The release of thousands of sensitive U.S. diplomatic cables by WikiLeaks raised major concerns about its impact on national security. But businesses should also heed the wake-up call regarding the need for security of their own data. While the federal government was the victim of this particular data breach, businesses are equally vulnerable. No company is immune.
The WikiLeaks incident illustrates a fundamental fact – it is very easy to copy, transfer, and distribute digital files. As a consequence, the fact that businesses create, use, communicate, and store virtually all of their corporate documents in digital form on networked servers constitutes a potential vulnerability. Anyone who is able to access those servers, legitimately or not, has the potential ability to compromise very large quantities of sensitive corporate data – such as financial data, employee and customer personal data, trade secrets, business acquisition plans and strategies, new product announcements, marketing plans, contracts, business deals, e-mails and internal memos, information regarding sensitive internal activities, and the like.
The seriousness of a major compromise of sensitive corporate documents is not difficult to imagine. That Bank of America’s stock dropped by 3% on the mere rumor that its internal documents had been disclosed to WikiLeaks is testament to that fact. And if a breach actually occurs, corporate embarrassment and public relations nightmares, loss of business, litigation and liability, investigations by regulators and government agencies, and significant expenses are just some of the headaches that the victimized business will have to deal with.
The WikiLeaks incident teaches us two key lessons that every business should take to heart:
- First, every business, large and small, should ensure that it has satisfied its obligation to implement appropriate – and legally compliant – data security for all of its information.
- Second, to supplement that security, every business should also develop an appropriate incident response plan so that it is adequately prepared to respond to a security breach in the event that the worst occurs.
The requirements of numerous laws lead to the same conclusion. In fact, failure to anticipate and protect against the threat of such an extensive breach may itself lead to legal liability.
Duty to Protect Corporate Data – The Comprehensive Security Program
Almost all businesses have a legal obligation to provide security for their corporate information. A patchwork of numerous laws, regulations, court decisions and corporate contracts impose this obligation in a variety of different ways.
Providing appropriate security for corporate data requires developing and implementing what many state and federal laws refer to as a comprehensive written information security program. This is a risk-based security “program,” not merely a security “policy.”
The concept of a comprehensive security program is based on the view of most laws and regulations that data security is relative, and thus, that providing “reasonable security” requires a fact-specific, risk-based process that reflects the company’s current business realities, and is designed to respond to technological, regulatory and business-related changes. In essence, it’s a legal recognition that there is no one-size-fits-all approach to data security.
Thus, various laws require that companies undertake a detailed risk assessment to identify and evaluate the threats they face. The goal is to understand the threats, the likelihood that such threats will materialize, and the damage they can cause. Armed with this information, the business must then select and implement appropriate administrative, technical, and physical security measures designed to address that risk. Once implemented, such security measures must be tested to ensure that they work properly, and periodically re-evaluated to take into account changes in the business, technology, and threats that occur over time.
At its essence, the foregoing process can be broken down into the following high-level component steps which, taken together, form the comprehensive information security program:
- Assign Responsibility: Designate one or more employees to maintain the security program;
- Identify Information Assets: Identify the corporate information assets that need to be protected, as well as the computing systems, storage media (such as laptops and portable devices), and off-site or cloud facilities used to store such information;
- Conduct Risk Assessment: Conduct a risk assessment to identify and assess internal and external risks to the security, confidentiality, and/or integrity of its information assets, and evaluate the effectiveness of the safeguards currently in place for minimizing such risks;
- Select and Implement Security Controls: Select and implement appropriate physical, administrative, and technical security controls to minimize the risks identified in its risk assessment, including security controls within certain “categories” specified by applicable laws and regulations;
- Monitor Effectiveness: Regularly monitor and test the security controls following implementation to ensure that the security program is operating in a manner reasonably calculated to protect the corporate information; and upgrade the security controls as necessary to limit risks;
- Regularly Review Program: Review and adjust the information security program at least annually, including: (i) whenever there is a material change in business practices that could affect personal information, and (ii) following any incident involving a breach of security; and
- Address Third Party Issues: Take all reasonable steps to verify that each third-party service provider that has access to personal information (including cloud services providers) has the capacity to protect such information in the appropriate manner, and take all reasonable steps to ensure that each third party service provider is actually applying appropriate information security measures.
The Federal Trade Commission and some state attorneys general have been particularly active in bringing enforcement actions against businesses that fail to provide appropriate data security. In some cases they have even acted in the absence of an actual security breach. As illustrated by the WikiLeaks case, various company stakeholders (shareholders, employees, customers, investors, business partners, vendors, etc.) may well be affected by a security breach. In fact, because of the risk of harm to company stakeholders, the FTC now views a lack of adequate data security as an unfair business practice that violates federal law.
Need for an Incident Response Plan
Given that no level of security is perfect, it is also important that every business develop an incident response plan so that it is prepared in advance to deal with the consequences of security breaches that will inevitably occur.
Such a plan should ensure that appropriate persons within the organization are promptly notified of any security breach, and where necessary, that an appropriate incident response team is assembled to respond to the breach.
The plan should include procedures for evaluating, investigating and containing security incidents. This involves protocols for working with law enforcement, forensics investigators, and other experts, and for communicating with government agencies, the press, and the stakeholders who may be affected by any particular security breach.
At the end of the day, having in place a comprehensive written information security program to defend against data breaches, along with an incident response plan to respond to the breaches that do occur, is critical to all companies operating in today’s digital business environment.