This article can also be found in the Premium Editorial Download "Information Security magazine: 2010 Security Readers' Choice Awards."
What happens when your company experiences a data breach involving intellectual property or valuable trade secrets? In the last year there has been a significant uptick in the number of corporations seeking legal advice on protecting their high-value intellectual property, particularly organizations with large overseas operations. While this type of data may not be as heavily regulated as personally identifiable information (PII), its loss can be far more financially damaging.
Take, for instance, the real-life example of an organization in the process of closing a deal worth hundreds of millions of dollars. The entity with which the organization was negotiating had a suspiciously large amount of privileged information, right down to remarks key executives had made in their emails. A forensics investigation determined that the organization and its outside advisors had indeed been the victims of a breach in which emails and intellectual property relevant to the deal were accessed.
While CEOs might think this type of industrial espionage sounds like the fiction found in a Tom Clancy novel, most security professionals are now well aware of how commonplace these threats are, in part due to the public disclosure Google made earlier this year about a security incident dubbed
Develop a Disclosure Strategy
There are a number of reasons why your organization will want a disclosure strategy if you think you've been breached. Your legal team, or outside counsel versed in data breach regulations, can put one together on your behalf; it should take the following issues into account:
1. In this day and age of heightened regulation, publicly traded companies are under tighter scrutiny from auditors, who are asking increasingly pointed questions about how an intrusion may intersect with the IT controls relevant to Sarbanes-Oxley. While your company may not have a legal obligation to disclose the event publicly, legal and security teams are increasingly called upon to answer these auditor questions. Understanding whether and how the intrusion affected controls around financial reporting, before engaging in that dialogue, is key.
2. Even if the attackers were after intellectual property (whether or not they succeeded), that doesn't mean they didn't touch other systems holding PII. Frequently, advanced intruders have no desire to steal PII, but in the course of their intrusion may have placed malicious software on servers or databases that contain such protected data. Companies investigating these intrusions need to understand that state attorneys general have taken a very broad construction of the term "access" when it comes to PII. Some states may take the position that, even if PII theft was not the intended target, to the extent PII was exposed the organization must consider whether it has an obligation to notify employees or customers in accordance with state, federal or country-specific regulations.
A critical lesson from breach investigations is that a disconnect frequently exists between the legally important questions, such as what type of data was "accessed," and the "root-cause" analysis conducted by forensic and network security specialists. By working with in-house or outside legal experts who are knowledgeable in data breach notification regulations, your organization can focus the forensics team on establishing exactly what you will need to disclose and report.
Cooperate with Law Enforcement
It's important to realize that if your company has its intellectual property stolen, regardless of whether the culprit is a state actor or a criminal gang, you are the victim of a crime. A critical question that breached companies need to confront early is whether to involve law enforcement. What many lawyers don't realize is that they (along with the security and forensics teams) can work smarter by collaborating with law enforcement. Sharing what you know about how you were breached can allow law enforcement to build a case against those who broke in and accessed your systems.
We have also observed that law enforcement can help contain an incident by providing valuable "missing link" information, allowing corporations to find hidden backdoors the intruders used that would otherwise have gone unnoticed. Drawing on past cases, they can also point out important aspects of the intrusion, which is not only extremely helpful but saves time when every second counts.
In addition, working with law enforcement can allow a breached entity to obtain a law enforcement delay of notification, giving it more time to determine accurately what data may have been accessed and/or acquired. This matters because some organizations have used that time to significantly reduce the number of customers for whom notification was required. There are a number of instances where a breached entity over-reported the number of customers exposed, incurring much greater scrutiny than was otherwise required. While law enforcement can't always grant a notification delay, they are more likely to do so for organizations that cooperate.
Given the increased risk, now is the time to take a hard look at what data is valuable to your organization and to consider what your organization would do if it were compromised. Start the conversation and the incident response planning today, before your organization is responding to a crisis tomorrow.
Kim Getgen, principal at consulting firm Trust Catalyst, has authored a data breach prep kit for organizations looking for free tools to help them prepare for a breach. John W. Woods is a partner at Hunton & Williams LLP, where he focuses on conducting internal investigations and advising corporations in the legal response to network security intrusions and data breaches. Send comments on this column to firstname.lastname@example.org
This was first published in September 2010