What if terrorists could bring down your business with a cyber attack? Cyber security risks are increasing at an alarming, exponential rate. The frequency, sophistication, and severity of today’s cyber attacks can be attributed not only to a thriving domestic hacker community but also to overseas hackers.
These international attacks often originate in Asia, Europe, and the Middle East. Some seek to extort money from U.S. businesses. In other cases, a desire to harm U.S. political, economic, or military interests motivates the attack. Managing these unprecedented threats to the enterprise has become a vital risk-management concern that has captured the attention of the board of directors at many corporations. Top management understands that risk management keyed specifically to cyber security threats and vulnerabilities is now necessary to avoid potential legal liability.
Simply put, management has a legal obligation to protect its company against a long list of cyber threats and may have a growing legal obligation to account for the cyber security controls and countermeasures it implements - and fails to implement. Hacking, corporate espionage, computer viruses and worms, denial-of-service attacks, electronic equipment failures, sabotage by disgruntled employees, and terrorism are only some of the threats management now needs to take into account.
These cyber threats, and the resulting monetary losses they cause, are not imagined. The State of Information Security 2003 report prepared by PricewaterhouseCoopers and CIO Magazine surveyed approximately 6,000 respondents and reported that 64 percent of the respondents experienced one or more security breaches in the prior 12 months. Of these breaches, 59 percent involved malicious code, 40 percent involved unauthorized entry, 35 percent involved a denial-of-service attack, and 16 percent resulted in the alteration of software. BusinessWeek recently reported that 67 percent of senior tech executives said their organization had suffered a security breach in the past twelve months, but only 41 percent of those incidents were reported to authorities. The Slammer, Blaster, and Sobig families of worms, which paralyzed the Internet in 2003, are estimated to have caused $12 to $13 billion in damages.
Yet, unlike traditional crimes, cyber attacks often go unpunished. The ubiquity and anonymity of the Internet ensure that many attackers are never identified, let alone prosecuted or forced to pay restitution. The changing demands and requirements of technology, highlighted by efforts to develop the next generation of the Internet, make cyber security controls and countermeasures difficult to maintain, but increasingly important to implement. Failure to prevent or respond to a cyber security breach can result in legal liability to the enterprise. This liability can result from the company’s obligations to protect customer, employee, or third-party information. Liability can also result if the company’s operations are interrupted at a critical time, causing loss to third parties. Furthermore, the company itself may incur direct losses from alteration of financial documents, theft of trade secrets, or dissemination of confidential information.
What can be done to reduce these legal risks? While complete, fool-proof security is not possible, management must and can maintain security that is commensurate with risk. This includes continually updated cyber security measures to reduce the likelihood of unauthorized network access that could result in the destruction or theft of sensitive company information or the incapacitation of company networks and systems.
The cyber security standard of due care that management must meet is rising. Plaintiffs seeking to recover damages for a company’s failure to prevent or mitigate a cyber attack will almost certainly use these increasingly higher standards to demonstrate a company’s failure to achieve minimum care. Consequently, corporations that choose to ignore cyber security standards not only increase the likelihood of a cyber attack but also will suffer if forced to defend a cyber security-based lawsuit.
**********************
Luncheon Series Focuses On Privacy Issues And Legislative Developments
Piper Rudnick continued its Homeland Security Roundtable Luncheon series in the fourth quarter of 2003 with two dynamic speakers.
On October 8, 2003, Piper Rudnick hosted a luncheon featuring special guest and speaker Nuala O’Connor Kelly, Chief Privacy Officer for the Department of Homeland Security (DHS). Ms. O’Connor Kelly is responsible for overseeing privacy policy development and enforcement across all the department’s actions. She is at the center of the domestic and international privacy debate for DHS.
During the luncheon, Ms. O’Connor Kelly mentioned five goals of her office:
- Assess the privacy impact of new technologies;
- Act as arbiter of Privacy Act requirements;
- Take on an omnibus role of ensuring that the use of technology is within the framework of fair information practices;
- Evaluate all legislative and regulatory proposals; and
- Provide reports to Congress on specific issues.
Ms. O’Connor Kelly also described DHS priorities, which are to:
- Embed privacy into the culture and structure of the organization;
- Leverage the quality and efficiency of technology from the private sector; and
- Conduct internal training and outreach, balancing transparency with the needs of national security.
Ms. O’Connor Kelly discussed the important and intricate issues raised by international privacy considerations. Addressing airline passenger screening and the status of screening negotiations with European governments, she noted that progress is being made and that a consensus is not far off. She said that some of the biggest issues that remain unresolved concern access and redress, data retention, and onward transfer. DHS is looking at a 10-year long-term strategy for passenger information.
Addressing the issue of airlines, such as JetBlue and Northwest, which have come under scrutiny for allegedly using passenger data inconsistent with representations in their privacy policies, she advised that companies should review their privacy policies. It is important for companies to determine what their current privacy policy allows in terms of data sharing and assess whether modifications need to be made with an eye toward future disclosures, Ms. O’Connor Kelly explained.
On December 3, 2003, Piper Rudnick hosted a luncheon with John C. Gannon, staff director for the U.S. House of Representatives Select Committee on Homeland Security. Gannon was a key leader of the Department of Homeland Security’s transition team, a former naval officer, vice-chairman of Intellibridge Corporation, chairman of the National Intelligence Council, assistant director of Central Intelligence for Analysis and Production, and deputy director for intelligence at the CIA.
Mr. Gannon discussed the work of the Select Committee over the past year, as well as the security issues and priorities likely to emerge in Congress in 2004. Key priorities for the committee in 2004 include the following:
- Assisting first responders and state and local communities;
- Infrastructure protection; and
- Intelligence and information analysis.
**********************
Chemical Facility Security Would Be Tightened Under Federal Bill
By Roger Truitt
Following a series of reports, among them a General Accounting Office report which found serious security concerns at chemical facilities,1 Congress is currently considering legislation to impose stricter security requirements on many facilities that manufacture or handle chemicals. S. 994, known as the Chemical Facilities Security Act of 2003 (CFSA), was introduced in 2003 by Senator James Inhofe (R-OK), chairman of the Senate Environment and Public Works Committee. The goal of the CFSA - improving chemical plant security - has broad political support from both parties, and some form of a chemical facilities security bill is likely to be enacted.
If signed into law, the CFSA would require all facilities subject to risk management plan (RMP) requirements under Section 112(r) of the Clean Air Act (CAA) to conduct site-wide security and vulnerability assessments and to develop security plans and related measures. These measures include employee training, background checks, physical access limitations, and installation of intrusion detection sensors and computer network security. Under the bill, these efforts must be designed to protect against potential terrorist acts, such as the theft or intentional release of a "substance of concern," which is defined in the bill to include those chemicals and thresholds listed pursuant to CAA § 112(r) or other chemicals designated by the DHS.
The bill requires chemical plants to submit security assessments and plans to DHS, which would be responsible for oversight and enforcement. Consistent with similar provisions of the Homeland Security Act of 2002, information submitted would not be subject to Freedom of Information Act requests or public disclosure at the federal or state level. Currently, RMPs developed under Section 112(r) may be obtained by the public, with the exception of most of the offsite consequence analysis information, which may be read, but not copied. The bill requires the security plans to be updated every five years; regulated facilities would be subject to civil and administrative penalties for noncompliance.
**********************
Federal Security Programs Affecting U.S. Seaports
By Andrea Grant and John Mietus
Seaport security is widely recognized as a critical homeland security goal. More than 350 U.S. seaports handle the majority of U.S. import tonnage, which includes more than seven million sea containers. Considering that approximately 2 percent or less of all sea containers are inspected by authorities, the possibility that terrorists might use a sea container to transport or detonate a weapon of mass destruction is a matter of concern. One study postulated that a "dirty bomb" at a container port could ultimately cost the U.S. economy $58 billion and require months of recovery.
Congress has made maritime security a top priority, as reflected in the adoption of the Maritime Transportation Security Act of 2002 (MTSA). Other recent legislation has expanded the monitoring of both imports and exports and provided federal grants to help industry and state and local governments meet the costs of new maritime security activities.
Under MTSA, the U.S. Coast Guard and the Bureau of Customs and Border Protection have issued a variety of new security regulations. These regulations affect not only traditional maritime businesses, like seaport, marine terminal, and vessel operators, but also many non-maritime businesses, such as those adjacent to the waterfront and even businesses that merely rely on marine shipments.
Supplementing the agencies’ longstanding presence at U.S. seaports, these regulations require operators of public and private port facilities, vessel operators, and importers and exporters to assume increased responsibility for security. Estimates suggest that the cost of the new security regulations will reach $7 billion over ten years.
New Coast Guard Regulations
The Coast Guard issued final security regulations in October 2003 that are consistent with the International Maritime Organization’s International Ship and Port Facility Security Code. These regulations require seaport "areas," certain facilities within seaports, and certain vessels to assess their vulnerabilities and develop plans to maintain and enhance security.
The facilities covered by the new regulations include terminals that handle petroleum and other hazardous bulk liquids and large passenger vessels, as well as most international large-vessel traffic and barge fleeting facilities. The Coast Guard believes that these operations, some 5,000 in number, are the most significant seaport targets for terrorism. By the end of 2003, these facilities should have completed security assessments, identified a trained Facility Security Officer (FSO), and submitted a plan for maintaining and augmenting security. Plans must be approved by the Coast Guard and implemented by July 1, 2004. The Coast Guard has begun imposing $10,000 fines on those covered entities that failed to meet the December 31, 2003 requirement deadline.
Future Coast Guard Developments
The Coast Guard’s security jurisdiction extends broadly to "vessels, structures, and facilities of any kind, located under, in, on, or adjacent to waters subject to the jurisdiction of the U.S." Thus, in the future, the Coast Guard may impose security requirements on port facilities not required to have Coast Guard-approved security plans, and even on non-maritime activities conducted at or near a seaport. The MTSA also requires that persons with unescorted access to secure seaport areas undergo background checks and hold a biometric identity card. The Coast Guard is working with its fellow DHS agency, the Transportation Security Administration (TSA), to develop a Transportation Worker Identification Credential that will meet this requirement.
Customs
The Bureau of Customs and Border Protection has issued new regulations that will require detailed information on maritime imports to be submitted electronically to Customs 24 hours before loading at a foreign port, with information on exports also to be submitted before U.S. departure. This will allow Customs to identify high-risk cargo in advance and arrange for its inspection even before it arrives in the U.S. Congress has taken similar action in the realm of food security under the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (Pub. L. 107-188). That law imposes both food facility registration requirements and food importation reporting requirements.
Customs also relies on voluntary assistance from shippers, carriers, ports, and foreign governments to extend its surveillance beyond U.S. seaports to the entire supply chain. Three major voluntary programs are:
- C-TPAT, the Customs-Trade Partnership Against Terrorism. Many companies involved in U.S. imports are potentially eligible to benefit from C-TPAT, which now counts thousands of importers and carriers as participants. C-TPAT participants assess their supply chain security using joint Customs/industry guidelines, submit a security profile to Customs, and use the profile to improve their security and that of their suppliers and others in the supply chain. In return, successful participants benefit from favorable Customs treatment, such as reduced inspections and border crossing times.
- Operation Safe Commerce. This pilot program involves importers and terminals at, and the operators of, the three largest U.S. container ports: Seattle/Tacoma, Los Angeles/Long Beach, and New York/New Jersey. The pilot program, founded by Customs and the Department of Transportation and now managed by TSA, is reviewing technologies and processes to monitor the movement, and ensure the security and integrity, of containers throughout the supply chain. Technologies and processes that are validated may well become requirements for all container imports.
- Container Security Initiative. The Container Security Initiative is a Customs program designed to work with foreign port authorities to identify, target, and search high-risk cargo before it arrives in the U.S. DHS recently announced that the first phase of the initiative, covering the 20 foreign ports exporting the greatest number of containers to the U.S., is almost complete. The initiative will be expanded to additional ports.
Funding
Recognizing the financial burden of these requirements and initiatives, Congress has made limited federal resources available. "Critical national seaports or terminals" may apply to DHS for port security grants to help fund enhancements in facility and operational security. Two rounds of port security grants are complete, and a third is expected. Congress has provided $125 million for a fourth round of grants that is likely to be made available this year. Further, for fiscal year 2004 Congress has allocated $14 million for C-TPAT, $62 million for the Container Security Initiative, and $64 million for non-intrusive, overseas inspections. However, many believe that the federal government should underwrite a more significant portion of the staggering cost of seaport security.
Since 2001, Piper Rudnick lawyers have been involved in the development of maritime security legislation and regulation, and they routinely counsel and represent clients whose businesses are affected by maritime security issues. For more information, please contact Andrea Grant, 202.861.6456, or John Mietus, 202.861.6466, in our Washington, D.C., office.
**********************
Real Estate: The Continuing Impact Of Terrorism
By Liz Belkin and Michael Bedke
The real estate industry continues to feel the impact of September 11, as numerous legal and policy developments are affecting owners and operators of commercial real estate. A sampling of recent developments is provided below.
In re 9-11 Litigation: Raising the Bar
Pursuant to the Air Transportation Safety and System Stabilization Act of 2001 (Pub. L. No. 107-42), victims and victims’ families who have opted to sue for damages arising out of the September 11 terrorist attacks may bring their claims in the United States District Court for the Southern District of New York. Presiding Judge Alvin K. Hellerstein’s Opinion and Order Denying Defendants’ Motions to Dismiss is the first substantial ruling in the case.2 The significance of this September 2003 ruling, however, is not confined to the parties whose liability or recovery hang in the balance. This preliminary decision also affects American businesses that may be targets of future terrorist acts or who unknowingly aid a terrorist plot. Since the owners and operators of the World Trade Center (WTC) are defendants to the September 11th litigation, this question is particularly important for the real estate industry.3
The victims and the victims’ families allege, among other claims, that the "…owners and operators of the World Trade Center, World Trade Center Properties LLC and the Port Authority of New York and New Jersey, negligently designed, constructed, maintained, and operated the buildings, failing to provide adequate and effective evacuation routes and plans."4 Responding to the allegations, the WTC defendants argued that the complaints should be dismissed, primarily on grounds that the deliberate crash of jetliners into the Twin Towers was neither foreseeable nor the proximate cause of the injuries and loss of life. The judge disagreed and refused to release the owners and operators of the World Trade Center from liability at this time, allowing the case to go forward.
This raises a caution flag for similarly positioned real estate owners and operators. According to Judge Hellerstein’s preliminary reasoning, a real estate owner and operator may be liable for failing to foresee, plan for, and mitigate even the most extreme acts of terror. Arguably, therefore, must real estate owners and operators implement security measures specifically designed to thwart terrorism in order to avoid liability?5 Unfortunately, until the completion of litigation at the district court and appellate levels, this question will likely remain unanswered for some time to come. Until it is resolved, property owners and managers will be faced with uncomfortable uncertainty.
Nevada Law Affects Resort Hotels
Effective October 1, 2003, Nevada statute 463.790 requires each resort hotel to adopt and maintain an emergency response plan. The law takes a broad approach to the concept of emergency management and requires that each resort hotel’s emergency response plan include, among other things:
- A drawing or map of the layout of all areas of the resort hotel;
- A drawing or description of internal and external access routes;
- The location and inventory of emergency response equipment and resources;
- The location of any unusually hazardous substances;
- An evacuation plan; and
- The name and telephone number of the hotel’s emergency response coordinator.
While only controlling in Nevada, this law could have national significance for tourist destinations around the country. Indeed, as legislatures increase the private sector’s homeland security duties and responsibilities, §463.790 may guide other states in the creation of similar laws affecting resort hotels, theme parks, and similar tourist attractions.
FEMA Releases Guidance on Commercial Buildings
In January 2004, the Federal Emergency Management Agency (FEMA) released four comprehensive publications as part of its Multi-Hazard Risk Management Series.
Three of the four publications, Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings (FEMA 426), Primer for Design of Commercial Buildings to Mitigate Terrorist Attacks (FEMA 427), and Insurance, Finance, and Regulation Primer for Risk Management in Buildings (FEMA 429), are designed specifically to address many of the terrorism concerns facing the real estate industry.
Since homeland security standards and best practices have yet to be harmonized for the real estate industry, FEMA’s guidance is particularly important as a benchmarking tool. As property owners struggle to implement security measures, FEMA’s recommendations offer valuable, practical guidance – and insight into the future of real estate safety and security.
DHS Guidance for the Real Estate Community
In order to fulfill their fiduciary obligation to protect corporate assets and avoid personal liability, it is important that directors and officers ensure that their corporation is following industry standards. In that regard, the activities of the Department of Homeland Security should be carefully monitored.
While not intending to create industry standards, DHS is in the process of rolling out a series of terrorism awareness training courses. The first of these sessions, held for the shopping center industry on December 14, 2003, in McLean, Virginia, was followed by a session on stadium and arena terrorism awareness that occurred on February 10, 2004, in San Diego. Additional terrorism awareness courses, customized for stadiums and arenas, are tentatively scheduled for Savannah (March 9, 2004), Miami (March 23, 2004), Boston (March 30, 2004), New York City (April 20, 2004), Chicago (May 4, 2004), Houston (May 18, 2004), Portland (June 22, 2004), Seattle (July 20, 2004), Tampa (August 17, 2004), and Newark (September 14, 2004). Visit http://www.iaam.org/2004_meetings/DHS/DHS.htm for more information.
Endnotes:
1 Homeland Security: Voluntary Initiatives Are Under Way at Chemical Facilities, but the Extent of Security Preparedness Is Unknown. General Accounting Office. Report Number GAO-03-439. March 2003.
2 "Cases involving claims arising out of, resulting from, or relating to the terrorist-related aircraft crashes of September 11, 2001 and naming an airline, an airport security company, and/or The Port Authority of New York and New Jersey have been consolidated for discovery and other pre-trial proceedings." Information from the Southern District of New York’s website, available here: http://www.nysd.uscourts.gov/Sept11Litigation.htm
3 With regard to real estate issues, pages 21-33 of the ruling are the most significant.
4 Order and Opinion Denying Defendants’ Motions to Dismiss at 3.
5 Per the Air Transportation Safety and System Stabilization Act of 2001 (Pub. L. No. 107-42), liability is limited by the amount of insurance coverage.
This article is intended to provide information on recent legal developments. It should not be construed as legal advice or legal opinion on specific facts. Pursuant to applicable Rules of Professional Conduct, it may constitute advertising.