14 May, 2012
Increasingly sophisticated hackers and the boom in mobile and cloud computing mean company data has never been so vulnerable to loss. In-house counsel have a vital role to play as part of a company’s team effort to improve cybersecurity.
The virtual world is getting more dangerous. According to recent research, although traditional crime is going down in many parts of the Asia-Pacific region, cybercrime is increasing.
The Australian Institute of Criminology’s latest annual report speaks of a dramatic rise in both the number of “compromised website notifications” and “compromised host/computer notifications” in 2010, as well as an increase in sites hosting malware (malicious software capable of infecting a visitor’s computer). There were also many more reports of online scams, resulting in a significant amount of financial loss to consumers and businesses.
Meanwhile, data quoted in an article published on Conventus Law in September 2011 from the Ponemon Institute, a US-headquartered research centre, showed that 83% of multinational companies had been targeted by a cyber attack over the past 12 months and that there has been a 20.6% rise in cyber attacks in the same period. And contrary to common belief, these issues are not confined to certain industries.
The global dangers are clearly too big to ignore, and companies operating in Asia may be particularly vulnerable.
“Generally, data protection in Asia is weak and in a fragmented state,” says Ling Ho, a partner of Clifford Chance’s Asia litigation and dispute resolution practice. “Although in most countries, data privacy is generally recognised or regulated in industry specific legislation, the position and extent of protection or obligation to protect data is not clear.”
Fortunately, governments in the region are starting to take data protection a lot more seriously. Although data privacy has always been ensured in part by general laws on computer and email misuse, remote selling, and confidentiality, the past few years have seen a push toward the enactment of specific legislation. Unfortunately this means that, unlike in Europe, laws in Asia now vary quite widely from jurisdiction to jurisdiction.
Taiwan, for example, updated its Personal Data Protection Act in 2010, while South Korea did so in 2011 and Malaysia is expected to bring its Personal Data Protection Act into force soon. Japan has a comprehensive data protection law but without a central regulatory authority, which lawyers say makes enforcement of the law patchy. Hong Kong’s current privacy law is based on an EU Directive and guidelines from the OECD, and is overseen by an independent regulatory body. The city is planning a new Personal Data (Privacy) Ordinance in 2012.
Meanwhile, in Singapore, a new Bill is expected to be passed in the third quarter of 2012. Once in force, it will impose obligations on all private organisations in relation to the collection, use and storage of data. It will also incorporate do-not-call rules, an important issue for consumers.
Although government initiatives aimed at better statutory data protection are generally seen as a positive thing, businesses will be acutely aware of the additional burden that new laws may place on them. Local lawyers say the Singapore Bill has been drafted with those concerns in mind.
“It’s intended to be a balanced piece of legislation to provide a baseline protection – we’re not looking at something with a high bar, bearing in mind that at present there’s very little protection at all,” says Sheena Jacob, a partner of ATMD Bird & Bird in Singapore. “In that sense it shouldn’t be too unfriendly to businesses. It’s intended to balance the interests of businesses and individuals.”
Bring your own risks
As well as bearing in mind new and updated national laws, in-house counsel will be keen to focus on more specific risks directly affecting their companies’ own cybersecurity. You would be forgiven for thinking that the biggest risk comes from malicious hackers carrying out sophisticated, headline-making attacks; however, Alan Brill, senior managing director at Kroll Advisory Solutions, says that often it is the “simple stuff” which can pose the greatest risks. He talks of two recent trends. The first is related to the proliferation of mobile devices and could be named bring your own data (or BYOD) because employees can end up with company data, including emails, stored on their own personal devices.
“There are significant security concerns with that,” Brill says. “For counsel, there are extremely sensitive legal issues with regard to questions such as: Do you have the right to remotely destroy what’s on the phone in certain circumstances?”
The second issue, termed bring your own cloud (BYOC), arises when an employee in a company without the right IT security controls installs web-based file-hosting software (such as Dropbox, SugarSync or Live Mesh) on his or her workstation. By dragging and dropping documents into a special folder, the employee can store them “in the cloud” (a popular and much-abused buzzword generally referring to services hosted remotely on the internet rather than on a user’s own physical server). Should an employee decide to use one of these tools to store attachments from company emails in the cloud, for example, those attachments will now be available instantly on any number of other computers and mobile devices. This can raise serious questions should the company become involved in litigation.
“Let’s say emails in the company are usually deleted after 60 to 90 days, but one year later in litigation and e-discovery the question will be ‘Can you legally provide information from the cloud?’” says Brill.
The use of the cloud to store data brings up other, quite complex legal issues, and brings with it a number of shared responsibilities. Data stored in the cloud must in reality be stored on physical machines somewhere in the world, meaning at least one third-party provider will be involved. A business must therefore be careful to understand what rights and responsibilities are involved in its relationship with that provider, as it would be in any outsourcing situation.
“There are responsibilities all up the stack,” says John Galligan, regional director of government relations at Microsoft Asia Pacific. For example, a company will need to make sure it knows what its cloud provider may do with the data it handles and how the data is being protected from hacking or misuse, as well as what contractual penalties there may be if a service is denied or if there is some other kind of impact on access to information.
“There are a lot of considerations,” Galligan says. “A lot are legal, but often you need a whole of company approach.”
He also cautions against assuming that the cloud is right for all of a company’s applications.
“Not all data is created equal – for example if you’re operating in a highly-sensitive sector, you may want information retained in your own data centre rather than in a third-party provider,” he explains. “You also need to think about the impact on privilege. The cloud is unveiling some incredible opportunities and some interesting questions.”
One such question is whether data hosted on an outsourced server becomes part of the regulatory framework of the country in which it is physically sitting. Issues like this may be behind the recent proliferation of new laws in Asia (described above). Although it is clearly in the best interests of governments to enact modern data protection laws, particularly given the recent worldwide trends in cybercrime, they may also be concerned about the potential application of extraterritorial laws. EU rules on data privacy are particularly tough: any company with a connection to European data must ensure all of its processes are in compliance with applicable EU law.
“I won’t discount that public interest in [things like] hacking is a factor, but I also think countries in Asia are responding to an economic factor,” says Jacob. “A lot of outsourcing of data centres is out here, so it makes sense to have those laws in order to attract European companies, or companies that deal with European data.”
Specialists also say that due to the complex nature of many modern outsourcing contracts there is considerable uncertainty over where responsibilities lie if things go wrong. This leads to governments erring on the side of caution by imposing more constraints in the shape of tougher data protection laws.
Ask the right questions
As well as the burden of laws and regulations, and risks arising from the activities of employees, there are other issues which present serious potential risks to businesses. One such risk, of particular relevance given the present difficult economic conditions, is misplaced attempts to save money. A case recently dealt with by Kroll Advisory Solutions involved an online data provider which suffered a loss of approximately 40,000 customer records.
“They had a system scheduled to be replaced, but because of economic conditions the management went to IT and asked if the system could operate for another year,” says Brill. “IT said ‘Yes,’ although they knew it was really just on death row and had received a reprieve for a year.”
The system in question had a vulnerability that could easily have been fixed but was not, as none of the IT personnel wanted to work on a system which was overdue for replacement. Hackers identified the vulnerability during routine scanning, and were later able to use a relatively simple process to extract customer records from the database.
“We had to tell them that it didn’t have to have happened. We discovered that putting into place a free, open-source filtering program, which took us 90 minutes to download, install and tune, absolutely stopped the problem,” says Brill. “The lesson you learn is that if you don’t do the basics, you become a terrific target because it’s easy.”
The buck stops … somewhere
Stories like this make it obvious that companies need to take data protection, and cybersecurity in general, very seriously. Even without a comprehensive or clear general obligation imposed by law, a company has responsibilities to its clients and end customers to look after important information. According to Norton Rose Hong Kong lawyer Hank Leung, a company “should take all reasonably practicable steps to ensure that personal data held by it are protected against unauthorised or accidental access, processing, erasure or other use.” This means having regard to the kind of data and the harm that could result if any of those things should occur, the physical location where the data are stored, security measures incorporated (by automated means or otherwise) into equipment in which the data are stored, measures taken to ensure the integrity, prudence and competence of persons having access to the data, and measures taken to ensure the secure transmission of the data.
But who should be responsible for overseeing such important and often complicated matters? The question can be a surprisingly difficult one for some companies to answer. There are highly technical issues involved, which often leads to the assumption that it should be the job of the IT department. However, there are also important legal questions at stake, meaning lawyers must also be involved.
“At first glance, these decisions may appear to be wholly within the domain of the IT people,” comments Brill. “Because many organisations have very packaged solutions, they don’t always think to go to counsel and this can be the start of a very slippery slope.”
“The role of the in-house lawyer is fundamentally important in this environment, in looking to identify risks and maximising the value of any cloud contract, working in tandem with their clients across the company,” adds Galligan.
Other specialists suggest appointing a designated data protection or privacy officer to deal specifically with data protection issues, but nevertheless add that the in-house counsel would be the next most appropriate person to handle these issues.
A recent case in the US highlights the need for proper legal oversight of data outsourcing from the start. During the case, the court imposed an obligation on one of the parties to provide it with certain information in a specific data format. Unfortunately, the information in question was stored with a cloud provider which was unable to provide it in the correct format.
“But the court … said it was the company’s responsibility. You can delegate authority, but you can’t really delegate responsibility,” says Brill.
Unfortunately, in many organisations in-house counsel can be under-used or under-appreciated, and may even be seen as the people who are going to mess up a deal. Another potential sticking point is that IT necessarily involves technical issues, which IT specialists may find difficult to communicate to lawyers and management. To combat this, specialists say in-house counsel need to be more proactive and not be afraid to push back if they encounter obstruction or obfuscation. This includes asking the right questions (see box) and keeping on asking them until clear answers are given. But an in-house lawyer, like any human, is not an island, and most specialists advocate a whole-company approach to handling cybersecurity.
With a cross-departmental team in place, if something bad should happen a representative from the compliance department can coordinate with the in-house counsel, while IT staff work with external forensic investigators to determine what happened and what information may have been accessed. The in-house counsel should then try to determine what the legal implications may be. Support from the top is also vital in all this.
“Legal cannot perform … unless they have management support to ensure [the] business keeps them informed of the company business operations and complies with legal’s guidance on the subject,” says Ho.
If things do go wrong, the good news is that monetary fines for data breaches like this are generally quite low in Asia. The bad news is that penalties may span more than one country, depending on the effect of the breach and where the data was lost. As Ho points out, there may also be civil liability to the owner of the data that has been lost. Data breaches can also have a very damaging effect elsewhere.
“The most significant risk to companies in the case of breaches to privacy laws, and especially for security breaches, would be reputational damage,” says Gigi Cheah, a partner of Norton Rose (Asia) LLP. “It’s often difficult to restore the trust or goodwill of the customers after a serious security breach incident.”
Huge costs can also arise from the mandatory requirement (being introduced in many Asian jurisdictions) to notify customers of a data breach. According to the Ponemon Institute, notification costs in the US have risen from $100 to $200 per record in the past two years. A company which loses 10,000 records (quite a low number on the face of it) could therefore face a bill of $2 million simply to tell its customers what happened, before even beginning to factor in the costs of putting the breach right and defending civil lawsuits.
Of course, where there is a risk, there is also money to be made from it. Global insurer Chubb became the first to introduce a cybersecurity insurance product in the early 2000s, initially offering it to financial institutions. As US states and then the EU, UK, Canada and Asian countries began passing or strengthening data privacy laws including mandatory notification requirements, the market for cyber-insurance began to take off. The company now offers a product which covers some of the costs of what it calls “crisis expenses”: preparing and sending notifications, setting up call centres, hiring PR firms and retaining legal counsel. It also provides a liability element to protect a customer in the event of third-party legal action.
Of course, before it underwrites any potential losses, an insurer will need to be able to assess the risks. In the case of outsourcing data storage, this means knowing where and how the data is hosted – bringing us back to the importance of a business knowing exactly what terms govern its outsourcing contracts.
For in-house counsel in Asia the message is clear: as well as keeping up to date with the fast-changing legal and regulatory environment, you must get to know the actual and potential risks presented by technology before it is too late.
For further information, please contact:
Phil Taylor, Conventus Law