Sharing cyber vulnerabilities with the government
May 2016 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
The sophistication of cyber intrusions has increased exponentially over the past two years, evidenced by the devastating hacks of companies in every industry, including major retailers, healthcare companies, banks, movie production studios, governmental databases, and now, utilities. Chief information officers are frequently lamenting (and rightfully so) that they don’t have the resources or expertise to combat the increased sophistication of hackers. The Federal Bureau of Investigation (FBI) continues to warn certain industries of vulnerabilities, and now the Internal Revenue Service (IRS) and other governmental entities are issuing their own warnings in order to better inform industries of cyber threats that are focused on certain behaviours or information.
For instance, on 1 March 2016, the IRS issued an alert to all payroll and human resources departments that a sophisticated phishing scheme had already targeted and successfully obtained personal information of employees of thousands of companies throughout the US. The scheme started with an email claiming to be from a high-ranking employee in the company, usually the chief executive officer, to an employee in the payroll department asking for W-2 information of company employees. The email looked real, and sometimes cc’d another high-ranking employee in the company, but both the sender and the cc address were actually routed to the hackers’ email accounts. The email asked someone in the payroll department something like, “please send the W2s of our employees as soon as you can”. The hackers were able to use social engineering to determine how email addresses were set up in the company (usually from the employee’s name), and who the highest-ranking employees in the company are. Requests from higher-ranking employees of the company to lower-level employees are less likely to be questioned. Based upon our own experience, by the time the IRS issued the warning, many companies had already fallen victim to the scheme and W-2s had been sent to the hackers. Of course, W-2s include the name, address, social security number and salary information of the employee. The information contained on a W-2 usually triggers state breach notification requirements.
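As an added illustration (not part of the original article), the following Python script shows the kind of check a mail gateway or payroll mailbox rule could apply to the scheme described above: it flags a message that asks for W-2 data when the display name matches a known executive but the sender address differs, or when the Reply-To points outside the company domain. The executive directory, the company domain and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: company mail domain, and executive display name -> real address.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
W2_PATTERN = re.compile(r"\bW-?2s?\b", re.IGNORECASE)

def _text_of(msg):
    """Subject plus every text/plain body (single-part or multipart)."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def analyze(raw_message):
    """Return (suspicious, reasons) for one message given as an RFC 822 string."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    expected = EXECUTIVES.get(name.strip().lower())
    impersonated = expected is not None and addr.lower() != expected
    external_reply = bool(reply_to) and reply_to.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN
    asks_w2 = W2_PATTERN.search(_text_of(msg)) is not None
    reasons = []
    if impersonated:
        reasons.append("display name matches an executive but the sender address differs")
    if external_reply:
        reasons.append("Reply-To points outside the company domain")
    if asks_w2:
        reasons.append("message asks for W-2 data")
    # Alert only when a W-2 request is paired with an impersonation indicator; a genuine
    # internal request is not flagged here but still merits out-of-band confirmation.
    return asks_w2 and (impersonated or external_reply), reasons

# Constructed samples resembling the scheme in the article; addresses are placeholders.
PHISH_SAMPLE = """From: Jane Doe <jane.doe@mail-example.net>
Reply-To: Jane Doe <jane.doe@mail-example.net>
Subject: W2s

Please send the W2s of our employees as soon as you can.
"""
LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example.com>
Subject: Quarterly headcount

Please send the quarterly headcount summary when you have a moment.
"""
```

Running `analyze(PHISH_SAMPLE)` returns `True` with all three reasons, while `analyze(LEGIT_SAMPLE)` returns `False` with none.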
Luckily, many companies reported the scheme to governmental authorities, including the IRS. As such, the experience of the companies that reported the scheme could be relayed to other companies so they wouldn’t fall victim to the same scheme. Reporting the scheme protected other companies from becoming victims, and provided these companies with the opportunity to inform their employees of the scheme and heighten awareness of data privacy and security issues within the company; undoubtedly this is a very positive result.
The sharing of information by these companies definitely helped other firms. So why are companies so reluctant to share cyber intrusion information with the government? In the past, one concern voiced by private industry was that they didn’t want to share cyber intrusion information because they didn’t want the government to be aware of their specific data security vulnerabilities, particularly since the government has become more aggressive recently in enforcing data security cases. Companies were concerned that if they shared specific data security vulnerabilities with the government, it could be used against them in an enforcement action.
Even though this is an often-cited reason to keep cyber intrusion information close to the vest, there are no reported (even anecdotal) incidents in which one governmental entity that is assisting a private company with a cyber intrusion investigation has provided information gleaned during the investigation to another governmental entity, which then used it in an enforcement action. Why? Because the FBI (and other federal governmental entities) is encouraging private industry to report cyber intrusions so everyone can use the information to combat the cyber hacking crisis together. If the FBI gets the reputation that it hands over company vulnerabilities to the Federal Trade Commission (the most aggressive enforcer of data security), no one would ever report their experience and the whole system of helping each other would collapse.
There are a number of pros and cons of sharing cyber intrusion information with the government which companies should be aware of, though this is by no means exhaustive. The first advantage is that organisations providing cyber intrusion information to the government may alert other companies to the intrusion and prevent them from becoming a victim. Equally, the intrusion may already be under investigation and the government can assist with your investigation if they have information from other companies about the intrusion. Companies providing the information will assist the government to investigate crimes and prosecute hackers. Furthermore, attitudes about cooperating with the government will soften and will help the whole system if more and more companies share information to help each other. In terms of the bigger picture, amassing more information will help combat the increased sophistication of hackers in a collaborative way. Additionally, the intelligence and expertise of the whole (both private sector and government) is greater than the individual.
However, as noted, there are some drawbacks. First and foremost, these concern the government’s ability to keep the information confidential in the face of Freedom of Information Act (or other) requests. Government involvement may also complicate a company’s internal investigation, and may delay compliance with breach notification obligations.
The pros and cons should be considered by a company in each instance, and the number of the pros and cons is irrelevant to the final analysis. Each factual scenario is different, and whether a company decides to share cyber intrusion information with the government will depend on the circumstances. However, the decision to share information with the government should be considered each time, particularly in this age of technological sophistication. The schemes will only continue and become more refined.
We are all in this together. The more information the government and private industry can glean from each other, the better we will be able to combat this widespread problem and prevent others from becoming victims. As a start, you may wish to find out who in the government to call if you have questions or need assistance with an investigation. The FBI, Secret Service and Department of Justice are all heavily involved in cyber security and most cities have a cyber task force. From our experience, they are eager to assist, very helpful and welcome developing a relationship with private industry.
Linn F. Freedman is the chair of the data privacy & security team at Robinson & Cole LLP. She can be contacted on +1 (401) 709 3353 or by email: firstname.lastname@example.org.
© Financier Worldwide