Cybersecurity is an overwhelming problem – so overwhelming that it seems impossible to address. From the legal and compliance perspective, the problem is compounded by a lack of clear regulatory rules or judicial precedent about what kinds of measures might be sufficient to mitigate the risk of liability for a data breach or other cybersecurity incident. One important step every business can take, however, is to implement a cybersecurity compliance training program.
Training as a Component of Legal Compliance
The “gold standard” for managing cybersecurity risk is the NIST Cybersecurity Framework. The NIST Framework identifies four “tiers” of cybersecurity compliance, with Tier 1 representing the lowest degree of compliance and Tier 4 the highest. A principle driver of how an organization can move up from Tier 1 through Tier 4 is organizational knowledge. In Tier 1, according to the Framework,
There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.
Id. at 10. In contrast, at Tier 4,
There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.
Id. at 11. In order to move up through the Tiers, an organization must ensure that “[a]pplicable information from organizational privacy policies is included in cybersecurity workforce training and awareness activities.” Id. at 16.
The FTC also emphasizes the importance of cybersecurity training. In the Opinion of the Commision in In the Matter of LabMD, Inc., FTC Docket No. 9357 (July 29, 2016), the Commission found that
LabMD did not employ basic risk management techniques or safeguards such as automated intrusion detection systems, file integrity monitoring software, or penetration testing. It also failed to monitor traffic coming across its firewalls. In addition, LabMD failed to provide its employees with data security training. And it failed to adequately limit or monitor employees’ access to patients’ sensitive information or restrict employee downloads to safeguard the network.
Id. at 11-12 (emphasis in original). Concerning training, the FTC noted, “[e]ven where basic hardware and software data security mechanisms are in place, there is an increased likelihood of exposing consumers’ personal information if employees are not adequately trained.” Id. at 14. The Eleventh Circuit recently stayed the FTC’s Order in LabMD over concerns about the Commission’s statutory authority over general cybersecurity issues. See LabMD v. Federal Trade Commission, No. 16-16270-D, Slip Op., (11th Cir. Nov. 11, 2016). Meanwhile, the FTC continues aggressively to pursue cybersecurity enforcement actions. However the Eleventh Circuit litigation turns out, the FTC’s emphasis on cybersecurity training will continue to inform standards of legal liability, both before the FTC and other authorities.
The emphasis on training is also evident in the recently proposed New York State Department of Financial Services Cybersecurity Regulations. See New York State Department of Financial Services Proposed 23 NYCRR 500 (Dec. 28, 2016). The NYDFS regulations created national headlines because they will cover a wide array of entities, including most of the U.S. and multinational banking sector, with any connection to financial service business in New York. The regulations state that every covered organization must “provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks” and “verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.” Id., § 500.10 The proposed NYDFS Regulation further states that all covered entities must “provide for regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.” Id., § 500.14.
The NIST, FTC, and NYDFS sources cited above are only a few recent prominent examples of why cybersecurity training is important. The importance of adequate cybersecurity training will continue to resonate through statutory, regulatory and case law developments concerning cybersecurity liability for many years to come.
Training About What, For Whom, By Whom?
This discussion of “training” raises the obvious question of what kind of content the training should include, who should receive training, and who should perform the training. There is no one-size-fits-all answer to these questions. Obviously, Information Technology and Security professionals will need highly specialized technical training, which may come in the form of advanced degrees or industry certifications in the details of network configuration, digital forensics and the like. But perhaps less obviously, all members of the organization, from the C-Suite to operations to sales, should receive cybersecurity training appropriate to their functions.
General cybersecurity training should cover concepts such as organizational risks from cyber threats, basic principles of cyber risk measurement, common types of cyber attacks, good cyber hygiene, procedures for reporting cybersecurity incidents, and awareness of the organization’s legal and regulatory environment relating to cybersecurity risks. The LabMD case supplies one cautionary tale about how training could have helped: the breach in that case resulted from LabMD’s billing manager using Peer-to-Peer software to download music while at work, and the resulting costs of the FTC action helped bankrupt the company. See LabMD v. Federal Trade Commission, No. 16-16270-D, Slip Op., (11th Cir. Nov. 11, 2016) (noting that “[t]he costs of complying with the FTC’s Order would cause LabMD irreparable harm in light of its current financial situation.”). Perhaps if that billing manager had known about the enormous vulnerabilities presented by P2P software she would not have used it at work and the company would still be in business. Another good example relates to a common kind of “social engineering” attack. Cyber criminals sometimes leave USB memory sticks containing malware in open areas such as parking lots and reception areas. Employees who find these “lost” memory sticks are often compelled by curiosity to plug them in – after all, perhaps they contain racy photos from the boss’s party last weekend, or secret documents worth millions! – but once plugged in they unleash havoc on the company network. A good training program will highlight this kind of risk and will connect the risk to a compliance program that provides clear procedures for the handling and disposal of orphaned USB sticks.
The final question is who should perform the training. The first requirement, of course, is that the trainers are thoroughly knowledgeable about cybersecurity risks, compliance procedures, and the organization’s legal and regulatory environment. Technical professionals need technical training, but for most people in an organization, the training required is more policy oriented. This means that not only IT, but also the organization’s risk management, human resources, and legal functions should become involved in crafting and delivering the training. Since cybersecurity training should be connected to an organization’s comprehensive cybersecurity policy, and since a proper cybersecurity policy should flow from the Board of Directors, inside and/or outside counsel should play a key role in this process. Legal counsel can ensure that the organization’s cybersecurity program is consistent with the organization’s legal and regulatory environment, and can also, if appropriate, seek to protect elements of the program within the attorney-client and work product privileges in the event of an investigation or dispute.
Cybersecurity risks cannot be ignored. This is true not only as a practical matter, but also as a legal and compliance issue. The need for cybersecurity training at all levels of an organization is embedded in the emerging regulatory consensus about what is required to satisfy an organization’s basic legal obligations. Legal counsel can play an important role in helping shape and deliver an organization’s cybersecurity training program.