Target, Neiman Marcus and nearly 100 million of their customers whose personal information was stolen this past holiday season learned the hard way what companies of all sizes must: cybercrime is becoming more pervasive, its perpetrators more sophisticated and the harm it causes (individuals and companies) harder to calculate.
As cyber attacks become more common, companies are adopting policies to prevent and respond to them. Unfortunately, cyber attacks are like viruses: they are not static, but rather always evolving and adapting in order to infect as many people as possible. In most cases, before companies or industries can agree and implement defensive measures or best practices, those perpetrating cyber attacks are diligently working to circumvent the defensive measures and expand into completely new areas. Thus, companies must keep a vigilant eye on both yesterday’s attack and the emerging threat that may not materialize for another six months to a year.
This article seeks to assist companies in anticipating where new threats will emerge and understanding how the cybersecurity landscape is likely to change in 2014. Below are our predictions.
Cybersecurity threats designed to steal information, disrupt infrastructure, create public panic and interfere with companies’ day-to-day operations will continue to become more sophisticated and frequent in 2014. They will also increasingly target mobile devices. The individuals behind the attacks are also becoming more creative, looking to explore and exploit all possible vulnerabilities. As a result, it would be foolish to believe “this won’t happen to me” just because your company or industry sector was not previously in the crosshairs of cyber criminals.
If past is prologue, corporate America is going to experience year-over-year double (and in some cases triple) digit growth in the frequency of cyber attacks. Overall, cyber attacks increased 14 percent in 2013. However, the pharmaceutical, agriculture, mining, chemical and electronics industries experienced a 600 percent increase, and the energy, oil and gas industries saw a 400 percent increase. It is estimated that a large percentage, about 95 percent, of these cyber attacks were aimed at stealing intellectual property, trade secrets and technical information originating from China and Russia. For its part, the FBI believes point-of-sale (POS) malware crime – what caused the Target and Neiman Marcus breaches – and other types of cyber attacks will continue to grow in 2014 despite law enforcement and security firms’ best efforts.
In addition to expanding their list of potential victims, the perpetrators have dramatically increased the level of sophistication of their attacks. For many cyber criminals, the weapon of choice has been Distributed Denial of Service (DDoS) attacks. Over the course of 2013, the average bandwidth for DDoS attacks increased by 925 percent, from 4.47 gigabits per second (Gbps) to 49.24 Gbps. As the businesses become more interconnected and the cost of sophisticated technology decreases, expect to see a corresponding increase in the complexity of attacks as we enter 2014. What this means for businesses is that you need to ensure your networks are secure, but also that the networks of everyone with whom you do business are secure. In the case of Target, the attackers used the stolen credentials from a vendor to plant malware on Target’s point-of-sale registers. The creativity of this breach highlights how every point of contact in your network can act as an opening through which cyber criminals can enter. Aside from honing their offensive capabilities, cyber criminals are becoming more skilled at evading detection. They are regularly employing new stealth methods to evade traditional security measures, such as firewalls, intrusion prevention systems and anti-virus (AV) systems. Defenses that address only a small number of known threats or limited range of network traffic are no longer sufficient.
Like the rest of society, cyber criminals are going mobile in their quest to exploit vulnerabilities across a wide array of technologies and software platforms. Mainstay technologies such as Microsoft Windows, whose software runs 95 percent of the world’s computers, will certainly remain popular with cyber criminals. This is particularly true now that Microsoft has announced that support for Windows XP is terminated and there will not be any new security upgrades. But newer platforms are being targeted with increasing frequency. The year 2014 is expected to see cyber criminals shift their focus to mobile phone and tablet platforms, such as Android, which holds accounts for 70 percent of the mobile OS market. This should come as no surprise since mobile devices are becoming ubiquitous, the primary computing device used by most people, and are increasingly being used as a payment mechanism in many countries. More troubling for businesses is the growing acceptance of “bring your own device” (BYOD) policies. Cyber criminals will surely exploit this trend to target companies by first infecting the personal devices of their employees – devices that lack rigorous security measures – and then using the device as a Trojan horse to infect the networks with which they are connected. This will be a continuation of a trend that started with spear-phishing and other malware attacks targeting employees who access social media sites while at work.
One thing is sure: with the number of Internet users expected to surpass 25 billion (as individuals can have multiple internet accounts) by 2015, the issue of cybersecurity and attacks from cyber criminals is only expanding. This is why it is critical for companies to remain vigilant about the threat of cyber attacks and to ensure their defenses are keeping pace with the changing face of the threat.
As attacks become more frequent and impact larger numbers of average people, they are also becoming more public. The days of keeping a breach secret and hidden from the press, authorities, customers and stockholders are quickly coming to an end. During 2012 and 2013, we witnessed a move toward voluntary disclosures of cyber attacks. Most notably was the SEC “guidance” regarding the need to disclose cyber breaches that would have a material impact. The failure of companies to make such voluntary disclosures following significant breaches, however, is likely to result in mandatory disclosure requirements. Many in Congress are pressing for such changes and citing Target’s decision to avoid a securities filing related to its breach as exhibit A for why disclosure must be mandatory. While disclosures may please Congress and the public, they will have a negative impact on companies. Aside from the immediate financial cost of responding to an attack, disclosures result in negative publicity, loss of customer loyalty, tarnished brand value and loss of stock price. Statements made in public disclosures, particularly those filed with the SEC, will also be binding on companies and likely used by adversaries should litigation with customers, government or business partners result from a breach.
As the attacks become larger, ensnare more people/businesses and become increasingly costly, those impacted will turn to the courts to seek redress – not against the cyber criminals, but to hold their victims accountable. It may seem illogical to “blame the victim,” but that is exactly what will happen. The customers whose credit cards were charged, banks who needed to cancel and issue millions of new credit cards, stockholders whose investments declined and the countless other parties who suffer a secondary loss following a breach of the magnitude suffered by Target or Neiman Marcus will hold companies accountable for their failure to do everything possible to have prevented the cyber attack in the first place. In this regard, 2014 will be an educational year as the courts sift through the various cases and begin to define what conduct will and will not result in liability.
Two major developments that will help define the scope of one’s liability following a breach are the finalization of the National Institute of Standards and Technology’s (NIST) cybersecurity framework and the court challenge to the Federal Trade Commission’s (FTC) power to bring enforcement actions against companies who suffered a cyber attack. Third, as mentioned, courts across the country will hear privacy class actions brought by consumers. In addition, courts will likely be faced with derivative shareholder class actions alleging that directors and officers breached their fiduciary duty. There will likely be lawsuits between and against third-party vendors for breaches of contract and negligence.
NIST Cyber Security Framework
A major concern for companies is the absence of a framework that identifies reasonable cybersecurity measures. In February 2014, however, the NIST sought to fill this void by releasing its Cybersecurity Framework, which is intended to help “critical infrastructure” organizations address cybersecurity. Companies must pay attention to these standards because although they will initially be voluntary, they are likely to set the “standard of care” in cybersecurity litigation.
NIST’s standards were developed in coordination with industry members to serve as “best practices” for companies in sectors such as power, telecommunications, transportation, financial services and energy. The standards do not mandate specific security controls, but instead are intended to provide specific guidance for detecting and responding to attacks, mitigating fallout from cyber incidents and managing overall cyber risks.
The framework provides a common language and mechanism for organizations to:
The NIST Cybersecurity Framework is voluntary, but its implementation provides a roadmap for determining whether a company acted reasonably in preventing and responding to an attack. Indeed, if the NIST framework sets the standard of care in dealing with an attack, liability can arise if a company fails to comply.
The law of personal and corporate liability is replete with examples of standards, recommendations and best practices that initially were not legally required, but which became de facto binding via the judicial system. In this regard, the NIST Framework represents the best efforts of government and the private sector to develop cybersecurity protocols sufficient to prevent information technology infrastructure. Protocols that comport with or equal the industry “approved” standards will be viewed as “reasonable” and thus falling within the standard of care, whereas companies with less stringent protocols deviating from the NIST Framework will be analyzed as falling below the accepted standard of care. In In re: Sony Gaming Networks and Customer Data Security Breach Litigation, a federal court recently ruled that companies have a legal obligation to provide “reasonable network security” to protect users’ personal data. It is believed that the NIST framework provides a working definition of what courts will find reasonable.
FTC Flexing Its Muscle: Power to Regulate Cybersecurity?
Congress’s failure to pass significant legislation concerning cybersecurity (or even a comprehensive bill concerning its threats) has resulted in a lack of clear regulations and no designated enforcement body responsible for cybersecurity. The FTC is seeking to fill this void and serve as the nation’s top security cop. Over the past few years, the FTC has initiated enforcement actions against companies following cyber attacks. When the FTC brandishes its sword, the result is companies paying tens of millions of dollars in penalties, private settlements and agreeing to adopt expensive compliance obligations. When private settlements fail, the FTC has initiated litigation to hold corporations accountable for cyber breaches involving consumer data.
The FTC argues that it has authority to initiate actions challenging cybersecurity practices under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices.” The FTC believes this section covers deceptive data security practices, and that Congress deliberately delegated broad powers to the FTC to address unanticipated developments in the economy, including cybersecurity. So far, two companies have mounted serious challenges to the FTC’s authority. Those companies have argued that Congress, not the FTC, is the proper body to regulate cybersecurity and data security standards, as evidenced by the fact that Congress is grappling with cybersecurity issues. Moreover, they contend that the FTC does not have the expertise to establish data security standards for the private sector, especially when it was hacked itself. In response, the FTC maintains that its broad consumer protection authorizes it to regulate all facets of the United States economy and that it has the right to protect consumers from known, evolving and unanticipated threats, without the need for a specific delegation from Congress. Moreover, the FTC argues that cybersecurity law is like tort law, in that it is up to the court to determine whether a particular company was acting reasonably with respect to its data security measures.
The outcome of the challenge to the FTC will be significant, for if the FTC prevails, it will be further empowered to regulate cyber breaches and seek to expand its influence over the critically important economic issue. In the meantime, companies should maintain cybersecurity professionals to review their cybersecurity practices, compare practices against peer companies and evaluate their cyber protocols in light of all relevant FTC rulings and statements.
The issues encompassing cybersecurity are vast, complex and constantly evolving. To meet this threat head on, companies must evaluate the vulnerability of their systems, invest in cybersecurity defenses and constantly be looking to the horizon to identify the next threat. Similarly, companies must keep a vigilant eye on new laws, regulations and court decisions that will shape the parameters of their cybersecurity obligations throughout 2014.
Michael Iannucci is an associate at Blank Rome LLP. He concentrates his practice in complex commercial litigation matters nationwide with a focus on unfair and deceptive trade practices and business litigation. He can be reached at Iannucci@BlankRome.com.
About the Author
Steven L. Caponi is a partner at Blank Rome LLP. His national litigation practice covers all facets of business litigation, including corporate and IP matters, cybersecurity, M&A litigation, and securities litigation. He can be reached at Caponi@BlankRome.com.