A number of retail establishments have been the “target” (the irony is not lost on this author) of hackers who have decided to attack a part of the business that isn’t normally thought of as a risk vector – the cash register. In the past we have seen most of the activity in hacking pointed to the network resources that sit behind the firewall. What makes the Target-style hack so interesting is two fold. First, it is the technique used to exploit the machine itself (of which Brian Krebs does an excellent job of writing up), but more importantly, it is the way the network was compromised and the potential liability which may be attached to management, personally.
Air Conditioning – The New Trojan Horse
Most lawyers know to counsel their clients on managing vendors from a contract management and service delivery perspective. However, we now need to include information security in that list of topics necessary for vendor management. Target got hacked because the HVAC vendor was compromised. Normally one doesn’t think that the air-conditioning in a store is an attack vector to compromise a network – I mean, it’s the heating and cooling. However, with the “internet of things” being a reality, one has to realize that HVAC and climate control systems are often managed remotely. It is more efficient for a HVAC vendor to manage the heating and air without having to send a technician out to the physical location. And with retail chains who have large numbers of locations to manage, this is even more apparent. This means the HVAC vendor needs to have remote access to the location – which means that the vendor has network access to the location.
Vendors – Think of them more often than just when you pay them
Consequently, just like when one brings a new IT resource into the network, when the vendor has network access to a local facility, security measures need to be implemented. This is not to say that these types of services can’t be used. It just requires the security posture to include vendors and their computing resources. Think of the janitor, who is paid $5/hour, but has a smartphone. If that smartphone is compromised, and it connects to the network while the janitor is cleaning, it is the same thing as the firewall being opened.
Liability Risk – Where does it really come from?
All of this begs the question of “why do we care?” It’s the vendor’s mistake – we aren’t at fault. Or even: “we can get indemnification from the vendor” (this assumes that you has a smart enough contracts lawyer to make sure such a provision got into your agreement with the vendor). the problem with these excuses is that the Plaintiff’s bar knows about the concept of the derivative lawsuit. Target just got hit with one of these shareholder suits which alleges the individual officers and directors failed at their fiduciary duty to protect Target.
Fiduciary Duties – It exposes you individually Mr. CEO.
The fiduciary duty of care requires Officers and Boards of Directors to make sure that management implements systems and controls necessary to be aware of risks to the business, and address those risks in a reasonable manner. Now, this does not require every single risk to a business to be overseen by the board. However, significant risks to a company’s operations were stock-price do require at least board awareness, if not direct oversight. The courts have extended this obligation beyond mere failure to implement reporting or information system or controls.
Management and the board have to consciously and consistently monitor the operations put in place to mitigate identified risks (like your HVAC guy being the source of a cyber-attack). Therefore, if a board or management has implemented such a system or control, and consciously fails to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring the board or management’s attention, officers and directors may be personally liable.
Management should consider this carefully, and have counsel that understand how to bake security and privacy into vendor management programs. It’s not just about keeping cool anymore.