Legal Watch: Cyber Vulnerability Means Increased Liability

Nov. 11, 2016
Security providers should be updating their contracts to protect against new-age threats

Unknown hackers recently used tens of thousands of Internet devices – many residential and plenty of the DIY-variety – to launch a series of DNS attacks on an Internet hub that controls domain traffic for many of the web’s largest players, including Netflix and the New York Times.

The DNS campaign created serious problems on the East Coast on a Friday afternoon. It occurred just before the election in a nation increasingly aware of web-based hacks through this summer’s WikiLeaks saga and the Obama administration’s conclusions that the leaks were the product of a Russian government-led spy effort on U.S.-based political organizations.

Likewise, just a few short years ago, an HVAC contractor – for these purposes, similar to a security contractor – was involved in another headline-grabbing hack that enabled outsiders to access a trove of consumer credit card information, generated tens of thousands of headlines and resulted in several pieces of litigation that ended in a number of multi-million dollar settlements.

I worry this is a movie headed for a theater in the electronic security industry.

Part of the problem is probability – we are in the business of adding millions of devices to the Internet each year, and you can debate the effectiveness of the security for plenty of devices sold in our industry. To compound matters, the potential damages that may result from a successful web-based attack using security devices could be catastrophic. Equally problematic is finding insurance that will respond to a third-party damages claim involving cybersecurity and then being able to buy sufficient coverage limits.

Protect Yourself

What’s a security provider to do? Perhaps the most immediate and responsible step is to update your subscriber agreement – which involves what lawyers call “issue spotting.”

For example, does your subscriber agreement address your obligation to protect your subscriber’s “personally identifiable information,” or PII? PII is data that can be used to identify someone and generally consists of a name and at least one other piece of data from which a third party – a bad hombre, to coin a phrase – can discover someone’s identity. Every security provider has at least the name and address of a subscriber.

PII gets the highest level of legal protection under the current patchwork of state privacy laws. If your database is hacked and PII is accessed, there will be legal hell to pay, I can assure you. Does your contract protect you? Are those attempted protections enforceable?

All this leads to even more issue spotting. Here are a few more questions you should be asking: Exactly where is your subscriber data? If it’s outsourced to the cloud, how secure is it out there? Is the data located in the United States? Does that matter? How do you know the data is securely stored? What obligations does your cloud provider undertake (in my experience negotiating these sorts of agreements, there are virtually none... and you thought we were the only ones who limited liability)? What recourse are you likely to have if things go wrong (not much, I can assure you)? At a minimum, you need to make sure your subscriber agreement provides protection on this issue.

Are you selling mobile apps as part of your service offering? If so, does your subscriber agreement call out an end-user license agreement (or EULA)? If not, your EULA may not be enforceable. Do you even have a EULA? If not, you are asking to get punched in the nose. And, by the way, do the terms in your EULA differ from the terms in your subscriber agreement? That could spell trouble.

What about location-based data? If any of your technology incorporates GPS or any similar sort of tracking technology, you have to comply with certain FTC requirements.

Good contracts remain the best way to limit your liability. Make sure your contracts are up to date. You’ll sleep better at night. I guarantee it. 

Eric Pritchard is a Philadelphia Lawyer who spends his workday making the world safe for electronic security providers. Reach him at [email protected]. This column does not constitute legal advice; contact an attorney with questions.

About the Author

Eric Pritchard

Eric Pritchard is a partner in FisherBroyles, a law firm with offices throughout the United States and in London. He spends his days trying to make the world safer for the security industry. You can reach Eric at [email protected].