By Mark Greisiger, NetDiligence, and Jon Neiditz, Locke Lord Bissell & Liddell LLP
Imagine this nightmare:
Criminals from across the globe, armed with the most sophisticated weaponry, are converging on your bank. Inside the bank, the guards are fast asleep. Panicked tellers sound alarms. Nothing happens. (No one knew they didn't work; they were never tested.) The bad guys know precisely where the vault is and it's wide open. Bad guy after bad guy marches out with your customers' wealth. The crime's swiftness is mind-boggling. What should have taken hours was over in seconds.Unfortunately, this dream isn't all that farfetched in cyberspace. Especially if you haven't enlisted the crime-fighting power of the dynamic duo-legal and information technology (IT). Together, those charged with overseeing your legal and IT can provide the protection you so desperately need in the face of today's exponentially evolving technology and increasingly litigious business environment.
But the worst is yet to come: customers, outraged that you didn't have better safeguards, are closing their accounts and suing you for negligence. Before you jolt awake, one last image flashes through your mind: the words "CEASE AND DESIST" scrawled in blood-red paint across your bank's front door and a letter emblazoned with "CLASS ACTION LAWSUIT" in your mailbox.
You see, while technology has revolutionized the industry, it has also left financial institutions, and their customers, more vulnerable than ever. In cyberspace, there are, indeed, legions of bad guys developing technologies to break into your systems and steal your customers' identities. And they can do it from Eastern Europe or the Middle East or Asia-in cyberspace, there are no geographic barriers.
We get multiple calls about security breaches every week. Fortunately, most issues are resolved before it's necessary to notify authorities, but their ever-increasing frequency is alarming.
If your IT and legal teams aren't joining forces to establish safeguards against these escalating threats, it's the equivalent of leaving your vault wide open and putting your guards to sleep.
It's no wonder financial institutions are required to adhere to a multitude of cybersecurity regulations that were unheard of just a half-decade ago. For instance, the Gramm-Leach-Bliley Act (GLBA) and its state progeny require banks to take prudent and reasonable precautions to protect identity. Often clashing with those laws are breach notification statutes in 39 states. Most require banks to notify customers if their systems have been breached and customers' personal information potentially exposed. Here's just a sampling of issues that make adherence challenging: • Definitions of what is considered personal information vary with each statute.
• Regulations shift from state to state; applying where each customer resides. What's required in one state may be prohibited in another. You need a sound national response strategy that can easily be adjusted to address every shift in regulation.
• Notice-triggering breaches are costly. One study estimated that if you send customers a breach notice you'll lose 20 percent of them. Send out a second notice, and many more will bolt. Even though breaches will occur in the best security systems, the fires have been fanned for claiming negligence and instigating class action lawsuits.
• Both the law and your market position make you responsible for the security breaches of your customers' data residing at vendors and third-party suppliers, such as core processors. For some banks, the ripple effect can morph into a tidal wave. For instance, if credit cards are involved, you must pay for reissuing them. At $10 to $16 or more per card for thousands of customers, that's costly. What's more, the organization that delivers the bad news is generally the one blamed by the customers and the media.
It's too easy to install new technologies without understanding the legal impact. For instance, IT may forge ahead with a paperless record-keeping system while unaware of:
• Compliance with privacy and security requirements, • Managing the costs and risks of electronic discovery, and • Ensuring that all electronic documents will be enforceable and admissible in court. Therein lies the conflict that separates this dynamic crime-fighting duo. Legal and IT have traditionally operated in different realms-IT is operations-focused, accustomed to charging ahead without consulting legal. Legal oftentimes doesn't understand the dynamics of IT.
All of that is changing, however, due to information security issues and electronic discovery. For the safety of your customers and the well-being of your financial institution, it's critical IT and legal work closely at all times. Here are some suggestions to make that happen: 1. Don't wait for a security issue to introduce your IT and your legal departments. We've witnessed that more times than we care to recount. Be highly proactive. Use electronic discovery to get a jump on information security issues. Consider hiring an Electronically Stored Information (ESI) Coordinator to help you bridge IT and legal, as now recommended by a number of judicial districts. 2. Enlist outside, objective experts to handle tasks such as conducting a security assessment, preparing a crisis communications plan and reviewing the customer notification requirements in states where your accountholders reside. Experts who do this work constantly can provide valuable perspective. What's more, their input will help you respond quickly to any breaches, and will help prove you did your best to provide reasonable and prudent safeguards. Their expertise could ultimately save millions of dollars.
3. Don't get caught up in security theater, i.e., countermeasures that provide the feeling of security while doing little or nothing to actually improve it. For example, many breaches are related to poor patch management-the ease of getting into the system through security holes in Internet-facing operating systems or business applications. Bad guys often rely on human weaknesses and may count on a bank being understaffed in information security. Scan test your systems and servers at least quarterly to see how well they can defeat and deflect the thousands of known hacker exploits.
4. Establish a security council that would be responsible for: • Orchestrating the relationship between IT and legal. • Overseeing outside cybersecurity and legal experts. • Ensuring third-party vendor compliance. • Developing strategies and tactics to manage risk. • Establishing privacy policies to advise clients and vendors on how data will be protected. • Creating a response plan in the event of a security breach. Unite the powerful crime-fighting forces of legal and IT so this dynamic duo can ensure that bad dreams won't come true for your financial institution.
Mark Greisiger is president of NetDeligence, a cybersecurity assurance organization. Greisiger is an authority on cybersecurity and network risk for computer-dependent businesses, government agencies and financial institutions.
Jon Neiditz leads the Information Management & Privacy Practice for Locke Lord Bissell & Liddell LLP's Business Technology Group. In recent years, his practice has focused on assisting clients to meet the legal and technological challenges of electronically stored information.
Jon Neiditz leads the Information Management & Privacy Practice for Locke Lord Bissell & Liddell LLP's Business Technology Group. In recent years, his practice has focused on assisting clients to meet the legal and technological challenges of electronically stored information.A tight alliance between legal and IT teams can better enhance banks' security efforts.