IT Security Confronts New Legal Liabilities

Upcoming legislation and changing threats prompt our cautious security manager to double-check the corporate liability policy.

Word of upcoming security-related legislation and a recent security incident at my company have prompted me to investigate cyberinsurance. I had to review how well my organization is positioned to deal with a lawsuit or the need to file a claim as a result of a cybersecurity incident.

Like many security professionals, I have been so focused on keeping up with the fast-changing IT security landscape that I haven't thought much about how those changes affect potential insurance-related issues at my company.

For example, in California, Senate Bill 1386 will become law next month. It will require companies to disclose to consumers any event in which data pertaining to them was possibly compromised as a result of a security breach. Under SB 1386, not only California companies will be required to notify customers of security breaches; instead any company that does business in California will have to disclose security breaches to California customers. So if your business is located in Boston or New York and you have customers in California, you will have to comply with this law.

Possible Loopholes

I'm told that there are several loopholes in this bill that give us some flexibility and protection. For example, the law will apply to instances when a customer's data is "reasonably believed" to have been compromised. In my experience, any time that phrase is used, there is room for interpretation. The term reasonable seems to take on different interpretations depending on whom you talk to. Even so, defending interpretations favorable to our company in court could require an army of lawyers and lots of time and money.

Another loophole involves a possible exception if the stolen customer data was stored in encrypted form. My company keeps all of its customer data in an encrypted Oracle database.

Of course, the bill doesn't specify the type of encryption. It could be weak or strong. So the question becomes this: If a hacker is able to compromise a data store and decrypt the data, does that require disclosure? And how do you know whether the hacker did in fact decrypt it?

There's also a provision that says a company doesn't have to disclose a breach if a law enforcement investigation or inquiry is under way. Such investigations can last for years.

Besides situations involving the new California law, there are other instances when we might want to file an insurance claim.

Recently, an employee, prior to leaving the company, created several new accounts on a huge, publicly accessible FTP server that serviced some 400 user accounts. He also configured one of the accounts to have administrative privileges and then created a trust relationship between the FTP server and another server. The latter had direct access to a database server housing customer credit card data. By simply logging into the FTP server, he could have accessed the database server and copied the sensitive data.

Fortunately, we discovered the breach shortly after the employee left during a routine audit that included a review of administrative privileges. Our investigation showed that no customer data had been compromised, but the incident gave us enough of a scare to take a new look into the issue of cyberinsurance.

No Publicity, Please

Even if we could catch the perpetrator, my company, like others, would be disinclined to try to prosecute and recover damages. I had wanted my company to take legal action against the former employee, but management didn't want the publicity that would have resulted. And even if we had prosecuted, it would have been hard to prove that this individual actually conducted the unauthorized activity. Yes, his account was used, but we would have had to show that he performed the keystrokes to gain unauthorized access to the backdoor accounts.

When a user has administrative-level privileges on a system, he has the ability to make my life miserable. In this case, he could have deleted the entire database, causing significant downtime and serious monetary losses.

In fact, had he done so, we would have lost a lot of revenue during the time it would have taken to rebuild or restore the data. Our e-commerce site generates more than $1 billion per year in online transactions. We do replicate the site to minimize downtime, but this trusted administrator could have taken down both sites if he wanted to. Depending on the extent of the damage, it could have taken our IT team more than six hours to resolve the problem. That could add up to a potential seven-figure loss. To recoup losses in such situations, it might be prudent to be able to file an insurance claim.

I made some inquiries to our legal department and, fortunately, we do have a cybersecurity clause in our policy that covers loss as a result of dishonest or criminal acts by our employees. In this scenario, even though the employee was terminated before accessing our infrastructure, the fact that he was an employee when he created a back door into our system meant we would have been covered. Now we just have to worry about the potential saboteurs we don't employ.

What Do You Think?
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com, or join the discussion in our forum: QuickLink a1590
To find a complete archive of our Security Manager's Journals, go online to
computerworld.com/secjournal.

Related:

Copyright © 2003 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon