Obviously the recent attacks on the United States underscore the need for physical and information security to protect sensitive operational data from destruction, acts of hackers or corporate espionage. In response to this, there are a number of actions being taken in the political arena that are essential to understand as they develop.
As an example, there has been significant discussion in the information technology press about whether or not corporations should have to disclose infrastructure preparedness in ways similar to the disclosures made during preparation for Y2K. Such an approach has been mentioned more than once: at the Global Internet Summit this spring, recently at the gathering of the Computer Security Institute and during a recent U.S. House Subcommittee hearing on "Cyber Security: Private Sector Efforts Addressing Cyber Threats." As an initial step, Senator Bennett of Utah has recently introduced S. 1456, which aims to facilitate the voluntary sharing of information with the government, and also among industry, by creating a limited antitrust exemption and an exemption from disclosure under the Freedom of Information Act.
The following article addresses some of the current legal obligations that exist with respect to your network security.
Protecting Businesses Against Information Espionage
A remote laptop computer, using a reusable password that was saved to the browser, accesses the company’s computer network through the saved dial-up number during normal business hours. The remote user is greeted with the company’s user-friendly interface to the corporate intranet. Clicking on "document database," the remote user reviews the corporate financials, then moves on to the research and development budget and plans. Seeing that a corporate strategic partner is involved in a secret project, the remote user downloads the project manager’s progress reports, which offer convenient "hot links" to source documents that the strategic partner contributed to the project under a non-disclosure agreement. Before logging off, the remote user checks out the corporate cafeteria’s lunch menu posted on the welcome page. A vice-president for sales later reports that his laptop was stolen the day before.
E-business lawyers at McDermott Will & Emery frequently hear about unreported incidents such as the hypothetical example above, often enough to conclude that many companies are prepared neither for information-age hackers and espionage nor for the legal liabilities that attach to possible negligence and contractual breaches.
The Computer Security Institute’s 2001 Computer Crime and Security Survey (www.gocsi.com) confirms our experience and indicates that financial losses due to internet intrusions, trade secret theft and other cybercrimes are increasing at a startling rate. Most survey respondents did not report incidents, probably out of concern about "bad publicity." What isn’t often considered, however, are the possible legal liabilities and whether there is a duty to notify affected parties and remediate the effects of such breaches.
Viewing your company’s preparedness through the lens of potential legal liability can help you focus on the big picture and cross check whether probable risks have been identified. For example, consultants say that the first step in preparedness is identifying your organization’s assets and risks. The risks they have in mind tend to be merely operational. What about the following legal risks? Have they been accounted for?
You probably have state or federal statutory obligations to your employees regarding their employment and health records. The Gramm-Leach-Bliley Act and other financial regulations impose significant duties on how personally identifiable and non-public financial information must be treated. If you are a multinational, or gather information about foreign nationals via your website, then you must consider other countries’ requirements.
The Duty of Due Care and Remediation
You may have a duty to take reasonable measures to avoid causing foreseeable harm to others. As with the preparations for Y2K, your actions (or inactions) are likely to have an impact on others. So, using the opening scenario, what if the intruder had used the power of the network to launch a denial of service attack on the trading partner’s servers? The test here is whether your security was reasonable under the circumstances and whether the harm was foreseeable. Corporate America may find itself failing this test simply because preparedness goes beyond passwords and firewalls.
Fully mirrored systems and business-continuity plans are likely to be useful in the event of a catastrophic failure, such as those caused on September 11th. However, business-continuity plans are not the same as a plan to protect against, and respond appropriately to, hackers, insider spies, disgruntled employees, opportunists, vandals, worms, viruses and agents acting for your competitors. What is needed is an infrastructure and information security policy. If followed, such a policy can also serve as useful evidence in demonstrating reasonableness.
However, such policies tend to get stalled on the desk of someone in IT. Decision makers sometimes don’t commit the time, money and appropriate people to tackle the business and political issues, such as deciding who may access classified levels of information, which means denying access to others (e.g. the cafeteria menu should be treated differently than a partner’s trade secrets, and a sales vice-president may not need access to the weekly research and development progress reports). These are decisions that management needs to make.
In thinking about the level of commitment this will take, consider the mobilization that Y2K preparedness required. Except in this instance, it is going to be an ongoing marathon instead of a sprint to a foreseeable end. Hopefully the result will be the same: operational problems and foreseeable liabilities averted.