Cybersecurity is becoming increasingly innovative, and the law is trying to respond effectively to these fast-moving changes.
On a basic level, as Roberta Anderson, partner at K&L Gates LLP, points out, there has been a move away from antivirus software and firewalls. She explains that antivirus software does not work well with custom-tailored malware. Instead, newer, more sophisticated forms of protection are being developed.
Another trend in cybersecurity is the need to respond to massive breaches. Recent breaches have targeted healthcare data as well as personal identifiable information.
Lawyers realize there are now 47 different state data-breach notification laws in place. Yet, there have been problems when attempting to pass other laws on cybersecurity. “By the time you’ve enacted the legislation, it's obsolete,” Anderson says. “It's hard to set parameters in a space that is constantly evolving.”
Many companies are asking for clear standards on cybersecurity. For the time being, the National Institute of Standards and Technology (NIST) framework will likely be the default standard for cybersecurity in the absence of a comprehensive federal law, Anderson explains. “That framework is likely to be something regulators and plaintiffs’ lawyers will look to as far as securing data,” she says.
Share and share alike
Meanwhile, the Obama administration has been trying to encourage businesses to share cybersecurity information with other companies and with the government.
“Nobody is secure until everybody is secure,” Frank Ip, vice president of marketing and business development at Black Lotus Communications, explains. “Definitely, the sharing of information is important.”
But Anderson and others have pointed out that sharing information with the government could expose a company to possible civil or criminal litigation or hurt its reputation.
“As of right now, there are insufficient protections offered,” Anderson says. She adds that Obama's recent executive order in this area does not go far enough in protecting companies, and that Congress needs to pass something more. Board members and the C-suite are particularly concerned about the risks pertaining to the release of cybersecurity information.
Another key trend, the expansion of the Internet of Things (IoT), a network of connected devices, poses additional liability exposure and further loss of data privacy, Anderson says. When it comes to the IoT and other innovations, Ken Westin, a security analyst at Tripwire, says, “It is important to look at the motives of the attacker.”
“Most attackers are after personal data they can sell in bulk to brokers in underground markets, or in the case of state-sponsored actors, can be overlaid with other data to provide higher fidelity of individual espionage targets. Hacking an individual device like a fitness device, an Apple Watch, or a car for that matter is not an easy task and requires a great deal of effort and resources to pull off. ... However, when it comes to black hats monetizing their efforts, they have a better return on investment by targeting the infrastructure of things than they do the Internet of Things,” Westin says.
There are also issues related to insurance and the IoT. There is a new market emerging to cover third-party bodily injury and property damage arising out of electronic data-related exposure, according to Anderson. “Inside counsel and risk managers can be of great help to their organizations in proactively identifying and working with outside counsel to address potential gaps in coverage for emerging risk,” Anderson adds.
Step by step
Stewart Baker, a partner with Steptoe & Johnson LLP, former general counsel at the National Security Agency and a senior official at the Department of Homeland Security, identifies four specific trends associated with cybersecurity.
A “revolution” in attribution capabilities. It has become more likely that a forensics firm can give a company an idea of who attacked it, based on the attacker's particular style. That means companies can defend themselves based on their greatest concerns. Also, the companies could find a way to neutralize the value of the information that was stolen. For instance, if a thief stole intellectual property and sold it to a company's competitor, the company can sue.
Electronic audit tools are much better and more widely deployed. Sensors tell companies what an attacker did in a system. It becomes easier to detect how a breach occurred, what malware was used and whose machine was compromised. Legal claims can be made against suppliers, websites or email correspondents who may not have patched a vulnerability properly or had lax security practices.
In response to persistent threats, networks are more segmented, so an attacker's ability to move from one part of the network to the next is dramatically reduced. That same segmentation makes it, for instance, harder to do e-discovery across the entire network.
There are issues related to encryption of data. A company could theoretically have access to sensitive data, such as login credentials, even if it does not look at that information. Someone could raise this in a liability action.
Overall, Baker says that there could be more attacks by foreign nation states, such as North Korea or Iran, which means companies likely will need to find a way to carry on business activities even if they are attacked. Lawyers will be called upon to help the company provide the services. “Your lawyer is going to be working overtime,” Baker says.
Boards also have been asking about cybersecurity issues, according to William Ide, a partner at McKenna Long & Aldridge LLP. These issues involve far more than just the information technology department. The general counsel, senior management and the board all have a role to play.
Specifically, general counsel are increasingly involved with IT strategy and policy, and more recently with data security, according to Elizabeth Spainhour, a partner at Brooks, Pierce, McLendon, Humphrey & Leonard, LLP.
“High profile breaches have driven this home for in-house lawyers,” Spainhour says.
“Everything we do now is subject to intrusion by third parties. … This problem is not going to go away,” Ide says. “It's going to take time.”
Companies also need to remember that a lot of cybersecurity actions tend to be “reactionary” after a breach takes place, Jonathan Katz, director of the Maryland Cybersecurity Center, explains. But he recommends being more proactive about cybersecurity. Spainhour agrees and recommends that an interdisciplinary team develop a response plan before a breach takes place, so that a team is already in place if a breach occurs. Legal, public relations, financial and technology are some of the units that need to be represented.
“An incident response team is critical,” Randall Bennett, managing director of Agio, adds. “You need a leader driving if you have an incident.”
Also, with the Internet of Things, all of those sensors will mean people do not have a choice about whether their information will be collected. It will be, Katz says.
The greater storage of documents in the cloud has also impacted the legal sector. General counsel are evaluating cloud vendors carefully, Spainhour says. Increasingly, not only is data stored in the cloud, but applications are run there as well.
As these advances take place, the Federal Trade Commission expects the companies it regulates to be able to provide “reasonable security.” Sectors like healthcare and finance are used to security regulations. Now, the scope of industries being monitored is expanding.
Looking at the bigger picture, the Obama administration is trying to adopt a more comprehensive approach to privacy. That kind of approach is seen already in the European Union, rather than the industry-specific method seen more typically in the United States. But, there are challenges for attorneys trying to work on these issues.
“Threats are constantly changing. The law takes time to catch up,” Spainhour says. “It's hard to forecast innovative and creative vulnerabilities out there for a bad actor to exploit.”