President Obama’s recent Executive Order No. 13636, issued February 12, 2013, places data privacy and cyber security as lead initiatives for critical infrastructure sectors, such as financial services, health services, and energy. Data privacy and cyber security are hot topics globally. In the U.S., data privacy and cyber security regulations are challenging and vast. The EU has stringent privacy laws as well. Today, nearly every industry sector is touched by data privacy regulations, threats, and demands, and is therefore also liable for breaches or other non-compliance when things go awry.
Many companies fail to routinely audit their compliance situation or Information Technology operations. Many do not have a breach or notification plan in place. Further, high-level executives and boards often fail to review cyber security, privacy, and risk management as part of corporate good governance operations or policies. Because financial services and energy are two prime critical infrastructure sectors that attackers target, Gulf Cooperation Council (GCC) countries and those companies operating in the region are particularly vulnerable. A Gulf Business Machine (GBM) survey of regional IT professionals revealed that 35 percent of all cyber crime and breaches were the result of an organization’s own internal employees. Social media was noted as a primary source for attack. Other attacks come from external hackers. In 2012, hackers linked to the government of Iran attacked data and disabled 30,000 computers, thereby causing millions in damages at Aramco.
In the U.S., civil and criminal liability is on the rise as class actions have mounted for breaches involving Personally Identifiable Information (PII). State and federal investigations and prosecutions are on the rise for noncompliance in nearly every industry, including financial services, health services, manufacturing, and energy. Energy companies and financial institutions are particularly vulnerable to cyber attacks, and the targets may vary from customer information to company secrets. Energy companies are routinely targeted by insiders, foreign governments, organized crime, or competitors seeking corporate secrets and intelligence, control over critical industrial control systems, or other data or intellectual property. The most widely known attack against U.S. oil and gas companies was by China through use of its Night Dragon. Night Dragon was launched to steal confidential information from major U.S. energy companies, at least one of which said it was not aware of any successful attacks.
Because the energy and financial sectors are prime targets for data and cyber attacks, a strong compliance program and breach plan is crucial to prevention, mitigation of losses, and protection of a company’s reputation. Billions of dollars a year are routinely lost by companies simply in stolen intellectual property. Mitigating exposure to liability as a result of data security breaches can save millions per year in lost assets or reputation, intellectual property, customer information, fines, or other damages. The risks are even more dire for energy companies, where an attack could result in an oil spill or other environmental damage, prolonged power outages, and loss of life.
Threats and attacks from outside hackers are usually what comes to mind when one thinks of data and cyber protection. However, what most are not aware of is that the bulk of threats actually come from inside a company: disgruntled employees, poorly trained employees, poor compliance controls, poor oversight of employees with access to sensitive information, and employees who are interested in selling competitive corporate intelligence for whatever reason. The actual number of breaches and other cyber crimes by insiders is much higher than the GBM survey indicates, and most incidents are unreported, confidential, or undiscovered.
Information technology personnel cannot bear the risks alone and are not equipped to conduct assessments and analysis as regulatory attorneys are. Even the best IT personnel and management need legal guidance and assistance with investigating breaches and attacks. Legal representation at every level of compliance activities and investigation is the best insurance for successful mitigation and management of risks. It is imperative that outside counsel be involved in routine audits and assessments of compliance review and development, in training, and in development of a solid breach plan. Cyber and privacy insurance rarely covers liability or damages for breaches in all scenarios. Compliance will always remain cheaper than the losses a company may suffer in stolen property or loss of reputation.
Teresa N. Taylor is Of Counsel at Akrivis Law Group, PLLC in Washington and is an Adjunct Faculty member at Georgetown University Law Center.