
Tenable Blog


Security, Here's When You Should Call Legal

Did you know litigation can emerge over vulnerabilities before any security breach occurs? That is why security needs to work with legal as soon as a vulnerability is discovered, not only after it has been exploited.

So far, I’ve explored the legal aspects of cybersecurity as they relate to vulnerability management. See previous posts in this series:

For the third and final part of the series, I’ll discuss recent litigation that has emerged over vulnerabilities, in several cases before any breach occurred.

Let’s look at recent legal trends, which can inform your vulnerability management plans.

Vulnerability litigation in the news

Before a security breach even occurs, organizations can be held liable for vulnerabilities in their products or systems. In 2016, Samsung was sued by the Dutch Consumers’ Association (DCA) for failing to provide timely software updates for its smartphones after the Stagefright bug was disclosed. In the same year, in the first class action suit of its kind, a Chicago law firm was sued for malpractice and negligence after security vulnerabilities in its systems put clients’ personal data at risk. Law firms in particular, with their access to confidential client information, are often scrutinized for their security practices. Although the court eventually ruled in favor of the firm, the lawsuit caused reputational damage and triggered an in-depth examination of law firm security across the board. In 2017, litigation was brought against ADT for failing to disclose system vulnerabilities to its customers. Note that none of these suits required an actual breach: the unpatched or undisclosed vulnerability itself was the basis of the claim. 

Lawsuits related to Meltdown and Spectre

More recently, Intel found itself facing at least 30 class action lawsuits and two securities class action lawsuits following the disclosure of Meltdown and Spectre. These two vulnerabilities affect the company’s processors (Spectre also affects processors from other vendors) and received sensational news coverage. Three major cases that provide insight into the legal aspects of these vulnerabilities emerged out of California, Oregon and Indiana. These lawsuits accuse Intel of breach of implied warranty, negligence, unfair competition and deceptive practices. In their factual allegations, the complaints assert that Intel knew about the vulnerabilities yet continued to advertise and sell its processors without disclosing the flaws. Whether or not those allegations hold up, the pattern is instructive: the legal exposure turns on what the company knew, when it knew it and what it told customers in the meantime. 

The cases mentioned here are some of the first of their kind. But as the number of disclosed vulnerabilities grows year after year, this type of litigation is likely to continue. So, evaluate your vulnerability management plan through the lens of legal and regulatory compliance, not only technical risk. 

The ripple effect of headline-making vulnerabilities

One possible explanation for the rise in litigation over vulnerabilities is the increasing media coverage that vulnerabilities receive once disclosed. When top media outlets report on vulnerabilities, people outside cybersecurity become aware of the potential risks and are more likely to take legal action. Meltdown and Spectre were two of the most publicized vulnerabilities, garnering coverage from The New York Times, CNN, The Washington Post and other top media outlets. 

The growth of IoT

Meanwhile, as IoT adoption continues to spread, we can expect litigation over IoT vulnerabilities, too. IoT devices have flooded the market over the past few years, and they are just as susceptible to vulnerabilities and hacking as any other networked system. It has been estimated that by 2020 there will be 200 billion connected objects in the IoT. This complicates the legal picture: an IoT device typically ships its data to the vendor’s cloud, so device makers, cloud providers and integrators may all have access to more personal data than ever before. OWASP has published an IoT Top 10 listing the most common weaknesses in IoT devices. The list includes weak, guessable or hardcoded passwords, insecure network services, insecure data transfer and storage, and other basic flaws, many of which could be found and exploited by a novice attacker. 

IoT vulnerabilities are also being reported by the mainstream and tech media. In 2017, vulnerabilities were disclosed in implantable cardiac devices that, if exploited, would allow an attacker to access the device, monitor a patient’s heart rhythm and even administer shocks. Smart TVs have also made headlines for insufficient security. In 2018, Roku devices were found to have a vulnerability that would allow attackers to control what the device streams and obtain user data. Additionally, Tenable has disclosed vulnerabilities in IoT devices such as Arlo and other cameras.

Given these trends, it’s imperative to involve legal early in the vulnerability disclosure process, whether you are the vendor receiving a report or the customer deciding what to tell your own users. How an organization handles disclosure can limit its risk exposure and may influence whether a suit is filed at all.

What happens when a vulnerability leads to a security breach?

When a vulnerability is exploited and leads to a security breach, the situation gets a lot more complicated. Following a breach, IT should immediately involve legal so the parties can determine:

  • What data was breached?
  • Who needs to be notified?

Federal, state and international laws may apply, along with contractual obligations an organization has made to its customers or vendors. Preserve the timeline as well: when the vulnerability became known, when a fix was available and when it was applied. As the cases above show, litigation frequently turns on exactly those dates. 

While this post will not delve into the complexities of breach notification law, it’s imperative to learn from some of the more notorious breaches – such as the 2017 Equifax breach. 

The Equifax breach: What not to do

Involving the data of almost half of the U.S. population, the Equifax breach is widely considered one of the most egregious breaches of all time. Equifax’s response to the breach was deemed highly inadequate, which makes it a useful lesson in what not to do. The attackers exploited a known vulnerability in Apache Struts for which a patch had been available for months, and Equifax knew about the theft for roughly six weeks before the breach was disclosed. That delay points to one of the most important legal lessons about security breaches: notification. 

Notification is key

The notification requirement is also one of the most prominent aspects of recent legislation. Under Europe’s GDPR, an organization must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, and must notify the affected individuals without undue delay when the breach is likely to result in a high risk to them. In the U.S., the state-by-state breach laws commonly require timely notification without unreasonable delay, and several set specific deadlines. 

When developing and updating your vulnerability management plan:

  • Consider the minimum requirements of each law that applies to you, including who must be notified and by when
  • Incorporate lessons learned from other organizations’ incidents, such as the cost of delayed patching and delayed notification 

Security and privacy law is complex. This post is not legal advice, nor does it attempt to explain the law in depth. Rather, it seeks to show how important it is to keep your legal team closely involved with your security program in this era of vulnerabilities and security breaches. 

As recent trends in litigation demonstrate, the law will continue to adapt to the changing tech environment. While security and law may operate from different perspectives, both have similar goals of maintaining a space where data is safely stored and consumer privacy is protected.
