When Information Security Became a Lawyer’s Thang

15 Min Read
By: Randolph A. Kahn, Breeanna T. Brock

In the case of NotPetya, it is not simply a matter of many individual enterprises being hit but rather entire supply chains being hit as well. Reckitt Benckiser Group just announced they will likely have issues hitting their quarterly numbers because they could not invoice for millions of dollars because production lines were impacted. While you may have heard about FedEx being hit, Moller-Maersk (the world’s largest sea logistics operation) will also have their top and bottom lines take a sizeable toll as thousands of shipping containers could not be offloaded due to system failures/compromises of sea ports. Understanding cyber risk is a core element of understanding today’s business risk. (Carter Schoenberg, Buying Cyber Insurance: Buyer Beware)

In May, a piece of ransomware known as “WannaCry” paralyzed businesses, government entities and Great Britain’s National Health Service in one of the largest global cyberattacks to date. The following month, it was “Petya,” another massive cyberattack that crisscrossed the globe, bringing Russian oil companies, Ukrainian banks and a mass of multi-national corporations to their collective knees. As the frequency of cyberattacks reaches epidemic proportion . . . many businesses still lack adequate protection. By taking the time to understand the threats, how to prepare, and what to look for in a cyber liability policy, you can ensure that your business has the coverage it needs to survive a breach. (Evan Taylor, The Changing World of Cyber Liability Insurance)
Companies are exposed to an endless assault on their information technology (IT) infrastructure from a variety of anonymous hackers, whose motives range from mischievous (much less likely) to felonious (much more likely). Breaking into servers, computers, and Cloud providers to steal valuable information has become mainstream in the last decade. It is clear today that lawyers must play an increasingly significant role in addressing information security (InfoSec) issues. Managing this issue is of paramount importance because InfoSec has evolved from an IT issue into a C-Suite strategic problem: a company’s reputation, valuation, business vitality, and customer confidence can all hinge on how it protects its information assets. This article explores how lawyers can and should play a greater role in dealing with InfoSec.
Introduction
In March 2014, the largest exploitation of government personnel data to date began to come to light when InfoSec personnel at the U.S. government’s Office of Personnel Management (OPM) detected a hacker (widely reported to be the Chinese government) trying to gain access to the OPM servers. OPM watched the hackers maneuver around the government’s IT environment for months, or longer, looking for the perfect treasure trove of information. Upon finding it, the hackers exfiltrated the personnel files of 22 million past and current U.S. government employees. A catastrophic event no doubt, but just one of the thousands of massive security breaches regularly impacting entities across the globe.

A common adage among technology professionals is that regardless of how much money or effort is expended to secure an IT environment, if someone wants to get in badly enough, they will. There is no perfect security. A hacker need only find one way in, whereas the company must protect against an ever-increasing number of more sophisticated threats able to exploit the smallest technical chink in the IT armor.

As cyber defenses have become more robust over time, hackers likewise have become much more sophisticated. Whether moving undetected within a storage environment, hacking a military facility, stealing product design drawings, or holding information hostage through various ransomware scams, we are entering the new era of information terrorism.

Vigilance in combating information terrorism is essential. Every facet of modern life is connected, and that connectedness can lead to more harm, done more quickly, with fewer ways to combat the problem. The assault on InfoSec and the fight against information terrorism will require multidisciplinary teams that enlist lawyers and legal departments to play a more active role in making InfoSec a reality for their organization. But what can lawyers do practically?
Contracting
Most lawyers do not view InfoSec as their problem. Anything related to technology is perceived as the exclusive province of the technology department. Historically, lawyers likely had only some contracting responsibility related to technology acquisition or a software license. That mindset has contributed to the InfoSec crisis and must change.

In recent years, lawyers have been negotiating (with IT help) security level agreements (SLAs) that dictate, among other things, the security requirements mandated by contract and the limitations of liability for InfoSec failures. SLAs set out the parameters the service provider will follow, the minimum level of service required, and the remedies available if the provider fails. Given that each provider has its own SLA, lawyers should work to develop standardized requirements and language to be used on behalf of their client.
In response to a shift to the Cloud as a cost-effective, scalable, storage solution, lawyers must also proactively address information ownership, access, discovery, security, privacy, and other compliance requirements in contract when negotiating with each new Cloud vendor. Further, as there are many ways to implement a Cloud technology solution, l
