Cybersecurity

2013: Cyber Warfare Confronts The General Counsel

America’s corporations are under attack. Private industry built the Internet as we currently know it, and these same institutions are now being bombarded by thieves, fraudsters, and anarchists seeking to infiltrate corporate computer systems and exfiltrate data. The bad guys are usually after customers’ personal information, including name, Social Security number, date of birth, credit card number, driver’s license number, or taxpayer identification number, to name a few.[1] Other cyber attackers seek intellectual property in the form of trade secrets and sensitive commercial information that can be used for weapons systems or unfair corporate competition. The risk posed by these cyber combatants – who are usually anonymous and oftentimes committing their crimes from computer terminals located in countries that lack criminal extradition agreements with the United States – and the resulting dangers to electronic privacy and cybersecurity are just now exploding into the nation’s consciousness.

Secretary of Defense Leon Panetta sought to sound a clarion call on October 12, 2012, in a speech warning of an imminent “cyber Pearl Harbor,” though his warning was somewhat overshadowed in the news cycle by that evening’s vice presidential debate. Secretary Panetta observed that a cyber attack against the nation’s power supply, transportation infrastructure, or water supply could result in a loss of life and crippling economic consequences. We need look no further than our collective experience in the ongoing wake of Hurricane Sandy to see that disruptions in power supply and the gasoline distribution network can grind industry and households to a halt. In the storm’s aftermath, portions of northeastern states like New York and New Jersey were only a few days away from virtually all of their citizens becoming truly desperate to locate gas for their vehicles and portable generators that were powering their homes and businesses – all caused by a massive disruption to the electrical grid and distribution network that delivers power to homes and businesses. It is not fanciful to think that a cyber attack could replicate the effects of Hurricane Sandy on a power grid. Now consider these power problems on a regional or national basis, and one can understand the defense secretary’s concerns.

The need for cybersecurity security creates business risks that must be addressed by the board of directors, C-suite executives, and the general counsel of any prudent company. Companies large and small need to defend against cyber warfare. Now and continuing into 2013 is the time when all corporate entities must face these challenges if they have not already done so and refine their defenses if they are already battling these cyber attacks.

Corporate general counsel should know, first, that all companies are vulnerable to a cyber attack. If the general counsel and chief technology officer believe their company’s information systems are impenetrably secure, they are mistaken. The FBI’s former top cyber enforcement officer recently made this point quite clearly: “There are two types of companies: companies that have been breached, and companies that don’t know they have been breached.”[2] As proof that this ongoing battle is playing out each day, Barnes & Noble became the latest victim to have its systems breached on September 14, 2012. Hackers infiltrated the company’s countertop electronic keypads – used by customers who pay for goods either by credit or debit card – and stole customers’ credit card information.[3] Barnes & Noble is not alone, of course. A considerable number of companies have suffered the maliciousness of cyber attacks, including, but certainly not limited to, T.J. Maxx, Dave & Busters, BJ’s Wholesale Club, DSW Shoes, Heartland Payment Systems, and even data storage firm Epsilon Data Management. As the victims list grows, a theme emerges: hackers have developed an insatiable appetite for pilfering Americans’ personal and sensitive information. Companies must be ever mindful of this fact, and must not rest on a false sense of security. To echo the FBI’s warning, it is not a question of whether a company will have its systems compromised by hackers; rather, it is merely a question of when this will occur and, importantly, how much damage will be wrought after the infiltration. Stated differently, it may prove impossible to keep criminals out of “secure” computer systems, but companies and their IT professionals can make it difficult for the criminals to exfiltrate the illicit data they are seeking.

Second, electronic privacy and cybersecurity are national security concerns that will likely be addressed in 2013. This past summer, a bipartisan group of United States senators sought to introduce the revised Cybersecurity Act of 2012,[4] which was offered as an affirmative response to the increasing number of cyber attacks on both private companies and the United States government.[5] The Cybersecurity Act sought to establish a partnership between the federal government and private institutions, with the goal of thwarting attacks that could cripple our economy and compromise national security. To achieve this goal, the Cybersecurity Act proposed that this public-private partnership (a) conduct risk assessments to identify high-risk sectors; (b) protect the most critical infrastructures; (c) develop and propose innovative performance requirements; (d) improve the dissemination of information relating to cyber threats; and (e) develop a coordinated cybersecurity research and development program to advance the development of new technologies and secure the nation from ever-evolving cyber threats. Similar legislation has been introduced in each session of Congress dating back to at least 2009.[6]

Ultimately, the 2012 Cybersecurity Act was blocked by a Senate filibuster in August, and a renewed effort to move the bill towards passage again failed on November 15, 2012. Nevertheless, legislation, regulation, or executive order (or some combination of such measures) is going to materialize very soon in order to combat future cyber attacks. This may happen in the current lame-duck congressional session, or it may come to fruition in 2013. This is because President Obama has indicated that preventing cyber attacks will be a priority for his second term. In a July 2012 Wall Street Journal op-ed, the President evaluated cyber threats “as one of the most serious economic and national security challenges we face.”[7] It seems likely that President Obama will be imposing some form of basic cybersecurity standards on the private sector, though the form of these new government regulations has yet to be exactly defined. Of course, Congress may still act and present a bill that the President might sign. Therefore, and aside from the prudential customer service and good business reasons to protect customers’ data, companies must prepare very soon to navigate a new regulatory landscape that is, right now, largely undefined. In short, the government is about to step into this space and will exist as a regulator for as long and as far as the eye can see. After all, e-commerce is certainly here to stay.

Finally, companies must understand that the inadvertent disclosure – i.e., disclosure as a result of a cyber attack – of consumers’ personal and sensitive information could expose the corporate entity to costly litigation.[8] For example, in In re Sony Gaming Networks and Customer Data Security Breach Litigation, a federal judge in the Southern District of California recently concluded that plaintiffs had standing to maintain their lawsuit because “where sensitive personal data, such as names, addresses, Social Security numbers and credit card numbers are improperly disclosed or disseminated into the public, increasing the risk of future harm, injury-in-fact has been [established].”[9] This reality adds another layer of “regulator” into the matrix for businesses, namely, the class action plaintiff’s lawyer and the attendant expense of defending against such litigation. Aside from the business operations response to a cyber attack, in-house counsel must think ahead about ways in which they can defend and explain the adequacy of their cybersecurity measures before a judge and jury. Ironically, this litigation threat may, in fact, be a fulcrum to move Congress and the President with respect to cybersecurity because certain previous iterations of cybersecurity legislation, such as the Cybersecurity and Internet Freedom Act of 2011, have included proposed civil liability limitations for any company that meets certain baseline protocols for protecting their customers’ electronically stored, personal information.[10] This carrot could be a great benefit from the perspective of a general counsel who may perhaps take solace that there might be some limitation on her company’s civil liability provided the (as yet undefined) threshold security measures are satisfied.

Conclusion

Government is going to regulate cybersecurity because it is a national security issue. Virtually all businesses rely on secure cyber communications with their customers, suppliers, and banks, so correspondingly, virtually all companies will be impacted by whatever cybersecurity measures are hammered out between Congress and the President in 2013. The time to begin thinking about increasing the security of a company’s IT infrastructure is now, because regardless of what form the coming government regulation will take, prudential business considerations, shareholders, and (possibly) juries will all expect good corporate citizens to be working toward protecting customers’ data and electronic privacy.



[1] See, e.g., 18 U.S.C. § 1028(d)(7) (defining “means of identification” as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual” and listing types of protected personal information).

[2] Nicole Perlroth, Nissan is Latest Company to Get Hacked (Apr. 24, 2012, 12:34 p.m.), http://bits.blogs.nytimes.com/2012/04/24/nissan-is-latest-company-to-get-hacked/ (statement of Shawn Henry, the Federal Bureau of Investigation’s former top cyber enforcement officer).

[3] See Frank Hayes, Forget Fancy Hacking, Card-Data Theft Is Now All About Pin Pads (Nov. 15, 2012), http://storefrontbacktalk.com/securityfraud/forget-fancy-hacking-card-data-theft-is-now-all-about-pin-pads (demonstrating the “disturbing” trend of thieves who, unnoticed by checkout clerks, regularly swap compromised PIN pads for legitimate versions on retailers’ countertops in order to steal customers’ credit card information).

[4] S. 3414, 112th Cong. (2012), was sponsored by Senators Joe Lieberman (I-CT), Susan Collins (R-ME), John D. Rockefeller (D-WV), Dianne Feinstein (D-CA), and Thomas Carper (D-DE).

[5] See David W. Opderbeck, Cybersecurity and Executive Power, 89 Wash. U. L. Rev. 795, 807 (2012) (noting that “computer systems of executive branch agencies of the federal government and Congress are probed or attacked an average of 1,800,000,000 times per month” and that “cyber attacks can produce $8,000,000,000 in annual losses to the national economy.”) (internal quotation and citation marks omitted).

[6] See generally id.

[7] Barack Obama, Op-Ed., Taking the Cyberattack Threat Seriously, Wall St. J., Jul. 19, 2012.

[8] See Andrew B. Serwin, Information Security and Privacy, § 25:1 (vol. 2 2012) (“Now 46 states, the District of Columbia, Puerto Rico and New York City have enacted laws that require notice and the Office of the Comptroller of the Currency has issued notice of security breach recommendations for banks as well.”).

[9] MDL No. 11-2258, 2012 U.S. Dist. LEXIS 146971 at *49 (S.D. Ca. Oct. 11, 2012); see also Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011); Resnik v. Avmed, Inc. 693 F.3d 1317 (11th Cir. 2012); Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010); Whitaker v. Health Net of Cal., Inc., No. 11-0910, 2012 U.S. Dist. LEXIS 6545 (E.D. Cal. Jan. 20, 2012).

[10] See Opderbeck, Cybersecurity and Executive Power, supra, at 810 (citing S. 413, 112th Cong. § 250(d)(2) (2011)).

Published .