Between 2012 and 2014, the number of companies in the US hit by cyber security breaches doubled. There is now a common expression in the information security industry: “There are only two types of companies: those that know they’ve been compromised, and those that don’t know.” What is interesting about malware cyber attacks is that few attack are targeted at a specific company. Rather, 90% of malware is hovering around the internet programmed to attach to unprotected persons and businesses. More than 317 million new pieces of malware — computer viruses or other malicious software — were created last year. That means nearly one million new threats were released each day. (CNN Money, April 14, 2015). From a practical standpoint this means is that small and large businesses are equally likely to suffer an attack. Companies can, and should, take steps to assess, monitor, and protect themselves from cyber security breaches. Failure to do so can result in devastating financial damages to the company and its clients. The board of directors and officers of companies have a duty to the company and shareholders that they serve. With the significant uptick in high profile cyber security breaches, officers and the directors can no longer play naïve to the risks of data breaches. A lack of oversight and management of cyber security risks can result in members of the company’s board of directors and officers being found personally liable for damages. The following is a general overview of 5 main areas that a company should assess related to its cyber security protocols and procedures.
1. Data Management Risk
- § An effective due diligence process should analyze what data the company holds on its networks and work stations and where it gets that data from. Does the Company retain PCI (personal credit card information) or HIPPA materials for its clients? It is important to quantify how valuable and confidential the retained data is to the business (and customers) and then focus on how the company protects and exploits it. Track the flow of data. Where is data stored? How is data received? How is data transmitted? How is data destroyed? Who has access to company data?
2. Technical Risk
- § If valuable data is used in an internet environment, a forensic IT security consultant should be retained to assess how the data is encrypted and what firewalls and other systems are in place to keep it safe. A business is only as secure as its third-party suppliers, these systems should also be analyzed.
3. Contractual Risk:
- § A company’s contracts with its third-party suppliers, vendors, customers, and insurance carriers should be evaluated and reviewed by legal counsel. What contractual obligations has the company assumed? What risk shifting mechanisms are in place? What indemnification provisions are required? What are the jurisdictional and venue requirements for lawsuits/arbitrations? Are there any express limitations of liability? What insurance policies are in effect and what do those policies cover and exclude?
4. Employee Risk
- § Effective cyber security is about more than just expensive and complex technical systems and contractual safeguards. Human behavior is a bigger risk to data security than even the most sophisticated hacker. It is vital to assess what processes a business has in place to protect its data and how these are reflected in its employee and subcontractor relations, contracts, and operations. Are their confidentiality/trade secret/NDA contracts in place with employees? An IT security firm should be retained to analyze and evaluate all employee workstations, emails, networks, tablets, laptops, passwords, and phones to determine potential weak links in cyber security. Protocols should be established, monitored, and reviewed on an ongoing basis.
5. Track Record/ Past Risks
- § If a business has already suffered a known data breach in the past, that risk needs to be reviewed and evaluated on an ongoing basis to prevent future similar attacks. An assessment should then be made of how the company dealt with the breach and what procedures were put in place to guard against a repeat attack.
As the number and frequency of cyber attacks continue to rise, companies must remain diligent and continually monitor and improve their cyber security protections. Officers and directors who underestimate or overlook cyber security threats face the potential of personal liability for company damages. In future blog posts we will continue to explore this ever increasing business and legal risk.
The attorneys at MLMW are experienced in working with clients on cyber security related issues including in litigation, employment contracts, transactions, and mergers and acquisitions. We also work regularly with specialized IT cyber security firms. Please contact us if you would like to speak more about your company’s cyber security issues.
(Mallon Lonnquist Morris & Watrous, PLLC, is a business, employment, real estate, and litigation law firm. Craig T. Watrous is a Colorado business attorney with MLMW, based in Denver, Colorado. Craig regularly represents clients on cyber security matters. Craig can be reached at cwatrous@mlmw-law.com and (303) 722-2165)