Facing the Information Security Hole in 2009:
The unacknowledged threat to our homeland and financial security
Every few days there is yet another breach of information security. And each breach seems to be The Biggest Ever, until the next one is announced.
It is now widely acknowledged by security experts from the federal government on down that the problem of data security breaches will get worse as the financial debacle worsens and companies cut spending and workers. Finally, there is growing awareness of one of the primary concerns of our team: it is inevitable that this compromised data will be used for terrorism.
As we talk with people interested in this issue, including security gurus, corporate governance and regulatory experts, privacy advocates, directors and officers, corporate lawyers, managers, and plaintiffs and class-action attorneys, we get a lot of questions about this cutting-edge subject. The answers help explain why the failure to secure information is a lurking national and global security threat, and the next shareholder derivative, director and officer liability, regulatory, consumer product safety, and class-action issue.
Why is an information security breach a potential national and global homeland security issue?
LW: Think about what data thieves do with stolen information. Data thieves drain your financial accounts, use your debit and credit cards fraudulently, use your identity and credit to open new accounts, create forged employment documents and other legal paperwork, and use your stolen identity to commit crimes and evade law enforcement. It is inevitable that some of this stolen information will be used to finance terrorism, and to create forged identities allowing terrorists to cross borders or access critical systems. This is what makes the current situation worse than even a global Enron and WorldCom fraud situation. Enron was, quote unquote, only about losing dollars. In the current meltdown, we are also losing data, on a massive scale that we have not even begun to grasp.
You said that an information security breach also creates potential class action, consumer product liability, shareholder derivative, D and O liability, and regulatory exposure. Explain.
LW: When companies have sensitive information and systems, they have certain obligations to protect that information. Those obligations are based on a variety of international, federal, and state laws; regulatory requirements and guidelines from government agencies; statements and representations made to shareholders, customers, consumers, and regulators; and agreements with customers, consumers, and other companies with which they do business.
When companies do not meet the requirements for information security, whether that shortcoming is willful or negligent, they have failed in their obligations to many stakeholders. Also, many of the statements made to these many stakeholders are Simply Not True.
You can think of a similar situation with an airline that has multiple safety requirements, and that represents to many stakeholders that it does certain things to meet these safety requirements. If that airline fails to meet the safety standards, whether through deliberate circumventing of the safety standards, or through carelessness, that company has a big problem with law enforcement, regulators, customers, shareholders, and class action plaintiffs. The individuals who flout those safety controls also have a big problem as far as their personal liability. That company and those individuals have an even bigger problem if the plane actually crashes.
I think of an information security breach as a plane that has crashed.
What are the implications for investors?
LW: The implications for investors include a loss of shareholder value if the company has an information security breach. The companies themselves acknowledge, including in industry standards and in company disclosures filed with the SEC, that a data security breach affects the brand, requires huge financial resources for incident response, remediation, audit, and legal expenditures, and increases insurance costs. So an information security breach obviously means that, despite spending hundreds of millions trying to manage security and risk, the system failed somewhere. The follow-on implications depend on whether the company met its own security obligations, or whether the company failed to meet those obligations.
If the company blew right on by the controls, it means that, in essence, the company did not tell the truth to the many stakeholders involved. Misrepresentation on these issues may mean that insurance coverage is voided, that legal and regulatory requirements, including Sarbanes-Oxley, were not met, and that the exposure of the company and the individuals who ignored the safety requirements is much larger than if the company had appropriately met its security obligations. This is a situation ripe for regulatory actions, shareholder derivative suits, claims against individual directors, officers, and managers, consumer and shareholder class-action suits, and criminal sanctions.
Why is the consumer the one on the hook when their personal and financial information is breached?
LW: My experience is that, regrettably, right now the financial industry tries to push all risk, and the consequences of an information security breach, onto the individual consumer, or onto the other companies with which it does business. I believe that to be wrong – if the financial company failed to meet its requirements, it bears at least part of the blame – the individual data thief does not, of course, get off the hook.
Also, if it failed to meet its security requirements, the financial company should bear the costs of recovering from the breach, rather than passing that cost and inconvenience on to the consumer or customer.
I also believe that a financial company that does not meet security standards has a very dubious position in trying to impose unreasonable interest rates, late fees and other penalties, and aggressive collection practices on its customers.
I’ve heard a lot about criminal hackers who break into systems, or criminal data thieves who steal, for example, a laptop or a flash drive. Is that the kind of information security gap you’re talking about?
LW: Not exactly. The piece of the problem that I am describing, based on real-life experience, is how many in the financial industry ignore or bypass the safety standards, with the companies still claiming that they have done everything they possibly can, and are not responsible when there is an information security breach.
It’s easy for companies to blame the mean old computer hackers who break into the systems and steal the data. But that’s only part of the problem. Yes, the data thieves have committed criminal acts, and it’s appropriate that data thieves be held responsible for their actions.
The companies also like to blame careless vendors who provide unreliable products or services – that is a problem, as well.
But the financial companies also have multiple obligations to do their part to protect the information and systems. The financial industry itself acknowledges the obligation of the companies to conduct appropriate due diligence and security reviews before allowing other companies or individuals to access this data.
For financial companies to claim that they’re doing the very best they can is like a storage company that tells its customers that it has a secure fence, security alarms, and 24-hour on-site guards, but has a break-in because the guard left to go to the neighborhood pub, and left the gate open and the alarm off. If your stuff is stolen, the individual burglar is at fault, but the company and the security-violating guard are also in trouble.
Aren’t the financial companies that have this data and systems legally required to ensure its security?
LW: Yes, the financial companies are legally required to protect this information. There are many laws and regulations that impose these requirements. (The particular laws and regulations will vary, according to the industry, the type of company, and the type of information.) But the gap that I’m describing arises because many companies, and other stakeholders, assume that the companies are meeting the safety standards because they spend a lot of shareholder money on security.
The companies themselves, not to mention the regulators and the other parties concerned, do not understand that these gaps exist, or how to find and fix them. It has not been well explained because, until very recently, almost nobody connected with the financial industry had any appetite for refusing to greenlight risky deals – they concentrated on volume and speed of the deal transactions. This approach has created the ‘credit default swap’ of sensitive information.
How does this gap happen?
LW: Many of these gaps happen in the deal-making and deal-managing process. The financial industry is well aware of the many laws, regulations, and safety standards, and has been for years. The industry trade groups, and the companies themselves, specify that the safety reviews are supposed to be completed before any deal is done, if that deal involves any access to sensitive systems and data. Think of this as a requirement in the aviation industry that safety checks are supposed to be completed before a plane takes off. That does not mean that the crew does not keep an eye on things during the flight, but the plane is not supposed to leave the ground until it’s been checked and cleared by experts.
Now, what happens a lot in the financial industry is that a project is pushed along, and a deal is approved, giving another company access to sensitive data, before the safety reviews are completed and the shortcomings addressed. That is like putting a plane in the air before completing the safety checks, for no reason other than ‘we need to meet a schedule’ or ‘the safety checks take too much time’.
The deal-making and contract function should be one of the strongest and most effective control points for the industry – it is the last best chance to meet these safety standards before the ‘deal plane’ takes off. Unfortunately, because the financial industry has focused on volume and speed of deals, it is, in my experience, one of the weakest, with the deals frequently done by teams who do not understand the safety standards, or even the verbiage of the contracts.
Many in the financial industry treated this due diligence and deal function as a paper-pushing drill to be done as cheaply and quickly as possible. That’s like having a plane checked out by an inspector who not only is not qualified to verify aircraft safety, but literally does not know what the words on the safety checklist mean.
How do you know about this?
LW: I managed deals, involving sensitive systems and data, for three international financial organizations. The subsidiaries of these global organizations included banks, mortgage companies, insurance, financial advisors, and credit cards. I also have many colleagues with experience in other global financial companies. This is an enormous and industry-wide problem that demands attention.
Well, if you worked in the financial industry, and now you’re saying the industry is not doing its job, aren’t you changing sides?
LW: I have always worked to secure sensitive information and systems, including in my work with three large international financial companies. That work involved knowing how to find and fix these problems, which was not a common skill in an industry that was paid on volume and speed of its deals. Sometimes it also involved refusing to greenlight projects until the appropriate security protections were in place. While that work was much appreciated by the control teams, like information security, compliance, and corporate governance experts, it was sometimes not popular with teams that wanted to rush projects through without taking time for the necessary precautions.
So I now work to educate the multiple stakeholders that this is a huge security hole, but it’s fixable – I’ve done it.
Why do you care so much about this? What’s in it for you?
LW: As it turns out, my entire career, beginning with my first U.S. Army job in Military Intelligence, has been about the protection and appropriate distribution of sensitive data. In my units, people were prepared to die to protect highly sensitive systems, the compromise of which could cause grave harm to our security and our people. It was unbelievable to me that some in the financial industry failed to protect sensitive information, just because they found it inconvenient, or because extra time and due diligence on a project might delay a promotion or payment of a bonus.
Given a choice between signing off on reckless manager decisions, or protecting our sensitive information, which means protecting our security, our customers and our shareholders, I have to side with protecting this data.
When you describe these gaps and how they happen, is this real-world information?
LW: The descriptions of these gaps are based on real-world, hands-on experience, not theory. I am not interested in enabling new data thieves; I want to help educate, so that the security holes can be found and fixed before there’s a security breach. If I know of specific weaknesses in a company’s system, I believe that it’s appropriate to first notify that company so that they can take proactive protective measures, whether with our team or with someone else. But even when I publicly discuss typical scenarios at an extrapolated level without naming the company, these examples are based on facts that I and my colleagues have witnessed first-hand.
What advice can you give companies that aren’t sure whether they are exposed?
LW: Many companies think that they have everything covered, because they have internal or external auditors, or big consulting companies, or other teams that have been trying for years to address security. But my colleagues and I have identified these gaps, even in some of the largest companies in the world that spend enormous amounts of shareholder money on security. In fact, the problem is probably worse in a larger company, because it’s more difficult for various teams to coordinate information and react quickly to address gaps. I can attest that we have identified significant security gaps that had been missed for years, even a decade or longer, by the internal and external teams at some of the largest companies in the industry.
What advice can you give companies that are sure they have this problem handled?
LW: Firstly, many financial companies assume that, because they spend a lot of time and money on security, they must have it covered. That assumption may prove fatal.
For companies that choose to assume that they have this covered, even after this widespread but unrecognized risk has been explained, my only advice is: Don’t have a breach.
Don’t have an unhappy worker with a flash drive; don’t have a contractor or subcontractor who wants to use this data for harmful purposes; don’t have your data being accessed by anyone that you don’t know; don’t have anyone working in your data centers or accessing them remotely unless you know about and monitor it; don’t have any gaps in any of the products or services anywhere in your data chain. Don’t make any mistakes in what you say to consumers, customers, regulators, investors, or companies with whom you do business.
If you’re still sure you have it covered – Don’t Have A Breach.
The author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and Information-Security-Resources.com.