July 15, 2019

Law Firms and Small Businesses: Protecting Security Interests (Part 2)

Editor’s Note: This is the second in a two-part series of cyber security articles. Part one can be found here.

Reasonable Contractual Expectations

One of my best contractual stories revolves around a conversation with the president of a local web site design firm – a good friend and one who feels comfortable with being candid with me. During one of his development projects, I offered to do a free security evaluation of the soon-to-be-released web application. His rejection of my offer came with the rationale that if the web application was ever compromised, he wanted to be able to honestly tell the client that, to the best of his knowledge, the delivered web site was secure.

I haven’t the faintest idea of the legality of my friend’s hope for plausible deniability, but it should be obvious that two very poor consequences come out of his approach to security. The first is that his client will end up with an insecure web site, when they could just as easily have had a product that would have withstood all but the most experienced and persistent hackers.

The second eye-opening realization is that the client never asked about security, and the development contract never addressed security. In this case, the client (and potentially the law firm that reviewed the contract) never included security development and testing as one of the primary requirements of the relationship. A single section added to the development contract might have the effect of preventing a devastating security breach.

A favorite statement of mine goes as follows:

Businesses end up with a lack of security because they never, ever ask about it. 

Almost all web site development contracts include obvious legal details like payment schedules, software ownership, and product specifications. These terms protect the interests of the business as well as the development firm – standard boilerplate.

A well-written contract should also include a requirement that the contracted web site be developed under strict security guidelines (consider OWASP as a source of information) and that a comprehensive third-party security penetration test (Acunetix as one such test) be run and presented before product acceptance.

The additional cost for security-oriented development should be minimal, since a knowledgeable development firm should be adhering to these practices regardless of a request. The third-party security penetration test can be contracted for with one of many firms and should cost only a few thousand dollars.

Again, the role of a law firm in this environment should certainly be the crafting and approval of the basic development contract, but also making sure security validation is a well-defined requirement of the overall agreement.

How to Respond After a Breach

When a security breach does occur, businesses (and their counsel) need to be ready to react thoroughly and decisively. A few of my suggestions for the days, weeks, and months following a breach are:

  • Don’t panic. Carefully consider the nature of the breach, what data (if any) has been compromised and what the business’ next steps should be. A premature release of breach information may cause unnecessary customer panic or, even worse, make management look even more inept when they revise information sent out too hastily. Advise them to take the time to respond with dignity and thoughtfulness.
  • If required, inform the appropriate financial and legal entities as soon as possible. Depending on the industry, there may be strict requirements for reporting security breaches. Your client’s problem will only get worse if they are caught hiding information. Keep in mind that many security breaches become public knowledge as the compromised data is used or sold within the cyber underground, not as a result of company disclosure. As a side note, an embarrassingly large number of security breaches are never discovered by the company that was breached.
  • Inform users or clients and customers as soon as appropriate. There is a line between keeping a company viable and an ethical responsibility to customers. My thoughts on this line are to consider the damage that might be done to customers and think about how you would expect to be treated.
  • Call the insurance company. Depending on the nature of the breach, the business may be covered for some, if not all, of the expenses associated with recovery. Suggest that the business give their insurance company a call. They might also take the time to talk about cyber insurance with their agent – for the next time.

As a legal professional, you should easily be able to see the pitfalls inherent in panic-stricken businesses reacting to security breaches. Legal, financial, and professional stakes surrounding a security breach may be high enough to shut down the business. The correct reaction may be well outside of the expertise of the business, or, even worse, the business may naively attempt to react on their own.

Conclusion

Hopefully, I have provided food for thought on the security opportunities and responsibilities of law firms supporting small businesses and their own technological infrastructure. Obviously, I’ve brought up far more issues and concerns than solutions. My hope is that even a casual discussion of security problems will prepare you with far more knowledge than the majority of your clients.

It’s a mean world out there; cyber crime is an industry run by foreign nationals from countries where cyber criminals are not prosecuted. An industry-accepted statistic is that more than 70% of all Internet web sites contain critical security vulnerabilities. Many of your clients, and your own web sites, undoubtedly are on the wrong side of this depressing number.

One final note to add one more level of additional worry: Web application security awareness has only recently entered mainstream web site development. If your web site or your client’s is more than four years old, not only is it certainly open to a critical security attack, but it is probably a target for even the most amateurish hackers: script kiddies, young kids who hack web sites because doing so is more fun than playing a predictable Xbox game.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security – from evaluation to web development and remediation.

Learn More: Cyber Security/Privacy CLE Homestudy Programs

Is Your Sensitive Data Secure: Cyber Insurance for Your Firm and Your Clients (video on-demand and mp3 download)

Avoiding The Lawyer’s Digital Nightmare: How To Safeguard Your and Your Clients’ Sensitive Information And Survive The Inevitable (?) Security Breach (video on-demand, mp3 download, and audio CD)

Ethics in a Wild Wired World (video on-demand, mp3 download, and audio CD)

To Use and Protect: Privacy Basics for Business (video on-demand and mp3 download)

Law Firms and Small Businesses: Protecting Security Interests (Part 1)

Editor’s Note: This is the first in a two-part series of cyber security articles. Part two can be found here.

Is there anything more financially fragile than a small business in the U.S. today? As we climb out of the Great Recession, many of the surviving small businesses were forced to cut corners, often making compromises on the IT side. Combine this with an unprecedented rise in cyber crime that took the 2011 U.S. cost of security breaches to $32 billion, and one can easily predict the future security troubles of many small businesses.

As legal, and sometimes operational and financial, advisers to small businesses, law offices should be more aware than ever of the security risks to small business clients, understand how to mitigate these risks, and lend support when a security breach occurs.

These considerations are also important for attorneys to make regarding their own online presence and security risks, especially solo/small firm practitioners.

While I can’t cover IT security in its entirety here, I’ll touch on three areas, each of which should give you an idea of security troubles ahead and what you might be doing to anticipate these troubles:

  1. Professional and financial liabilities
  2. Reasonable contractual expectations
  3. Responses after a breach

To set the stage for my thoughts on the advice and support a law office might provide to small businesses (and should consider for itself, or at least be aware of), let me start by sharing a few details of my background. I am the managing partner of 403 Web Security, a web application security company, and WDDinc, a software development firm with close to 20 years of developing software, much of it for small businesses. While I am not a legal expert, I have seen more than my share of software-related contracts and have a firsthand view of the risks these organizations place themselves under.

For the sake of simplicity and to take full advantage of my experience, I’ll limit my notes to web application security – more commonly known as security within small business web sites.

Professional and Financial Liabilities

Without hesitation, I can say that the vast majority of small businesses not only have inadequate security protections in place, but also are oblivious to the fact they are security risks. Even worse, recent headlined security breaches of high-profile companies seem to engender only a misguided belief that they are immune from security attacks because they are small fish in a huge ocean.

The truth is, not only are small businesses not immune from attack, they are prime targets because of their lack of security. Consider the monetary value of even small, undetected breaches – unlimited time to exploit compromised data and the opportunity to revisit the sources months and years into the future.

When considering security liabilities, I like to separate small businesses into two categories. The first would be those businesses that collect and save protected data (i.e., medical, identity) within their own environments. The web sites that support these businesses tend to be custom built by design or development companies that have little or no experience in creating secure web sites, and almost never have the capabilities of testing new sites for security vulnerabilities. These companies potentially are open to huge fines when their data is compromised.

The second, and larger, category is small businesses with e-commerce components. These businesses usually, and wisely, use well-established (and secure) external web services to handle credit card and other payment transactions. Unfortunately, this approach is successful only when the business’ basic web site is secure. The point almost always missed is that a hacker does not always breach a web site for its underlying data. For example, a hacked site may be modified in subtle ways to take an unsuspecting consumer to a fraudulent e-commerce service that will happily collect and exploit the consumer’s credit card as soon as it is entered. Or, one of my favorite security flaws, Cross Site Scripting (XSS), might allow a hacker to take over a legitimate user’s browser – effectively compromising that user’s e-commerce transactions or invading the user’s entire computer.

In either case, a small business may be financially and legally liable for the fraud and illegitimate use of information from its security breaches. Perhaps just as importantly, the loss of reputation and consumer confidence alone might be enough to ruin any small business.

A proactive law firm might be in a unique position to address potential security issues and breach consequences with their clients. This should be part of the support of any client and attorneys should heed the same advice themselves.


Cyber Insurance: An Efficient Way to Manage Security and Privacy Risk

Practically every company in our modern economy has information security and privacy risk. There is no way to completely eliminate it. Whether it is your firm or your client, most companies of all shapes, sizes, and wealth profiles use information technology and handle sensitive information including personal information and credit card numbers. That means organizations face potential direct losses, lawsuits, and liability due to data, security, and privacy breaches.

The frequency and magnitude of data breaches by hackers has only been increasing. We read about security and privacy breaches practically every day in the newspaper. As the world continues to change at seemingly light-speed and cyber risks increase, the need for risk transfer with cyber insurance is also growing. Relying on a general liability or property policy to provide the coverage is no longer a wise choice (if it ever was), and companies could be well-served to get peace of mind and relative predictability by learning more about cyber policies that are actually designed to address the risk.

CBA-CLE will hold a program on Thursday, March 29 to address the impact of data breaches and the trend toward cyber insurance. The program presenter, David Navetta, Esq., has written several articles about data security and cyber insurance. Read some of his insights below, and then join us to learn more about protecting sensitive information with cyber insurance, an option that may be of great importance to your clients or law firm.

In the early 2000s, just around the “DotCom Bust,” some insurers began developing a product designed to address the financial loss that might arise out of a data breach. This was a time where most “brick and mortar” companies were just beginning to leverage the economic potential of the Internet. At that time, insurers wanted to target the big “dotcom” companies like Amazon, Yahoo, eBay, Google, etc., and other companies pioneering e-commerce and online retailing. At some point, somebody dubbed this type of insurance “cyber insurance.”

The early cyber policies included liability and property components. The liability coverages addressed claim expenses and liability arising out of a security breach of the insured’s computer systems (some early policies only covered “technical” security breaches, as opposed to policy violation-based security breaches). The property-related components covered business interruption and data asset loss/damage arising out of a data breach (during the holiday season many online retailers suddenly developed a taste for business interruption coverage after realizing just how negatively their business would be impacted by a denial of service attack). Additional first party coverages included cyber-extortion coverage and crisis management/PR coverage.

Unfortunately for the carriers, it was not easy to get people to understand the need for this coverage (and that is still a challenge today, but certainly a lesser challenge with all of the security and privacy news constantly streaming). Early on there were very few lawsuits and regulators were just beginning to consider enforcement of relatively new statutes like GLB and HIPAA.

Two things changed that made cyber insurance much more relevant. One was a rather sudden event, and the other more gradual.

First, in 2003, California passed SB1386, the world’s first breach notification law. The reality then (as now) is that companies suffer security breaches each and every day. Prior to SB1386, however, breaches of personal information simply went unreported. With SB1386 and the subsequent passage of breach notice laws in 45 other states (and now coming internationally), the risk profile changed for data breaches. Instead of burying the breaches, companies were required to incur significant direct expenses to investigate security breaches and comply with applicable breach notice laws, including the offering of credit monitoring to affected individuals (which is not legally required by existing breach notice laws, but is optionally provided by many companies or “suggested” by state regulators). As a result, the plaintiffs’ bar now had notice of security breaches and began filing class action lawsuits after big breaches (usually involving high-profile brand name organizations). As such, cyber insurance coverage went from coverage addressing a hypothetical risk of future lawsuits, to a coverage addressing real-life risk (and now we have lawsuits getting deeper into litigation and public settlements of these types of cases). Moreover, shortly after the passage of SB 1386 many cyber insurance policies began covering the direct costs associated with complying with breach notification laws, including attorney fees, forensic investigation expenses, printing and mailing costs, credit monitoring expenses and call center expenses. Breach notification costs are direct and almost unavoidable after a personal information breach. Regardless of lawsuit activity, a direct financial rationale for cyber insurance coverage now existed.

The other change that occurred more gradually over time, but which has had a significant impact concerning the frequency and magnitude of data breaches, was organized crime. In the early 2000s, hacking was more of an exercise in annoyance or used for bragging purposes. Hackers at that time wanted their exploits talked about and known. They wanted credit for hacking into or bringing down a sophisticated company (or better yet a division of the Federal Government or military). As such, when an attack happened it was discovered and remediated, and that would be the end of it.

True criminals, of course, are less interested in such notoriety. In fact, when trying to steal thousands/millions of records to commit identity theft or credit card fraud it is much better to NOT be detected. Lingering on a company’s network taking information for months or years is a much more profitable endeavor. Recognizing that this type of crime is low risk (it can be performed from thousands of miles away in Eastern Europe with almost no chance of getting caught) and high reward, organized crime flooded into the space. And in this context the word “organized” is truly appropriate – these enterprises retain very smart IT-oriented people that use every tool possible to scale and automate their crimes. They leverage the communication tools on the Internet to fence their “goods” creating, for example, wholesale and retail markets for credit cards, or “eBay”-like auction sites to hawk their illicit wares (e.g. valuable information). The change in orientation described above has essentially resulted in a 24/7/365 relentless crime machine constantly attacking and looking for new ways to attack, and always seeming to be one step ahead of those seeking to stop them. That is why we read about security and privacy breaches practically every day in the newspaper.

Fast-forward to present time. Cyber insurance is a much more established market with more carriers entering on a regular basis. There are primary and excess markets available for big risks, and companies of all sizes are looking at cyber more as a mandatory purchase rather than discretionary. As the world continues to change at seemingly light-speed and cyber risks increase (with the advent of hacktivism, social media and the consumerization of IT/BYOD) the need for cyber is also growing. With competition pushing cyber insurance prices down, and significant security and privacy risk being retained by organizations, risk transfer is becoming very attractive (and from an overall big picture systemic point of view, spreading risk is also attractive). The price may be right, and the peace of mind priceless.

Click here to read the full article. Program registration information below.

CLE Program: Is Your Sensitive Data Secure? Cyber Insurance for Your Firm and Your Clients

This CLE presentation will take place on Thursday, March 29. Participants may attend live in our classroom or watch the live webcast.

If you can’t make the live program or webcast, the program will also be available as a homestudy in two formats: video on-demand and mp3 download.

Tenth Circuit: No Authority to Suggest that Possibility a Record Might Be Revealed to Unauthorized Readers through Negligent or Reckless Transmission is Sufficient to Violate Privacy Act

The Tenth Circuit Court of Appeals published its opinion in Luster v. Vilsack on Wednesday, December 28, 2011.

The Tenth Circuit granted the motion to publish the order and judgment previously issued on December 1, 2011. In the case, the Tenth Circuit affirmed the district court’s decision. Petitioner, a full-time Visitor Information Specialist with the Forest Service, claimed that “(1) she was not selected for a Forestry Technician position because of her gender; (2) she suffered disparate work conditions because of her gender and in retaliation for her Equal Employment Opportunity (EEO) discrimination complaint, and (3) a Forest Service attorney inappropriately disclosed her EEO complaint information in violation of the Privacy Act.” The district court granted summary judgment to the Forest Service on all claims.

The Court agreed with the district court’s analysis. The Court determined that the district court did not err in its pretext analysis of Petitioner’s non-selection discrimination claim. Also, the Court concluded that Petitioner did not present evidence suggesting that her “summer job conditions occurred under circumstances giving rise to an inference of gender discrimination or that the Forest Service’s proffered justification for those job conditions is so weak, implausible, inconsistent, or incoherent that a reasonable factfinder could rationally find it unworthy of credence.” Lastly, the Court found that Petitioner cited “no authority to suggest that the possibility that a record might be revealed to unauthorized readers by negligent or reckless transmission is sufficient to constitute a prohibited disclosure under the Privacy Act.”

Colorado Supreme Court: Framework that Trial Courts Should Use when Deciding Discovery Requests Implicating the Right to Privacy

The Colorado Supreme Court issued its opinion in In re Cedar Street Venture, LLC v. Judd; Moreland/Manoogian, LLC v. Judd on June 27, 2011.

Discovery—Right to Privacy—Financial Records.

The Supreme Court discussed the framework that trial courts should employ when deciding discovery requests implicating the right to privacy. The party requesting the information must always first prove that the information requested is relevant to the subject of the action. The party opposing the discovery request must show that it has a legitimate expectation that the requested materials or information is confidential and will not be disclosed. If the trial court determines that there is a legitimate expectation of privacy in the materials or information, the requesting party must prove either that disclosure is required to serve a compelling state interest or that there is a compelling need for the information. If the requesting party is successful in proving one of these two elements, it then must also show that the information is not available from other sources. Finally, if the information is available from other sources, the requesting party must prove that it is using the least intrusive means to obtain the information.

The Supreme Court held that the documents requested in this case fall under the umbrella of the right to privacy. The case was remanded to the trial court for analysis under this framework.

Summary and full case available here.

July 7 Program: Electronic Privacy in 2010: Impact of City of Ontario v. Quon Decision

Recent major decisions by the U.S. Supreme Court and the New Jersey Supreme Court address highly contentious and unsettled issues of electronic privacy and electronic monitoring in and related to the workplace. Employees are increasingly moving off the corporate e-mail server. They are conducting business and engaging in non-work-related activities, sometimes using employer-supplied equipment, through text messaging, personal e-mail accounts, personal smartphones, and “friends only” Facebook pages. In short, today’s tech-savvy workforce is using technology in ways that raise new privacy issues and that have rendered most electronic resources policies obsolete.

How should employers respond to these new challenges in the workplace? Find out on Wednesday, July 7, during a lunchtime presentation featuring employment lawyers Philip L. Gordon, of the Denver office of Littler Mendelson, P.C., and Barry D. Roseman, partner at McNamara, Roseman, Martínez & Kazmierski LLP. This presentation will provide the following insights and practical take-aways:

  • The impact of the U.S. Supreme Court’s recent decision in City of Ontario v. Quon (pdf);
  • The impact of the New Jersey Supreme Court’s recent decision in Stengart v. Loving Care;
  • Employees’ reasonable expectations of privacy;
  • Reasonable and lawful searches of employees’ electronic communications;
  • Recommended policy language to address new technologies in the workplace;
  • Recommended strategies for lawful searches of communications off the corporate e-mail server; and
  • How plaintiffs’ counsel can protect their clients’ privacy.

Register today for this timely and important program. The presentation will also be available as a live webcast, an mp3 download, and video on demand for those unable to attend in person, and has been submitted for one general CLE credit.

Click here for our past coverage of the Quon decision.


Resource: Outline of FTC Online Fair Information Practices and COPPA Rule

We recently posted on an upcoming CLE program (June 2) we’re hosting called “Privacy Basics for Business,” taught by Bruce L. Plotkin of Brownstein Hyatt Farber Schreck.

We have since received Plotkin’s materials and we thought his “Outline of FTC Online Fair Information Practices and COPPA Rule” was too good not to share, below. We hope to see you next week.

This program will be held in our classroom on June 2, 2010. Live attendees receive lunch with their registration. It is also available via live webcast, MP3 download, and video on-demand. It has been submitted for one general CLE credit.

Outline of FTC Online Fair Information Practices and COPPA Rule