There is no more important time than now—perhaps even yesterday—to understand the critical importance of implementing, enforcing and training on policies reflecting best practices to protect companies against the all too real threat of cyberhacking and privacy breaches. Technology has undoubtedly evolved faster than the law, and tech-savvy culprits—often appropriately labeled criminals—have made their presence felt across an array of industries. In-house counsel are often too busy, preoccupied and/or disinterested to recognize the impact of technology, but that must change in order to adequately safeguard businesses against potentially catastrophic consequences. For better and for worse, technology has become tremendously influential in this landscape.
Cyberhacks in the retail, health care and financial service industries have been instructive—managing risk and solidifying heightened security is more important than ever. The vulnerability is highlighted by recent attacks on more high-profile sectors such as sports and—moral judgment aside—a “secret” online community with millions of users, most of whom have an interest in preventing disclosure of identifying information that extends past the basic desire for privacy. Companies small and large, and regardless of industry, must take on the challenge of protecting against cyber and privacy hacks, and must do so now. Staying with the curve or, even worse, falling behind it, could cause irreparable harm to both personnel and consumers alike. This is no longer a mere possibility; recent news stories have shown that we are now at an unprecedented level of risk.
With respect to the sports industry, the FBI and the U.S. Department of Justice, with the involvement of the U.S. Attorney’s Office, are investigating the possibility of an inter-team or other cyberhack/privacy breach involving two Major League Baseball franchises, the St. Louis Cardinals and Houston Astros. The Cardinals have the bestrecord in baseball and the Astros are not far behind. Each team must now, as the playoff race approaches, play ball both on and off the field. These teams face a reality in which personnel from both organizations, from top to bottom, must cooperate with the ongoing investigation with the hope of both avoiding bad PR, or worse, criminal indictments. The FBI publicly announced on the eve of Independence Day a recommendation that charges be brought against one or more person(s) in connection with the probe. On July 4, shivers ran down the spines of many within the industry that represents America’s most coveted pastime.
As to the (im)moral proclivities reference above, the website Ashley Madison—self-proclaimed as “the online personals and dating destination for casual encounters, married dating, discreet encounters and extramarital affairs”—announced publicly that it was the subject of a cyberhack. Worse, the not-so-discrete announcement suggested that the hack came from an Ashley Madison customer, that the hack compromised identifying and private information of millions of other Ashley Madison customers, and that the stolen private information was being held hostage unless and until Ashley Madison ceased operations entirely. We can speculate as to why this particular hack found its way to the front page of every media outlet (some might say there were some terrified individuals in positions of power fearing what their spouse or other loved ones might discover), but, more important for these purposes, the incident demonstrates that consumers may not always be safe, even from each other.
Where did we go wrong and what do we do now?
Hackers generally target two things: high-profile money and high-profile chaos. The continually expanding stable of hacking and cybercrime targets reinforces the vulnerability of all industries. In-house counsel must act now—the flag has been raised, and proactivity is critical. Proactivity means a few things: first, remaining up-to-date with respect to both state and federal legislation. The landscape is highly active as to requisite security measures and reporting requirements. And not everyone is on the same page—some states are at odds with federal initiatives, insisting the efforts at the federal level are not sufficiently stringent. Accordingly, tracking of both federal and state legislative changes is necessary. Additionally, legal precedent on this subject has been inconsistent, so companies must track the standard in all applicable jurisdictions.
From a technical perspective, there are various policy measures in-house counsel can implement to facilitate mitigating the risk of cyberhacks. To name a few, though there are certainly others, be mindful of (1) limiting what, if any, information may be stored in any cloud-based platform; (2) appropriate encryption standards for sensitive information; (3) mandatory password protection of all devices and, in some cases, requiring multiple passwords for information access; (4) password variance across different devices for individual users and across company server access; (5) mandatory periodic changing of passwords on both enterprise and individual user levels; (6) requiring multiple layers of user authentication; (7) prohibitions related to automatic or manual linking of accounts (e.g., social media); (8) limitations on automated and manual data backup to local devices such as phones, tablets or any other device; (9) utilizing software to individualize any transmission of sensitive data (e.g., transmission of consumer credit card information when buying tickets to a ballgame); and (10) requiring IT to re-route and/or mask sensitive data that is transmitted through the Internet.
There is no one-size-fits-all solution, but it is necessary for in-house counsel to interface both with IT and, when appropriate, outside technology support and/or legal counsel. While day-to-day business operations are never simple for in-house counsel, privacy and cyberprotection should be the top of the to-do list. Companies need to closely review—and create and revise as necessary—iron-clad policies, and train employees to ensure best practices. This is essential to protecting personnel, customer and any other private information. Technology will continue to move faster than most other sectors, certainly the law.
The crux of the problem is that there has been a pervasive resistance in recognizing the times have changed. Corporations in each and every industry sector must accept evolution and adapt as necessary. While change is often difficult and/or uncomfortable, in this case, it should be viewed as an opportunity, and in any event, it will pay dividends down the road.
Whether a 15-year-old hacker, or a criminal hacker seeking to extract money or extort a high-profile company, the warning signs demonstrate extreme vulnerabilities. Nevertheless, many within the legal community have unfortunately suffered from tunnel vision. There is a bigger picture here, just as there was for the retail, financial services and other industries a few years ago. Bottom line: Wake up and face the music.
As Judy Garland said in “The Wizard of Oz,” “I’ve a feeling we’re not in Kansas anymore.” We need to keep up with the times and acknowledge the risks surrounding privacy and cybersecurity, as hacking becomes more omnipresent and its effects continue to permeate across industries of all kinds. It’s not too late, and it’s certainly not too early.
Originally published in The Legal Intelligencer on August 5, 2015.