BreachExchange mailing list archives

No More Narrow Focus: Is 2016 the Year of Cyber-Risk?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 12 Jan 2016 19:25:35 -0700

http://www.law.com/sites/articles/2016/01/11/no-more-narrow-focus-is-2016-the-year-of-cyber-risk/?slreturn=20160012120000

As 2015 came to a close, cybersecurity topped the news. Terrorist attacks
in Paris and California fueled the debate over whether law enforcement
ought to be given access to encrypted communication. Data breaches also
continued to impact companies and government agencies throughout the year.

Cybersecurity promises to remain a major risk for all organizations in
2016. “We’ll likely see continued massive data breaches, unfortunately, as
companies, governments, and other organizations holding data continue to
lag behind hackers and identity thieves in both technologies and good
practices,” Joe ‘Chip’ Pitts III, a lecturer at Stanford Law School and
former chief legal officer at Nokia, says to Legaltech News about his
predictions for 2016.

Yet despite all the talk of “how quickly things are changing” in the
cybersecurity arena for companies, “things really aren’t moving that fast,”
says Matthew F. Prewitt, an attorney at Schiff Hardin. “The more talk about
how things are going to change, the more things stay the same.”

Pitts agrees, saying, “Boards of directors and C-suites have been taking
greater cognizance of these issues, but understanding the nature of the
risk remains deficient, as do the required cybersecurity measures to manage
the risk.”

The Business Case

Breaches are impacting many companies. Some 31 percent of in-house counsel
said in 2015 that either their current or former company has experienced a
data breach, according to a study from the Association of Corporate Counsel
(ACC).

However, what is emerging on cybersecurity is how businesses are moving
away from the “very narrow focus” on personal privacy and data breaches,
which are “headline grabbing,” to broader issues such as the impact on the
protection of business assets and intellectual property, Prewitt says.

But what will be the impact if a company loses the plan for the launch of a
flagship product two years before that launch? It may be “much harder” to
bounce back from that kind of cyber theft, Prewitt says. There is also a
concern that business operations can be disrupted after cyber attacks, and
there can also be a significant loss of revenue.

On the federal level, despite a challenge from Wyndham Worldwide Corp. that
the Federal Trade Commission (FTC) did not have the authority to go after
companies which did not sufficiently protect consumer information, the U.S.
Court of Appeals for the Third Circuit sided with the FTC and validated the
commission’s enforcement authority (more on this case can be found on page
36).

Another noteworthy case in 2015 was a ruling from the 7th Circuit involving
a large data breach at Neiman Marcus. Remijas et al. v. The Neiman Marcus
Group addressed the issue of standing and whether customers impacted by the
data breach are likely to be injured even though they had not yet
experienced identity theft or other kinds of fraud. There is an
“‘objectively reasonable likelihood’ that such an injury will occur,” Judge
Diane Wood wrote in the appellate ruling.

That decision could make it “likely to see a lot more litigation in the
future,” says Allison J. Bender, an attorney at Hogan Lovells who formerly
worked at the Department of Homeland Security.

Looking at the state level, there could be some cases related to
cybersecurity coming from appeals courts in states, if cases are brought
regarding negligence and the fiduciary duties of company boards. Prewitt
says the issue could be seen in such states as Delaware, California,
Massachusetts and New York. In the meantime, Prewitt advises general
counsel to expect “in the future your company’s current level of
cybersecurity is going to be second-guessed by persons you cannot currently
anticipate by issues you don’t expect.”

That means regulators or plaintiffs can challenge companies on
cybersecurity issues. Therefore, responsible companies need to evaluate,
investigate and make diligent efforts to understand what they should be
doing on cybersecurity, Prewitt adds.

Into the Future

However, there may be some new wrinkles in 2016. Billions more products
will be able to communicate with each other as part of the Internet of
Things “with the net result of burgeoning cybersecurity risks from this new
segment,” Pitts says.

In addition, because of the increasing popularity of the cloud, even small
companies are likely using the cloud now for systems such as human
resources or accounting “one way or another,” says Michael R. Overly, an
attorney with Foley & Lardner. “It’s incredibly hard to avoid it.” But be
forewarned: in contracts cloud providers “are not going to assume much in
the way of responsibility” if there is a breach, he adds.

Looking ahead, doxing, which is the hacking of computers followed by the
publishing of documents in order to embarrass the target, “is on the rise,”
Pitts says. Previous examples took place at Sony and Ashley Madison, and
there were additional instances involving celebrities who stored sensitive
photos, and even CIA Director John Brennan, according to Prewitt.

“We can expect it to increase further in the U.S. during [2016],” Pitts
says, pointing out that the risk is higher especially because it is a
Presidential election year. There also is likely to be more pressure on
tech companies to provide “back doors” so law enforcement officers can
unravel encrypted communications. “We’re seeing stepped-up support at the
moment for private and government hacking and computer network and product
backdoors in government bills and laws, but as the immediate aftermath of
the Paris and San Bernardino attacks fades more reasoned and deliberate
approaches will again assert themselves,” Pitts says. He warns that “adding
vulnerabilities and backdoors to technology networks and products threatens
to expose all of us to greater hacking, identity theft, privacy violations
and other tangible as well as intangible harms on the misguided theory that
allowing government access will somehow fail to also allow access by
terrorists and cyber-criminals and prevent determined terrorists from
communicating securely with each other as they plan attacks.”

Course of Action

When it comes to the NIST Cybersecurity Framework—which was released in
2014—Bender says it is “likely to continue to have major influence on how
companies are assessing and organizing their cybersecurity.” She describes
it as a “very flexible” framework which draws on existing standards
and best practices. But critics argue the NIST framework is of limited
value.

Prewitt points out the NIST framework is “vague by design.” A new version
of the framework may be proposed in the near future. In fact, in December
the NIST published a request in the Federal Register for feedback on how
the framework “is being used to improve cybersecurity risk management, how
best practices for using the framework are being shared, the relative value
of different parts of the framework, the possible need for an update of the
framework, and options for the long-term governance of the framework.”

As for now, Bender recommends companies respond appropriately to
cyber-risks by:

- Spending time assessing the company’s current cybersecurity program and
involving counsel so that the work is covered by attorney-client privilege;
- If there is a data breach, making sure the first call is to an attorney;
- Adequately investing time and resources to be “responsible cybersecurity
citizens”; and
- Having drills and policies in place proactively before a data breach takes
place.

Companies need to continue to be proactive in 2016 and prepare for whatever
cyberattacks that are directed at them. Otherwise, they are more legally
and technologically vulnerable than their well-prepared peers.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss