By Michael Gottlieb and Matthew Schwartz
Cybersecurity threats have evolved more rapidly than the technologies and processes available to defend our most sensitive information, and the speed with which new threats emerge is leaving the legal framework that governs data privacy and security in the dust.
When data breaches began to seep into general public consciousness sometime in 2013, the incidents garnering public attention tended to fall into one of two categories. The first and most widely appreciated category was breaches obviously motivated by financial gain. The poster child for this category is the large-scale retailer breach, including the attacks on The Home Depot Inc., Target Corp., Neiman Marcus Group Ltd. LLC and others. Hackers penetrated these retailers' networks to steal financial and other personally identifying information and then sell that information on the black market.
The second category involves breaches of U.S. government organizations orchestrated chiefly by foreign governments (along with state-affiliated criminal networks) in order to steal government secrets for military, intelligence, economic or other foreign policy gains. The most recent example of this type of breach was the brazen attack on the networks of the U.S. Office of Personnel Management, likely launched by hackers employed by or affiliated with the Chinese government, which compromised the personnel security files, including fingerprint records, of millions of current and former federal employees.
A third type of breach — cyberextortion — entered the limelight when North Korean hackers launched a coordinated cyberattack against Sony Pictures Entertainment Inc. in late 2014. The attackers sought to intimidate the company into scrapping the release of its movie, "The Interview," by threatening to publish all of the company's most sensitive documents if it failed to comply. The Sony breach remains the most visible example of cyberextortion, in which the attacker threatens to reveal private information unless the victim agrees to certain demands. Both the Sony breach and the more recent attack on Ashley Madison have also underscored that hackers may be motivated by political or ideological objectives rather than financial gain alone.
These three categories do not represent an exhaustive taxonomy of cybersecurity threats, but they can help us understand both the diversity of hackers' targets and the creativity of their methods. Recent attacks, particularly in the category of breaches motivated by financial gain, demonstrate the inadequacy of traditional approaches to cybersecurity, which have focused overwhelmingly on the protection of personally identifying information and, to a lesser extent, proprietary information such as trade secrets. Although such efforts remain important, it is clear that a data security program that focuses exclusively on these types of information is likely to fail.
THE PRESS-RELEASE SCHEME
An illustration of how hackers have evolved is the scheme to hack corporate press releases recently uncovered by the U.S. Department of Justice and Securities and Exchange Commission (SEC). The press-release scheme involved a conspiracy in which traders paid hackers — who developed sophisticated organizational and marketing tools, and even took orders from their customers about which press releases to target — to obtain thousands of press releases from PR Newswire, Business Wire and Marketwired prior to their release. The traders then used early access to those releases to execute profitable trades on companies such as Radio Shack Inc. and Panera Bread Co.
The conspiracy to steal press releases is significant for a number of reasons. First, the hackers did not seek out one particular target based upon a perceived vulnerability. Instead, they targeted a group of companies that collectively creates, stores and disseminates a particular and specialized type of information — corporate press releases — of great value to those willing to disregard the insider-trading laws. That is to say, the hackers targeted the news services not because of their vulnerability, but simply because of the wealth of information they stored. Second, the press-release scheme involved a large-scale enterprise in which traditional financial fraudsters joined with hackers-for-hire to achieve a common objective. As these types of enterprises become more common, many kinds of crime will become easier to commit and conceal.
One obvious lesson to draw from the press-release cases is that any organization that holds material nonpublic information relating to public companies is likely to become a target for hackers. This includes public companies, but also — and perhaps especially — entities that are likely to hold material nonpublic information concerning multiple public companies, such as professional-services firms, private-equity funds and news organizations. Any entity that collects or holds material nonpublic information should perform risk assessments that examine access, storage and retention policies that apply to such data.
Attention must also be given to the policies and procedures that define the entity's relationships with third parties, such as vendors and contractors that have access to systems that store such information. Furthermore, such information should be clearly identified as a separate category in incident-response plans, and table-top exercises should be structured to test identification, mitigation and notification procedures in the event of a breach.
For SEC-regulated entities, such as brokerage and advisory firms, this type of planning has become mandatory. The SEC's Office of Compliance Inspections and Examinations recently launched its second round of cybersecurity examinations of registered entities.
The commission's first sweep, which began in the spring of 2014, established clear areas of SEC concern, including the need for firms to conduct risk assessments; the importance of developing a written information-security policy appropriately tailored to the business; and appropriate cybersecurity governance, including board and senior executive participation, employee training and third-party controls. The new round of inspections is likely to bring with it a more aggressive brand of enforcement, including the possibility of enforcement actions similar to those that the Federal Trade Commission has brought over the past several years.
Perhaps the most important message is that prevention and preparedness efforts must assess all of an organization's data, rather than simply the data that initially appear to be high risk based upon past breaches. All of a company's data could be exfiltrated in one attack, and innovative hackers will continue to find new buyers for new types of stolen data. Thus, sound preparation should begin with a thorough data-mapping and risk-assessment exercise that considers not just how a company uses its data, but how others might misuse them.
Although no amount of preparation will eliminate the risk of a breach, beginning with the appropriate inquiry may help decrease the risk of relying upon information security policies that are stuck in the past.
Reprinted with permission from the October 5, 2015 edition of The National Law Journal © 2015 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 - [email protected] or visit www.almreprints.com.