Data Breaches and NSA Backdoors: A Legal Primer
Thanks to Edward Snowden, it is now common knowledge that the NSA and the UK's GCHQ managed to get their own backdoors and other workarounds into various systems internationally, from US tech goliaths like Google and Yahoo to overseas telecoms like Belgacom. Consequently, concern rages worldwide over data center and cloud security. It seems that companies' data have been compromised even without being specifically targeted, given reports that the NSA inserted a backdoor in a NIST-endorsed encryption method, Dual_EC_DRBG, an encryption method that has been used by cybersecurity firm RSA Security and others and is included in the libraries of networking vendors like Cisco, Juniper, Riverbed, and Lancope, among many others.
And it isn't just the government that enterprises must worry about. Government-implanted vulnerabilities can open the door for hackers, too. (This has happened before, with serious consequences.) With an estimated 20 percent of routers having some kind of backdoor, Internet of Things security seriously lagging, and other weaknesses frequently cropping up in other networking equipment and hardware, a data compromise may be just waiting to happen at your organization.
There are, of course, technological security steps companies can take to try to stay ahead of hackers and government surveillance. Still, as Murphy's Law says, if something can go wrong, it will. Thus, enterprises must consider how to reduce and mitigate legal liability in the event of data compromises.
What to Do If Something Goes Wrong
In the event of a breach, you'll first need to understand what happened. "[G]et an audit by a security firm to conclusively establish the extent of the breach[,] where it occurred (i.e., on your system, in transit between your system and another system, or through an access code provided to a customer or vendor), [and] a list of users impacted," advises Alia Luria, former software engineer and current associate attorney with Miami-based law firm Akerman LLP, in an interview with Enterprise Networking Planet.
At that point, there may be things you must do as a matter of regulatory compliance. For starters, you may need to notify users. This is an exceedingly intricate area of law. In addition to federal requirements, 46 states and the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands have enacted their own data breach notification laws (the only state holdouts are Alabama, Kentucky, New Mexico, and South Dakota). Further complicating matters, each of these jurisdictions adopt their own definitions of such key terms as "data," "breach," and "personally identifiable information." Additionally, in some cases it is necessary to notify government agencies as well as users and other data breach victims.
"[A]n extensive data breach of personally identifiable information…would require notification of each user affected[,]" Luria said. "The notification must be in compliance with the state of residence of the affected person."
Notification laws provide "safe harbor" when data is properly encrypted, variously mitigating the duty to notify. A breach involving a backdoor that circumvents encryption, however, changes this. "If a backdoor circumvents that encryption, you have blown coverage under the safe harbor and the affirmative duty to [give] notice…is activated," says Luria. "The FTC would also get involved at this point, likely to investigate whether your treatment of the data was reasonable."
Indeed, regardless of these notification laws, a company may have to notify those affected by a data breach and take other mitigating actions to comply with consumer protection laws. Data breach victims may also have potential claims under traditional theories of negligence and/or product liability in some cases.
Data-breached enterprises may also face additional liabilities and regulations under other state and federal laws that carry altogether different requirements and duties. Nancy Kelly, a partner at Governo Law Firm in Boston, told Enterprise Networking Planet the applicability of these liabilities "really depends on which statute we're talking about, whether we're talking about financial information, or health information, or children's online privacy[.]" These examples, of course, are non-exhaustive.
Some of these laws have more to do with the type of data and less to do with the type of company or industry. HIPAA requirements, for example, "are more strictly regulated[,] but pertain only to health-related information transferred between systems (usually insurers and hospitals)," Luria pointed out. "However, if your company is self-insured and transferring sensitive medical information, you can be subject to HIPAA and the regulations that go along with that as well."
Furthermore, data breaches may trigger contractual obligations, either yours or those of your service providers. Carefully review your organization's service agreements for guidance. For example, if you are a B2B company and a breach of your data impacted your customers' customers, your contract may require you to pay the legal fees your customers incur related to notifying their customers. Similarly, if one of your vendors suffers a breach that impacts your customers, your service agreement may entitle you to indemnity.
"The upshot is that if it was your data that was compromised, you will ultimately be responsible for notice under state law, and you may or may not be able to get your costs paid for by a third party," said Luria. "If a third party's data was compromised, you are required to let them know and you may have to pay their expenses depending on your agreement, but you are not obligated to give direct user notification."
Of course, the context of NSA intrusions presents fairly new legal territory. Perhaps the closest legal analogue would stem from revelations in 2005 that telecoms such as AT&T and Verizon cooperated with the NSA to secretly compromise customer information. The telecoms were spared liability because Congress passed, and the Bush Administration signed, a law granting those companies (and any other companies who may engage in such behavior in the future, upon case-by-case certification by the US Attorney General) retroactive immunity specific to any claims arising from their complicity. Accordingly, when class action litigation was initiated against the government and the telecoms for these surveillance programs, the Ninth Circuit Court of Appeals upheld dismissing the eventual telecoms from the lawsuit. That litigation continues today against the government, however, still unresolved.
As they hit the news, the continuing revelations of government surveillance on citizens and companies create new network and data security concerns. Some of those concerns may seem outside the scope of an IT professional's duties, but an understanding of the law remains critical to staying on its good side. Is your organization equipped to both protect against threats and to reduce the damage when incidents occur? Let us know in the comments.
Joe Stanganelli is a writer, attorney, and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.
Photo courtesy of Shutterstock.