The sheer gravity of breaches is pulling General Counsel to the core of cyber-security. As bastions of corporate reputation and the architects of containing consumer and legal fallout, General Counsel are increasingly relied on to introduce control and prevent lawless freefalls. How are General Counsel orchestrating the communications around a breach to present a united front? And how are General Counsel collaborating with CIOs to remain abreast of the latest threat intelligence and share critical information on regulatory developments? How are General Counsel enforcing security diligence with external partners? And which systems are empowering in-house teams to operate with mobility, confidence and security?
My job is CEO of a technology vendor, Dazychain. We spend our time on the other side of the fence selling technology to in house counsel and designing software systems to be safe and secure.
In our experience GCs generally ask just a few preliminary questions about security, but we think there are more questions they could usefully ask. The IT departments handle all the technical issues around security, but there are important, preliminary, common-sense issues to cover off in the first stage which lawyers are well equipped to do. Lawyers can probe into
commercial security issues
how the relationship would be structured
the reputation of the vendor software
the experience of other users of the software
Assessing the risks with your vendors and suppliers is very important. Recent history demonstrates that a major source of risk for corporates are the cyber breaches which happen through their suppliers. It’s a big risk for you if you sign up a supplier who opens the door for rogue hackers into the personal information held by your company.
The consequences of a breach can be very severe.
Loss of sensitive data
You could lose a lot of sensitive data. Austal, a prime Australian defence contractor to many governments, was hacked and inadvertently shared 30GBs of their clients’ restricted information on jet fighters, submarines, patrol aircraft and smart bombs. The bad actors spent 3 months inside the firewall looking around and extracting data. They then tried, apparently unsuccessfully, to extort money from Austral. How that happened is quite telling, and we’ll get to that in a moment.
You might get a class action filed served on your organisation. Class actions in relation to data breaches are expected to increase according to a Global Legal Post survey published in April. The number of companies predicting data privacy class actions doubled from 29% to 54%. They predict collective actions under the European Union’s new GDPR as the next wave of litigation. They are also concerned about the impending California Consumer Privacy Act.
Right now, there is a John Grisham-like situation unfolding in the US over the Marriott hotel organisation data breach. The trial judge is managing over 80 different lawsuits filed against the company by various teams of lawyers competing for the lead role in the litigation. Who knows what the eventual damages might be.
Loss of life
Someone might die. A few years ago Johnson & Johnson warned patients how to take precautions against hackers exploiting the signal between an insulin pump and the patient’s remote control, possibly causing a fatal overdose.
What precautions should GCs take?
Before we sign on with a new customer, our company is usually subject to rigorous IT due diligence. Usually that process is managed by the IT Department, and the GC asks only a few questions.
We believe the GCs can and should play more of a role in this inquiry process. There are important inquiries the in-house lawyers should pose before the supplier gets to the IT due diligence stage.
Common sense inquiries
Assess the vendor. Lawyers are ideally equipped for this task. By nature, they are commonly curious, pessimistic, detail oriented, and risk averse. Factors to consider are:
What is the vendor’s history? Have they demonstrated stability over a reasonable number of years? Are they a start-up or an established business? Do they have reference customers?
Human error and fraud are the biggest causes of breaches. For example, it is easy for a rogue developer to create a back door in the code to allow hackers in. How do they manage their development process to guard against fraud?
It is generally more secure if the supplier manages their own team of developers here in Australia, rather than outsourcing to overseas teams where there is less direct oversight
Good software houses have tight internal procedures. In our company we have a system of peer review of code, and then a further developer tests the code to confirm the end result is as intended. A business review of the code follows, then the software is tested in what is called ‘regression’, to see if the application is performing as expected in comparison to the last release. Apart from being an important quality checks and control, this makes it much harder for one rogue developer to open ports for any rogue friends.
Austal’s failure was a classic example of human errors and poor planning:
Their network was small. One person managed all IT-related functions, and they'd only been in the role for nine months. High staff turnover was typical.
There was no protective DMZ network, no regular patching regime, and a common Local Administrator account password on all servers. Hosts had many internet-facing services.
The ASD's investigation found that internet-facing services still had their default passwords, admin::admin and guest::guest.
Plan your exit strategy
Plan your data exit strategy before you sign the contract. Suppliers might be compliant and friendly in the contract negotiation stage, but that may not be the case when you come to terminate. The devil is in the detail and when it comes to getting your data back and you must be sure to cover all the bases at the beginning.
There have been cases where a supplier has charged exorbitant data extraction fees, or throttled the customer’s bandwidth when extracting data. In one example, the supplier allowed the data download, but provided such a narrow bandwidth that the download took 2 years.
Contracts are often silent on specifics such as download mechanism (for example, batch or real time) and format (csv, a database, spreadsheet, XML, original format or current application service provider format).
Moving data from a SaaS solution to another system may require costly, time-consuming data conversion.
Enterprises may not actually own all their data that is in the cloud, such as metadata, taxonomies, "likes" or folder structures. Despite the value, separating "mingled" data may pose an issue with extraction.
It’s worth remembering that with widespread SaaS adoption, IT departments have lost their deep internal skill sets related to technologies that are now in the cloud, making it difficult to migrate off cloud solutions in the future.
Understand your data
Negotiate SaaS contracts to include clear data ownership, and for cost-effective data migration and extraction timelines. Determine which data should never go to a cloud provider due to risk, privacy, security, complexity and scale.
Check if vendors that have a good set of APIs or portals to enable straightforward migration, extraction and perhaps even integration of data.
Keep a balance
It’s very easy to say “no, this proposal entails too much risk”. IT leaders will often block the use of new technologies because of concerns about security. Sometimes these concerns don’t strike the right balance between the risk to the business versus the potential advantage for the business. As a result, they may miss business opportunities and create unnecessary security expenditures.
It is important that the GC is equipped to argue a position and participate fully in decision making on risk versus business benefits.
Dazychain CEO, Ian Goddard recently spoke about the importance of information security at the GC Summit. Click here for the wrap up.