There is no organization in the world impervious to the threat of a cyberattack. In fact, a Kaspersky Lab and B2B International survey found that 91 percent of organizations dealt with an attempted data breach at some point in 2013. In all likelihood, the remaining 9 percent are ignorant of attempted break-ins rather than immune to them. With money, regulatory action and reputation all on the line, cybersecurity is an ongoing issue for companies of all sizes, and the legal department undoubtedly needs to be involved at multiple steps along the way.
But in the new technological environment, no department is an island. The need to be involved early and often with departments like IT, security and compliance is essential to defend against cyberattackers.
The first step to that defense is to know what you’re up against.
Headline making cyber incidents are most often associated with theft of customer information, and that is no doubt a risk for larger customerfocused companies. But while these disruptive incidents carry great narrative potential due to their visceral impact on the public and the outrage they trigger, consumer data theft is the end goal of a variety of attack vectors.
“The most challenging piece for inside counsel is figuring out what criminals are doing. I was a criminal prosecutor for 12 years before coming to Walgreens, and then, as now, the criminals are always one step ahead. What we’re least likely to be aware of is what's next on the horizon for those criminals,” says Shannon Couffer, director of regulatory law at the Walgreens Company.
The fact is, consumer information can be stolen as the result of a point of sale (POS) infiltration, malware infection or even something as simple as a disgruntled employee walking out the door with a hard drive. There's no way to tell what breach vector you could be up against next. Rather than just preparing to defend against an array of attacks, looking at the actors involved could better prepare a corporation for the inevitable breach.
“I think a lot of companies have geared their strategy towards information security incidents concerning people that are trying to get consumer information, credit cards and social security numbers,” says Ed McNicholas, co-leader of Sidley Austin's privacy, data security and information law practice. “A modern threat vector that they need to be more concerned about are advanced persistent threat attacks, agents that are often affiliated with foreign nation states, and they are seeking to go after the intellectual property of the company.”
In May, the Department of Justice charged Chinese hackers with ties to the People's Liberation Army, and Russia and the United States frequently trade accusations of cyberespionage against each other. It's clear that in addition to the average hacker, highly organized criminal and military hacking campaigns will continue to evolve as a threat for corporations.
“Two key things are happening; one is that we’re seeing some of the organized criminal elements which previously focused on identity theft use techniques typically employed by the nation states, making them much more dangerous. The other element is that some of the actors in the nation states’ threat, although closely tied to the government, may be operating independently as if there were a military unit that has become a band of mercenaries.”
From the inside
Undoubtedly, organized criminal units are of the utmost concern to the organizations, but just as troubling are threats facilitated by human error.
“I’ve seen internal employee misuse situations which can either be malicious or the result of human error. Malicious if you have an employee who turns out to be a bad actor. Or human error that puts the company at risk, whether that's forgetting a laptop in a car, or clicking on a link that infects the entire organization,” says Liisa Thomas, a partner at Winston & Strawn and chair of the firm's global Privacy and Data Security Law practice.
Though Verizon's 2014 Data Breach Investigations Report showed that insider misuse contributed to only 8 percent of data breaches, the study looked only at confirmed security incidents. The cost of such mistakes can still be quite large for a corporation. A Ponemon and IBM report released in May pegged the average expense associated with human error-facilitated breaches at $117 million annually, but also indicated that as training sessions that educate employees on data risk become more common, incident rates have also dropped.
“The insider threat is, in my experience, responsible for considerably more than people realize. It's far more common for so-called “trusted insiders” to negligently or maliciously abuse their authorized access to engage in activities that expose the company to risk than it is for criminal organizations to target a company,” says Jason Straight, senior vice president and chief privacy officer of UnitedLex.
The bottom line is, whether it's from inside or outside, perpetrated by foreign covert agents or bumbling sales managers, the threat of a information breach has never been greater. The legal team can no longer sit on the sidelines.
A balanced approach
Defending against cyberattacks requires the focus of multiple departments. IT and security can select and implement the technology solutions that offer some semblance of defense against attackers, but only the legal team can assess the risk and address the mired tangle of regulations associated with a cybersecurity incident. In terms of where specifically those efforts should be focused, the experts that spoke to InsideCounsel had several recommendations.
“It has to be a balanced approach as it relates to all aspects of this. Heavy on protection and risk assessment, but with a contingency plan if there is an event,” Couffer says. The organization of her team at Walgreens allows her to keep track of all potential legal ramifications that could stem from a breach, and could be useful for others looking to form a phalanx against cyber criminals.
Couffer adds, “Our legal division is staffed against different business units. If they have an issue, they’ll go to their assigned person directly and make sure they have a seat at the table, that person learns all of their business and operational structures, what makes them tick and what their pain points are. That allows us to help as a business partner. It gives you an instantaneous team in the event of an incident.”
Straight says that when the inevitable breach has occurred, “the number one area legal should be focused on is incident response, and making sure that there is a plan that is documented and is implemented where people understand roles and responsibilities, and to make sure that legal has a very formal and central role in the response. We see legal getting caught off guard by incidents partly because they’re not brought into the incident early enough. You don't want subjectivity in this area of the plan; there should be an automatic trigger.”
Straight says that often the emotional shock that comes along with a cyberbreach can prompt an organization to do too much. Time is certainly of the essence, but fully understanding the incident ensures that “oversharing” or need for correction will not occur.
In reality, risk assessment, data audit and employee training will only take an organization so far. Current trends show that sooner or later your organization will be attacked. While there is no silver bullet for addressing the issue, each of the experts we talked to said that the first and most critical step to more effective breach preparation starts with understanding the high level threats, and knowing where your data is.
“Focus on understanding what data you have and what your protection measures are. Organizations may have thought about the larger groups of data they have, but most have not sat down and done a comprehensive audit of exactly what they have and how it's stored,” Thomas says. “That exercise will eventually allow you to build a list of priorities on what you need to address.”