Cybersecurity and Data Privacy Compliance: Looking Forward

The world of legal accountability in cyber space and data privacy is continually evolving. The United Nations is on the horizon of applying international law to cyber space based on sovereign principles that countries are responsible for actions and harms that occur within their borders as a result of data breaches. Hackers today vary widely, from bored teenagers with rudimentary skills to rogue governments with surprisingly successful tactics, yet over ninety percent of hackers are successful. Iran has posed one of the biggest hacker threats in suspected retaliation against banks and financial institutions in response to Stuxnet. The bulk of critical infrastructure (i.e., energy, telecommunication, transportation, financial services, food and water, public health) and private corporate networks nevertheless remain particularly vulnerable to internal and external cyber attacks and data breaches of Personally Identifiable Information (PII), proprietary information, intellectual property, business intelligence, and customer information. Universities and non-profit organizations are particularly vulnerable targets as well.

Most companies, including law firms, have no strategic plan in place to deal with attacks, insider threats, or data privacy breaches. Companies must have a framework for protection that goes beyond mere technological filters. Lawyers now have an additional duty to protect technologically against such attacks and breaches internally, and also to advise clients on strategic plans and compliance that effectively address cyber attacks and data protection in an effort to mitigate potential liability and damage stemming from such attacks. Law firms have to be as well-informed as any other organization and must have a model in place to address attacks. Law firms are persistently targeted by insidious hackers. Financial institutions are now auditing law firms to see if they have such protections in place to secure their clients’ data.

Passwords and Supervisory Control and Data Acquisition (“SCADA”, used to collect real-time data) systems with default passwords are easily available through forums such as Russian hacker chatter. Yet the most commonly used employee password remains “password.” Mobile devices remain big targets, and many employees charge these devices at work, thereby opening the door to another avenue of attack. Many computer networks are easily defeated by malware. Malware is available for sale on the internet and is easily available for purchase to carry out cyber attacks. Firewalls and similar technological protection software are too often easy to hack, and therefore due diligence requires companies to go beyond technological protections. Many companies that have experienced attacks or have had data breaches remain completely unaware and unprepared. In fact, it is more probable that the only reason a company may not have yet been attacked would be a lack of intent or interest by hackers or insiders with access, and would not be because the data is not available or the networks are not accessible.

Unpatched programs pose a serious, major threat, but this is not merely a technical issue; it is really a business risk issue. Companies need to ask where their critical information is located. Most company Information Technology personnel and service companies cannot respond to this question easily. A company’s critical information is usually scattered across the company, and identifying and finding the location of that information is an ongoing process requiring continuous high-level conversations.

Data retention is a key issue for corporations. The usual cost to remediate a data breach is roughly $200 per file. Customer lists containing 10,000 or more persons can therefore be very expensive. Adherence to data retention policies by destruction of information and records when this information is no longer needed is good policy. Regular risk assessments in different business lines are also good policy given that business lines have different types of valuable data and therefore have different targets; different targets equate to different methods of targeting by internal and external threats. Good data hygiene requires that data security policies and procedures are up to date and regularly checked by a third party. This should be an ongoing process. All corporate stakeholders must be involved to have a full business view of the risks, as opposed to merely a technical view of the risks. Effective data security and compliance therefore mandates that corporations work across business lines and together with high-level management and the C-suite, and finance, legal, and IT departments. It is also prudent for corporations to involve the Board, set up a high-level Risk Committee, and develop an external audit system with major assessments to identify threats and the most valuable corporate information. Corporations need more than just one or two solutions; they require a series of interventions at every possible level to effectuate due diligence and compliance.

Soon due diligence will not be optional, but in the foreseeable future will involve liability for attacks and tighter regulation beyond mere voluntary frameworks. Privacy laws are complex and directly related to cyber security. PII, such as credit card information and health care information, and corporate secrets are at risk from phishing emails. Insidious tweets or false social media postings can cause immediate harm to a corporation’s bottom line and net worth. A filibuster of cyber legislation does not mean that corporations can ignore and escape due diligence responsibility or liability concerning data protection. Data protection concerns public safety on every level, and the complexity of legal issues is only mounting.

More legislation and regulations are surely looming in the near future. Potential initial investigative steps following a data breach can be difficult and daunting tasks for a corporation, such as responding to a Foreign Intelligence Surveillance Act (“FISA”) subpoena, determining whether any protected personal and private information has in fact been shared, and determining whether a corporation has therefore triggered mandated notification requirements. Over time, litigation will end up shaping corporate guidance governing data breaches beyond the current voluntary suggestions. It is therefore imperative that corporations begin now to learn how to monetize various potential data breaches of differing information and how to conclude what constitutes a material breach requiring notification. Corporations often have no way of predicting how or when information might be exploited following a breach. These exercises are vital for corporations doing international business, particularly in Europe given the European Union’s intent to tighten requirements governing data protection within two years and that will affect aid.

Data protection is a never-ending process. Corporations can no longer be static or concerned solely with defense should a breach occur; corporations must be proactive. Hackers have been successfully hacking for many years. Corporations that are unaware of who is operating the network place their money at risk and stand to lose huge amounts of money daily should a breach happen. All corporations and states in the United States have theft of data despite data privacy laws. How corporations share data about these breaches, and how they overcome information sharing hurdles, such as how to address breaches involving national security and secret information that cannot be conveyed to other members of the board or company, is imperative to mitigation. Cyber space is now a global network that has become a global problem. No country or corporation, no matter how big or small, is exempt from these risks, the loss of data, or the resulting damage.
