Legal teams have increasing responsibility to protect consumers
In America’s famously litigious business culture, it’s no surprise that every Fortune 500 company has a formidable legal team backing them. The job of a legal team does not begin when the judge rises, nor does it end when the gavel falls: for years, the responsibility of a corporate lawyer has consisted in the creation of contracts and non-liability agreements that clearly distinguish an organization from its partners.
In the past, such proactive safeguards could be expected to insulate clients from the misdeeds of contractors and other third parties. But as emerging data privacy legislation shifts more and more responsibility onto any brand with a digital footprint lawyers must rethink their approach to liability in the context of cybersecurity. When it comes to data breaches and malware attacks, who should they be trying to protect? The answer is “everyone,” and that includes consumers.
The Internet has been the untamed Wild West of the 21st century as governments try, with varying degrees of success, to establish clear rules of jurisdiction. It’s not easy: online, everything is connected, and each website depends on hundreds of other websites and dependencies. The reality is that third-party code (3PC) constitutes 80 – 95% of the average digital domain—including Alexa 500 websites—and that begs the question, “Who is responsible when it harms the end user?”
The General Data Protection Regulation (GDPR) signified an attempt by the E.U. to answer that question in a fair-minded way, laying down protections for online publishers, brands, third parties, and end-users alike. Together with subsequent data privacy legislation, this approach to liability establishes a trend that is quickly becoming the international standard: in digital, everyone is to blame for bad or compromised code; third parties because they provided it, and organizations because they did nothing to stop it.
Ideally, legal teams would align with CISOs and other operational executives by working to secure their company against digital vulnerabilities—by making security a priority, lawyers could prove before a judge that their clients did more to prevent disaster than sign on the dotted line. On the other hand, blame-shifting and insulating tactics undermine the best defense a client has: a culture of responsibility.
If corporations feel that emerging legislation is biased against them, that’s because the legal system has been biased in their favor. Consumers have paid the highest price for that, with no recourse for retaliation outside of class action suits or withdrawal from online activities.
In 2019, 4 billion personal records were stolen through data breaches; these records were then listed on the Dark Web or used for identity theft. The biggest driver of data breaches is malware, and the biggest driver of malware is third-party code executing across social media platforms, online news publications, and entertainment sites.
The failure of publishers to protect their online presence against vulnerable or malicious third parties not only contributes to declining revenue, but also feeds a loss in consumer trust. In the long-term, these failures enable billions of dollars in credit card fraud and help foster fake news and invasive user tracking.
In a world where the digital economy stands between voters and elections, businesses and consumers, friends and family, it is not reductive to say that lawyers now stand at a crossroad: from here they can either protect their clients at the expense of humanity or protect both.
In the near future, lawyers representing clients with a digital presence will have little choice but to embrace a wider view of who they are trying to protect. Thanks to emerging legislation, the responsibility of businesses towards users is no longer a debatable issue in many parts of the world.
After news outlets reported that Cambridge Analytica had been using Facebook to harvest data from users, the U.K’s Information Commissioner's Office fined the company for $663,000 (the maximum legal penalty at that time) in 2018. More recently, Ireland and Germany have tried to limit the way Facebook collects and uses data, directly undermining its ad-supported revenue model.
While all of this is happening, the company’s legal team can do little more than argue that it hasn’t violated GDPR in the first place. But while that’s the defense, it proves that the balance of power has shifted towards consumer privacy. Without defending that first, lawyers also cannot defend their clients.
The way forward for legal professionals cannot be boiled down to a series of rules; it begins with a culture of responsibility: corporations must self-regulate or, be regulated even more than they anticipate. Inspiration may be drawn from the credit card industry, which requires payment processors to follow the PCI DSS protocol.
In many jurisdictions—including Washington—application of PCI is taken to indicate “reasonable care” on the part of businesses handling credit cards, reducing their liability in the case of a breach. However, it is the “reasonable care”—and not PCI application itself—which the courts assess to determine fault.
When it comes to digital security, businesses must adopt a standard of “reasonable care,” first by taking inventory of their third-party assets; second by vetting their upstream partners; third, by maintaining a dynamic environment that is continuously scanned and assessed for malware threatening the end user.
Finally—as long as it is their job to protect organizations from legal action—lawyers must familiarize themselves with the technology their clients are trying to defend, and what constitutes a “reasonable care” in protecting it. In the future, what’s good for the customer will be good for the business, and securing digital properties is the first step towards realizing their mutual best interest.
by CHRIS OLSON
Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.