of cybersecurity surveys. In the past few months, Verizon has published its Data Breach Investigations Report, Ponemon Institute published its 2016 Study on How Organizations Manage Data Breach Exposures, the California Attorney General published its annual California Data Breach Report, and a variety of others have published reports describing the state of cybersecurity and privacy, and the threats individuals and businesses face in online security. While the reports each contain important facts and focus on different aspects of cybersecurity, they also have some key lessons for enterprises that focus on risk reduction:


We are flooded with news reports of major data breaches and malware attacks. The reports focus on attacks against businesses with significant volumes of sensitive personal and financial information, like financial institutions, hospitals, retailers – and most recently, law firms. There is no question that the press pays the most attention to a data breach when large volumes of valuable information have been stolen or encrypted for ransom.

Some firms, like business managers and family offices, have not received much media scrutiny. But lack of media coverage is not a reason for comfort. These organizations are ripe targets for intruders, precisely because of the people they represent and the information they possess. Business managers and family offices hold the most confidential information of their clients – financial records, bank and securities account information, health records, estate planning and trust documents, physical locations of valuable assets and the like. Intruders do not gravitate only to the largest companies or those with the highest public profiles. Rather, intruders are attracted to targets with valuable information, regardless of who they are.
