Should in-house counsel be more concerned with cyber security?

To answer the above question, Ronald Yu of Gilkron Ltd looks at recent cases of cyber security going wrong, as well as their consequences and short and long term concerns.

Two recent news articles suggested^1,2 that despite the highly publicised data breaches suffered by large retailers such as Home Depot, revelations regarding computer vulnerabilities in companies’ loyalty card systems³ and the high profile hacks of Sony Pictures Entertainment and Sony PlayStation Network⁴, Microsoft’s Xbox gaming network, JP Morgan’s and even the European Central Bank’s⁵ systems, organisations have been reluctant to invest further in security because of a lack of financial incentive to do so.

The numbers are (relatively) small
For instance, consider the November 2014 Sony hack. Despite the size of the data loss, some 11 terabytes – enough to contain the contents of 11 million books – as well as the loss of customer data, unusable gaming devices, leaking of confidential information (including private correspondence among Sony executives, salary and performance data about Sony employees, projects in progress, passport and visa information for the cast and crew working on various Sony Pictures movies, scripts for upcoming movies including the new James Bond movie Spectre⁶ and the release of several movies,⁷) the breach ended up costing Sony relatively little. Although the company initially estimated a loss of more than US$100 million, Sony noted in its Q3 2014 financial statements that the breach resulted in a loss of just “$15 million (which represented less than one percent of Sony’s total projected sales for 2014) in ‘investigation and remediation costs’ and that it doesn’t expect to suffer any long-term consequences”.⁸

Similarly, although retailer Target Corporation suffered a data breach in 2013 that involved 40 million credit and debit card records and 70 million other records (including addresses and phone numbers), the company only lost – after adjustments for insurance reimbursement and tax deductions – US$105 million or about 0.1 percent of its 2014 sales as a result of the breach.⁹

Short term v long term concerns
Yet, though many companies have ostensibly concluded that the financial losses associated with cyber breaches have thus far been so small compared to their revenues that worrying about data breaches is neither worth the expense nor the trouble, this is potentially dangerously short-sighted, particularly when losses of intellectual assets as well as, for instance, losses of confidence or failure to meet obligations under privacy or other laws, are also considered.

In-house and general counsel have obligations of confidentiality and other fiduciary duties to their employers they can exercise by ensuring their organisations meet their legal obligations. But they can also do so by drawing attention to the fact that good cyber security may help their organisations:

• Avoid legal entanglements arising from the loss of client data
• Avoid alerting competition to future plans
• Avoid dramatic fluctuations in stock prices caused by news of data breaches that, in turn, could trigger regulatory investigations
• Safeguard the organisation’s freedom to operate its business, protect its ongoing and future revenue streams and/or its ability to secure intellectual property rights (e.g. the publication of ‘secret’ technologies may prevent the subsequent prosecution of patents for related inventions).

In-house counsel also should find better ways to more securely communicate with their external counsel and advisors given the dangers lurking in the cyber world.

Security: not just technology
Though it may be unreasonable to expect the average in-house counsel to be an expert on technical security and authentication, in-house counsel should at least appreciate the limitations of technical systems; such solutions do not deal with all potential risk sources, can be expensive¹⁰, clumsy, complex, occasionally annoying (as anyone who has had critical emails and/or useful attachments unnecessarily blocked by his/her company’s junk mail filters can attest), circumvented, become technologically obsolete or all of the above.

Counsel must also know that they should not rely on government to find a satisfactory solution – consider that over a decade and a half ago, governments introduced public key infrastructure (PKI) schemes to great fanfare as a means of increasing transactional confidence and security when dealing online, only to later abandon costly PKI investments when PKI’s implementation and technical complexity proved too overwhelming for the average user.

Most importantly, counsel ought to be cognisant of non-technical means of circumventing an organisation’s security and authentication systems.

Kevin Mitnick, once the world’s most wanted hacker¹¹who broke into the networks of companies such as IBM, Nokia and Motorola, managed to compromise some of the most complex technical systems not only through technological means, but also through ‘social engineering’ (not to be confused with the term that refers to the use of sociological principles to solve societal problems) where he would, for example, phone the target organisation and convince the person on the other end of the line to give him access to something he should not have access to, then use that bit of access to obtain additional information.

The role of insiders should not be ignored. During the time of the recent Occupy Central movement in Hong Kong, external parties were able to send malware through the email systems of various organisations and educational institutions.¹² To have successfully accomplished this, they would have needed to access these systems to test for vulnerabilities and determine which malware could or could not successfully pass the technological security checks implemented at these organisations, and to obtain access, they would have needed someone on the inside either to grant them the requisite access and/or to help with the testing.

Moving forward Given recent concerns regarding the security of email systems, as well as the successful circumvention of several organisations’ electronic safeguards, in-house counsel ought to ask themselves questions such as: ‘how do I securely exchange sensitive information with my external counsel?’ and ‘how can I securely exchange sensitive information with firms that are currently not on my panel?’ The latter is of particular importance to general counsel tasked with lowering legal costs without compromising quality, who are considering new, more cost-effective advisory relationships, for example, with qualified local firms. As many professionals continue to use Blackberry handsets for their enhanced security13 which arises in large part because of the use of a proprietary, trusted network14 it is now possible to communicate with external counsel – securely exchanging documentation (that may or may not be encrypted) with vetted parties (i.e. external counsel) through an independent secure system, rather than through normal email. Some of these systems, such as LIVSs are also patented. Conclusion Though it may be tempting for in-house counsel to ignore or dismiss the threat of cyber attacks – or espionage – they ought to be cognisant of the potential costs beyond short-term financial losses and be aware that not all cyber security breaches are technological in nature. In-house counsel can help protect themselves and their employers by reducing the threat of social engineering through their own awareness, education (of other corporate employees), programmes to protect their organisations from non-technical cyber and general security breaches and vigilance.

Email: ron.yu@gilkron.com
Website: www.inhousecompliance.com

Endnotes:

• http://www.cbsnews.com/news/the-reason-companies-dont-fix-cybersecurity/
• http://www.npr.org/2014/12/18/371721061/how-much-will-the-hack-cost-Sony
• http://www.usatoday.com/story/money/columnist/tompor/2015/03/08/hacker-loyalty-card-tompor-rewards/24520343/
• http://www.vox.com/2014/12/14/7387945/Sony-hack-explained
• http://www.zdnet.com/pictures/2014-in-security-the-biggest-hacks-leaks-and-data-breaches/12/
• http://deadline.com/2014/12/james-bond-spectre-script-stolen-Sony-eon-productions-1201324726/
• http://www.technobuffalo.com/2014/11/30/fury-annie-and-other-Sony-movies-leaked-online-following-system-hack/
• http://theconversation.com/why-companies-have-little-incentive-to-invest-in-cybersecurity-37570
• http://theconversation.com/why-companies-have-little-incentive-to-invest-in-cybersecurity-37570
• For example, the Blackphone, a mobile phone handset specifically designed for secure communications, retails for US$629 – a significant premium over comparable Android phones. http://www.engadget.com/2014/10/03/blackphone-review/
• http://www.wired.com/2014/09/kevin-mitnick-selling-zero-day-exploits/
• Presentation by Dr. K.P. Chow at the University of Hong Kong, ‘Occupy Central and Cyber War: Technologies behind a Political Event’, Feb. 26 2015
• http://bizblog.blackberry.com/2014/08/fundamentals-of-security/
• Also important are secure design and the use of encryption. See: http://docs.blackberry.com/en/admin/deliverables/67038/BlackBerry_10-Security_Overview.pdf