Assume for a moment that you’re involved in the security of all data contained within your organization. You could be corporate counsel for a multinational corporation. Or you’re in the legal department of a nationwide conglomerate of interconnected healthcare facilities. Or somehow you’ve advanced to the position of CIO or the most recent C-Suite fad—Chief Information Security Officer. Or you’re the managing partner of a large law firm.
To say the least, these are far from easy times for a lawyer or other legal professional to be in such a position. On the one hand, you face the internal pressures to advance the efficiency, and thereby the profitability, of your organization by adopting the latest broad-ranging technology.
On the other, we currently live in a very unsettled world. For political and societal reasons beyond anyone’s control, there exist highly motivated and determined individuals and organizations, both within the U.S. and without, who are primed and well-funded to attack the American way of life.
Their primary target is our economic system. Among our greatest vulnerabilities are the flaws inherent in any organization’s poorly planned, poorly executed, and poorly maintained technology choices which have made it increasingly easy for remote attacks to readily succeed.
Think this is just the imaginary fodder for modern fiction-writing? That such story lines exist solely to make great novels and movies? A few recent real-life situations will dispel that suspicion.
Evidence is amassing to support the belief that the remote cyberattacks recently perpetrated against numerous businesses (Target Corp., The Neiman Marcus Group, P.F. Chang’s China Bistro Inc., The Home Depot Inc., to name just a few) used a single form of malware created by a couple of teenagers in Russia. The malware was designed to attack the “Point-of-Sale” technology used today by almost every retail provider of goods and services—the number of customers already identified as affected totals in the hundreds of millions.
In August, Tennessee-based Community Health Systems, Inc., which operates 206 hospitals in 29 states, announced a data breach exposing 4.5 million patients’ personal information. CHS is blaming the incident on Chinese hackers.
These incidents are merely the tip of the proverbial iceberg. Consider the June 2014 report of the Center for Strategic and International Studies that calls cybercrime a “growth industry” where “returns are great, and the risks are low.” The report estimates that recent yearly losses to the worldwide economy range from a conservative $375 billion to as much as $575 billion—and are only likely to increase significantly in the years ahead.
The governments of the world are, as anyone would expect, drawn into this vortex like a solar system caught in a black hole. Their respective citizens expect not just a response, but a fix. We can only wonder if the recent flurry of legislative and regulatory activity occurring worldwide—predominantly in countries with the most to lose economically—is a case of desperate times calling for desperate measures.
The Health Information Technology for Economic and Clinical Health Act of 2009 was Congress’s first major foray into rewriting the regulatory landscape to secure personal digital data. It substantially expanded the reach of the Health Insurance Portability and Accountability Act to include more enforcement agencies (each state’s attorney general), more affected entities (a healthcare provider’s business associates and their subcontractors), and greater fines (from a prior maximum of $50,000 per violation to $1.5 million).
Probably the greatest game changer was the creation of a new breach notification rule. It is modeled after several of the states’ rules already applied to businesses and government entities. The burden of announcing a data breach has shifted from the regulatory agencies that previously conducted the investigations to the entities actually breached. In effect, the entity—which is at phenomenal financial risk from the publicity surrounding a breach—is now required to be the party that announces it.
This year, Congress has shown a renewed interest in enforcing cybersecurity. Both Houses have passed numerous bills awaiting presidential approval. Congress also demanded testimony from Target and Neiman Marcus executives regarding their POS attacks. On Sept. 9, Rep. Elijah Cummings (D-Md.) sent a letter to the House Oversight Committee Chair demanding a legislative investigation of the recent CHS breach.
The European Parliament is considering a Data Protection Regulation that will update the Data Protection Directive of 1995. If approved, it will make numerous changes in the network of privacy rules and regulations existing throughout the 28 member states of the European Union.
The directive currently in effect is only advisory. The regulation will instead be the minimum mandatory standard for all member nations. It will impose a previously non-existent breach notification requirement and a novel “right to be forgotten” upon request of the data owner, and it will apply not only to businesses physically present in the E.U. but to those that do business there. It will also set a maximum fine of 2 percent of a business’s global revenues for noncompliance.
The Best Answer?
Are these potentially desperate measures the best answer? The reality is that these are the times we live in, and these are the challenges we, as attorneys and legal professionals, face. The only true question that must be immediately answered is “how do we respond?”
• Don’t relinquish responsibility for technology decisions to the IT department.
• Don’t be afraid to ask questions when you don’t understand a technology.
• Don’t just accept the word of the people you’re supervising. Do your own research, and learn the answers for yourself.
Ultimately, the reasons for the chosen technology should make good common sense. If they don’t, never give up until you can find options that do. Once you find the right and sensible choices, fight for them even when the bean counters say they’re not economically wise for your organization. Document every decision, whether supportive or not. Make sure you do everything in your power to stay at the front of the learning curve of the statutes and regulations that affect your organization.
Never forget that you also have a significant stake invested in how this ultimately plays out. Like it or not, once the responsibility for these decisions has fallen on your broad shoulders, everything above those shoulders is at risk of being chopped off when things go wrong. This is not fantasy fiction-writing; it’s a reality.