Why Due Diligence as a Defense is Not Enough
Corporate executives love two words: “Due Diligence”. Unfortunately, this is only half of the formula for meeting the requirements of the “Standard of Care”. It is startling how large a percentage of these executives fail to grasp the concept of, and the legal liability imposed under, “Due Care”. Due care is the second half of the formula and is equally important; without it, the standard of care cannot be measured. Performing due diligence shows you where your risks lie; due care is acting on what due diligence discovered, so as to protect against or mitigate exposure from those risks.
While businesses have invested in technologies such as firewalls, intrusion detection, and now intrusion prevention, we are all too familiar with FUD (Fear, Uncertainty, and Doubt). How many presentations have you attended in the last six months where a security service provider discussed “Code Red”, “Nimda” or “Slammer”? The most recent of these is now two years old. So why are we still discussing them? One word: “fear”.
Fear of what exactly? Some might respond with, “Distributed Denial of Service (DDoS) attacks, identity theft, or the theft of intellectual property”. All of these occur. What are the odds of one happening to your company? Better than 60% of all US businesses face civil litigation at least once in the course of their operation. According to the FBI, approximately 85% of businesses surveyed in the United States last year reported a financial loss attributed to computer/cyber attacks. Decision makers’ core focus tends to revolve around the types of attacks and whether they originated from outside or from within; perhaps you should turn your focus instead to the ramifications after the attack rather than the attack itself.
It seems almost daily that a news report highlights some form of security breach. This barrage of reports feeds the FUD factor. So, is the FUD factor justified? To an extent, yes. However, is our focus in the correct area? No! If you take vendor bias out of the equation, the one common denominator in preventing potentially negligent action is understanding that “what” you do is more important than “how much” you spend. Obviously a cost is associated with security. Since security usually falls under the scope of risk management, the transference or acceptance of risk is more commonly understood than the possibility that these same risks become the catalyst for civil litigation.
A common complaint from middle-level management is insufficient buy-in from upper-level managers. Even with the FUD factor in play, many maintain that, since court cases are not plastered all over FOX or CNN, lawsuits in this area do not take place and therefore the actual risk is more qualitative than quantifiable. What any experienced attorney will confirm is that non-disclosure clauses are commonly part of the terms on which a lawsuit is settled. That practice is what keeps a lawsuit out of the public eye, not a lack of occurrence.
President Bush has set forth an initiative for tort reform. Just recently in Georgia, claims against physicians were capped at $350,000, where before claims in the millions were very common. Even with tort reform in place, civil lawsuits will continue to take place. Are you ready for court? Is your CEO or President? Think so? In the wake of Enron and Tyco, it should come as no surprise to business executives that security and networking personnel have a duty to document transgressions that can lead to a breach or fraud. If your networking manager provides the CIO or CEO with information supporting the need for enhanced security and it is denied, it should be incumbent on that same individual to say, “I understand. I need you to sign here acknowledging that you were advised of this issue and declined my recommendations.”
This should be expected and embraced by upper-level management, as it holds each person to a higher level of accountability and thus demonstrates a higher standard. In this same scenario, the CEO or CIO should sign and then document the basis for the decision with the assistance of in-house or third-party counsel. Just because the CEO didn’t agree with what was presented doesn’t necessarily mean he or she was wrong. But if you do not document the basis for your decision, will 12 jurors believe your intentions were in the best interest of the company, or that you were just trying to save yourself?
A fairly recent survey reported that most businesses fail to address medium- and low-rated risks in information security. A noticeable trend started in the middle of last year: hackers began using older vulnerabilities as their vector of attack. The most notable example was “Phatbot”. Phatbot is like any other “bot”, designed to perform a repetitive process specified by its creator. In Phatbot’s case, that repetitive function was designed to be stealthy and to install malware. In 2004, exploits for Microsoft vulnerabilities dating back to early 2003 were encoded into Phatbot’s payload, alongside key-loggers and remote administration capabilities.
From the point a vulnerability is discovered and a remedy is made available, the clock starts ticking. The longer you wait to address the threat, the closer you encroach upon negligence. Tracking and closing that window is just one demonstration of due care.
The use of antivirus products might be acceptable in the short term, while the vulnerability is actually being patched on individual systems. Relying exclusively on this method does not work and is not accepted under “Best Practices”: a signature only recognizes the variants it was written for, while the underlying hole stays open. This is why you will see multiple variants of the same named worm.
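As an added illustration of the “clock starts ticking” point (example code written for this page, not part of the original article), the following script measures the exposure window for each finding from the day a vendor remedy became available to the day it was applied, or to the reporting date if it is still open, and flags items that have exceeded a remediation deadline. The per-severity deadlines in SLA_DAYS, the hostnames, the advisory identifiers and the dates are all assumed or constructed for the example; an antivirus signature standing in for a missing patch is reported as an interim measure rather than as closure.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Remediation deadlines in days after the vendor releases a fix.
# Assumed policy values for this example, not figures from the article.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 60, "low": 90}


@dataclass
class Finding:
    asset: str
    advisory: str                  # vendor advisory identifier (constructed here)
    severity: str                  # key into SLA_DAYS
    fix_released: date             # day a remedy became available
    patched_on: Optional[date]     # None means still unpatched
    interim_control: Optional[str] = None   # e.g. an antivirus signature


def exposure_days(f: Finding, today: date) -> int:
    """Days from remedy availability to patch application (or to today if still open)."""
    end = f.patched_on or today
    return max(0, (end - f.fix_released).days)


def assess(f: Finding, today: date) -> dict:
    """Compare one finding against its SLA and note interim controls standing in for a patch."""
    days = exposure_days(f, today)
    limit = SLA_DAYS[f.severity]
    still_open = f.patched_on is None
    note = ""
    if still_open and f.interim_control:
        note = (f"{f.interim_control} is an interim measure only; "
                "the vulnerability remains until the patch is applied")
    return {
        "asset": f.asset,
        "advisory": f.advisory,
        "severity": f.severity,
        "exposure_days": days,
        "sla_days": limit,
        "overdue": days > limit,
        "open": still_open,
        "note": note,
    }


def report(findings: List[Finding], today: date) -> List[dict]:
    """Assess every finding; overdue items first, longest exposure first."""
    rows = [assess(f, today) for f in findings]
    return sorted(rows, key=lambda r: (not r["overdue"], -r["exposure_days"]))


def overdue_by_severity(rows: List[dict]) -> Dict[str, int]:
    """Count overdue findings per severity, for the summary a decision maker signs off on."""
    counts: Dict[str, int] = {}
    for r in rows:
        if r["overdue"]:
            counts[r["severity"]] = counts.get(r["severity"], 0) + 1
    return counts


# Constructed inventory: hostnames, advisory ids and dates are made up for the example.
SAMPLE: List[Finding] = [
    Finding("web01", "ADV-2003-07", "critical", date(2003, 7, 16), date(2003, 7, 20)),
    Finding("db02", "ADV-2003-07", "critical", date(2003, 7, 16), None, "antivirus signature"),
    Finding("file03", "ADV-2004-02", "medium", date(2004, 2, 10), date(2004, 5, 1)),
    Finding("mail04", "ADV-2004-06", "low", date(2004, 6, 8), None),
]
AS_OF = date(2004, 9, 1)   # assumed reporting date


if __name__ == "__main__":
    rows = report(SAMPLE, AS_OF)
    for r in rows:
        status = "OVERDUE" if r["overdue"] else ("open" if r["open"] else "closed")
        print(f"{r['asset']:8} {r['advisory']:12} {r['severity']:8} "
              f"{r['exposure_days']:4d}d of {r['sla_days']}d  {status}  {r['note']}")
    print("overdue by severity:", overdue_by_severity(rows))
```

Run as-is it lists db02 (413 days on a critical fix, covered only by an antivirus signature) and file03 (81 days against a 60-day medium deadline) as overdue, while mail04 is still open but within its low-severity window. The record this produces, dated and kept with the sign-off described above, is the kind of evidence that distinguishes a documented decision from negligence.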
Verizon learned a valuable lesson when it pursued civil action against the State of Maine’s Public Utility Commission for a rebate because of the negative impact resulting from the Slammer worm. In Maine, the telecommunication providers sublease lines from the State’s Public Utility Commission. At the time the attack took place, a remedy from Microsoft had been available for several months. A common opposing argument is that the larger the company, the more difficult it becomes to apply software patches. Many networking and security professionals believe that best practices and regulatory statutes such as HIPAA (Health Insurance Portability & Accountability Act), GLB (Gramm-Leach-Bliley) or even Sarbanes-Oxley do not take into consideration the size and scope of each business. From a legal liability standpoint, however, they don’t have to!
The defendant, the State of Maine, relied on a little-known legal principle, the “Neighbor Policy”. The defense argued that AT&T and WorldCom, both telecommunication providers like Verizon, had applied the patches as recommended by Microsoft, and that neither of these parties filed suit because they were not harmed. This information was used to attack Verizon’s claim, and the judge not only found in favor of the defendant but also went on record to state that these types of attacks are foreseeable and preventable.
Even though the defense won, they lost. Consider how much money was spent on legal representation to protect their position. Still think you’re ready for court? Given the United States’ current legal landscape and the case law now taking shape, perhaps the use of legal counsel should be rethought. Rather than rely on legal representation after the fact, consider utilizing it preemptively while designing, managing and executing your business’ security posture. If in-house counsel is not trained or experienced enough in this critical area, it is wise to utilize independent legal representation.
Very few law firms specialize in this area, and only a handful of attorneys are skilled enough as litigators in information security. Because of this, the legal community is rapidly embracing information security and understands that a market exists for such practices. In fact, the American Bar Association has printed materials on standards for this subject matter. Rather than conduct business as usual and rely on the odds, which are not in your favor, it would be wise to understand that the cost of defending why you shouldn’t or cannot afford to apply prudent security strategies often equals or surpasses the cost of applying them. Hackers are no longer interested in the spectacle of breaching a system and winning praise from peers. The hackers of today are more organized, better funded, work in groups without national boundaries, including organized crime, and are setting their sights on you.
Still think you’re ready to go to court?