Legal Blog

Cybersecurity For The Non-Cyber Company


The Washington Post labeled 2013 the “Year of Cybersecurity” and with good reason. You can’t pick up a magazine, read a newspaper or log onto a newsfeed without being bombarded with stories about cyber threats. The recent attack on Target’s database and Edward Snowden’s removal of confidential information from NSA are just two of many examples of the on-going attack on our nation’s data networks. These attacks prove that even the most costly systems can fail against this onslaught of threats from increasingly sophisticated hackers worldwide. Federal contractors have become accustomed to the need for vigilance and have been immersed in actively identifying and thwarting invasions to their computer system. Unfortunately, cyber attacks are not limited to federal contractors or even to large companies; recent studies reveal that hackers regularly attack businesses with far smaller revenue. In fact, smaller businesses have become favorite targets for hackers precisely because security is typically more lax. The message is clear that no business is safe from attack and all companies must take steps to shore up their vulnerabilities against the loss of data. A recent study found that basic knowledge of systems and procedures to handle cyber attacks is inconsistent and inadequate across most industries in the U.S. It also revealed that current laws offer disincentives to many businesses to report threats and attacks, a situation which ultimately has an adverse impact on protecting against such attacks. The federal government has recently attempted to change this tide and create an environment more conducive to reporting cyber threats and attacks. This framework is in addition to numerous federal and state laws introduced to promote protections against cyber threats. Regardless of the efforts of state and federal governments, establishing an effective system for identifying and stopping such threats has now become every business’ mantra. 
Identified below are a few simple steps which should be taken to protect a company’s assets and insulate it from unnecessary exposure.

Agreements with Employees

Sound data protection efforts and policies are not limited to the IT department or hiring competent vendors and subcontractors. All businesses must first address the biggest threat in the company—their own staff. Essential to fighting the battle against cyber attacks are carefully crafted policies and practices required of all employees. This human element, which may intentionally access a system or negligently leave a door open to unwanted eyes, represents one of the biggest holes in a company’s preventive system. At a bare minimum, all staff should be aware that the company does not own the data it possesses, be conscious of the privacy rights of the customers it serves and the data it owns, and be held accountable for ensuring protections are maintained. These simple traits should be found in employee handbooks, employment agreements and in training provided by employers. Staff should be aware of the simple protections necessary to protect data, such as complex passwords which are changed regularly and across multiple platforms and access points, the hazards of opening certain email or visiting various internet sites, and the dangers posed by disgruntled current and former employees. Most importantly, all staff need to understand why access to the company’s network should be limited and why there need to be clear limits on accessing the company’s systems using external hard drives and other personal devices.

Addressing Customer Expectations

Another issue which must be addressed is the expectations of customers and clients regarding the storage and use of their data. Traditionally, many companies had policies which indicated that client files and information would be deleted or returned to a client after a certain point in time. With the growth of electronic media storage, the ability to effectively carry out file destruction policies is not as clear as it once was. Not only may portions of files not be destroyed as originally intended, but without a sweep across multiple datasets, it is no longer clear that all data has been destroyed. Even when companies believe that data is destroyed, there needs to be some assurance from cloud providers that the data has indeed been deleted. An in-depth examination of a company’s file retention policy needs to be undertaken.

Third Party Providers, Subcontractors and Vendors

A recent settlement reached by the Federal Trade Commission demonstrates one of the other fundamental aspects of data security which is often overlooked—the importance of examining the terms of contracts with subcontractors and vendors who have access to data. The FTC reached a settlement with GMR Transcription Services, Inc. (“GMR”) and two of its executives in connection with the leakage of sensitive medical files due to inadequate data security measures used by GMR’s subcontractor. According to the initial complaint, GMR failed to make reasonable inquiry into its subcontractor’s security practices and failed to contractually require the subcontractor to implement “reasonable and appropriate security to protect personal information.” It is not enough for a business to implement strong cyber controls; businesses are also responsible for ensuring third-party providers have reasonable cyber controls in place. If a third-party provider does not have good practices in place, the employer can be just as liable as the third-party vendor. This settlement sends a warning and teaches a valuable lesson for any company which is involved in the collection or transmission of sensitive data. All companies must make some level of effort to ensure that their subcontractors’ data protection practices are adequate and in line with appropriate privacy and security policies.

All subcontracts and supply agreements with vendors who will have access to the data should identify, represent, warrant and agree to maintain adequate physical and technological security measures. In addition to requiring this level of protection, businesses must make sure that their vendors also review existing agreements with other vertical providers in the organization’s data chain. Not all cloud providers guarantee the confidentiality, secrecy or segregation of data stored in the cloud. For example, many typical cloud agreements reserve the right to access, remove or edit data content, disclaim warranties and damages for any breaches of the cloud, have no clear processes for releasing data under subpoena, and notify users that there is no protection for any information in “public areas.” At a minimum, third-party agreements and the process for selecting third party providers should address the following areas:

  • Identification of all parties, including subcontractors of the provider, who may have access either physically or virtually to the data
  • Representations and warranties about protections currently in place
  • Analysis of the steps taken to ensure the integrity of data including representations as to whether and when it is encrypted and/or commingled with other data
  • Identification of steps taken to backup or archive data and where these backups are stored or managed
  • Whether the vendor will make any use of the information or collect any metadata
  • Whether there are any audits of the vendor’s processes and who has access to the audits
  • What is the provider’s response to subpoenas for data stored on its servers and equipment
  • What notices the vendor will provide of any breach or loss of data and how quickly it will notify you of the breach or loss
  • What ability exists to move data to other providers as necessary and whether all copies are thereafter destroyed by the vendor
  • What policies exist for termination and destruction of data over time
  • Indemnification against any losses and damages due to failure to safeguard data
  • Consent to any sub-subcontracting
  • A dispute provision including choice of law and choice of venue for resolution of disputes

Policy Development

Finally, a critical element of any cyber policy is making sure that the development of the policy and its enforcement crosses multiple desks of responsibility in an organization. Developing an effective policy involves IT, human resources, compliance, records management, risk analysis or insurance, and legal. Internal policies need to address the need for protection, obtain buy-in and compliance throughout the organization as well as in supply chains, and make sure that audits and tests of the security are regularly conducted and demonstrated. If possible, effective insurance policies should be in place to address the costs of dealing with a breach. Any such assessment and development of policies requires that a few basic areas be evaluated:

  • Who should be involved?
  • What are the Company’s current data protection policies?
  • Has an effort been made to identify protected data?
  • Is there a confidentiality statement in your general policies for all employees?
  • Does your company handbook restrict use, access and removal of certain data?
  • Is critical data protected in a meaningful fashion?
  • Have all possible entry and exit points been identified for access to data?
  • What, if any, access may be made through personal devices?
  • What policy is in place to handle a breach once it has been identified?
  • Who is to be notified?
  • Who is responsible for closing any holes?
  • What efforts will be made to preserve evidence of the breach?
  • What notification needs to be made?

Conclusion

In contrast to the installation of passwords or antivirus software 15-20 years ago, there is no one simple thing that a company can do to reasonably protect the security of its information and data. Protection is no longer as simple as putting a password on a computer or downloading an antivirus program. Protecting information and data, which includes access to a company’s IT infrastructure, is an essential requirement for doing business in the United States and globally. Cyber security efforts cannot be limited to one department or to one group of employees. The effort must be comprehensive throughout the organization, and at the forefront of every employee’s consciousness. There is no doubt that your infrastructure will be compromised; the only question will be whether you are ready to address it when it does happen.