Maryland Bar Bulletin
Publications : Bar Bulletin : February 2005

Previous | Next

Cyber-Security: a Regulatory And Technology Implementation Overview
By Vanessa L. Allen

Based on recent movies such as The Net, The Matrix and I, Robot, technology and those who know how to exploit it know no boundaries. Many of us are still dumbfounded by the way “cyber-monsters” corrupt our computers, steal our identities and track our Internet usage. Today’s valuable property often is transferred and stored electronically. Electronic data remains vulnerable to infringers, thieves, disgruntled employees and hackers, all of whom have few if any geographic constraints on misappropriating or breaching your clients’ data. Cyber-criminals use exotically named methods such as salami techniques, trap doors, scavenging, piggybacking, virus, Trojan horses and worms. Technology aids companies in achieving compliance objectives. Yet it poses various security threats. Lawyers must analyze how their clients’ technology implementation impacts clients’ liability and their regulatory and contractual obligations, especially regarding potential security breaches. New laws require corporate security measures or the notification of security breaches. Unlike the movies, there is not a one-size-fits-all security standard. With a regulatory overview and a script, you can direct clients to the most practical compliance and security programs.

Regulatory Overview
State and federal laws conspire to create ambiguous, conflicting legal requirements regarding security and technology. The Sarbanes-Oxley Act requires executives to certify that companies’ “internal controls” are adequate, and thus executives could be held liable for computer security if cybersecurity is included in the category of internal controls. So could a security breach be deemed a breach of internal controls, hence a breach of the Sarbanes certification and thus a criminal act punishable by the Securities and Exchange Commission? Under HIPAA, healthcare companies must ensure that electronic patient data is stored confidentially and securely. Under the Gramm-Leach-Bliley Act, banks and financial-services entities must comply with obligations similar to those under HIPAA to protect sensitive data. The FTC requires “financial institutions” (defined in the regulations) to protect consumer financial information by setting guidelines. Financial institutions must take reasonable steps to select and retain “service providers,” who can maintain safeguards for customer information. Also, “financial institutions” must develop, implement and maintain a formal information security program regarding customer data. The program must (1) ensure confidentiality and security, (2) protect against unauthorized access that could result in harm to the consumer and (3) protect against anticipated threats to security and integrity. If your client is a “financial institution,” agreements with service providers should include the required FTC provisions. If your client is a “service provider,” customers may request additional representations and warranties for compliance with the FTC regulations.

If your clients conduct business in a state other than Maryland, you should review laws such as the California Database Protection Act, which requires businesses that hold (or license) data containing personal information to disclose security breaches promptly if a California resident’s unencrypted personal information was or is reasonably believed to have been taken by an unauthorized party. If a company fails to provide prompt notice after a security breach, the affected California resident may file a civil action to recover damages. A security program is a monumental step in preventing technology breaches and demonstrating that the company made reasonable, diligent efforts to secure its data and networks, which may improve the company’s chances of success in court.

Playbook and a Script
“Playbooks” that aid companies in the management of regulatory and security compliance and public relations efforts can benefit clients. Playbooks include policies, contact information, contract forms and training material. Policies include Acceptable Use (addresses acceptable use of resources and systems provided by one party to another to protect the security, performance and integrity of computer and network systems); E-mail & Computer Usage (addresses appropriate use and distribution of electronic communications within and outside of the company); Audit and Monitoring Policy (addresses the process for auditing and monitoring systems before, during and after a security breach); Notification (addresses certain statutory requirements to notify affected parties of security breaches); and Provision of investigative information to third parties and to law-enforcement agencies and Insurance. Physical security measures deter criminals from obtaining confidential information through the theft of or direct access to computer equipment and systems. Information security involves the protection of information systems against unauthorized access, illegal modification or denial of service. Information security should detect, document and counter intentional and inadvertent threats.

Counsel should give particular analysis to software applications that enable outside counsel, vendors or third parties to access databases via the Internet. The medium by which parties communicate sensitive information to third parties and to each other must comply with regulations. Many software programs now contain security and encryption features to address threats to the systems. Counsel can cooperate with technology experts to design and implement systems that will protect the data of both the company and its client. Offer ongoing feedback to improve corporate systems periodically in light of ever-changing regulatory requirements. Help clients draft external communications to notify interested parties of a breach and the steps taken to remedy the breach. Help your client with investigative activities. Breaches are a good opportunity to evaluate the existing security practices and modify them as necessary.

Technology brings many benefits to business operations. The implementation of cutting-edge technology to manage company affairs and people will become easier and more secure as technology improves. Security measures will aid in the defense against civil and criminal actions and will lessen the impact upon a company’s reputation and/or regulatory liability in the event of a security breach. It is critical yet possible to have a hand in directing your own happy ending.

Vanessa L. Allen is Counsel for Philip Morris USA, where she concentrates her practice in the area of technology transactions.

Previous previous

next Next

Publications : Bar Bulletin: February, 2005

Back to top