Not yet a Member?
HR Magazine is highlighting the next generation of HR leaders.
Is your employee handbook ready for the New Year? With SHRM’s Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Get the HR education you need without travel expenses or time out of the office.
Join us in Chicago for the latest trends and technology in talent management, and what to expect in the future.
It seems that every other day we learn about a new data security threat or compromise. The so-called “heartbleed bug,” or CVE-2014-0160 for those technically inclined, is the latest reported data security vulnerability, and it requires an immediate and swift response. The bug was recently discovered by a team of engineers and is described as potentially catastrophic to the security of information sent over the Internet. In layman’s terms, the bug is a threat to the software—namely, version 1.0.1 and 1.0.2-beta of the OpenSSL libraries—that is widely used to encrypt certain web traffic, including sensitive data.
According to recent reports, the bug has, for more than two years, left exposed encryption keys and information sent over the Internet that previously was thought encrypted, including e-mail, usernames, passwords, financial account numbers and other confidential data. If a social media network, web-based e-mail provider, or other website or service has the vulnerability, there is a risk that attackers could have obtained confidential information without leaving a trace. After the bug was reported, the U.S. government warned that hackers were moving quickly to exploit the situation through website scans. The Canadian Revenue Agency also reported recently that hackers stole data pertaining to over 900 Canadians while the agency was patching the heartbleed bug vulnerability.
Beyond the obvious implications inherent to the loss of such data, companies may now have an obligation to report past data breaches that were thought not to trigger reporting obligations because the lost data was encrypted and otherwise inaccessible by unauthorized people. The discovery of the heartbleed bug means that such data may have been accessible after all.
Despite media prognostications of pending doom brought about by the bug, companies can take certain technical steps to mitigate any related harm and potential liabilities.
Art Ehuan, managing director of cyber protection services for Alvarez & Marsal Global Forensic and Dispute Services, LLC, a leading global professional services firm, advises that companies: *Conduct an all-port vulnerability scan on publicly facing systems to determine whether services on those systems are using the vulnerable OpenSSL libraries. Install available patches for all affected systems and consider the timing of any installation, as patch installation likely will require a restart of affected systems that may disrupt operations.
*Obtain and utilize new SSL certificates after all appropriate fixes are in place, and ensure that old SSL certificates are revoked.
*Require password changes for all user accounts for which login credentials may exist in the memory of the affected systems.
Additionally, we recommend that the company ask any of its service providers whose publicly facing systems rely on OpenSSL to confirm in writing (a) the service provider’s efforts to scan for the heartbleed bug vulnerability, (b) the steps taken to implement available patches and the status of the implementation, and (c) whether the provider believes the company’s data was compromised and the basis for its belief.
It is also recommended that companies identify any prior data breach that implicates OpenSSL and was thought not to trigger reporting obligations because the lost data were believed encrypted. Companies should determine whether that assumption holds true in view of the discovery of the heartbleed bug, and they should reassess data breach notification obligations where appropriate. This review should be directed and supervised by legal counsel to ensure appropriate consideration of all applicable legal obligations.
The discovery of the heartbleed bug is another in a recent spate of events bringing increased scrutiny to corporate privacy and data security practices. In addition to the recommendations outlined above, companies should reassess enterprise-wide privacy and data security policies and procedures to ensure that data are adequately protected and that privacy and data security compliance obligations are met.
Mauricio F. Paez is a partner in the New York office, Richard J. Johnson is counsel in the Dallas office and Gregory P. Silberman is a partner in the Silicon Valley office at
global law firm Jones Day.
Copyright 2014 © Jones Day. All rights reserved.
SHRM Online Safety & Security page
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Join SHRM's exclusive peer-to-peer social network
SHRM’s HR Vendor Directory contains over 3,200 companies