"It also illustrates that if such a breach happens, the impact can really be significant - and it can be significant in many different and far-reaching ways," says Tom Smedinghoff, partner with the Chicago-based law firm of Wildman Harrold. "When we talk about security in a corporate environment, we're not just talking about protecting personal data. We're talking about all forms of corporate data that need to be protected."
In an exclusive interview about the WikiLeaks incidents and their potential impact on all public and private organizations, Smedinghoff discusses:
- The legal, security and privacy issues at stake;
- The implications of the new insider threat;
- What security leaders can do to better protect their own organizations.
Smedinghoff is a partner at Wildman Harrold, where his practice focuses on the new legal issues relating to the developing field of information law and electronic business activities. He is internationally recognized for his leadership in addressing emerging legal issues regarding electronic transactions, information security and digital signature authentication issues from both a transactional and public policy perspective. He has been retained to structure and implement e-commerce, identity management and information security legal infrastructures for the federal government, and national and international businesses including banks, insurance companies, investment companies and certification authorities. He also frequently counsels clients on the law relating to first-of-their-kind electronic transactions, privacy, information security legal matters and e-commerce initiatives. At the same time, he has been actively involved in developing legislation and public policy in the area of electronic business at the state, national and international levels.
TOM FIELD: We're all hearing about and talking about the government documents that have been released and the threat of corporate documents that could be released. My question to you is regarding WikiLeaks: Why should business and security leaders care about what we've seen and heard so far?
TOM SMEDINGHOFF: Well, I think first and foremost, it's a major wake-up call. It's an example of a major security breach, and based on what we've been seeing and hearing, I think it is also clear that this is the type of thing that can happen to anyone. No company is immune from this kind of risk, and so it's definitely something that needs to be considered. I think it also illustrates the fact that if such a breach happens, the impact can really be significant, and it can be significant in many different and, I think, far-reaching ways. Finally, I guess I would also add that it illustrates the fact that when we talk about security in a corporate environment, we're not just talking about protecting personal data. We're talking about all forms of corporate data that need to be protected, and I think what we've been seeing in the existing documents that have been released and the rumors about what is coming -- that certainly illustrates that point.
Legal Issues
FIELD: Now we have lots of people talking about what should and should not be considered private, what should or should not be released publicly. What do you see as the legal issues that are at stake here?
SMEDINGHOFF: First and foremost, there is a legal duty to provide security for corporate data, and it's a duty that is obviously there to help protect the company and its business, but it really goes beyond that. It applies to all of the other stakeholders in the company -- the shareholders, the employees, the customers, vendors, even business partners. As we can see by the examples that are out there in the news now, a lot of different people can be affected by a security breach of this type. So, in the first instance, we're looking at a legal duty to provide security to prevent that from happening. That legal duty comes from a variety of different sources and a variety of different laws, and it applies to different companies differently. But leaving aside those details, I think we've got that basic duty. There is also a legal duty at some level to notify various people when security breaches happen. We've seen that in the personal information space quite a bit over the past few years, but there are other laws that require disclosures, for example to the SEC, to the IRS, to different government agencies and regulators for a variety of different kinds of security breaches. And I would also add, if we look at just sort of the practical impact of these kinds of breaches, you can see that they can have a significant impact in terms of compromising business deals and ongoing negotiations. To the extent that a breach discloses information that is evidence of wrongdoing, or arguably evidence of wrongdoing, it of course provides a potential basis for new litigation or for government enforcement action.
FIELD: I know that you are someone who has a deep abiding issue in security and privacy issues. What do you see as being the top issues in this case?
SMEDINGHOFF: Well, it's interesting. From a legal perspective, you could say that one of the key issues is the adequacy of the security that was provided. Was it legally compliant, for example? That is an issue that is ultimately very important when you get down to the lawsuits and the liability and whether there is liability. At another level, whether the security that was provided was adequate or was legally compliant, at least in the first instance, is almost irrelevant. As we've seen from the recent news reports, if a company has a breach, it has a major problem on its hands. In effect, it pays the penalty even if it is compliant with its legal obligations. And the same thing is true on the privacy side. Where there is a duty to notify, there is potential PR fallout even if the company wasn't at fault.
Business Impact
FIELD: Tom, one of the things that struck me was we've seen just rumors, really, of a possible document that could be released on Bank of America. And just on the strength of those rumors, we saw that the bank's market value changed. What are the ramifications here of these potential WikiLeaks in the private sector?
SMEDINGHOFF: It's a great illustration of the impact that a breach can have on the reputation of a business. Even if the business is not at fault with respect to the breach, and in this case for example even if it's just a rumor, the impact of a breach or a potential breach or a rumor of a breach in this case is significant. And again, I think it's a real wake-up call that businesses cannot afford to ignore the whole security issue. They really need to focus on that because the impact of a security breach goes way beyond just the lawsuits and the legal compliance issue as we saw in that recent case.
The Insider Threat
FIELD: Now, what we've seen with WikiLeaks here is really low-level people getting access to high-level information. What does this tell us about the insider threat?
SMEDINGHOFF: In many respects it reinforces what the statistics have been telling us. You see estimates that upwards of 70-80 percent of security breaches are caused by insiders. This certainly seems to bear that out, at least based on the information that we've seen. But I think it also indicates, and again this is what the law requires, that security needs to be risk-based, and if a major component of a company's risk is that insider, then the security really needs to focus on making sure that insiders can't take advantage of the access that they are otherwise entitled to have. And I guess related to that, too, there is sort of an identity management component to this, and that is who should be getting access, and are we giving access to people that really don't need it or shouldn't have it? But it really, I think, requires some serious focus on the insider, the people who are given access by the company. They don't have to break in, yet they're the ones in many cases that are causing the major damages.
FIELD: Now it strikes me that a lot of people could look at this as sort of a noble thing, making private information public supposedly for a greater good. Are you concerned that we will see copycat cases for want of another term?
SMEDINGHOFF: I think that even if you take WikiLeaks out of the equation, there is a lot of incentive for a lot of people to do this kind of thing for a variety of reasons -- to disclose the data to a variety of different people or different organizations. They may think they are doing a good thing. They may be criminal in their intent. It could vary all over the ballpark, but from the business's perspective I think this is a very real threat, and I don't see it going away. I see it getting worse, and I do think that it's a threat and a problem that everybody really needs to take seriously and really needs to recognize that the ramifications can potentially be very, very significant.
Advice to Leaders
FIELD: What advice would you give to security leaders? What do they need to be doing better to protect their organizations from breaches such as this?
SMEDINGHOFF: I would focus on two things: 1) What is commonly referred to as the comprehensive written information security program. Increasingly, laws are requiring companies to have that kind of security program in place, and I think that is critical to provide the protection that businesses need to guard against that security breach and to be legally compliant. This isn't just a security policy; this is a risk-based comprehensive program that really needs to be put in place to do what can reasonably be done, given the current risk, to guard against these threats. 2) Companies need to recognize that no matter what they do, bad things can still happen, and breaches can still occur. So the second thing would be an incident response plan. Companies need to think it through in advance, before the problem occurs: How are they going to respond? How are they going to react? How are they going to put in place the people and the processes to respond quickly, to deal with everything from the regulators and law enforcement and forensic people to the media, the stakeholders and everybody else that this kind of breach has an impact on, in order to respond to it in the most effective way possible? So that even if a breach occurs, they can at least try to minimize the damage. So the bottom line is: It's a process of combining, obviously, good security -- you have to have good security to start with -- with legal compliance and with the ability to quickly and adequately respond to a breach in any given case.