By Jason Smith
Whether by offering products and services over the Internet, by employing telecommuters or simply by communicating on mobile devices, every company today, large or small, conducts business online. While the security around online-based businesses and telecommuting employees is quite mature, the mobile ecosystem remains a virtual wild west.
Mobile devices can be defined as cell phones, tablet computers, portable hard drives, USB flash drives, laptops, etc. The obvious benefits of portability, flexibility and accessibility have driven the growth in use of such devices in corporate America. For instance, an 8GB flash drive that is smaller than a business card can hold the equivalent of 640,000 boxes of paper. A portable hard drive which is a little larger than a cell phone can store more than 40 million boxes of paper. Unfortunately, portability provides opportunities for loss of important data on a much larger scale than simply misplacing a confidential file folder. Here are the risks of the mobile ecosystem that should be keeping CEOs awake at night.
In 2010, almost 600 corporate data breaches were reported, each affecting an average of more than 31,000 records. At an average cost of $204 per record, the estimated hard cost of these breaches was more than $6.5 million, and that counts only the breaches that were reported. Of course, the potential soft cost of these breaches is immeasurable. It was hard enough to defend against these attacks when data sat in a central location, but with the growth of the mobile ecosystem, the company walls are dissolving into a borderless virtual world.
While a company’s responsibility for protecting data is governed by general business principles and financial implications, there are also laws governing the level of security a company must implement and the actions it must take in the event of a data breach. Texas is among 46 states that impose on any person who conducts business in the state a duty to notify affected individuals in the case of an unauthorized disclosure of personal information. Chapter 521 of the Texas Business and Commerce Code establishes a reasonableness requirement for the procedures that companies must follow to avoid disclosure of sensitive personal information of customers and clients. Initially, notification was required to be given to any “resident of the state,” but effective last September, the statute was changed to require notification to “any individual” affected, regardless of jurisdiction. Texas has not yet followed the five New England states that have added a duty to notify the state’s Attorney General during law enforcement investigations. Texas’ breach notification law affords the Attorney General injunctive relief and painful fines against companies that lose sensitive personal information.
To be effective, a comprehensive data security policy must cover every electronic system, including mobile devices, and executives must understand that the laws require certain data breaches to be thrust into the public spotlight. Data security is only as good as the weakest link.
Risk 2: Hackers Targeting the Law Firms
On November 1, 2009, the FBI issued an advisory warning law firms that they were being singled out by hackers, and 2011 saw an increase in law firm breaches, with more than 80 firms reporting them. In addition to cases of identity theft from family law, probate and tax firms, the biggest threat appears to be corporate espionage targeting firms that represent companies on securities, intellectual property and mergers and acquisitions deals. Firms are specifically targeted because hackers realize that law firm computers typically house the most high-value data of their client companies, and not in a corporate-secure data center. Worse, today’s hackers are usually professionals sponsored by sovereign states. While lawyers are additionally governed by ethical rules, consider extending technology and privacy policies to the next version of your Outside Counsel Guidelines.
Risk 3: Employees and the Destruction of Company Files
Not all of the threats to corporate information are inbound. The strongest firewalls and toughest encryption techniques are no match for the loss of sensitive corporate data by an employee. With mobile devices, this threat is growing exponentially.
The use of portable mass storage devices to carry work product while traveling has given employees the flexibility to take the entire office filing cabinet with them on a plane, on a device as big as a house key. And like house keys, these portable mass storage devices can be easily lost or damaged, taking mountains of critical corporate data with them. Sometimes destruction of information can do as much damage to a company as disclosure or theft. Many companies already have backup routines built into their Information Technology policies, but the growth of the mobile ecosystem, and the expanding space required to house data that is so easily created, is changing the timing and method of these backups.
Risk 4: Employees and the Disclosure of Company Files
Bring your own device (“BYOD”) policies are gaining traction to balance the ease of allowing employees to connect personal mobile devices to corporate systems with the IT policies governing company-owned devices. But these policies may still be vulnerable if that mobile device becomes entangled in a lawsuit or investigation. In one of the most cited cases on the subject, the United States Court of Appeals for the Ninth Circuit held that the Fourth Amendment to the United States Constitution does not require government agents to have reasonable suspicion before searching laptops or other digital devices at the border, including international airports.
It has also been reported that Department of Homeland Security policies now allow federal agents to “take a traveler’s laptop computer or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing.” Further, “officials may share copies of the laptop’s contents with other agencies and private entities for language translation, data decryption or other reasons.”
As more cases like these arise, the balance between flexibility and protection will shift, with company IT policies becoming more conservative to hedge against the many unforeseen opportunities for destruction or disclosure of sensitive information.
Risk 5: Lack of Visibility
Not all of the risks lie in the disclosure or destruction of data. With the proliferation of mobile devices storing and transmitting corporate information to and from anywhere on the planet, the field of view that leadership must cover becomes much broader. How can CEOs and others in the executive suite, who are required to sign certifications on internal financial controls, be completely certain of their certification if executed contracts are scattered across the smartphones and tablets of global sales staff? How can they be aware of the risks and obligations facing the company if critical proposals are stored on flash drives under an employee’s car seat? What about the important documents related to a pending merger housed on a laptop at a lawyer’s vacation house? Implementing a strategic information lifecycle management program, including systems that focus on the workflow and storage of business information, will help executives maintain visibility into the affairs of the corporation.
To compete in the fast-paced, plugged-in global marketplace, companies have to embrace the mobile ecosystem while recognizing that the threats are growing as fast as, if not faster than, the technology world itself. Executives must maintain vigilance while keeping pace with this brave new world. Sure, there are a growing number of dangers in an always-connected world, but when harnessed properly, the advantage can mean exponential growth for the business. The companies that succeed won’t necessarily be the ones that outpaced their competitors in the marketplace, but those that outpaced the threats in the mobile ecosystem.
Jason Smith is Director of Legal Management Consulting for Duff & Phelps, LLC in Houston focusing on technology strategy and implementations for corporate legal departments. He is the Chair of the Computer & Technology Section and is on the Website Committee for the Corporate Counsel Section. He can be reached at Jason.Smith@DuffandPhelps.com.
Cyber Risk & the CEO (Feb 14, 2015)