Cyber Insecurity News
BEFORE AND AFTER THE BREACH
An ABA webinar served up a cyber scenario, but the panelists also examined the causes and the aftermath.

By David Hechler
NOVEMBER 1, 2018
LAW FIRMS AND COMPANIES are waking up. And if they’ve had a hard time opening their eyes to the threat of cyberattack (and companies seem far ahead of outside counsel), they’re getting help. General counsel are nudging. News reports have highlighted the dangers. And the American Bar Association has yanked off the covers and announced that it’s time to get up.
“Cybersecurity Wake-Up Call: The Business You Save May Be Your Own” was the title of the series sponsored by the ABA Cybersecurity Legal Task Force. The fifth and final installment, called “What Clients Want: Cybersecurity Requirements You Never Dreamed Of,” was livestreamed in October.

Unlike its predecessor, which surveyed the risky and fast-changing cybersecurity landscape, this webinar focused on one attack. It was a hypothetical scenario, but it brought home the dangers that companies can face.

The story of the breach was complicated, as they often are in tabletop exercises of this sort. The breached company was a high-tech hotshot called IOT NOW, and naturally many patents and designs of its latest internet of things (IOT) devices had been stolen. The customer data that disappeared included a trove from an EU-based company, no doubt to provoke questions about the General Data Protection Regulation.

What was particularly effective about this webinar was that a good deal of the 90-minute exercise was devoted to what IOT NOW could have done, and should have done, in the nine to 12 months before the breach, and what it needed to focus on after it.

Plenty of practical advice was dispensed, and there was even some good news for companies that have suffered a breach. Having come through the experience may actually help those companies get a better cyber insurance policy at a better rate, one panelist said.

Before the Breach
Information access was a key topic, the panel agreed. Moderator Jill Rhodes talked about the importance of companies setting appropriate levels of access for their employees. Then Rhodes, the chief information security officer (CISO) at health care company Option Care, pointed to a relevant passage in the scenario. IOT NOW’s policy was open access to employees at the director level or higher “to encourage collaboration.”

“How do you feel about that?” Rhodes asked the panelists.

“This sentence makes my skin crawl, because it strikes at the heart of least privileged access, which is one of the tenets of information security,” said Andy Sawyer, director of security at Locke Lord. “Everybody doesn’t need access to everything,” he continued. “Operating on a need-to-know/need-to-do and least privileged access is just essential.”

Mayer Brown partner Lei Shen agreed. “Minimum access isn’t just good practice,” she said. “A lot of state security laws and also guidance from various regulators, including the Federal Trade Commission, require that minimum access be in place.” A company that hasn’t embraced this standard may be found to lack “reasonable security measures” and could be found in breach of various state security laws, she added.

Excessive employee access may even affect a company’s insurance coverage. Underwriters “may not only frown upon this practice,” said Kevin Kalinich, a managing director at Aon. “They may exclude data that is disclosed that should not have been open access.” As a result, the insurance company may not cover defense or indemnity for that data, if it’s exposed.

Another matter companies would do well to attend to before a breach is getting to know their regulators. Company lawyers should introduce themselves to local representatives, Rhodes advised, so that if and when they’re confronted by a crisis, they know whom to call. There may not be time when trouble lands, she said.

In Chicago, she noted, the Federal Bureau of Investigation has an outreach program that she’s tapped. She’s invited agents to visit company leaders and help set expectations. When should the executives call? When should they not? What could they expect when they did? The agents answered a host of questions, Rhodes said. “They weren’t here for very long, but they provided a lot of great information.”

There’s also a way to reach out virtually. Sawyer recommended connecting with the FBI through infragard.org, the agency’s partnership with private industry that features a very active legal section and lots of information sharing. But first you must apply and be accepted, he added.
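The panel’s objection to IOT NOW’s “director level or higher” rule can be made concrete. The example below is added here and is not from the article or the ABA webinar; it models the scenario’s seniority-based policy next to a need-to-know policy and measures each by how many data sets a single compromised account could reach. Every user, business function and data set name is constructed for illustration.

```python
"""Seniority-based ("open access at director level") versus need-to-know
access, compared by blast radius: the number of data sets one account,
if its credentials are phished, can reach. Added example; all names
below are constructed and hypothetical."""
from dataclasses import dataclass

# Constructed inventory of sensitive data sets, each labelled with the
# business functions that genuinely need it. Loosely mirrors the scenario
# (device designs, patents, EU customer records).
DATA_SETS = {
    "iot-device-designs": {"engineering"},
    "patent-filings": {"legal", "engineering"},
    "eu-customer-records": {"sales-eu", "support-eu"},
    "us-customer-records": {"sales-us", "support-us"},
    "payroll": {"hr", "finance"},
}

SENIORITY = ["staff", "manager", "director", "vp"]


@dataclass(frozen=True)
class User:
    name: str
    level: str            # one of SENIORITY
    functions: frozenset  # business functions the person actually works in


def open_access_policy(user: User, data_set: str) -> bool:
    """The scenario's policy: director or higher sees everything 'to
    encourage collaboration'; everyone else is checked by function."""
    if SENIORITY.index(user.level) >= SENIORITY.index("director"):
        return True
    return bool(user.functions & DATA_SETS[data_set])


def least_privilege_policy(user: User, data_set: str) -> bool:
    """Need-to-know / need-to-do: seniority is irrelevant, access follows
    the work the person does."""
    return bool(user.functions & DATA_SETS[data_set])


def reachable(policy, user: User) -> list:
    """Data sets the policy lets this user read, sorted for stable output."""
    return sorted(d for d in DATA_SETS if policy(user, d))


def seniority_only_exposure(user: User) -> list:
    """Data sets the user can reach only because of rank, not because of
    any need: the gap an auditor or underwriter would flag."""
    return sorted(set(reachable(open_access_policy, user))
                  - set(reachable(least_privilege_policy, user)))


def blast_radius(policy, users) -> int:
    """Largest number of data sets any single account can reach under the
    policy, i.e. what one phished credential exposes at worst."""
    return max(len(reachable(policy, u)) for u in users)


# Constructed staff list for the comparison.
USERS = [
    User("engineering director", "director", frozenset({"engineering"})),
    User("hr director", "director", frozenset({"hr"})),
    User("eu sales rep", "staff", frozenset({"sales-eu"})),
]

if __name__ == "__main__":
    for u in USERS:
        print(f"{u.name}: rank-only exposure = {seniority_only_exposure(u)}")
    print("blast radius, open access  :", blast_radius(open_access_policy, USERS))
    print("blast radius, least privilege:", blast_radius(least_privilege_policy, USERS))
```

Under the open-access rule the HR director can read device designs, patents and EU customer records despite having no business need, and one phished director account exposes every data set; under need-to-know the worst single account reaches two. That gap is the exposure Shen’s “reasonable security measures” standard and Kalinich’s underwriters would both look at.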

After the Breach
The panel offered plenty of post-breach advice as well. And the timing was fortuitous. On the day of the webinar, as Rhodes mentioned, the ABA released Formal Opinion 483: “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack.” Its focus on a lawyer’s ethical responsibilities complemented the webinar’s smorgasbord of practical advice on avoiding, or effectively containing, the damage.

The webinar’s big suggestions, other than to review deficiencies in the company’s incident response plan, were to carefully follow all of the insurance policy requirements and to build a robust program of employee training.

Aon’s Kalinich talked about the detailed records insurance companies require after a breach, and the importance of reviewing the wording of the policy. Then he changed gears.

“Here’s the part that may surprise you,” he said. “Once you’ve had a cyber incident, you may be considered a better risk. And you might be able to get broader coverage for a lower price going forward, if you’ve appropriately learned lessons from the last breach.”

Sawyer took up the subject of training. “Education is key,” he began. “Your people are your best firewall. But you can’t expect them to defend you if they don’t know against what.”

Phishing is a big vulnerability, he said. So Sawyer runs antiphishing campaigns to test his attorneys. He encourages his people to send him emails that strike them as bogus. He often publishes these, and employees are proud when their selections are dubbed his “phish of the day.” His colleagues “love to be published,” he said. And the exercises keep them on their toes. That’s particularly important, he explained, since email is reported to be involved in 96 percent of data breaches. As Sawyer observed a few minutes later, “cybersecurity is as much social science as computer science.”

Rhodes wrapped up the session by calling for better communication. As a CISO herself, she urged lawyers to sit down with the security professionals they work with and ask questions. “It is not rocket science,” she said. “All of us can understand cybersecurity and need to understand cybersecurity within our organizations. That’s how we all stay protected.”
Panelists: Jill Rhodes, Andy Sawyer, Lei Shen, Kevin Kalinich