Increasingly, C-Suite executives and board members have questions about their companies' cybersecurity practices—or lack thereof. This new monthly series in The Privacy Advisor is intended to provide high-level answers to some of those questions, specifically focusing on the development of cybersecurity policies, incident-response plans, liability of board members and executives for data breaches and the attorney-client privilege for cybersecurity investigations.
Part 1: What Is Cybersecurity?
Executives and board members increasingly realize that investments in cybersecurity can help their companies avoid significant expenses associated with data breaches and cyber-attacks. Increasingly, shareholders, stock analysts and regulators are asking executives about their cybersecurity plans.
But ... what is cybersecurity?
At first blush, this appears to be an overly basic question. However, there is not a single, clear answer as there are in more established areas of the law. Although the media, shareholders and regulators are increasingly focused on cybersecurity, there is not a clear consensus as to what the term means.
The Department of Homeland Security’s National Initiative for Cybersecurity Careers and Studies defines cybersecurity as the “activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification or exploitation.” This is a solid legal definition of cybersecurity, but we must concretely explore what it includes and doesn’t include.
To start, we need to distinguish cybersecurity from two concepts that are related but separate: privacy and data security.
Commentators and policy-makers often confuse cybersecurity with privacy. Although there is significant overlap, the two concepts are distinct. While there is not a single, settled definition of “privacy,” it typically refers to individuals’ ability to control the processing, sharing, disclosure and use of their personal information. Cybersecurity, in contrast, focuses on the measures that protect information, systems and networks. But cybersecurity may lead to increased privacy protections by reducing the likelihood of data breaches and other incidents that compromise privacy.
Likewise, the term “data security” often is mistakenly interchanged with cybersecurity. Data security is an integral component of cybersecurity. Indeed, the three main goals of data security—confidentiality, integrity and availability (discussed below)—apply with equal weight to cybersecurity. But data security focuses only on the security of the information, while cybersecurity more broadly encompasses the information, networks and systems.
Below is a brief overview of how the goals of confidentiality, integrity and availability, also known as the “CIA triad,” shape the definition of cybersecurity.
Confidentiality
Cybersecurity often is associated with data breaches. Indeed, one of the primary goals of cybersecurity is to protect the confidentiality of certain data, including the personal information of customers and employees and a company’s trade secrets. The exposure of this information could lead to legal liability, reputational damage and, in the case of trade secrets, a competitive disadvantage.
Accordingly, a key goal of cybersecurity is to protect the confidentiality of the data that resides on a system or travels a network. To increase confidentiality, cybersecurity professionals take a number of steps to ensure that only authorized individuals have access to systems and networks. Among the measures are requiring strong passwords; routinely auditing privileges; encryption, and training employees to avoid phishing and similar malicious activities.
Threats to confidentiality are most commonly associated with legal risks. For example, if a company’s unencrypted database of consumers’ personal and financial account information is disclosed, the company may face obligations to notify customers of the breach under state law. The company also may face regulatory action from state attorneys general or the Federal Trade Commission and class-action lawsuits from customers.
Integrity
Cybersecurity professionals also aim to ensure the “integrity” of data, meaning that all the information stored on the system is accurate. Although cybersecurity often is associated with protecting the confidentiality of data, threats to data integrity could be equally damaging to a company.
For example, imagine that a hacker accessed a publicly traded company’s not-yet-released quarterly financial report and changed a 15-percent net income to 15-percent net loss. If that falsified report was released to the public, it could cause a large dip in the company’s stock price. Although the company could issue a revised report that likely would correct the drop in the share price, I can think of few executives who are comfortable with unnecessarily volatile stock prices.
To help ensure integrity, companies take many of the same cybersecurity measures intended to promote confidentiality. They also focus on whether users should be authorized to modify or delete files and the processes for backing up files.
Availability
Data, systems and networks also must be available. As with integrity, a loss of availability presents significant business risks.
Imagine, for instance, a retailer whose website is offline for a few hours the day after Thanksgiving or an online tax preparer whose servers go dark on April 14. In either scenario, a company could face significant economic losses, and the executives likely will immediately come under scrutiny from the public, board members and shareholders.
Cybersecurity is directly tied to availability. For example, if a website is flooded with hits from a malicious actor—known as a denial of service attack—the site could be knocked offline and take many hours to recover.
In short, cybersecurity includes hardware, software, services and staffing that promote the confidentiality, integrity and availability of data, systems and networks. Companies are best served—from both a legal and an operational perspective—by broadly defining cybersecurity and protecting not only the data but the systems on which the data are stored and the network over which the data travels.
Look for the next installment of this series on the potential liability for companies—and their executives and board members—that arise from cybersecurity incidents.
photo credit: Dell Women's Entrepreneur Network 2014 - Austin via photopin