Not a Member?  Become One Today!

 
The Heartbleed Bug: Data Breach and Liability Risks
 

By Mauricio F. Paez, Richard J. Johnson and Gregory P. Silberman  5/5/2014
 

It seems that every other day we learn about a new data security threat or compromise. The so-called “heartbleed bug,” or CVE-2014-0160 for those technically inclined, is the latest reported data security vulnerability, and it requires an immediate and swift response. The bug was recently discovered by a team of engineers and is described as potentially catastrophic to the security of information sent over the Internet. In layman’s terms, the bug is a threat to the software—namely, version 1.0.1 and 1.0.2-beta of the OpenSSL libraries—that is widely used to encrypt certain web traffic, including sensitive data. 
According to recent reports, the bug has, for more than two years, left exposed encryption keys and information sent over the Internet that previously was thought encrypted, including e-mail, usernames, passwords, financial account numbers and other confidential data. If a social media network, web-based e-mail provider, or other website or service has the vulnerability, there is a risk that attackers could have obtained confidential information without leaving a trace. After the bug was reported, the U.S. government warned that hackers were moving quickly to exploit the situation through website scans. The Canadian Revenue Agency also reported recently that hackers stole data pertaining to over 900 Canadians while the agency was patching the heartbleed bug vulnerability. 
Beyond the obvious implications inherent to the loss of such data, companies may now have an obligation to report past data breaches that were thought not to trigger reporting obligations because the lost data was encrypted and otherwise inaccessible by unauthorized people. The discovery of the heartbleed bug means that such data may have been accessible after all. 
Despite media prognostications of pending doom brought about by the bug, companies can take certain technical steps to mitigate any related harm and potential liabilities.
Art Ehuan, managing director of cyber protection services for Alvarez & Marsal Global Forensic and Dispute Services, LLC, a leading global professional services firm, advises that companies:
*Conduct an all-port vulnerability scan on publicly facing systems to determine whether services on those systems are using the vulnerable OpenSSL libraries. Install available patches for all affected systems and consider the timing of any installation, as patch installation likely will require a restart of affected systems that may disrupt operations.
*Obtain and utilize new SSL certificates after all appropriate fixes are in place, and ensure that old SSL certificates are revoked.
*Require password changes for all user accounts for which login credentials may exist in the memory of the affected systems. 
Additionally, we recommend that the company ask any of its service providers whose publicly facing systems rely on OpenSSL to confirm in writing (a) the service provider’s efforts to scan for the heartbleed bug vulnerability, (b) the steps taken to implement available patches and the status of the implementation, and (c) whether the provider believes the company’s data was compromised and the basis for its belief. 
It is also recommended that companies identify any prior data breach that implicates OpenSSL and was thought not to trigger reporting obligations because the lost data were believed encrypted. Companies should determine whether that assumption holds true in view of the discovery of the heartbleed bug, and they should reassess data breach notification obligations where appropriate. This review should be directed and supervised by legal counsel to ensure appropriate consideration of all applicable legal obligations. 
The discovery of the heartbleed bug is another in a recent spate of events bringing increased scrutiny to corporate privacy and data security practices. In addition to the recommendations outlined above, companies should reassess enterprise-wide privacy and data security policies and procedures to ensure that data are adequately protected and that privacy and data security compliance obligations are met.

Mauricio F. Paez is a partner in the New York office, Richard J. Johnson is counsel in the Dallas office and Gregory P. Silberman is a partner in the Silicon Valley office at global law firm Jones Day.  

Copyright 2014 © Jones Day. All rights reserved.

Quick Links:

SHRM Online Safety & Security page

Subscribe to SHRM’s Safety & Security HR e-newsletter


Sections