Many private companies are aware of this but are left vulnerable for a range of reasons—some are in denial, while others have a false sense of confidence and are proactive but lacking in governance or structure. Some studies question whether these results are due to the lack of engagement from the CEO and the C-suite level, or the lack of board and board committee governance.
This article explores through legal analysis, comparative research, corporate surveys, and actual case studies the attributes of what constitutes a good cyber policy in private companies, and specifically law firms, and the reasons behind failures and the means of improvement and proactivity.
It also examines the gaps in cyber laws and their impact on the efficient execution of cyber policies in various regions of the world, with a particular focus on the Kingdom of Saudi Arabia, the United Arab Emirates, and the United States of America.
Finally, this article recommends policy guidelines and a compliance framework that all private companies and law firms must consider to ensure that cyber risks are properly addressed in all aspects of the companies’ responsibilities.
Introduction
Many private organizations are experiencing significant cyber-attacks, perpetrated locally and/or by foreign criminals, on a regular basis. In 2016, the UK National Crime Agency and other similar entities found that cybercrime had overtaken traditional crime for the first time in history.Footnote 4 Despite the dangers posed by these attacks, little has been done when it comes to implementing cyber policies to reduce these risks.
Law firms are particularly vulnerable to cyber intrusion, as they hold sensitive client data. Law firms are witnessing an evolution in policy development for preventing, detecting, mitigating, and responding to cyber-attacks; yet despite this apparent high level of awareness, law firms remain very vulnerable to attack.
In an effort to understand the risks to which private companies and legal firms are currently exposed, and where the responsibility lies in meeting the cyber security challenge, this article examines the cyber risk regulatory compliance framework in three countries—the United Arab Emirates, the Kingdom of Saudi Arabia, and the United States of America; the response and liability of private and legal corporations in those countries; and lastly a possible cyber policy and compliance response.
Accordingly, the article is in three parts: Part I examines the cyber risk regulatory and compliance framework in private companies with an emphasis on the UAE, the KSA, and the USA; Part II looks at cyber risk response and liability in legal and private corporations; and Part III describes a possible cyber policy and compliance response.
This article raises a number of questions for consideration by senior executives with responsibility for cyber security, such as: where does the liability lie; are they following sufficient reasonable mitigating measures as required by the law and court decisions; and why, despite having a relatively good cyber policy in place, do breaches continue to occur? Are senior executives living in denial, or are they overconfident about their cyber policy? On paper the policy may be sound, but does it lack detail and proper oversight in its implementation? Or is it simply a lack of enforcement?
Overview
The Quest for Common Standards and Definitions
As recognized by the NATO Cooperative Cyber Defense Center of Excellence (CCDCOE) there is a lack of standard definitions for cyber terms—commonly used terms may have different meanings in different organizations and countries despite the extensive use of these terms in the mainstream media and in national and international organizational statements. This lack of standardization of terms will impact on communication on the subject and can therefore impede policy development, so it's important to establish commonalities.
Standards
The National Institute of Standards and Technology (NIST) glossaryFootnote 5 aims to provide a picture of how nations/states and different institutions interpret and approach “cyber-attacks.” NIST released an update to its cybersecurity framework in January 2017.Footnote 6
The European Union Agency for Network and Information Security (ENISA) sets out the cybersecurity strategy of the European Union, which strives for consistency across Europe: across international borders, within national borders, and across industries. ENISA works towards harmonized standards to ensure EU businesses are able to meet their commitments to cybersecurity and regulatory compliance.Footnote 7 The Department of Homeland Security also supplies NIST cybersecurity framework crosswalks, which provide a detailed checklist that helps with the identification of terms.Footnote 8
Definitions
As recorded in the Tallinn Manual on the International Law Applicable to Cyber Operations, the Australian government defines cybercrime as those computer offenses under the Commonwealth Criminal Code Act 1995 which involve the unauthorized access to, modification of, or impairment of electronic communications.
Austria provides a broad definitionFootnote 9 of cybercrime as “illegal attacks from cyber space on or through ICT systems, which are defined in penal or administrative laws,” therefore covering all criminal offences committed with the aid of information technologies and communications networks, as well as encompassing Internet crime. The United States and Russia have similar definitions: the use of cyberspace for criminal purposes as defined by national or international law.Footnote 10
While there is no single universal definition of cybercrime, law enforcement, including Interpol, generally makes a distinction between two main types of Internet-related crime: advanced cybercrime (or high-tech crime) like sophisticated attacks against computer hardware and software; and cyber-enabled crime where many ‘traditional’ crimes have taken a new turn with the advent of the Internet, such as crimes against children, financial crimes and even terrorism.
Summary of Cyber-Attacks
A review of recent cyber-attacks of a significant scale helps to provide an understanding of the complexity and various layers of the problem. The cross-border nature of many of the operations and the ability of hackers to hide their identities using digital wizardry make the task of holding people accountable incredibly challenging.
In the recent past, we have experienced several complex attacks such as Yahoo's massive data breach in August 2013 which affected every user on its service—all three billion user accounts, a number that far exceeded the one billion figure Yahoo initially reported. The hack exposed user account information, which includes name, email address, hashed passwords, birthdays, phone numbers, and, in some cases, “encrypted or unencrypted security questions and answers.”Footnote 11 Despite the breach, Yahoo confirmed that passwords were not stolen, and hackers did not obtain bank or credit card information tied to the Yahoo accounts. Some months later the U.S. Department of Justice charged Russian officials for “state-sponsored” crime relating to a separate Yahoo hack in 2014, with more lawsuits approved by a US District judge in San Jose, CA.Footnote 12 Yahoo was acquired by Verizon Communications for $4.48 billion—a drop of $350 million from the initial offer due to the severity of the hack.Footnote 13
Another example is the hacking of hundreds of thousands of clients’ details belonging to Morgan Stanley Smith Barney LLC. In June 2016, Morgan Stanley Smith Barney agreed to pay $1 million to settle Securities and Exchange Commission (SEC) charges that it failed to adequately protect customer information. The SEC's order found that the company did not adopt reasonable written policies and procedures designed to protect customer data. That failure, along with certain technical deficiencies, led to an employee transferring customer data for 730,000 accounts to his personal server. The SEC found that the personal server was then hacked and customer information was posted on the Internet.
The settlement resolves allegations related to employee Galen Marsh's unauthorized transfers from 2011 to 2014 of data from about 730,000 accounts to his home computer in New Jersey, some of which was hacked by third parties and offered for sale online. Marsh was sentenced in December to three years’ probation and ordered to pay $600,000 in restitution after pleading guilty to one felony count of unauthorized access to a computer.Footnote 14 Prosecutors had sought prison time. According to the SEC, Morgan Stanley violated a federal regulation known as the Safeguards Rule by failing to properly protect customer data, allowing Marsh to access names, addresses, phone numbers, and account holdings and balances. “Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection,” said Andrew Ceresney, director of the SEC enforcement division, in a statement at the time.
A further example is the hit on Saudi Arabia's aviation agency in November 2016 by an aggressive computer virus intended to disrupt high-profile government targets. The attack used a version of Shamoon, malware that had been used to target the Saudi energy sector four years earlier. Similar kinds of data-wiping software were used in 2014 against the Las Vegas Sands and Sony.
The Saudi government confirmed the latest breaches on Thursday, after several cybersecurity firms noted them. Bloomberg News reported that thousands of computers were damaged at the headquarters of the General Authority of Civil Aviation starting in mid-November, “erasing critical data and bringing operations there to a halt for several days,”Footnote 15 although operations at Saudi airports did not appear to be affected. In 2017 the Shamoon virus attacked Saudi Arabia for the third time. Regarding the latest incident, the Saudi government said that Trend Micro “had not seen any traces pointing to a particular country or group.”Footnote 16
A further case is the hack that targeted NASDAQ and Citibank/Heartland, stealing 160 million credit and debit card numbers over a number of years. From 2005 to 2012, a sophisticated gang of international hackers stole and sold 160 million credit card numbers from more than a dozen companies, including the NASDAQ stock exchange, Citibank and Heartland Payment Systems. Prosecutors conservatively estimate that the group of five men from Russia and Ukraine helped steal at least 160 million payment card numbers, resulting in losses in excess of $300 million.Footnote 17
According to authorities, each of the defendants had specialized tasks and was able to hide his activities using anonymous web-hosting services. By disabling anti-virus software, they were able to store data on multiple hacking platforms. They sold payment card numbers to resellers, who then sold them on online forums or to “cashers” who encoded the numbers onto blank plastic cards.
“This type of crime is the cutting edge,” said New Jersey U.S. Attorney Paul J. Fishman. “Those who have the expertise and the inclination to break into our computer networks threaten our economic wellbeing, our privacy and our national security.”
Tom Kellermann, a vice president with the well-known security software maker Trend Micro, believes that there is little chance that any member of the group will be brought to justice, because authorities in some countries turn a blind eye to cyber criminals. “There is an enormous shadow economy that exists in Eastern Europe. In some countries, sophisticated hackers are seen as national assets,” he said.
Part I: The Cyber Risk Regulatory and Compliance Framework
Cyber regulations differ widely across regions, due to many factors including environment, the economy, and cultural characteristics. To gain an understanding of how regulations differ, this section focuses on cyber laws in three countries, the United States of America, the Kingdom of Saudi Arabia, and the United Arab Emirates, and provides a detailed analysis of cyber risk for private corporations, including law firms.
The United States Regulatory Framework
Currently, the United States privacy system is arguably the oldest, most robust and most effective in the world, although in terms of robustness it may soon take second place to the EU's privacy regulation once the General Data Protection Regulation is implemented. The US system relies more on post hoc government enforcement and private litigation. Currently, cyber security regulation comprises directives from the Executive Branch and legislation from Congress that safeguard information technology and computer systems. US cybercrime laws are either substantive or procedural laws.Footnote 18
There are three main federal government cybersecurity regulations: the 1996 Health Insurance Portability and Accountability Act (HIPAA); the 1999 Gramm-Leach-Bliley Act, and the 2002 Homeland Security Act, which includes the Federal Information Security Management Act (FISMA).
One of these Acts has been updated in the interim and the other two are soon to receive updates. HIPAA was amended in January 2013 to expand its requirements to include business associates.Footnote 19 Gramm-Leach-Bliley will be amended by the National Association of Registered Agents and Brokers Reform Act of 2013, a bill meant to reduce the regulatory costs of complying with multiple states' requirements for insurance companies.Footnote 20 The Homeland Security Act will receive two updates:Footnote 21 the National Cybersecurity and Critical Infrastructure Protection Act of 2013, which will require the Secretary of the Department of Homeland Security (DHS) to conduct cybersecurity activities on behalf of the federal government; and the Department of Homeland Security Interoperable Communications Act, which aims to strengthen the governance of the DHS by making the Under Secretary for Management of the DHS responsible for policies and directives to achieve and maintain interoperable communications among DHS components.
These three regulations mandate that healthcare organizations, financial institutions, and federal agencies should protect their systems and information. However, these rules are not foolproof in securing the data and require only a “reasonable” level of security. For example, FISMA, which applies to every government agency, “requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security.” However, these regulations do not address numerous computer-related industries, such as Internet Service Providers (ISPs) and software companies. Furthermore, the vague language of these regulations leaves much room for interpretation.
In a recent effort to strengthen its laws, the federal government is introducing several new cyber security laws as well as amending the older ones for a better security ecosystem. The objective of the Cybersecurity Information Sharing Act (CISA) is to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. The law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. The bill was introduced in the U.S. Senate on July 10, 2014, and passed in the Senate October 27, 2015.
The Cybersecurity Enhancement Act of 2014 was signed into law December 18, 2014. It provides an ongoing, voluntary public-private partnership to improve cybersecurity and strengthen cybersecurity research and development, workforce development and education and public awareness and preparedness.
The Federal Exchange Data Breach Notification Act of 2015 requires a health insurance exchange to notify anyone whose personal information is known to have been acquired or accessed as a result of a breach of security of any system maintained by the exchange as soon as possible but not later than 60 days after discovery of the breach.
The National Cybersecurity Protection Advancement Act of 2015 amends the Homeland Security Act of 2002 to allow the Department of Homeland Security's (DHS) national cyber security and communications integration center (NCCIC) to include tribal governments, information sharing, and analysis centers, and private entities among its non-federal representatives.
State governments have also taken measures to improve cyber security by increasing public visibility of firms with weak security. In 2003, California passed the Notice of Security Breach Act, which requires that any company that maintains personal information of California citizens and suffers a security breach must disclose the details of the event.Footnote 22 Security breach notification regulations punish firms for their cyber security failures while giving them the freedom to choose how to secure their systems. This regulation creates an incentive for companies to proactively invest in cyber security to avoid potential reputational and economic loss. This worked well for California, and several other states later implemented similar security breach notification regulations.
Cybercrime Classification in the United States
The USA has different sources of cybercrime regulation, some of which are specific and some part of a wider-scope regulation.Footnote 23 The Computer Fraud and Abuse Act (CFAA) of 1986, for example, has a wide scope. Amended several times, including by the USA PATRIOT Act in 2001 and by the Identity Theft Enforcement and Restitution Act in 2008, the CFAA criminalizes the act of accessing a computer without authorization and then using any information illicitly obtained to defraud or extort.Footnote 24 The U.S. is also a signatory to the Convention on Cybercrime, also known as the Budapest Convention on Cybercrime or the Budapest Convention, an international treaty aimed at harmonizing national laws that deal with Internet and computer crime, improving investigative techniques, and increasing cooperation among nations.Footnote 25
The US Department of Justice has three classifications of cybercrime:Footnote 26 computers as targets of criminals (theft of data, viruses, or hardware theft); computers as weapons used to commit crimes; and computers as accessories, storing incriminating information.
The Kingdom of Saudi Arabia Regulatory Framework
The Anti-Cybercrime Law of the KSA was promulgated by Royal Decree No. M/17 on March 26, 2007.Footnote 27 The governing text of the law is in Arabic. Like all laws in the Kingdom, the basis of this law is Shariah. The KSA divides cybercrimes into three categories: gaining illegal access to any data, system or computer to blackmail or coerce; defamation of any legal or natural person; and invading the privacy of an individual. Any person who commits a crime that falls into one of these categories shall be liable to a fine of up to 500,000 Saudi Riyals or imprisonment for up to one year, or both.
The second category covers unauthorized access to or hacking of social media accounts, and persons found guilty shall be punishable with imprisonment of up to four years or a fine of 3,000,000 Saudi Riyals.
The third category covers crimes related to the publication, transmission, or storage of any material that is inconsistent with public policy, morality or the religious values of the nation, the publishing of pornography, and the promotion or distribution of narcotics or hallucinatory materials. Any person who commits the above-mentioned crimes shall be liable to a fine of up to 3,000,000 Saudi Riyals or imprisonment for up to five years, or both.
In May 2017, a Cyber Security Framework was issued to ensure that banking, insurance, and financing companies manage security threats.Footnote 28 The Framework defines principles and objectives for initiating, implementing, maintaining, monitoring and improving cyber security controls in Member Organizations. The Framework provides cyber security controls which are applicable to the information assets of the Member Organization, including electronic information; physical information (hardcopy); applications, software, electronic services and databases; computers and electronic machines (e.g., ATMs); information storage devices (e.g., hard disks, USB sticks); and premises, equipment and communication networks (technical infrastructure).
The Framework provides direction for cyber security requirements for Member Organizations and their subsidiaries, staff, third parties and customers. It links with other corporate policies for related areas, such as physical security and fraud management, but does not address the non-cyber security requirements for those areas. The Framework is applicable to all Member Organizations regulated by SAMA (the Saudi Arabian Monetary Agency), which include all banks, insurance and/or reinsurance companies, financing companies and credit bureaus operating in Saudi Arabia, in addition to the Financial Market Infrastructure; all domains of the Framework apply to the banking sector.
The United Arab Emirates Regulatory Framework
Cyber security in Dubai is impacted by both federal laws of the UAE and local Dubai laws. This includes Federal Law No. 5 of 2012Footnote 29 concerning Combating Information Technology Crimes (the Cyber Crimes Law) and Federal Law No. 3 of 1987Footnote 30 concerning the Penal Code (the Penal Code). The Penal Code contains general provisions prohibiting crimes that will apply to cybercrime, for example, those prohibiting the misuse of confidential information.
In the DIFC free zone, DIFC Law No. 1 of 2007 (the Data Protection Law) and other associated DIFC laws and regulations will apply in addition to the UAE federal criminal law. The National Electronic Security Authority (NESA),Footnote 31 an agency that is responsible for devising cybersecurity for communication and information networks across the UAE, with oversight for protecting the UAE's critical information infrastructure and improving national cybersecurity, has also introduced a framework for tackling cybersecurity issues in a number of papers, including: the National Cyber Security Strategy (NCSS); the Critical Information Infrastructure Policy (CIIP); and the UAE Information Assurance Standards (UAE IAS). While this is an independent framework from recognized international standards, it incorporates certain elements of ISO 27001, a standard with specifications for information security management systems.
The Telecommunications Regulatory Authority (TRA), represented by its subsidiary, the UAE Computer Emergency Response Team (aeCERT), aims to support and ensure a safer cyberspace for the UAE. The general themes of the provisions of the Cyber Crimes Law include: unauthorized access to an IT system to obtain government or commercial information; accessing a website without permission to damage, delete or change its content; disabling access to an IT system; circumventing an IP address for the purpose of committing or concealing a crime; introducing virus programs to an IT system; spam emails; obtaining passwords to an IT system without authorization; unauthorized interception of communications via an IT system; and unauthorized disclosure of confidential information. Besides providing for significant financial penalties and custodial sentences, and the deportation of foreigners convicted of any offense under the law, the Cyber Crimes Law empowers the authorities to seize and destroy equipment used in the commission of the offense.
The Economy of Cyber Crime
Cyber-attacks are no longer the actions of a few individuals or groups; they are now a massive and profitable growth industry. The recent massive cyber-attacks on GitHub, Sony, Target, and other large organizations were committed by substantial cyber businesses and not individual hackers. Cybercrime now has its own sizeable underground economy, which is essentially a shadow version of the legal economy. Organized criminals, online gangs and even foreign governments participate, with online forums acting as marketplaces for the buying and selling of stolen data, including credit-card numbers and CVV codes, social security numbers, even mothers’ maiden names, and other related services.
According to the international criminal police organization, Interpol, cybercriminal networks are highly complex and bring together individuals from around the world to commit crimes “on an unprecedented scale.” Today, we are seeing criminal organizations working with criminally minded technology professionals to commit cybercrime, often to fund other illegal activities.Footnote 32 Interpol has identified three broad areas of cyber-attack which include: hardware/software attacks, including bots and malware; financial crime, including online fraud and phishing; and abuse, which includes sexploitation and crimes against children.
Similarly, the widely reported attacks in 2016 on large, well-known organizations were hardly the work of isolated amateurs. Instead, they were committed by professional criminals able to break into and violate systems run by organizations that include Domino's Pizza, eBay, Healthcare.gov, Home Depot, JP Morgan Chase, Neiman Marcus, Sony, Target, and Staples. This rash of cyber-attacks is alarming enough to elicit action from the U.S. government. The CIA recently announced plans to conduct a major overhaul aimed in part at sharpening its focus on cyber operations.Footnote 33 In early April 2016, President Obama issued an executive order stating that the U.S. government can now freeze the assets and bar transactions of entities, including national governments, that are engaged in cyber-attacks.
INTERPOL is committed to the global fight against cybercrime, as well as tackling cyber-enabled crimes. Most cybercrimes are transnational in nature; therefore, INTERPOL is the natural partner for any law enforcement agency looking to investigate these crimes on a cooperative level.Footnote 34 By working with private industry, INTERPOL is able to provide local law enforcement with focused cyber intelligence, derived from combining inputs on a global scale. Its main initiatives in cybercrime focus on operational and investigative support, cyber intelligence and analysis, digital forensics, innovation and research, capacity building, and national cyber reviews.
Part II: Cyber Risk Response in Private and Legal Corporations
Hackers differ widely in their motivations and in the tools, techniques and procedures they use to carry out their attacks, making it “very difficult to secure an entire company's ecosystem of data and assets,” says Kiran Mantha, a Deloitte Risk and Financial Advisory principal of Deloitte & Touche LLP,Footnote 35 and the lead for cyber risk services for the retail and distribution sector. While some hackers are after personal information, such as social security or credit card numbers, others seek to steal intellectual property. Others engage in “hacktivism” to discredit a company or propagate a particular ideology. Trying to anticipate hackers’ varied motives and prevent theft of digital property is a Herculean effort, says Mantha, and one that is likely to fail on occasion.
The National Institute of Standards and Technology (NIST) has a cyber security framework that provides guidance for U.S. private sector organizations. This framework guides them on how to assess and improve their ability to prevent, detect, and respond to cyber-attacks, and on how to set cybersecurity outcomes as well as security controls.
To mitigate cyber risks, there are several measures and standards that can be implemented,Footnote 36 such as: identifying, by developing the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities; protecting, by developing and implementing the appropriate safeguards to ensure delivery of critical infrastructure services; detecting, by “developing and implementing the appropriate activities to identify the occurrence of a cybersecurity event”; responding, by “developing and implementing the appropriate activities to take action regarding a detected cybersecurity event”; and finally recovering, by “developing and implementing the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.”Footnote 37
To identify potential cyber risk, every organization should be aware of the required policies, procedures, and frameworks to ensure that data, information and assets can be easily located within the organization's digital operations.
The Anti-Cyber Risk Eco-System
The literature always talks about the cyber risk ecosystem as if the source of risk and the means of mitigation were part of two different ecosystems. Why not merge them into a single ecosystem called the “Anti Cyber Risk Ecosystem”? Of the more than 400 global business and security executives that participated in the 2017 State of Cybersecurity Metrics annual report,Footnote 38 more than half of respondents scored an “F” or “D” grade when evaluating their efforts to measure their cybersecurity investments and performance against best practices.
Based on internationally accepted standards for security embodied in ISO 27001, as well as best practices from industry experts and professional associations, the Security Measurement Index benchmark survey provides a comprehensive method of defining the effectiveness of an organization's IT security. Highlights of the report reveal many weaknesses, including that more than half of respondents (58%) scored a failing grade when evaluating their efforts to measure their cybersecurity investments and performance against best practices. Many of the case studies show the confusion in defining the ecosystem and the means of risk mitigation. For example:
Home Depot
Trojan malware attacked 2,200 Home Depot cash registers in 2014. The cyber-attack compromised the payment data of 56 million customers. Home Depot notified its clients in a public letter, offering them assistance dealing with repercussions of the attack. A class action lawsuit against Home Depot followed its public disclosure of the attack.
Proactive mitigation: Home Depot failed to have proactive risk mitigation. The three main preventive measures that should have been in place were P2P encryption, proper network segregation, and managing third party vendor credentials appropriately.
Sony PlayStation
A 2011 breach of the Sony PlayStation Network affected data of 75 million customers. Hackers compromised login and password data. Investigations further revealed that a separate database containing payment information for 25 million European customers also suffered a hacking incident. Continuing news coverage of these events further harmed Sony's reputation.
Lexis Nexis and TJX
The LexisNexis breach resulted in the theft of information belonging to over 300,000 customers. The TJX security breach resulted in the theft of at least 45.7 million customers’ credit and debit card information. The FTC settled actions against both TJX and the parent company of LexisNexis for their failure to use reasonable measures to prevent the security breaches. The FTC has determined that its Section 5 authority applies to businesses’ privacy practices, such as how businesses protect consumer information in their possession. The FTC has filed complaints for Section 5 violations related to consumer information where the business: (1) intentionally violated its privacy policy; (2) failed to employ reasonable security measures as implied or promised by its privacy policy; or (3) had no privacy policy but failed to employ reasonable security measures.
Petco
Petco, a pet supply retail chain, allowed customers to make credit card purchases through its website. The website promised that customers’ information was “safe” and “strictly shielded from unauthorized access.” The FTC alleged that an attacker gained access to customer records, including credit card information, using a commonly known web attack, SQL injection. The FTC noted that the credit card information was not stored in encrypted form. The FTC complaint alleged Petco “failed to implement procedures that were reasonable and appropriate to: (1) detect reasonably foreseeable application vulnerabilities, and (2) prevent visitors from exploiting such vulnerabilities and obtaining unauthorized access to sensitive consumer information.”
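The Petco complaint turns on one well-understood application flaw, so it is worth seeing concretely. The following Python example is added here as an illustration; it is not code from the FTC record or from Petco. It shows a customer lookup written the way that produces SQL injection, and the same lookup with bound parameters, run against a constructed in-memory SQLite table. The schema, the rows, the usernames and passwords, and the card numbers are all assumptions made for the demonstration (the card numbers are standard test values), and the cards are stored in clear text, as the complaint said Petco's were.

```python
"""Added example, not from the FTC complaint or Petco: SQL injection in a
customer lookup, beside the parameterized form that prevents it."""
import sqlite3

# Constructed sample data. Schema and values are assumptions for the demo;
# the card numbers are industry test numbers, not real accounts.
SAMPLE_ROWS = [
    ("alice", "pw-alice", "4111111111111111"),
    ("bob", "pw-bob", "5500000000000004"),
    ("carol", "pw-carol", "340000000000009"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory customer table that holds card numbers in clear
    text, mirroring the unencrypted storage the FTC described."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, password TEXT, card_number TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: user input is pasted into the SQL text, so input can
    change the query's structure rather than only its values."""
    query = (
        "SELECT username, card_number FROM customers "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: the driver binds the values separately from the SQL text,
    so a quote or OR clause in the input stays a literal string."""
    query = (
        "SELECT username, card_number FROM customers "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(query, (username, password)).fetchall()


# Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
INJECTION = "' OR '1'='1"


def demo() -> dict:
    """Run a legitimate login and the injection payload through both
    functions and return the rows each one yields."""
    conn = build_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice", "pw-alice"),
        "legit_hardened": lookup_hardened(conn, "alice", "pw-alice"),
        "attack_vulnerable": lookup_vulnerable(conn, INJECTION, INJECTION),
        "attack_hardened": lookup_hardened(conn, INJECTION, INJECTION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the payload supplied as both username and password, the vulnerable query becomes `WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so the function hands back every customer's card number; the parameterized version returns nothing, because the payload is compared as a literal string. Parameterization fixes the query structure; encrypting or tokenizing card data at rest, which the FTC also faulted Petco for omitting, limits what a successful injection elsewhere in the application can yield.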
NASDAQ and Citibank
From 2005 to 2012, a sophisticated gang of international hackers stole and sold 160 million credit card numbers from more than a dozen companies, including the NASDAQ stock exchange, Citibank, and Heartland Payment Systems. The firms and customers involved suffered hundreds of millions of dollars in losses.
JPMorgan Chase
In 2014, JPMorgan Chase announced that cyber criminals had hacked its servers, compromising the names, street addresses, and email addresses of 76 million households and 7 million businesses. An internal investigation revealed that the bank's IT security department had neglected to apply a standard security upgrade to one network server, giving the attackers an entry point into the bank's systems. Since the breach, JPMorgan has invested approximately USD 250 million per year to upgrade its security standards.
A review of these case studies raises a number of questions that require interrogation. If an organization has a ‘best practice on paper’ policy yet failures still happen, what is its liability? Once aware of a data breach, what procedure should be followed? Is remedial action required only for the affected databases, or does it need to extend to future data? If a privacy statement or policy promises to protect sensitive data, and the organization states that it has implemented reasonable measures to protect personal information but fails to follow through, is this an automatic violation of Section 5? And in the case of data breaches that run over several years, what kind of program failures have to occur for such crimes to go undetected?
Cyber Attack Liability
Recently the Federal Trade Commission (FTC) has taken legal action against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information. In many of these cases, the FTC has charged the defendants with violating Section 5 of the FTC Act, which bars unfair or deceptive acts or practices in or affecting commerce. In addition to the FTC Act, the agency also enforces other federal laws relating to consumers’ privacy and security.Footnote 39
In February 2016 the California Attorney General's Data Breach Report set a standard for “reasonable security”: businesses operating under numerous regulatory regimes must provide “reasonable” data security for customers’ personal information. Many states’ laws, including those of California and Texas, require businesses to use “reasonable security procedures” to protect personal information.
Federal statutes like the Gramm-Leach-Bliley Act and HIPAA impose similar requirements. Even putting aside such laws, a failure to use reasonable security practices that results in a data breach may subject a business to agency enforcement and tort liability, and its executives to shareholder lawsuits.Footnote 40
To understand the type of liability, we have to understand the various data breach activities, the different types of information breached, the security measures, objectives, and company approaches, and the various regulations, laws, acts, real cases, and precedents. The widespread implementation of networked information systems has provided companies with tremendous economic benefits, including significantly reduced costs and increased productivity. But the resulting dependence on a computer infrastructure also creates significant vulnerabilities that can result in major harm to the business and its stakeholders. Concerns regarding corporate governance, individual privacy, the protection of sensitive business data, accountability for financial information, and the authenticity and integrity of transaction data are therefore driving the enactment of laws and regulations, both in the U.S. and globally, that impose obligations on businesses to implement information security measures to protect the data they hold.
The ultimate concern is electronic corporate information. Protecting it also requires addressing the means by which it is created, stored, and communicated. Statutes and regulations governing information security therefore typically cover both information systems (computer systems, networks, and software) and the data, messages, and information recorded on, processed by, communicated via, stored in, shared by, transmitted, or received from those systems. Data security breaches of many forms have caused massive damage, and each of them stems from individuals having trusted a company to keep their information safe.
Tort Liability
Cyber torts, cybercrimes that target and harm a particular person or persons,Footnote 41 are on the rise and are having serious effects on society. Courts face many challenges in determining liability, especially where the law has not kept pace with technologies such as the Internet of Things (IoT), in which everyday objects are connected to the Internet and report data on their use. Tort law needs to be continually updated to address the risks arising from emergent technological and social change.Footnote 42 Cyber law and tort liability are new concepts in U.S. law, and who is liable in tort when a cyber breach occurs is a very recent litigation issue. It is important to remember that organizations that hold databases containing personally identifiable information (PII) (e.g. universities, financial institutions, and credit card companies) can be held liable in tort when a data breach occurs, for any harm caused to the individuals whose data those databases hold (students, employees, consumers, etc.). Whenever a computer network attack (CNA) destroys, manipulates, or disrupts that data, the owner of the database has a responsibility to protect the PII and to disclose any evidence of a security breach.Footnote 43
The Duty of Care Obligation
Corporate legal obligations to implement security measures are set forth in an ever-expanding patchwork of federal and state laws, regulations, and government enforcement actions, as well as common law fiduciary duties and other implied obligations to provide “reasonable care.” Many of the requirements are industry specific (e.g., focused on the financial industry or the healthcare industry) or data-specific (e.g., focused on personal information or financial data).
In all cases these requirements have been steadily expanding over the past several years, a trend greatly accelerated by the series of high-profile security breaches in early 2005. Some of the key sources of the duty to provide security that have been in place for several years are outlined here:
Corporate governance legislation and case law designed to protect the company and its shareholders, investors, and business partners. Sarbanes-Oxley, for example, requires public companies to ensure that they have implemented appropriate information security controls with respect to their financial information. Similarly, several SEC regulations impose a variety of requirements for internal controls over information systems.
Laws focused on the personal interests of individual employees, customers, or prospects. Many privacy laws and regulations, particularly in the financial and healthcare sectors, require companies to implement information security measures to protect certain personal data they maintain about employees, customers, and prospects.
Laws addressing governmental regulatory interests or evidentiary requirements. Both the federal and state electronic transaction statutes (ESIGN and UETA) require all companies to provide security for the storage of electronic records relating to online transactions. Many regulations do likewise: IRS regulations require companies to implement information security to protect electronic tax records and as a condition of engaging in certain electronic transactions, SEC regulations address security in a variety of contexts, and FDA regulations require security for certain records.
Laws governing federal government agencies. The comprehensive Federal Information Security Management Act of 2002 (“FISMA”) addresses government security and requires security measures to protect all information collected or maintained by a federal agency, and all information systems used or operated by or for the agency.
In addition, several commentators have also argued that there may exist a common law duty to provide security, the breach of which constitutes a tort. While these statutes and regulations impose significant obligations on certain companies with respect to certain types of data, they are part of a growing trend to require all companies to provide appropriate security for all data, at least where the compromise of such data may damage the interests of corporate stakeholders. Several key developments support this expansion of coverage of security obligations.
Data Protection liability
The obligation to turn over data stored on foreign servers has always been a challenge because of the limits of legal enforcement and the outdated scope of the relevant regulation. In Microsoft Corp. v. United States, the Second Circuit held that the government cannot compel Internet Service Providers (ISPs) to turn over data stored overseas, even with a warrant. The court did not acknowledge the unique “un-territorial” nature of data, instead proceeding as if it were considering a physical object. The case is now heading to the Supreme Court, which will review it and decide sometime next year; its ruling could overturn or affirm the Second Circuit's decision. Microsoft has voiced support for the International Communications Privacy Act of 2017 (ICPA), a bill introduced in July that would provide “sensible ways for cross-border data access”, processes that are not clearly addressed by existing law.
The current state of the law does not mean that U.S. law enforcement has no access to data stored on foreign servers. If domestic disclosure warrants cannot be served on the foreign servers of U.S. companies, U.S. law enforcement can rely on mutual legal assistance treaties with the country in which the servers are located. While oral argument has not yet been scheduled, the Supreme Court will hear the case sometime in the next year.
This article's position is that Microsoft should provide the information, whatever the final court decision, and it supports the lower court's ruling ordering disclosure. Whatever the Supreme Court decides, Microsoft should be asked to produce the data held in Dublin, above all because the underlying crime, drug trafficking, is a global security concern. Where privacy comes face to face with global security issues such as narcotics crime, global security should take priority.
Microsoft is subject to U.S. jurisdiction, so according to the U.S. Stored Communications Act (SCA), a law that addresses voluntary and compelled disclosure of “stored wire and electronic communications and transactional records” held by third-party internet service providers (ISPs), the company is obliged to turn over data it controls regardless of where the data is stored. Due to the fact that the data is held on servers located in Ireland, Microsoft is currently disputing this. Retrieving the information should be conducted sensitively and professionally, with only the suspect's information retrieved in terms of email communication requested at a very specific interval of time. If going to Dublin with a warrant to check this information is a problem, Microsoft servers in the U.S. can retrieve the information and make it available at their U.S. premises. The Microsoft case may set a precedent in the way that data is managed.Footnote 44
Although the SCA was written in 1986 and is therefore inadequate for today's technology, retrieving the information is crucial to the investigation of this drug crime. Another important point is that the data is held under the control of an American company, which routes it to the server in Dublin. The suspect may have used Microsoft's service to facilitate the communications related to the crime, and it may therefore have been part of the means by which the crime was executed.
Private Companies’ Internal & Regulatory Enforcement
On September 9, 2016, the U.S. Chamber of Commerce, in its report on the current and future state of cybersecurity in the digital economy, addressed the importance of sound cyber risk management practices, which can make it harder for bad actors to succeed. It also stressed that governments’ cybersecurity policies and laws should be aligned with the approach underpinning the joint industry-NIST Framework for Improving Critical Infrastructure Cybersecurity (the Framework).Footnote 45
In terms of cyber security, organizations should aim to protect themselves against liability. Protecting the integrity of the organization should be the starting point; the research shows that organizations need to challenge themselves to identify what the immediate impact of an incident on them would be, before others do. Their reputation would take a knock, and depending on national regulations, firms may have to publish the incident in a formal breach notification to customers. A cyber-attack erodes the trust of customers and regulators in the firm's reliability, even where there is evidence of a cyber security policy and preparation. There is also financial loss, once the cost of enhancing information and cyber security capabilities is counted alongside the cost of rebuilding trust and reputation.
As for regulators, the research shows that they should define clearly the basis on which companies should be liable especially when there is confusion due to the fact that the company took all reasonable actions to avoid and control data breaches.
The answer lies in the type of information that was exposed. Confidential information needs to be protected, and this refers to any nonpublic information that employees or customers of a firm reasonably expect will be held in confidence. It is expected that access to such information will be restricted. This information could include details of business plans, products, contracts, or customer details. Customer details are also referred to as personal information and may include names, addresses (physical and email), credit card numbers, birth dates, and other data that can identify an individual.
Sometimes the confidential information will include sensitive business information, for example data relating to mergers and acquisitions. In these situations, divulging such information to anyone not on a pre-approved list may constitute a criminal offense. The U.S. Chamber of Commerce report on cyber security of September 2016 highlighted that the State should help the private sector detect, contain, respond to, and recover from events in cyberspace. A new legal architecture, one that allows private organizations to assertively defend their networks and systems, needs to be considered by policymakers.Footnote 46 Liability can therefore attach before, during, or after a breach, or at all three stages.
Law Firms’ Cyber Risk
Cost of Cyber Risks and Attacks
Cybersecurity is evolving and is now more than just a technology issue or an added clause in the retainer agreement. In 2017, for example, it was the single biggest risk faced by law firms. Cravath, Swaine & Moore and Weil Gotshal & Manges, two of the largest law firms in the U.S., suffered a major cybersecurity breach that was later linked to a $4 million-plus insider-trading scheme. In July 2016, the computer system of Griesing Law, a small 12-person Philadelphia firm, was infected with malware.Footnote 47 The firm contacted Integrated Micro Systems, its outsourced information technology provider. “We caught it almost immediately,” says Jessica L. Mazzeo, Chief Operating Officer at Griesing Law. “We took down our network and ran virus software on every computer in the firm. Once we located where the virus originated, we wiped the hard drive.”
That incident changed the way the firm dealt with websites, emails, and mobile devices. As a small firm, Griesing Law depends on outsourced providers for help. A new policy on internal email was implemented last year: if the source is unknown or the email is not expected, do not open it. “We look at the issue of cybersecurity not just from the client perspective but from a reverse standpoint,” Mazzeo says. “We want to make sure that we are covered internally. If we are protected, then our client information is protected.” Law firms have also been the source of the largest leaks: the Panama Papers case was exposed by an unprecedented leak in April 2016 of 11.5 million files from the database of the world's fourth biggest offshore law firm, Mossack Fonseca.Footnote 48
More recently came the Paradise Papers, a massive global leak of 13.4 million documents on the offshore finances and activities of the world's most powerful people and companies. The documents reveal the complex and seemingly artificial ways in which the wealthiest corporations can legally protect their wealth, the offshore holdings of political leaders and their financiers, and household-name companies that slash taxes through transactions conducted in secret. Some 6.8 million of the documents come from the Bermuda-based offshore legal service provider Appleby and the corporate services provider Estera; the two companies operated together under the Appleby name until Estera became independent in 2016. Appleby is a member of the “Offshore Magic Circle,” an informal clique of the planet's leading offshore law practices. Another six million documents come from corporate registries in some 19 jurisdictions, mostly in the Caribbean. A smaller amount comes from the Singapore-based international trust and corporate services provider Asiaciti Trust.Footnote 49 Both the Panama and Paradise Papers leaks highlighted two major gaps: the lack of solid due diligence on beneficial ownership and the lack of cyber security measures.
Challenges for Law Firms in Achieving Cyber Compliance
Law firms, like any other business, are subject to breach notification laws, and many of them have pre-breach security program requirements.Footnote 50 A firm will be in a far superior position with its clients, its state bar and any regulators or enforcement agencies, should an issue arise, if it can show that (1) its security program is aligned with best practices, (2) its management is engaged, (3) it is complying with its policies and procedures, and (4) tools are deployed to detect malware and criminal behavior.
One of the main problems is the lack of investment in cyber security. Many lawyers cite cost as a major reason why law firms are lagging in preparing for cyber-attacks. An effective cyber risk program requires, at a minimum, up-to-date software, which for law firms of all sizes can be very expensive. Law firms have never been very good with technology, and they are now under pressure to keep their systems up to date as breaches at firms make headlines and clients increasingly ask questions about security.
The FBI has issued warnings to firms and in early 2012 held a meeting with about 200 firms in New York to discuss the risk of breaches and theft of client data. Around the same time, Alan Paller, director of research for the SANS Institute, a cyber-training organization, described a conversation he had had with partners from a New York firm who had been told, and shown, by the FBI that all their client files had been stolen.Footnote 51
These warnings and many other instances of law firm data breaches have put the issue squarely in the crosshairs of the American Bar Association (ABA). Laurel Bellows, president of the ABA, has raised awareness within the legal community about cyber risks by launching a special Cybersecurity Legal Task Force to analyze a wide range of issues, including risks to law firms. “We are a self-governing profession, and there hasn't been an environment to do cybersecurity,” says Daniel Garrie, founder of Law and Forensics, a tech firm that specializes in forensic investigations for law firms and others. “The economics of the practice of law doesn't allow for investment. … Even in the biggest firms, there are only three or four people [working] on cybersecurity. There's not much investment in people, resources, and they can't pass the cost on to clients.” “Some firms are involved in the biggest deals in the world, and now companies are demanding a level of security,” Garrie adds.
But pressure from clients is causing firms to invest and focus on cyber risk. According to the 2016 ABA Legal Technology Survey Report, 30.7 percent of all law firms and 62.8 percent of firms of 500 lawyers or more reported that current or potential clients provided them with security requirements. At Griesing Law, the corporate clients demand that the firm has detailed cyber-security plans and prevention tools. “We review data guidelines and protocols on how to use, store and protect their data,” Mazzeo says. “Many of our corporate clients evaluate cybersecurity performance for all outside vendors and notify if expectations have been exceeded or require improvement.”
The pressure from clients is a major factor pushing law firms into the expanding world of cybersecurity. According to the 2016 ABA technology survey, only 17.1 percent of all law firms had an incident response policy and program in place to address a security breach, and only 50 percent of firms of 500 lawyers or more had such a plan in place.Footnote 52
Attackers are increasingly turning to ransomware to profit from the data they reach. Ransomware blocks access to a computer system's data, typically by encrypting it, until a ransom is paid, and may be combined with theft of the data and blackmail of the firm. If firms decide not to pay, they could lose their data permanently. After the hacking revelations from the 2016 presidential campaign, it is no surprise that nation-states continue to attack private businesses as well. Last year, Crain's Chicago Business reported that the Ukraine-based hacker group Oleras had targeted 46 U.S. and two U.K. law firms.
Because cybersecurity is a rapidly evolving field, services geared specifically towards the legal industry can be difficult to find and major players in cybersecurity are attempting to fill the gap. In November 2016, Thomson Reuters, megafirm Pillsbury Winthrop Shaw Pittman, and the growing cybersecurity firm FireEye announced their collaboration to become a one-stop shop for law firms in cyber risk.Footnote 53 “This collaboration originated from a discussion between Pillsbury and Thomson Reuters about the legal services we were already providing for our clients related to cybersecurity,” says Christy Weisner, director of Thomson Reuters Legal Managed Services.
Trent Teyema, the FBI assistant special agent in charge of cybercrimes in the Washington field office said that they had noted an increase of targeting of law firms over the last three years. “As client companies become targets, their security becomes stronger. Softer targets to go after are law firms.”
Part III: Recommendations for Cyber Compliance
This section analyzes and recommends the regulatory areas of improvement in the United States of America, Kingdom of Saudi Arabia and United Arab Emirates. It also emphasizes and analyzes the required steps for the legal and private corporations to adopt for ensuring an efficient cyber policy and compliance framework is in place.
General Overview on the Middle East
PricewaterhouseCoopers (PwC) conducted its Global State of Information Security survey, covering 10,000 companies across 127 countries.Footnote 54 In its Middle East report, PwC analyzed responses from 300 companies in 20 countries. The report shows that companies are investing in security technology and associated measures such as cyber insurance, but these are often not supported by the people, processes, and governance required, which frequently results in a ‘false sense of security.’
It is also clear from the responses that the impact of cyber security is broader than ever before and requires careful management. And as if the imperative to act were not enough, the survey shows that a large proportion of companies in the Middle East suffer bigger losses from cybercrime than their global counterparts.Footnote 55 Such findings are a cause for concern, all the more so because many companies in the region have invested significant sums in cybersecurity measures. While they clearly lag their international peers in some respects, they have many of the same measures in place: 85 percent have adopted a globally recognized security framework, compared with 88 percent globally, and 24 percent have an information security strategy, compared with 25 percent globally. That being the case, the question remains why there are still so many incidents in the region. The answer, according to the analysis, relates to two main areas:
Technology
Middle Eastern companies have a greater tendency to believe they can solve cyber issues by buying a technological ‘fix.’ Any software solution, however sophisticated, requires a parallel investment in awareness and training, yet less than 20 percent have a strong awareness program. Boards need to get involved, and until this happens real progress is unlikely. So while only 24 percent have security strategies, less than 15 percent of boards are aware of and support them, and many of those strategies are too narrowly defined, relating only to IT and not to the wider impact of digital.
Holistic Response
For a cyber policy to be successful, it needs to be addressed on an end-to-end basis. This is related to the previous point: many firms in the region still see cyber as solely an audit or IT issue, but it needs to be integrated into the company's overall approach to security, which also includes HR. Companies in the Middle East are in the top ten in the world in terms of their investment in cybersecurity technology, but in the bottom 50 for education and training in this area, and this is where companies in the region should perhaps be focusing their efforts.
In 2017, Thomson Reuters jointly with Deloitte conducted a survey of MENA companies.Footnote 56 Close to half of the respondents identified themselves in a risk, compliance or investigative role; 17.6 percent were board members; 14.7 percent were senior management or a member of the C-suite. It is notable that more than 60 percent of respondents, who are predominately located in either the UAE or KSA, reported that they had no cybercrime policy in place, despite the sensitivities involved when managing KYC data. Cybercrime has escalated and will continue to do so, with a number of prominent companies suffering a data breach this year.
According to a 2015 Deloitte report entitled “Are You Safe?” the financial services industry was the most common target of cybercrime attacks in 2014 and the total cost of cybercrime was estimated at $444 billion. When asked where they were spending their compliance budgets, more than a quarter of respondents pointed to technology as the main focus of investment, the second most popular choice behind the updating and reorganization of processes.
Faced with the increasing pressure of monitoring regulatory updates and the escalating threat of cybercrime, companies are turning to technology for salvation, and it seems they are choosing increasingly sophisticated technology to help them meet their regulatory obligations. The survey also shows that money laundering remains their most pressing financial crime issue. While there is a growing awareness around the issue of cybercrime, it is a subject that appears to have been neglected in previous years’ studies, but this has changed, with 86 percent of respondents reporting concern about cybercrime: “We see a growing awareness of the need for increased cyber security, with the number of cybercrime programs spiking by 10% in comparison to last year's results.”
Areas of Consideration for the Kingdom of Saudi Arabia, the United Arab Emirates and the United States of America
An interesting study, the Global Cybersecurity Index (GCI) published this year,Footnote 57 measures the commitment of Member States to cybersecurity in order to raise awareness. It follows five pillars (legal, technical, organizational, capacity building, and cooperation), and for each pillar questions were developed to assess commitment. Through consultation with a group of experts, these questions were weighted to arrive at an overall GCI score.
The survey was administered through an online platform through which supporting evidence was also collected. Member States were classified into three categories by their GCI score, which included the Initiating stage referring to the 96 countries (i.e., GCI score less than the 50th percentile) that have started to make commitments in cybersecurity; the Maturing stage referring to the 77 countries (i.e., GCI score between the 50th and 89th percentile) that have developed complex commitments, and engage in cybersecurity programs and initiatives e.g., KSA and UAE; and the Leading stage refers to the 21 countries (i.e., GCI score in the 90th percentile) that demonstrate high commitment in all five pillars of the index, i.e., the United States of America.
Areas of Improvement for the United Arab Emirates
It is recommended that the United Arab Emirates amend and update its laws to cover the full range of cyber crimes and illegal online activities. Beyond stronger enforcement and anti-cybercrime awareness, there are other areas of potential improvement.
The most severe penalty—five years in jail and a Dh3 million fine—is reserved for those who run malicious software that causes a network or IT system to stop functioning ‘or results in crashing, deletion, omission, destruction and alteration of the program, system, website, data or information,’ but officials from the Ministry of Justice have called for more stringent laws to tackle cybercrimes. The UAE should have laws imposing penalties on all kind of crimes and not only the massive ones. The UAE must also rely on international laws—which tend to be more comprehensive—to bring offenders to justice no matter their location.
The UAE should fill the gaps internally by issuing new legislation and continuously updating its laws. The UAE currently has no federal legislation imposing obligations on organizations relating specifically to cybersecurity in connection with data protection, and cyber law is not linked directly to data protection law. Intellectual property rights are protected through various pieces of federal legislation rather than being consolidated in one section of the cyber law.Footnote 58
As there is limited taxation in the UAE, such an incentive is not available to the authorities to the extent that it is elsewhere. Instead, the UAE authorities are keen to emphasize the benefits of a safe cyber-technology infrastructure, pointing to regional and international cooperation, and cooperation between the UAE government and private sector, as essential elements of achieving successful cybersecurity. Regulatory encouragement can take several approaches as the following paragraphs detail.
There are no UAE-specific or government-endorsed best practices. However, a sensible starting point for an organization would be to establish a committee or department responsible for the oversight of cybersecurity, which regularly reviews the organization's business processes and assesses the risks involved in them. Internal policies should be developed to promote cybersecurity, and regular reporting and monitoring of cybersecurity breaches should be encouraged. Clear and established reporting lines and response measures are important. Organizations should also develop a practice of educating and training employees on cybersecurity risks and consequences. HR policies on the vetting of employees would further minimize the potential risks posed by an organization's own staff.
Post-breach response strategies should be implemented. These should include guidelines for the organization's interactions with the media, customers and regulatory or enforcement authorities, and the retention of third-party forensic firms to assist with any investigations that may result from a breach.
There are no guidelines or established procedures to support the voluntary sharing of information about cyber threats. However, the UAE authorities have in the past issued press releases through local newspapers encouraging organizations to share information about cybercrimes and foreseeable cyber threats. Additionally, the fact that failure to report a crime in the UAE can attract severe criminal penalties under the Penal Code acts as an incentive for organizations to share information on cyber threats. In June 2016, the DFSA and the TRA signed a memorandum of understanding setting out the means of cooperation between them in the field of cybersecurity, to facilitate the detection and prevention of, education and awareness about, and response to cyber threats and incidents.Footnote 59
Areas for Improvement for the Kingdom of Saudi Arabia
In 2015, Saudi Arabia recorded over 160,000 offensive cyber actions a day, making it the most targeted country in the Middle East. Although Saudi cyber security is improving, clear national strategies, policies, and legal frameworks are not yet in place. The Kingdom needs robust, sustained cyber security initiatives.
Predictably, most of the targets were in the Saudi oil and gas, banking, and telecommunications sectors. The growth of e-commerce has been accompanied by a similar increase in cyber-criminal activity, particularly fraudulent financial transactions in online banking and retail. Some advanced operations employ several criminals working together: they compromise bank accounts, move funds out through fraudulent transactions and transfers, disperse the money to accounts under their control, and alter the names and credentials of the original account owners.
There are a number of substantial gaps in Saudi Arabia's cyber security law.Footnote 60 First, the absence of specific provisions on data protection leaves Saudi Arabian courts and adjudicatory bodies with considerable discretion to deal with data privacy violation claims under general Sharia principles. In addition, the absence of a central repository in which adjudicatory bodies’ decisions are consistently indexed, collected, and made publicly available, together with the lack of a binding precedent system, only makes the situation more complex. This lack of centrally held intelligence is a missed opportunity for the legal campaign against cybercrime and can lead to inconsistency. Second, provisions relating to the sanctity and safety of individuals’ personal data are spread over a number of legislative instruments. Third, the term ‘personal data’ is not defined in any law or regulation. Similarly, there are no formal notification or registration requirements before the processing of data, and ‘data controller’ is not defined in any law or regulation in Saudi Arabia. The Electronic Transactions Law merely imposes certain obligations on an ISP, stating that the ISP and its staff must maintain the confidentiality of information obtained in the course of business. Fourth, although Sharia law is supplemented by regulations issued by royal decree covering modern issues such as intellectual property, corporate law, and cyber law, the absence of specific data protection legislation is perplexing. Fifth, the absence of a national data protection authority means that personal data security breaches are not notified to any individual or entity in Saudi Arabia.
There is no regulation currently dealing with the transfer of data outside Saudi Arabia, though approval of the relevant regulatory authority might be required in specific sectors such as health. Sixth, data transfer agreements are not governed by any laws or regulations. However, in view of applicable Sharia principles and anticipating the enactment of a proposed data protection law in the future, employers in Saudi Arabia often include provisions in employment contracts recording employees’ consent to the use or disclosure of their data to third parties to the extent that such disclosures are required or anticipated. Seventh, Saudi Arabia's regulatory approach toward cybercrime is grounded in Sharia principles codified in the nation's constitution. These principles broadly protect the right to individual privacy, which encompasses property, capital, and labor. Supplementing Sharia are the 2001 Telecommunications Act and the 2007 Anti-Cybercrime Law, which prohibit breaches of privacy in the telecommunications sector and the interception of private data on an information network. The latter law further imposes penalties on cyber criminals of up to five years in prison and an $800,000 fine. Eighth, specific government rules and regulations guiding e-commerce security are lacking.
Comprehensive cyber security measures that go beyond technological investment are increasingly necessary. If the KSA authorities address these cyber policy weaknesses, it will signal to the international investment community that there is a commitment to tackling cybercrime.
Areas of Improvement for the United States of America
While the U.S. has one of the most robust cyber security frameworks in the world, there are areas of weakness that require examination. The GCI highlighted gaps in capacity building at the strategic level, whether in multilateral agreements or public-private partnerships. The U.S. Government Accountability Office (GAO) has consistently identified shortcomings in the federal government's approach to ensuring the security of federal information systems and cyber critical infrastructure, as well as in its approach to protecting the privacy of personally identifiable information (PII).
While previous administrations and agencies have acted to improve the protections over federal and critical infrastructure information and information systems, there are actions that the federal government is advised to take to strengthen U.S. cybersecurity.
First, the government should implement risk-based, entity-wide information security programs consistently over time. Among other things, agencies need to implement sustainable processes for securely configuring operating systems, applications, workstations, servers, and network devices; patch vulnerable systems and replace unsupported software; develop comprehensive security test and evaluation procedures and conduct examinations on a regular and recurring basis; and strengthen oversight of contractors providing IT services. Second, it should improve its cyber incident detection, response, and mitigation capabilities. The Department of Homeland Security needs to expand the capabilities of, and support wider adoption of, its government-wide intrusion detection and prevention system. In addition, the federal government needs to improve cyber incident response practices, update guidance on reporting data breaches, and develop consistent responses to breaches of PII. Third, it should expand its cyber workforce planning and training efforts by enhancing the recruiting and retention of a qualified cybersecurity workforce and improving cybersecurity workforce planning activities.
Fourth, it should strengthen the cybersecurity of the nation's critical infrastructure by developing metrics to assess the effectiveness of efforts promoting the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity, and by measuring and reporting on the effectiveness of cyber risk mitigation activities and the cybersecurity posture of critical infrastructure sectors.
Fifth, it should improve the oversight of personally identifiable information. The federal government needs to protect the security and privacy of electronic health information, ensure privacy when face recognition systems are used, and protect the privacy of users' data on state-based health insurance marketplaces.
Several recommendations made by the Commission on Enhancing National Cybersecurity (Cybersecurity Commission) and the Center for Strategic & International Studies (CSIS) are generally consistent with or similar to GAO's recommendationsFootnote 61 in several areas including: establishing an international cybersecurity strategy, protecting cyber critical infrastructure, promoting use of the NIST cybersecurity framework, prioritizing cybersecurity research, and expanding cybersecurity workforces.
Recommendations for Legal and Private Corporations
Most of the cyber, information security and privacy laws around the world do not prescribe the security controls that must be in place. Instead, they require “reasonable” controls to be put in place.
The nature and scope of that obligation is not always clear. Often unanswered is a key question: in terms of protecting data, what are the precise obligations for an organization? What is the scope of its legal obligations to implement cyber, privacy and information security measures?
Laws and regulations rarely specify what specific security measures a business should implement to satisfy its legal obligations. Most simply obligate the company to establish and maintain internal security procedures, controls, safeguards, or measures directed toward achieving the goals or objectives identified above, but often without any further direction or guidance.
A critical problem, then, is assessing how far a company is “legally” obligated to go. When are the security measures it implements sufficient, from a legal perspective, to comply with its obligations? For example, does installing a firewall and using virus detection software satisfy a company's legal obligations? Is it necessary for an organization to encrypt all of its electronic records? How does a business know when it is legally compliant? Is there a safe harbor? Since there is no such thing as perfect security (i.e., there is always more that you can do), resolving these questions can significantly affect cost.
The Federal Trade Commission (FTC) acknowledges that the mere fact that a breach of security occurs does not necessarily mean that there has been a violation of law. But it also notes that an organization can fail to meet its security obligations, even in the absence of a breach of that security.Footnote 62
Companies are required to engage in an ongoing and repetitive process that is designed to assess risks, to identify and implement responsive security measures, to verify that they are effectively implemented, and to ensure that they are continually updated in response to new developments.
This research and analysis point to several facts that should be taken into consideration. First, no single cyber security solution suits all situations. An effective solution will never be achieved by designing the cyber policy and program alone, by adopting high-tech cyber security systems alone, or by having the correct cyber laws in place alone. The solution lies in orchestrating a holistic cyber security approach. Cyber security solutions require careful management by competent and aware stakeholders, along with an appropriate culture and commitment from the board of directors.
Such an approach must be customized to fit its context. This entails defining all risks and safeguards; supervised implementation, followed by systematic testing, monitoring, and replacement of controls when necessary; and internal enforcement mandated by company policy that aligns with external regulatory enforcement.
Practical Steps Before Designing the Policy and Program
Senior executives are advised to take the following steps to minimize the possibility of cyber threat and to contain the impact of an attack:
Insurance
Target's Chief Financial Officer, John Mulligan, disclosed that the retailer's high-profile 2013 data breach cost Target $61 million in out-of-pocket expenses during the fourth quarter, of which $44 million was covered by insurance.Footnote 63 Thus, although costly, an insurance policy offset much of the cost of the breach. Both first-party and third-party coverage are generally available in the marketplace: first-party coverage relates to the insured's own costs in responding to the breach (i.e., fees for professionals assisting in the investigation and response, attorneys advising on notification and other legal requirements, crisis management firms, computer forensics firms, etc.), while third-party coverage indemnifies liability to third parties allegedly resulting from a covered claim.
Best Practice Whistle Blower Protection Policy
A solid whistle-blower protection scheme can prevent a great deal of harm in the long run. For this scheme in particular, senior management commitment is essential, and the safety and privacy of anyone who chooses to come forward with information must be emphasized for it to work.
Education
Training alone is not enough: when employees become aware of a cyber breach, they need to know what procedure to follow without hesitation. This requires an understanding of the procedure and regular practice. Training should reach all stakeholders, whether board, C-level, management, tactical teams, operations, customer service, or clerical staff, including the most junior employees and new joiners.
Culture
A culture of compliance should be spread across the organization; senior management and board commitment is key to reaching this culture and leading behavioral change.
Enforcement
Related to culture, if behavior is not monitored and strictly enforced, there is very little chance of mitigating cyber risk. As before, senior management must demonstrate a commitment to enforcing required behaviors if there is to be any hope of sustaining them. Consequences of non-compliance with cyber policy can range from salary reduction, suspension, and dismissal to imprisonment, depending on the severity. Some countries have minimal cyber security regulation, which means that the organization should have a plan to compensate for the regulatory gap, usually by adopting strict international best practices.
Communication
Regular communication with employees, customers, and other stakeholders enhances awareness, acts as a constant reminder of cyber breaches and their consequences, and can also enhance reputation.
Program Design
Based on research conducted for this article as well as global business, legal, and scholarly research, every company requires a comprehensive written cyber security program based on a clear foundation of scoping, risk assessment, and mitigation planning. This policy and program will not be effective, however, without a strong ‘tone from the top’.
Scoping
To identify the systems and information that require protection, the first step is to define the scope of the effort: what information, communications, and processes are to be protected? What information systems are involved? Where are they located? What laws potentially apply to them? Sensitive data files are often found in a variety of places within the company, so this inventory cannot be taken for granted.
Threat Analysis and Risk Assessment
The goal is to understand the risks the business faces, and determine what level of risk is acceptable, in order to identify appropriate and cost-effective safeguards to combat that risk. This process will be the baseline against which security measures can be selected, implemented, measured, and validated. This involves identifying all reasonably foreseeable internal and external threats to the information assets to be protected. Threats should be considered in each area of relevant operation, including information systems, network and software design, information processing, storage and disposal, prevention, detection, and response to attacks, intrusions, and other system failures, as well as employee training and management.
Security Risk Mitigation
Design and implement a security program based on the results of the risk assessment. The program should include reasonable physical, technical, and administrative security measures to manage and control the risks identified during the risk assessment.
Program Components and Execution Strategy
Laws in the U.S. do not require companies to implement specific security measures or employ a particular technology. As expressly stated in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security regulations, for example, companies “may use any security measures” reasonably designed to achieve the objectives specified in the regulations.Footnote 64
This focus on flexibility means that, like the obligation to use “reasonable care” under tort law, determining compliance may become more difficult. As one commentator has pointed out with respect to the HIPAA security regulations: “The new security rules offer no safe harbor to covered entities, business associates, or the people who make security decisions for them. Rather, whether security countermeasures are good enough to ‘ensure’ the confidentiality, integrity, and availability of [protected health information], and protect it from ‘any’ hazard one could reasonably anticipate, is likely to be judged retroactively.”Footnote 65
In addition, there are several more specific categories of security measures that regulations often require companies to consider. Many are clearly expressed by the Cloud Standards Customer Council and include the following.Footnote 66
Physical Facility and Device Security Controls
Procedures to safeguard the facility; measures to protect against destruction, loss, or damage of information due to environmental hazards such as fire and water damage or technological failures; procedures that govern the receipt and removal of hardware and electronic media into and out of a facility; and procedures that govern the use and security of physical workstations.
Oversight of Third Parties
Overseeing third-party service provider arrangements and ensuring that providers are aware of their responsibilities and obligations under the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”).
Physical Access Controls
Access restrictions at buildings, computer facilities, and records storage facilities to permit access only to authorized individuals.
Technical Access Controls
Policies and procedures to ensure that authorized persons who need access to the system have appropriate access, and that those who should not have access are prevented from obtaining access, including procedures to determine access authorization, procedures for granting and controlling access, authentication procedures to verify that a person or entity seeking access is the one claimed, and procedures for terminating access.
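The four procedures named above (determining authorization, granting and controlling access, authenticating the requester, and terminating access) can be made concrete in code. The following Python script is an example added to this section for illustration; it is not from the article or from any of the sources it cites. It implements a small access registry with a role table that determines authorization (deny by default), time-bounded grants, password authentication using PBKDF2, and a termination routine that revokes every grant at once, and it records an audit entry for every decision, which is what the audit-control component later in this list depends on. The roles, resources, user names and passwords are assumptions made for the demonstration.

```python
"""Added example: a minimal access registry covering the four procedures in
the paragraph above (determine authorization, grant/control, authenticate,
terminate). Roles, resources and credentials are assumed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import secrets

# Role -> permitted (resource, action) pairs. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "paralegal": {("case-files", "read")},
    "attorney": {("case-files", "read"), ("case-files", "write")},
    "billing": {("invoices", "read"), ("invoices", "write")},
}


@dataclass
class Grant:
    role: str
    expires: datetime  # every grant is time-bounded; renewal is an explicit act


@dataclass
class Principal:
    user_id: str
    salt: bytes
    pw_hash: bytes
    grants: list = field(default_factory=list)
    terminated: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is illustrative, tune it for production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessRegistry:
    def __init__(self):
        self._users = {}
        self.audit = []  # (time, user, resource, action, decision, reason)

    def enroll(self, user_id, password):
        salt = secrets.token_bytes(16)
        self._users[user_id] = Principal(user_id, salt, _hash_password(password, salt))

    def grant(self, user_id, role, days, now):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._users[user_id].grants.append(Grant(role, now + timedelta(days=days)))

    def terminate(self, user_id):
        # Flag the principal AND drop every grant, so a missed flag check
        # elsewhere cannot silently keep access alive.
        principal = self._users[user_id]
        principal.terminated = True
        principal.grants.clear()

    def authenticate(self, user_id, password):
        principal = self._users.get(user_id)
        if principal is None or principal.terminated:
            return False
        return hmac.compare_digest(_hash_password(password, principal.salt), principal.pw_hash)

    def authorize(self, user_id, password, resource, action, now=None):
        """Authenticate, then allow only if an unexpired grant's role permits the action."""
        now = now or datetime.now(timezone.utc)
        decision, reason = False, "denied by default"
        if not self.authenticate(user_id, password):
            reason = "authentication failed"
        else:
            live_roles = [g.role for g in self._users[user_id].grants if g.expires > now]
            if any((resource, action) in ROLE_PERMISSIONS[r] for r in live_roles):
                decision, reason = True, "permitted by role " + ",".join(live_roles)
            elif not live_roles:
                reason = "no unexpired grant"
        self.audit.append((now.isoformat(), user_id, resource, action, decision, reason))
        return decision


def demo():
    """Walk through grant, authorize, wrong password, expiry and termination."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg = AccessRegistry()
    reg.enroll("alice", "correct horse battery staple")
    reg.enroll("bob", "hunter2")
    reg.grant("alice", "attorney", days=90, now=t0)
    reg.grant("bob", "paralegal", days=30, now=t0)
    results = {
        "alice_write": reg.authorize("alice", "correct horse battery staple", "case-files", "write", now=t0),
        "bob_read": reg.authorize("bob", "hunter2", "case-files", "read", now=t0),
        "bob_write": reg.authorize("bob", "hunter2", "case-files", "write", now=t0),
        "bob_bad_password": reg.authorize("bob", "wrong", "case-files", "read", now=t0),
        "bob_after_expiry": reg.authorize("bob", "hunter2", "case-files", "read", now=t0 + timedelta(days=31)),
    }
    reg.terminate("alice")
    results["alice_after_termination"] = reg.authorize("alice", "correct horse battery staple", "case-files", "read", now=t0)
    results["audit_entries"] = len(reg.audit)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design points carry over to any real implementation: the decision is denied unless a live grant explicitly permits the (resource, action) pair, and termination clears the grants rather than relying on every caller to remember to check a flag. The audit list is what allows a later reviewer to reconstruct who was allowed what, and why.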
Intrusion Detection Procedures
System monitoring and intrusion detection systems and procedures to detect actual and attempted attacks on, or intrusions into, company information systems; and procedures for preventing, detecting, and reporting malicious software (e.g., viruses, Trojan horses).
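As an added illustration of what a detection procedure looks like in practice (not from the article or its sources), the following Python script runs a simple rule over a handful of constructed log lines written in a simplified SSH authentication-log style. It flags a source address that produces a burst of failed logins inside a sliding time window, and raises the severity when the same source then logs in successfully, which is the pattern a password-guessing attack leaves behind. The log lines, addresses, user names and thresholds are constructed for the example.

```python
"""Added example: brute-force detection over constructed authentication-log
lines. The log lines, addresses, accounts and thresholds are not real data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified sshd/auth.log style (timestamps ISO 8601).
SAMPLE_LOG = """\
2024-03-04T09:00:01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51022
2024-03-04T09:00:03 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51023
2024-03-04T09:00:04 sshd[812]: Failed password for root from 203.0.113.7 port 51024
2024-03-04T09:00:06 sshd[812]: Failed password for jsmith from 203.0.113.7 port 51025
2024-03-04T09:00:09 sshd[812]: Failed password for jsmith from 203.0.113.7 port 51026
2024-03-04T09:00:15 sshd[812]: Accepted password for jsmith from 203.0.113.7 port 51027
2024-03-04T09:12:40 sshd[813]: Failed password for jsmith from 198.51.100.20 port 40001
2024-03-04T09:13:01 sshd[813]: Accepted publickey for jsmith from 198.51.100.20 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(lines):
    """Yield structured events; lines that do not match are ignored, not guessed at."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield {
                "ts": datetime.fromisoformat(m["ts"]),
                "outcome": m["outcome"],
                "user": m["user"],
                "src": m["src"],
            }


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Return (severity, source, detail) alerts.

    Rule 1 (medium): at least `threshold` failed logins from one source inside
    a sliding window.  Rule 2 (high): a successful login from a source that is
    already flagged while its failures are still inside the window.
    """
    alerts = []
    failures = defaultdict(deque)  # source -> timestamps of recent failures
    flagged = set()
    for ev in events:
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # age out failures older than the window
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("medium", ev["src"],
                               f"{len(recent)} failed logins within {window}"))
        elif ev["src"] in flagged and recent:
            alerts.append(("high", ev["src"],
                           f"successful login as {ev['user']} after {len(recent)} failures"))
    return alerts


def run_sample():
    return detect(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for severity, src, detail in run_sample():
        print(f"[{severity}] {src}: {detail}")
```

On the sample the script raises one medium alert for 203.0.113.7 once the fifth failure lands, then a high alert when that same address succeeds as jsmith a few seconds later; the single failure from 198.51.100.20 followed by a key-based login stays below threshold and is not reported. The "reporting" half of the procedure is the part left to the organization: the high alert is the one that should reach the incident response team without delay.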
Employee Procedures
Job control procedures, segregation of duties, and background checks for employees with responsibility for or access to information to be protected, and controls to prevent employees from providing information to unauthorized individuals who may seek to obtain this information through fraudulent means.
System Modification Procedures
Procedures designed to ensure that system modifications are consistent with the company's security program.
Data Integrity, Confidentiality, and Storage
Procedures to protect information from unauthorized access, alteration, disclosure, or destruction during storage or transmission, including storage of data in a format that cannot be meaningfully interpreted if opened as a flat, plain-text file (i.e., encrypted), or in a location that is inaccessible to unauthorized persons and/or protected by a firewall.
Data Destruction and Hardware and Media Disposal
Procedures regarding final disposition of information and/or hardware on which it resides, and procedures for removal from media before re-use of the media.
Audit Controls
Maintenance of records to document repairs and modifications to the physical components of the facility related to security (e.g., walls, doors, locks, etc.); and hardware, software, and/or procedural audit control mechanisms that record and examine activity in the systems.
Contingency Plan
Procedures designed to ensure the ability to continue operations in the event of an emergency, such as a data backup plan, disaster recovery plan, and emergency mode operation plan.
Incident Response Plan
A plan for taking responsive actions in the event the company suspects or detects that a security breach has occurred, including ensuring that appropriate persons within the organization are promptly notified of security breaches, and that prompt action is taken both in terms of responding to the breach (e.g. to stop further information being compromised and to work with law enforcement), and in terms of notifying appropriate persons who may be potentially injured by the breach.
Third Party Agreements
According to third-party risk studies by Thomson Reuters Risk Business in 2015–17,Footnote 67 there are three basic requirements when organizations outsource: they must exercise due diligence in selecting service providers; they must contractually require outsource providers to implement appropriate security measures; and they must monitor the performance of the outsource providers. It is important to note that the breach at Target Corp. that exposed credit card and PII data on more than 70 million consumers began with a malware-laced phishing attack sent to a third-party vendor.
Awareness & Education
Education and awareness are an ongoing process which should exist in all cyber security mitigation phases. Security education begins with communication to employees of applicable security policies, procedures, standards, and guidelines. It also includes implementing a security awareness program, periodic security reminders, and developing and maintaining relevant employee training materials, such as user education concerning virus protection, password management, and how to report discrepancies. Applying appropriate sanctions against employees who fail to comply with security policies and procedures is also important.
Monitoring and Testing
Companies must ensure that the security measures have been properly put in place and are effective. This includes assessing the sufficiency of the security measures in place to control the identified risks and conducting regular testing or monitoring of the effectiveness of those measures.
Reviewing and Adjusting
The program must be revised in light of ongoing change. Businesses must therefore conduct periodic internal reviews to evaluate and adjust the information security program in light of the results of testing and monitoring; any material changes to the business or its arrangements; any changes in technology; any changes in internal or external threats; any environmental or operational changes; and any other circumstances that may have a material impact.
Practical Measures Post Cyber Breach
Disclosure/Notification
In the U.S., as a direct response to the large number of high-profile security breaches involving sensitive personal information, most states, and Congress, introduced legislation requiring notification of persons affected by such breaches. Thus, even where there is no duty to provide security, there may well be a duty to disclose a breach of security.Footnote 68 Once a breach has been detected, providing notice is one of the first actions required, alongside containment.
This notice should be given to the following entities, depending on applicable state and federal law: 1) the state and federal regulators or agencies responsible for the relevant sector or type of breach; 2) the customers and consumers whose information is subject to the breach; and 3) the insurers.
Prompt Action
Having a clear process for how a company prepares for and responds to security breaches when they occur is key. Prompt action on a variety of fronts is critical, from both a legal and a public relations perspective.
Digital Evidence
Digital evidence plays an important role in the various phases of cybercrime investigations. A thorough WESTLAW study conducted by Thomson Reuters this yearFootnote 69 emphasizes that every company should have an Incident Response Plan (IRP) which directs appropriate internal or external resources to capture and preserve evidence related to security incidents during investigation, analysis, and response activities. The incident response team should seek counsel's advice as required to establish appropriate evidence handling and preservation procedures, and to identify and protect evidence for specific information security incidents.
The first phase of digital evidence is linked to computer forensics. The second phase relates to the presentation of digital evidence in court. In order to carry out the investigations they need to undertake, investigators need, in addition to training and equipment, procedural instruments that enable them to take the measures necessary to identify the offender and collect the evidence required for criminal proceedings.
Ensuring that the right digital evidence tools are in place requires a process that addresses six elements. First, scientific research and training. Second, legal standards: some countries have started to update their legislation to enable courts to deal directly with digital evidence. Third, expert support: analyzing and evaluating digital evidence requires special skills and technical understanding not necessarily covered in the education received by judges, prosecutors, and lawyers. Fourth, creating trust and legitimacy: digital evidence must be collected, analyzed, preserved, and finally presented in court in accordance with the appropriate procedures and without violating the fundamental rights of the suspect. Fifth, disclosure: unlike traditional search and seizure operations, which are carried out openly and therefore guarantee that the suspect is aware that an investigation is being carried out, sophisticated investigation tools such as the real-time interception of communications do not require such disclosure. Sixth, investigation: there are two main investigation phases; phase 1 comprises the identification of relevant evidence, the collection and preservation of evidence, and the analysis of computer technology and digital evidence; phase 2 involves the presentation and use of evidence in court proceedings.
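The evidence-preservation duty placed on the Incident Response Plan above and the trust-and-legitimacy element here both turn on being able to show, later, that evidence was not altered after collection and that custody can be traced. The following Python script is an added example, not from the article or its sources: it hashes each acquired item, records acquisition and custody transfers in a log in which every entry commits to the hash of the previous one, and verifies both the items and the log on demand. The case identifier, file name and custodians are assumptions; the "disk image" is a constructed stand-in written to a temporary directory so the script runs offline.

```python
"""Added example: hash-based evidence preservation with a tamper-evident chain
of custody log. Case id, item name and custodians are assumed; the 'disk image'
is a constructed stand-in written to a temporary directory."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash of the first log entry


def sha256_file(path, chunk=1 << 20):
    """Stream the file so images larger than memory hash correctly."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only record; each entry commits to the previous entry's hash,
    so deleting, reordering or editing an entry breaks verification."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def _append(self, **fields):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"case": self.case_id, "seq": len(self.entries), "prev": prev,
                 "time": datetime.now(timezone.utc).isoformat(), **fields}
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def acquire(self, path, custodian, note=""):
        # Hash at acquisition; this value is what every later check compares against.
        return self._append(action="acquire", item=os.path.basename(path), path=path,
                            size=os.path.getsize(path), sha256=sha256_file(path),
                            custodian=custodian, note=note)

    def transfer(self, item, from_custodian, to_custodian):
        return self._append(action="transfer", item=item,
                            from_custodian=from_custodian, to_custodian=to_custodian)

    def verify(self):
        """Return a list of problems; an empty list means log and items are intact."""
        problems = []
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _entry_hash(e) != e["entry_hash"]:
                problems.append(f"log entry {e['seq']} altered or out of order")
            prev = e["entry_hash"]
            if e["action"] == "acquire" and sha256_file(e["path"]) != e["sha256"]:
                problems.append(f"{e['item']} no longer matches its acquisition hash")
        return problems


def demo():
    """Acquire an item, transfer custody, then show both kinds of tampering being caught."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "laptop-0042.img")  # constructed stand-in
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample evidence")
        log = CustodyLog("IR-2024-001")
        log.acquire(image, "forensic analyst A", note="imaged behind a write blocker")
        log.transfer("laptop-0042.img", "forensic analyst A", "outside counsel")
        clean = log.verify()
        with open(image, "ab") as fh:  # evidence modified after acquisition
            fh.write(b"x")
        tampered = log.verify()
        log.entries[1]["to_custodian"] = "unknown"  # custody log edited after the fact
        log_edited = log.verify()
    return {"clean": clean, "tampered": tampered, "log_edited": log_edited}


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(f"{scenario}: {problems or 'OK'}")
```

The two failure modes the script distinguishes are the ones an opposing expert will probe: an item whose content no longer matches the hash recorded at acquisition, and a custody record that was edited after the fact. In practice the log would be written to append-only storage and the acquisition hash would also be recorded on the signed acquisition form, so that the chain can be checked against a copy the investigating team does not control.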
Conclusion
After a review of the impact and liabilities of the different forms of data security breach in the three case-study countries, it appears that the most important lesson to be learned from past breaches is that they reflect a lack of coherent, effective cyber policies and compliance frameworks.
This reinforces the need for a holistic cyber security approach, and confirms that a tailored response to each context is desirable. Companies should not only satisfy the regulatory checklist but wholeheartedly embrace it and go further than what is required by regulators in order to safeguard not only their own data, but their clients’ data too. At the same time, in order to make the Internet safer and to protect its users, it is time for authorities to revise and enforce the laws as analyzed in this research.
A successful response will require collaboration between private and public entities, and the building of trust to enable information sharing across jurisdictions and between organizations. Cyber-attacks have the potential to be incredibly harmful to many people, and given that technology is an enabler of economic growth, creating a coordinated approach to reducing cyber risk is integral to the development of our societies.