Visceral and Vested:
What’s the Risk?
I wrote this essay in my professional capacity for publication in a prestigious magazine's spring 2018 issue. Ultimately, it was not accepted. However, I think that it properly addresses the conundrum of legal liabilities that face business people when facing real-world cybersecurity threats. Since it has languished unpublished some two and a half years, it is mine, I wrote it, and, lacking a professional outlet, I decided to publish it here for no reason other than to preserve the result of several hours work.
When a malicious intruder breaches a corporation’s data infrastructure, many things can happen, much of which depends upon the overall perception of harm. Harm falls into several categories, some of which have been generally rejected by the courts. For example, emotional distress, increased risk of identity theft and future fraud, and spending time and money to prevent future fraud—such as signing up for credit monitoring—have all been rejected by the courts. Historically, the plaintiff must show the harm to be visceral and vested, reflecting palpable injury or financial loss.
For example, in 2014, Wyndham stockholder Dennis Palkon brought a lawsuit against Wyndham Worldwide Corporation and numerous corporate officials after the board refused his demand to investigate and remedy the harm inflicted on the company by a series of data breaches.
The plaintiff alleged that the company failed to implement proper data security measures and promptly disclose the data breaches between 2008 and 2010. The court dismissed the lawsuit because the board had acted consistently within the principle of the business judgment rule. In short, the board had acted responsibly within the accepted business practice, and the plaintiff had shown no visceral and vested harm.
The court reasoned that the company had followed the accepted business practice and that the plaintiff had failed to show actual harm. Thus, the Wyndham case ended in dismissal because the directors had supervised their security practices under the business judgment rule, the accepted business practice of the day. Under that rule, the courts presume that the board acted in good faith, on an informed basis, and the honest belief that the action was in the company's best interests. Even so, the legal expenses of defending such cases are high, and depending on the specifics of insurance coverage, may not be covered by a general commercial liability insurance policy.
Along with many others, this case illustrates the necessity of ensuring that the company is following industry best practices and has a comprehensive liability insurance package in place. Despite the trouble and expense, the outcome was favorable.
More recent cases have experienced vastly different outcomes. Target, for example, had some 140 lawsuits filed over their security troubles. CEO Greg Steinhafel and Chief Information Officer Beth Jacob lost their jobs, and in 2017 the company stated(I) that the total cost of the breach had reached $202 Million. The question of visceral and vested harm did not arise. Instead, the courts assumed de facto evidence of harm.
Equifax CEO Richard Smith became a casualty after a Category 5 data breach that exposed information on half the adult US population. Further, Smith was called before the Senate Banking Committee on October 4th and found himself apologizing to Congress. But again, courts have not insisted on proof of visceral and vested harm.
The hits keep coming. Hardly a day passes but we see a report of yet another, ever more egregious data breach.
January 4, 2018, the Washington Post(II) reported a massive data breach in India’s Unique Identification Authority, estimated at more than eight times the size of the Equifax breach. The biometric ID program, one of Prime Minister Narendra Modi’s flagship policies, has now exposed more than a billion people to identity theft and privacy intrusions.
In the case of Equifax, the specific flaw that led to the break-in had been patched by the vendor only two months earlier. Had Equifax cybersecurity management reacted faster and patched the vulnerability sooner, they would have prevented the breach. Critics have perhaps rightly excoriated Equifax management for tardiness in updating their systems.
Not to excuse any unnecessary delay, but the simple reality is that updating complex systems requires proactive planning and scheduling and logistics management that is difficult and tricky. There is a constant race between discovering new vulnerabilities and their mitigation across a sophisticated IT infrastructure. There will never be perfect IT systems, and there will always be newly discovered, unmitigated flaws.
The problem is not one of technology alone. Elevating the corporate approach to cybersecurity is essential. Part of doing so requires containing liability in the event of a breach and channeling the effects into a structure of policy, procedure, and insurance designed to contain and defuse.
Responsible executives must take steps to protect themselves and their company’s interests. However, relying on a visceral and vested “best practices” defense as saved Wyndham ignores the escalating cyber threat and the evolving ideas of what constitutes cybersecurity best practices.
Due to the increasing cacophony of outcry over seemingly endless data breaches, the cybersecurity landscape is shifting, changing, and becoming ever more unpredictable. As a result, executives must raise their game, as the defense of 2014 will not be viewed through the same legal liability lens in 2021 and beyond.
Containing liability mandates a proactive defense. Therefore, before any data breach occurs, the board must make themselves well-informed of the company’s cybersecurity practices and the protocols in place for a response. A cursory understanding is no longer sufficient.
The company must appoint officers with solid expertise in cybersecurity, including a Chief Information Officer, a Chief Security Officer, and a Chief Privacy Officer. These officers should also chair a technical committee responsible for cybersecurity oversight, including senior management, which regularly briefs the board on evolving issues.
Historically, the board of Directors and CEO are not technically focused and lack a deep understanding of technical issues. The board must not rely on non-members alone for technical expertise in today’s technological landscape. The board should proactively include a tech-savvy member who would also sit on the cybersecurity committee.
Further, risk management cannot be focused internally alone. Effective cybersecurity risk management requires managing a complex layer of hardware, software, devices, networks, telecommunications, and people, not only within the enterprise but across all interconnected third parties.
The risks of connected organizations via business and technological interconnections further amplify exposure by ad hoc and inconsistent policies and approaches of each interconnected enterprise. Therefore, companies must adopt and implement a consistent framework of minimum standards across all businesses.
The US Executive Order of May 11, 2017, titled “STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE,” mandates the use of “The Framework for Improving Critical Infrastructure Cybersecurity” developed by the National Institute of Standards and Technology (NIST) for government agencies.
The NIST Cyber Security Framework (CSF)(III) provides a policy framework of computer security guidance which is equally helpful in guiding how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber-attacks. As such, the framework defines a suitable minimum standard for cyber hygiene.
This puts the issue of visceral and vested harm at bay because if a company uses the CoT legal framework and ties the definition of cyber hygiene to a NIST standard, then it can be shown the board had acted responsibly within the accepted business practice, and the plaintiff had shown no visceral and vested harm.
Standardized interconnection agreements enforcing a minimum cybersecurity standard consistent with CSF Tier 3 forms the basis of the “Community of Trust” concept. Within a Community of Trust, Boards of Directors define the cyber risk as a subset of overall risk and put checks and balances in place that ensure a timely and organized response to vulnerabilities.
A Community of Trust incorporates a warehouse for security data across the Interconnected 3rd parties, enabling all involved entities to better visualize the state of the security of their enterprise and the community of interconnected parties. This ensures coordination across the association in disseminating vulnerability awareness and countermeasures, keeping all interlinked member parties in sync regarding deployment of updates and on a universal level of risk understanding.
The legal framework is technology agnostic. It allows any Enterprise to choose any vendors or use existing and already deployed technology to create the Community of Trust. It provides an Enterprise-wide look at the status of the Enterprise network and all activities of all the end users, employees and other Interconnected 3rd parties in relation to the Community of Trust Owner's Network. The Master Interconnection agreement which is one of the three Master Agreements that defines that all the Interconnected 3rd parties to a private Enterprise Network collect and utilize data to manage the cyber hygiene of the group of interconnected entities.
Cyber insurance is a critical component of any cyber risk policy but is difficult to obtain in sizable financial dollar amounts. Use of standard interconnection agreements along with clear and consistent security policies plus attentive and involved executives make defining and pricing risk a straightforward business proposition. A Community of Trust membership fosters the development of a large pool of companies who want cyber insurance in a consistent and repeatable format with defined risk (using CSF Tier 3 as the standard), improving availability at more efficient pricing. Lower enterprise risk due to standardization also introduces fungibility, which not only streamlines origination but enables the syndication of cyber risk.
The NIST CSF Tier 3 Framework further mandates a secure methodology for collaboration in security matters, both before and after a breach is detected. It does not do, for example, to discuss sensitive issues via a messaging system that may be involved in the compromise under discussion unless perhaps one is seeking to provide misdirection to possible attackers.
Further, one might argue that telephone systems are merely another form of computer, thus using the public switched telephone network presents a security exposure and that something more secure is desirable.
Encryption provides one such methodology via secure XMPP text messaging and encrypted Video and VoIP telephony using NSA Mobile Access Capability Package compliant multi-layer encryption technology.
Historically, the definition of best practices has evolved on an ad hoc basis, employing testing methodologies based on known vulnerabilities. Such testing methodologies, while valuable and productive, lack architectural consistency and repeatability. A more structured approach is needed.
Just as a responsible application developer follows structured programming principles to develop bug-free software rather than relying on post-development testing to instill quality into an unstructured project, cybersecurity must build upon a structured framework.
Ad hoc penetration testing validates that specific vulnerabilities have been dealt with in the past tense but does not ensure that future vulnerabilities will be addressed consistently, nor does it ensure a sound and effective response should a breach occur. Further, ad hoc testing does nothing to contain liability and protect the organization and its officers in the event of a breach.
If an enterprise seeks to protect itself to the highest possible standard, it must:
1. Employ a legal framework and follow the guidelines to enforce standardized interconnection agreements.
2. Employ sophisticated technology for coordinating a consistent security profile across interconnected parties.
3. Employ secure collaboration and communications tools within the security envelope.
An Enterprise that follows these strategies will have protected itself to the highest possible standard. Also, it will have created a structure within which organized and repeatable updates and validation flow naturally as a consequence of routine business. Cyber insurance, as the final protective component of risk mitigation, becomes straightforward.
Tying this to an evolving "best practices" standard such as the CSF puts the Board and CEO in the position of staying current with evolving standards while having a written agreement in place that evolves with the standard.
Trusting the historical concept of best practices for a visceral and vested defense and trusting that corporate structure plus ordinary commercial business liability insurance protects executives in the event of a breach is living in the past. The standards of 2014 are obsolete. Anyone who doubts this should talk to the ex-CEO of Equifax, or Target.
I “Target Pays Millions to Settle State Data Breach Lawsuits” Fortune Magazine, May 23, 2017, http://fortune.com/2017/05/23/target-settlement-data-breach-lawsuits/
II “A security breach in India has left a billion people at risk of identity theft” The Washington Post, January 4, 2018: https://www.washingtonpost.com/news/worldviews/wp/2018/01/04/a-security-breach-in-india-has-left-a-billion-people-at-risk-of-identity-theft/?utm_term=.3215c39d9f8a