World Wrestling Entertainment, Dow Jones, and a data analytics firm working for the Republican National Committee are three entities with seemingly little in common. Yet all three store data in the cloud and all three recently suffered data breaches. These data breaches were not conducted by malicious hackers seeking to sell or otherwise exploit users’ personal information, however. To the contrary, each was approached by a so-called “white hat” hacker, a security researcher seeking to identify and correct vulnerabilities in others’ IT infrastructure.
White hats typically work to identify vulnerabilities in website or cloud storage configurations and then contact the owners to notify them of what they’ve found. White hats generally publicize their findings, thus enhancing their reputations as hackers, but only after giving the host organization an opportunity to patch the vulnerability and avoid exposure of sensitive data. A true white hat tries not to harm consumers or to expose sensitive information. But white hats will often access sensitive consumer data in order to show the host that the data is unprotected. Moreover, some white hats actually download the data as proof in case the host organization later denies that the data was ever accessible.
White hats and their “target” companies are therefore in a relationship that blends the friendly and the adversarial. On the one hand, the white hat is helping the company by bringing a vulnerability to its attention and allowing the company to patch it before anyone is harmed. On the other hand, the white hat may publish what she has found, often in highly critical terms, embarrassing the company and raising reputational and legal risk. White hats will typically want to engage with the company as they prepare to publish, placing companies and their counsel in a delicate position.
So what is the minefield that companies and their counsel must navigate when they are approached by a white hat hacker?
Playbook when a white hat emerges
When a company is contacted by a white hat claiming to have accessed sensitive information, the two sides begin an uncomfortable sequence of arm’s-length negotiations. The company must keep its key objectives defined and always in mind: (1) mitigate security vulnerabilities; (2) protect data; (3) minimize harm to corporate reputation, including through external messaging; and (4) comply with any legal and regulatory requirements that the breach may trigger. Every action taken should serve one or more of these objectives.
Consider the following steps:
- Understand as much as possible about the scope of what the hacker has discovered. What did she access, and what did she download? Companies need this information to determine the magnitude of the vulnerability and their corresponding legal obligations.
- Retain an outside cyber forensics firm and counsel to investigate and to determine whether there is forensic validation for the white hat’s statements regarding the scope of her access. It is also important to examine whether there is forensic evidence that anyone else may have exploited the vulnerability. This can be accomplished through review of network logs and other forensic evidence, as well as dark web searches to see if the information has been posted for sale.
- Conduct diligence on the hacker. Does she have an acknowledged public reputation as a bona fide white hat? If so, that should provide some comfort that the target can work with her collaboratively, albeit at arm’s length. If not, consider contacting law enforcement and proceed with extreme caution.
- Close the vulnerability immediately. Hire an outside cybersecurity company to close the vulnerability or, at a minimum, validate that the vulnerability was mitigated.
- White hats will often want to announce the discovery of the vulnerability once the company has fixed it. This is how they promote their work. The white hat may ask the target to review proposed press statements or blog posts for accuracy, and may offer to include a quote from the company. A hacked firm should feel comfortable doing so if it has confidence that the white hat is operating in good faith, and if doing so makes the white hat likely to commend the company for a responsible response to the incident (which is helpful from a reputational perspective). Circumstances will differ from incident to incident, but the right kind of quote for the company should generally: acknowledge that the company was contacted and note that it immediately fixed the vulnerability; affirm that the company has retained independent forensic experts and has identified no evidence that anyone else exploited the vulnerability; express appreciation for the white hat’s collaboration; and express the company’s strong commitment to cybersecurity and the privacy of its customers.
- Ahead of publication of any press statement or blog related to the security incident, consider giving a courtesy notification to key regulators so they do not first become aware of the incident by reading about it in the news. Explain to the regulators the proactive approach the company has taken.
- Once the white hat has gone public with the discovery, request and obtain a signed Certificate of Destruction (CoD) from the hacker attesting that all accessed data has been destroyed. The CoD should describe the procedures used to destroy the data, identify which documents and data drives were destroyed, and state in what quantity. Tell regulators and others, as appropriate, that the company has received this CoD.
- Have a communications plan and press statement ready, explaining the company’s diligent approach to investigation and remediation, and including notification to key customers or investors.
Does white hat hacking trigger state breach notification requirements?
After making a forensic determination about the scope of the breach, companies will need to evaluate their compliance obligations under state data breach notification laws. Breach notification statutes are not uniform and notification obligations often vary across states depending on the particular facts surrounding the breach. That means that in some white hat scenarios, notifications will be required in some states but not others.
The white hat’s acquisition of or access to data — albeit briefly and without harmful intention — likely qualifies as a “security breach” under some state laws. This is generally the case in states with statutes that do not require any showing of risk of misuse or harm to consumers as a predicate to triggering the notice obligation. In other states, however, notification requirements are triggered only where the unauthorized acquisition of data creates a “risk of harm to a consumer.” Still other state notification requirements are triggered only where the company believes that the breach has resulted or will likely result in identity theft or fraud.[3] For states in which notification requirements are triggered by the risk of misuse of customer information or risk of harm to the consumer, companies may not be required to initiate consumer and regulatory notifications because bona fide white hat hacking arguably poses no risk of misuse or harm to the consumer.
Ways to get ahead and avoid a costly multi-state consumer-notification process
While being prepared to respond to white hat hacking is essential, there are also ways to prevent these types of breaches from occurring in the first place. Companies handling sensitive information should consider the following:
- Bug bounties: More and more companies are adopting bug bounty programs, which invite unaffiliated hackers to identify vulnerabilities, bring them to the company’s attention for remediation, and be paid for doing so as corporate service providers. Bug bounties and other vulnerability disclosure programs are an excellent way for companies to crowdsource their security, identify bugs they never would have otherwise, and harness the energy and talent of the white hat community into a mutually beneficial and structured program that has pre-established ground rules to protect sensitive data. Moreover, by defining a bug bounty program in advance, companies may prospectively designate white hat hackers as their agents, thus qualifying for a number of states’ “good faith acquisition” exceptions to data breach notification statutes.[4] It is much more difficult—if not impossible—to retroactively appoint a white hat as a company agent in the absence of a pre-established program.
- Check cloud configurations: Companies should ensure their data repositories have appropriate access protections. A number of recent security breaches have been the result of companies mistakenly leaving their Amazon Simple Storage Service (S3) buckets publicly readable, meaning that anyone on the internet can list or download what the company is storing in the cloud. Companies should routinely test that their cloud access protections are correctly configured, checking both bucket ACLs and bucket policies, and should consider enabling S3 Block Public Access at the account level so that a single misconfigured bucket cannot become public. White hat hackers have made a cottage industry of exploring cloud storage for unsecured sensitive data; they will move on if the storage is correctly configured, and a targeted firm will never even know they were there.
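To make the “routinely test” step concrete, the following is an added example, not code from the original article or from any of the companies it mentions. It evaluates an S3 bucket’s ACL and bucket policy offline for the two classic ways a bucket becomes public: a grant to the AllUsers or AuthenticatedUsers group, and an Allow statement whose Principal is a wildcard. The input shapes mirror what boto3’s get_bucket_acl() and get_bucket_policy() return, but the sample ACL and policy documents, the account ID, role name and VPC endpoint ID in them are constructed for this example; nothing here calls AWS.

```python
"""Offline check of S3 bucket ACL grants and bucket policies for public exposure.

Input shapes mirror boto3's get_bucket_acl() and get_bucket_policy() responses;
the sample documents at the bottom are constructed for this example.
"""
import json

# The two canned group URIs whose grants make a bucket world-accessible.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def public_acl_grants(acl):
    """Return [(group label, permission)] for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group":
            label = PUBLIC_GRANTEE_URIS.get(grantee.get("URI"))
            if label:
                findings.append((label, grant.get("Permission")))
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (or "*" inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return (public, review): Sids of Allow statements with a wildcard principal.

    Statements with a Condition block go into `review` rather than `public`,
    because a condition such as aws:SourceVpce can restrict who the wildcard
    really matches; those need a human look rather than an automatic verdict.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    public, review = [], []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        (review if stmt.get("Condition") else public).append(sid)
    return public, review


def assess_bucket(acl, policy_json=None):
    """Combine both checks into one verdict for a bucket (policy is optional)."""
    grants = public_acl_grants(acl)
    public, review = public_policy_statements(policy_json) if policy_json else ([], [])
    return {
        "public_acl_grants": grants,
        "public_policy_statements": public,
        "review_policy_statements": review,
        "is_public": bool(grants or public),
    }


# ---- Constructed sample inputs (hypothetical IDs, not real resources) ----
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}
RESOURCE = "arn:aws:s3:::example-bucket/*"

# The weak configuration: an AllUsers READ grant plus a Principal "*" Allow.
MISCONFIGURED_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
MISCONFIGURED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": RESOURCE},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": RESOURCE,
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

# The corrected configuration: owner-only ACL and a policy scoped to one IAM role.
HARDENED_ACL = {"Owner": {"ID": "owner-canonical-id"},
                "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
                   "Action": "s3:GetObject", "Resource": RESOURCE}],
})

if __name__ == "__main__":
    print("misconfigured:", assess_bucket(MISCONFIGURED_ACL, MISCONFIGURED_POLICY))
    print("hardened:", assess_bucket(HARDENED_ACL, HARDENED_POLICY))
```

Against real buckets, feed assess_bucket() the dict from get_bucket_acl() and the "Policy" string from get_bucket_policy() for every bucket returned by list_buckets(), and treat a non-empty review list as a ticket for a human, not as a pass. The check is deliberately conservative: it reads the bucket-level configuration only, so object-level ACLs and access granted through IAM policies in other accounts are out of scope, which is one reason to pair it with the account-wide S3 Block Public Access setting rather than rely on periodic scanning alone.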
They have good intentions and perform a valuable public service, but white hats can still cause headaches for companies that are unprepared. This playbook will help counsel navigate the experience. And by adopting the protective recommendations above, companies may be able to avoid the white hat experience altogether.