COVID-19 has put us even more at the mercy of the Internet and the “Internet of Things” (IoT), the Internet-connected home and business devices, from Siri and Alexa to refrigerators, stoves, hot water heaters, HVAC, printers, and copiers, that are logged on without one being conscious of the fact. Stories abound about how we are responding to the COVID-19 crisis with increased use of the Internet for socializing at a distance, working remotely, communicating in new ways, and living and working in an entirely wired yet isolated environment. In this environment, it is all the more important to mitigate electronic risk.
Risk management is one of the things lawyers do. Up to now, the law has lagged behind technological change, significantly challenging lawyers seeking to provide the best legal advice. The national emergency, which gives the President, governors, and mayors significant statutory authorities, including an ability to dispense with cumbersome regulations that they otherwise would not enjoy, may change the legal-technological environment in enduring ways. Meanwhile, lawyers and their clients should consider how to mitigate risk.
Inadequate cybersecurity, that is, inadequate protection against unwanted intrusions, is central to the existing reality. Tens of millions of U.S. employees are working online away from offices where IT systems have better protections than household WiFi systems (at least in theory). Devices and the servers they access are vulnerable to malicious penetration, manipulation, and worse—theft, assault, and defamation, to name just three. The data collected by devices and saved on servers are subject to misuse, commercial sale, and malicious, criminal activity. In most cases, users lack control over their personal data and what is done with them.
Today’s Internet context has a number of dimensions and sources. Product developers take advantage of low-cost devices with extraordinarily powerful computer chips to create and market products of all kinds, from automobiles to medical devices of all types, that are connected to the Internet. New communication technologies provide low-cost or free bandwidth and connectivity to the Internet. Device users often are unaware of the connection, and the devices and servers they currently access have inadequate security. Inadvertent error adds to the problem. The urge to develop new products to meet needs revealed by the COVID-19 Coronavirus or to exploit the pandemic in other, less public-spirited ways, exacerbates the security challenge.
Examples of insecurity abound: “Zoom bombing,” hacking into video conferences that are not secure, either because of faults in the conferencing protocol or the way users set up the meeting, is the latest hacking fad. The 2018 Worldwide Threat Assessment of the U.S. Intelligence Community proved prescient. It stated that “The potential for surprise in the cyber realm will increase in the next year and beyond as billions more digital devices are connected—with relatively little built-in security—and both nation states and malign actors become more emboldened and better equipped in the use of increasingly widespread cyber toolkits.” That is contemporary reality.
Simple steps can help manage risk. First, one must understand the nature of the problem. It doesn’t mean becoming a computer scientist, but it does mean acquiring a certain minimal understanding of the systems on which one relies. With the advent of the personal computer, the development of nanotechnology, and the transition from what started as a U.S. Defense Department research agency’s means of communication among scientists to the ubiquitous living organism we know as the Internet, billions of people acquired the ability to access data and to communicate in ways never before seen. COVID-19 has vastly increased both the number of people online and the intensity of their use.
Today’s smartphone, a powerful, hand-held computer in its own right, has become central to people’s lives all over the world. Recent accounts suggest that more than half the U.S. population over the age of 8 owns a smartphone, and most have laptops, tablets, and other computers as well. In addition, a growing number of digitized appliances—TVs, speakers, refrigerators, stoves, home security systems, HVAC systems, automobiles, medical devices, almost anything that can be home to a computer chip—has brought new forms of risk for individuals and companies. These range from spying on behavior using cameras one did not intend to be operating, listening in on a conversation by means of a mobile phone acting as a transmitter even though it is not in use (but also not secured in a lead-lined box), and accessing a computer unbeknownst to the owner, to theft of personal and financial data, intentional harm to reputations, manipulation of medical devices and records, and almost ubiquitous invasions of what might have been thought to be privacy. Who now really is king or queen in his or her own castle?
In the United States as elsewhere, companies hold data on the personal habits and identifying information of millions of people. They therefore risk litigation if they are negligent in the way they protect such information. In the banking/financial sector the need for vigilant protection of a company’s digital systems is obvious. The point applies equally to the health care industry. A pacemaker can be hacked. COVID-19 test results almost certainly are stored on vulnerable computers and servers, and even HIPAA protections cannot keep them safe. One can imagine hackers disrupting surgery conducted using robots.
The fundamental reality to understand is that the cyber landscape began with legacy 1960s technologies. It expanded by orders of magnitude in the following years as chip and communications technologies evolved and the costs of devices plummeted. As a result, structural vulnerabilities exist at the foundation of cyber activity. Users need to take this fact into account as they develop, acquire, and use new software. Constant vigilance and updating of security protocols and patches are essential to minimize risk. These measures demand seriousness of purpose, knowledge, and willingness to devote the necessary resources. Without them, it is difficult to manage risk rationally. At the same time, users need to be aware that the available security protocols and patches are inadequate and flawed, particularly against sophisticated threats that now come from criminal organizations, foreign states, and their armed forces and other agents.
One way to address the problem is to have your legal team conduct a technology-dependence and security audit of the legal risks your institution or company faces. Such an audit would include a review of the information technology processes in place to keep up to date on threats, available patches, and system improvements, together with a thorough review of the legal risks associated with technological dependence. Americans, perhaps more than other groups but certainly as much as citizens of most European and some Asian countries, present an enormous “attack surface”—vulnerabilities resulting from the extensive use of, and dependence on, cyber technologies. COVID-19 has expanded that attack surface. As a result, Americans need to take security seriously as a cost of doing business.
Tools are being developed that help measure cyber-related risk. When developed and deployed, these tools would enable a company, for example, to know what its entire Internet exposure looks like and what value to place on risks to it. Lawyers can help integrate that kind of information with evaluation of legal liability to enable a client to adopt an informed and robust cybersecurity position. But remember: one cannot eliminate risk, only manage it. To do so requires time, money, and knowledge.
Past notorious cases involving loss of personal data resulted in lawsuits, which usually were settled. Companies should make prevention their highest-priority technology issue. Zumpano Patricios & Popok’s senior partners have the in-house expertise and the ability to access some of the best cybersecurity experts in the country. Together, we can help companies identify legal obligations, manage liability by helping establish best-practice training programs and conduct ongoing testing for vulnerabilities, and respond to breaches if and when they occur.