Editor’s Note: This is the second in a two-part series of cyber security articles. Part one can be found here.

Reasonable Contractual Expectations

One of my best contractual stories revolves around a conversation with the president of a local web site design firm – a good friend and one who feels comfortable with being candid with me. During one of his development projects, I offered to do a free security evaluation of the soon-to-be-released web application. His rejection of my offer came with the rationale that if the web application was ever compromised, he wanted to be able to honestly tell the client that, to the best of his knowledge, the delivered web site was secure.

I haven’t the faintest idea of the legality of my friend’s hope for plausible deniability, but it should be obvious that two very poor consequences come out of his approach to security. The first is that his client will end up with an unsecure web site, when they could just as easily have had a product that would have withstood all but the most experienced and persistent hackers.

The second eye-opening realization is that the client never asked about security, and the development contract never addressed security. In this case, the client (and potentially the law firm that reviewed the contract) never included security development and testing as one of the primary requirements of the relationship. A single section added to the development contract might have the effect of preventing a devastating security breach.

A favorite statement of mine goes as follows:

Businesses end up with a lack of security because they never, ever ask about it. 

Almost all web site development contracts include obvious legal details like payment schedules, software ownership, and product specifications. These terms protect the interest of the business as well as the development firm – standard boilerplate.

A well-written contract should also include a requirement that the contracted web site be developed under strict security guidelines (consider OWASP as a source of information) and that a comprehensive third-party security penetration test (Acunetix as one such test) be run and presented before product acceptance.

The additional cost for security-oriented development should be minimal, since a knowledgeable development firm should be adhering to these practices regardless of a request. The third-party security penetration test can be contracted for with one of many firms and should cost only a few thousand dollars.

Again, the role of a law firm in this environment should certainly be the crafting and approval of the basic development contract, but also making sure security validation is a well-defined requirement of the overall agreement.

How to Respond After a Breach

When a security breach does occur, businesses (and their counsel) need to be ready to react thoroughly and decisively. A few of my suggestions for the days, weeks, and months following a breach are:

• Don’t panic. Carefully consider the nature of the breach, what data (if any) has been compromised and what the business’ next steps should be. A premature release of breach information may cause unnecessary customer panic or, even worse, make management look even more inept when they revise information sent out too hastily. Advise them to take the time to respond with dignity and thoughtfulness.
• If required, inform the appropriate financial and legal entities as soon as possible. Depending on the industry, there may be strict requirements for reporting security breaches. Your client’s problem will only get worse if they are caught hiding information. Keep in mind that many security breaches become public knowledge as the compromised data is used or sold within the cyber underground, not as a result of company disclosure. As a side note, an embarrassingly large number of security breaches are never discovered by the company that was breached.
• Inform users or clients and customers as soon as appropriate. There is a line between keeping a company viable and an ethical responsibility to customers. My thoughts on this line are to consider the damage that might be done to customers and think about how you would expect to be treated.
• Call the insurance company. Depending of the nature of the breach, the business may be covered for some, if not all, of the expenses associated with recovery. Suggest that the business give their insurance company a call. They might also take the time to talk about cyber insurance with their agent – for the next time.

As a legal professional, you should easily be able to see the pitfalls inherent in panic-stricken businesses reacting to security breaches. Legal, financial, and professional stakes surrounding a security breach may be high enough to shut down the business. The correct reaction may be well outside of the expertise of the business, or, even worse, the business may naively attempt to react on their own.

Conclusion

Hopefully, I have provided food for thought on the security opportunities and responsibilities of law firms supporting small businesses and their own technological infrastructure. Obviously, I’ve brought up far more issues and concerns than solutions. My hope is that even a casual discussion of security problems will prepare you with far more knowledge than the majority of your clients.

It’s a mean world out there; cyber crime is an industry run by foreign nationals from countries where cyber criminals are not prosecuted. An industry-accepted statistic is that more than 70% of all Internet web sites contain critical security vulnerabilities. Many of your clients, and your own web sites, undoubtedly are on the wrong side of this depressing number.

One final note to add one more level of additional worry: Web application security awareness has only recently entered mainstream web site development. If your web site or your client’s is more than four years old, not only is it certainly open to a critical security attack, but it is probably a target for even the most amateurish hackers: script kiddies, young kids who hack web sites because doing so is more fun than playing a predictable Xbox game.