Legal View of RSA Breach

Attorney David Navetta on Risks and Potential Ramifications
"Persistent" is the operative word about the advanced persistent threat that has struck RSA and its SecurID products. "If the bad guys out there want to get to someone ... they can," says David Navetta of the Information Law Group.

In fact, the RSA incident is indicative of a current trend, Navetta says.

"If there is a target that is desired by the hacker community, and they go for it and they're persistent about it, there's a good chance of a potential breach," he says. "A lot of companies might be thinking it's not a matter of if, but a matter of when.

"When you see stories like this," he adds, "I think it kind of shakes the foundation of what security means and how secure you can actually be in this day and age."

In an exclusive interview on the RSA hack, Navetta discusses:

  • What the news means to customers and to the security industry;
  • Potential legal ramifications;
  • What RSA SecurID customers can do now.

Prior to co-founding the Information Law Group, Navetta established InfoSecCompliance LLC, a law firm focusing on IT-related law. ISC successfully served a wide assortment of U.S. and foreign clients from Fortune 500 companies to small start-ups and service providers. He previously worked for over three years in New York as assistant general counsel for a major insurer's eBusiness Risk Solutions Group. While there he analyzed and forecasted information security, privacy and technology risks, drafted policies to cover such risks, and worked on sophisticated technology transfer transactions. Navetta engaged in commercial litigation for several years prior to going in-house, including working at the Chicago office of Sedgwick, Detert, Moran and Arnold, a large international law firm.

Navetta also serves as a co-chairman of the American Bar Association's Information Security Committee and is co-chairman of the PCI Legal Risk and Liability Working Group.

TOM FIELD: From what we've seen, what do we think that we know about RSA's announcement?

DAVID NAVETTA: Just as a starting matter, we need to be very careful about speculation in this context. We don't know that much at this point. We do know that there appears to have been some sort of breach, described as an advanced persistent threat by RSA, that on some level has exposed or been targeted at their SecurID services and product. According to the RSA, there wasn't any personally identifiable information at issue, and they don't believe that this would impact on some level of their customers' security at this point. It appears that they believe they have it taken care of or at least addressed on some level, but I'm sure there's still a lot going on in the background that we're not aware of, and I'm sure that will be for some time in addressing this breach. Right now, we need to just deal with the information we have and not to get into speculation too far.

Message to Customers

FIELD: So, I'm sure customers globally are asking themselves the same question, which is, 'What's the message to RSA's customers from this announcement?'

NAVETTA: Well, and I think that this is going to be the main task of RSA over the next short term period of time here, helping their customers understand exactly to what extent they may be exposed and what risk is involved here. I'm sure that there is a frantic communication effort that's being developed in the background to help their customers understand what the potential threat is. So I would say for customers now, if I was going to provide a message, I would be telling them, first of all, there's no need to panic on any level, and on some level it should be business as usual. However, they may want to more closely monitor the activities around the use of their SecurID products and tokens. And also, I would also say one of the things I would do as a customer, I would be engaging RSA and asking for additional information to better understand exactly what happened here and what it means to the ability to use SecurID going forward.

FIELD: David, perhaps you can help put the situation in perspective. We know that the RSA SecurID is a common solution. What does this announcement mean to the global information security industry?

NAVETTA: Well, I think what it means on some level is that if the bad guys out there want to get to someone, even the most highly reputable organizations in the industry, they can. And this is the kind of a situation that I think is arising not only with respect to the security industry, but in general. If there's a target that is obtained or desired by the hacker community -- a certain group of hackers, at least -- and they go forward and they're persistent about it, there's a good chance of a potential breach. And perhaps it's because I help with breach response on a regular basis, but to me a lot of companies might be thinking that breach is not a matter of if, but a matter of when, and that if you are a high enough profile type of target and someone really wants to get after you, they might have a good chance of actually succeeding. And where you see stories like this, companies who you would be the least likely to be -- they might be a high target, but they're the least likely to actually potentially suffer a breach -- I think it shakes the foundation of what security means and how secure you can actually be in this day and age.

The Legal Issues

FIELD: I know we're early in the story cycle here, but what do you see as potential legal ramifications from what we've learned?

NAVETTA: Well, first off, if there was no personal information involved, then the breach notice laws that would typically apply when personal information is breached wouldn't apply, so that wouldn't be an issue. I see the legal ramifications being on the contractual level, potentially, between RSA and its customers. I'm sure RSA has a robust contract to help protect itself. It will depend exactly on what duties and obligations are in that contract, but if this were the type of attack to render the SecurID system and product insecure or unreliable, there could be potential contract obligations that someone might allege were violated, and so that, I think, needs to be looked at. If, further down the line, let's say there is some sort of breach, and that breach of a customer was caused on some level by a token that had been exposed or breached, it's possible that the security breach suffered by a client could blow back to RSA on some level, again, depending on whether or not the breach could be tied to a problem with the token arising out of RSA's own breach.

So there's kind of two levels of this. I would say the first level is just the general whether or not the token can be used and is reliable and secure currently and whether that implicates contract issues. And then, to the extent that an RSA client were to suffer a breach because of something going wrong with the token, then whether or not RSA might have some liability because of that type of security breach.

FIELD: I've got to employ a legal term here, and I've got to ask, David: is there any precedent for a situation such as we're seeing unfold?

NAVETTA: No, at this point, I think this is a rare circumstance where we have a security product itself that may be weakened as far as whether it can be used reliably, and we don't know exactly what's going to happen at this point, whether the breach was a serious enough breach that it would undermine the reliability of the token or not. We'll have to wait and see what happens here. Hopefully nothing occurs, and hopefully this is something that can be remedied and everyone can move forward, and hopefully it won't happen again. So at this point, it's too early to tell whether this is going to cause additional issues and whether it could create a precedent on its own level.

FIELD: Final question for you, David. What advice would you offer to RSA's SecurID customers who are wondering about how secure their own systems are?

NAVETTA: Well, I think that the first question is, if you're wondering how secure your systems are, I would analyze and get the information from RSA as to what happened here on some level and to better understand what the exposure may be. And then, like all security professionals are normally engaged in, I would do basically a risk assessment to see whether or not, based on the information you could obtain, this poses a risk to the organization. I wouldn't panic. I still think, based on what we've heard from RSA and the press, that there's no reason to panic yet, but there is definitely a reason just to be aware of the issue and try to get as much information as possible about the issue so you can figure out how it might impact your organization. So that's my advice at this point.
