Moving beyond data breach prevention
April 2015 | SPOTLIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
It is now a common refrain that data breaches are inevitable. Indeed, most companies, non-profits, and governments today understand that it is only a question of when, not if, they will be struck. That unfortunate reality means that an effective approach to cyber security cannot focus solely on prevention. To be prepared, organisations must assume that data breaches are a certainty, and must not only mitigate risks, but also devise methods to contain the damage once breaches take place.
This problem is complicated by the evolving nature of data breaches. The kind of breach that affected retailers such as Target, Home Depot and Neiman-Marcus is well understood: hackers, motivated chiefly by money, break into corporate networks, steal data such as credit card numbers, and then attempt to sell that data on the black market. The 2014 cyber attack on Sony Pictures Entertainment revealed a new kind of threat, data breaches aimed at private entities that are motivated by ideology. This category of breach is distinct from breaches aimed at private entities motivated by financial gain, as well as ideologically-motivated breaches that previously had been directed almost exclusively at governments. Today, individuals and organisations around the world fear that their most sensitive data will be released to the public by hackers who disagree with their work, beliefs or speech. This new form of hacking is designed to intimidate its victims by threatening to take what is confidential and make it public. To be successful, the criminals who perpetrate such attacks rely upon the assistance of third parties in order to disseminate the information that they have stolen.
Preparing to face this kind of threat requires a new approach. Financially-motivated data breaches have tended to target information that can be easily valued and marketed – think of trade secrets, intellectual property or personally-identifying information. Now companies must confront the prospect of having the email inboxes of their executives, board members or employees exposed and released, in whole or in part, on file sharing services, Twitter accounts or the front pages of newspapers. And this reality must be confronted not just in one country, but globally, as both hackers and the data disseminators that aid their objectives often operate covertly, or in jurisdictions that have weak law enforcement capabilities.
Data breaches of the type described above will immediately be followed by an open season on the victim’s most sensitive information. To be successful, an organisation’s response will require decisions to be made within days, if not hours, of the intrusion. And those decisions will have to be made while the organisation is facing immense pressure from the media, regulators, competitors, employees and shareholders. As a result, an organisation’s plan must anticipate not just how it will respond to inquiries from regulators, customers and employees, but also what affirmative steps the organisation may need to take to limit the spread of stolen data.
Containing the spread of stolen data is challenging in part because the category of electronic data is not treated the same, as a legal matter, as that of physical property. For example, if a car dealership has 10 cars stolen from it, those cars must be returned to the dealership once they are located. But if the same dealership has 10 gigabytes of data stolen from its servers, the question of whether that data would have to be returned would depend on a large number of factors, including the types of data that were stolen, the identity of the person or organisation that holds the data, and the jurisdiction in which the data ultimately are found. Indeed, although most of our vital information resides in digital form on servers rather than in physical paper files, the vast majority of legal rules regarding the protection of that information remain relics of an analogue era.
Until the legal rules governing stolen data catch up to modern realities, an effective response to a significant data breach will require a sophisticated understanding of overlapping, and often conflicting, legal rules relating to the protection of trade secrets, intellectual property (including copyrights and patents), personal privacy and online data protection, attorney-client information, the laws relating to theft or conversion of physical property, as well as the freedoms afforded to the press and speech in any given jurisdiction. At a minimum, organisations must understand how these rules operate in the jurisdictions in which they collect and store data. Ideally, an organisation should understand the categories of sensitive data it holds, the jurisdictions in which its data reside, and the legal protections available to each category in each jurisdiction. That understanding can help companies to evaluate what remedies, if any, will be available to seek the return or destruction of stolen data.
Further, incident response plans and preparation drills will have to incorporate the potential demand letters, notices or legal actions that might need to be employed to contain the damage done by an enterprise-level breach. These exercises will likely prompt difficult questions regarding each organisation’s risk tolerance, including an evaluation of the strength of the organisation’s relationships with the media, law enforcement, business partners, and online information hosting and sharing platforms, and the willingness to leverage or sacrifice those relationships if necessary. These questions, while certainly challenging to answer in advance of a crisis, will be more difficult if not impossible to answer under the time pressures imposed by an enterprise-level data breach.
Michael J. Gottlieb is a partner at Boies, Schiller & Flexner LLP. He can be contacted on +1 (202) 237 9617 or by email: firstname.lastname@example.org.
© Financier Worldwide
Michael J. Gottlieb
Boies, Schiller & Flexner LLP