Data breaches at major corporations like Target and Michaels become high-profile news, but it’s a risk that every company with an Internet-connected computer should be worried about, according to Jason Weinstein, a partner in the law firm of Steptoe & Johnson LLP whose practice specialties include cyber crime. “Cyber criminals are interested in getting into the systems of anyone who collects customer data that can be exploited for profit. And there are groups of hackers who try to steal intellectual property and resell it to competitors or to foreign companies,” says Weinstein, who, in his former position as deputy assistant attorney general with the U.S. Department of Justice, supervised the Computer Crime and Intellectual Property Section.
Given the double-edged reality that a cyber criminal who wants to get onto a network will do so — and commonly stays on it for months, exploring what’s there and how to exploit it, and putting in place the infrastructure for the attack — and that the immediate reaction by regulators and the public alike is to blame the victim, Weinstein says the important lesson for businesses is that they need to focus on managing their risk. “Prevent the things you can prevent, and put yourself in the strongest possible position to deal with the consequences for the things you can’t prevent.”
There are specific steps Weinstein suggests businesses take proactively. One is to have a network security firm assess the network’s security measures, such as the strength of passwords and the logging of all activity on the network. Having logs of that activity enables a business to gather evidence more quickly if there is a breach, Weinstein explains. Another step is to have a lawyer look at a business’s privacy policies to make sure it is not promising something to the public that is inconsistent with what it is actually doing — which would open that business to prosecution by regulators for deceptive trade practices. Businesses should also look at their document retention and destruction policies, and retain only the data they need for ongoing business purposes. “Too many times, companies lose data they didn’t even need to have,” he observes. They should likewise review their contracts with their vendors — as attacks could come through the networks of third parties — and assign appropriate liability and responsibility for cyber security. And every business should have an incident response plan in place that spells out what actions should be taken by its lawyers and its communications and technical departments.
Having legal counsel oversee the internal evaluation puts it under the auspices of protected attorney-client privilege, Weinstein notes. Counsel can also help navigate the breach notification laws — of which there is no single federal law but rather separate ones that have been passed in 46 states. A business may come under a state’s jurisdiction through factors that include where it operates and where its customers are located. Explains Weinstein, “There are obligations to comply with different — and maybe inconsistent — rules.”
Mobile devices pose the same security concerns as computers — with the addition of location data that can be tracked, notes Karen Dickinson, a shareholder in the Phoenix office of Polsinelli. Geolocation adds “stickiness” to businesses’ marketing, enabling them to send a promotion to a person’s smartphone when it’s in close range of the business.
Some mobile applications track the user without having given that user notice that they do so. “That’s where regulators get concerned,” says Dickinson. And while there is no overarching federal law as yet, some states are applying unfair competition laws in suits against businesses engaging in this practice.
In terms of business liability, this is currently a dynamic, unsettled area of law, and the Federal Trade Commission is planning a conference to discuss the implications of mobile-device tracking technology. To date, decisions coming out of lawsuits have been generally on the side of the business because damages are hard to substantiate, says Kris Carlson, also an attorney in Polsinelli’s Phoenix office. But he adds, “Government regulating bodies are trying to create some kind of standard to enable consumers to have knowledge they are being tracked.”
Privacy by Design is a tool prepared by the FTC for businesses, which offers such advice as making sure to understand the differences among mobile platforms as not all have the same security. And its Bureau of Consumer Protection offers a brochure titled “Mobile App Developers: Start with Security” with tips to help mobile app developers address security issues.
While there are many issues to deal with, one of the most basic is consumer consent. The “Terms & Conditions” contract that websites employ is considered too long to be a reasonable form for mobile devices. Last July, says Dickinson, “the Department of Commerce’s National Telecommunications and Information Administration released a draft of a voluntary code of conduct for mobile applications. The code sets out guidelines for short-form notices that application developers can use to inform consumers about the collection and sharing of consumer information with third parties.”
Voluntary standards often become law or the basis for an unfair-practices accusation by regulators, Dickinson observes, noting the importance of businesses staying on top of the issue. Furthermore, the federal Government Accounting Office noted in its report last November that legal privacy schemes have a lot of gaps, and suggested Congress look at creating a framework to deal with those gaps.