The Heartbleed Bug: Data Breach and Liability Risks
It seems that every other day we learn about a new data security threat or compromise. The so-called "heartbleed bug," or CVE-2014-0160 for those technically inclined, is the latest reported data security vulnerability, and it requires an immediate and swift response. The bug was discovered independently by Google's security team and by researchers at the Finnish firm Codenomicon, and it is described as potentially catastrophic to the security of information sent over the internet. In layman's terms, the bug is a flaw in OpenSSL, the software library widely used to encrypt web, email and other internet traffic (SSL/TLS), including sensitive data. The affected releases are OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; version 1.0.1g, published with the disclosure, corrects the flaw, and the older 0.9.8 and 1.0.0 branches are not affected. The flaw itself is a missing length check in OpenSSL's handling of the TLS "heartbeat" extension: a malformed heartbeat request causes an affected server (or client) to send back up to 64 kilobytes of its own memory, which may hold the server's private key, session cookies, passwords and whatever else the process recently handled.
The vulnerable code shipped in March 2012, so for roughly two years servers running it could be made to disclose their private encryption keys and data that was encrypted in transit but sat decrypted in server memory, including email, usernames, passwords, financial account numbers, and other confidential data. A stolen private key can also be used to decrypt previously recorded traffic where the connection did not use a forward-secret key exchange. If a social media network, web-based email provider, or other website or service has the vulnerability, there is a risk that attackers could have obtained confidential information without leaving a trace: the malicious heartbeat request is not recorded in ordinary web server logs, so the absence of log evidence is not evidence that no data was taken. After the bug was reported, the U.S. government warned that hackers were moving quickly to exploit the situation by scanning web sites for the flaw. The Canada Revenue Agency also reported that an attacker used the bug to take the Social Insurance Numbers of approximately 900 taxpayers during the window before the agency's systems were patched.
Beyond the obvious implications inherent to the loss of such data, companies may now have an obligation to report past data breaches that were thought not to trigger reporting obligations because the lost data was encrypted and otherwise inaccessible to unauthorized people. Many breach notification laws exempt encrypted data from notification only if the encryption key was not also compromised; the discovery of the heartbleed bug means that the key, and therefore the data, may have been accessible after all.
Despite media prognostications of pending doom brought about by the bug, companies can take certain technical steps to mitigate any related harm and potential liabilities. Alvarez & Marsal Global Forensic and Dispute Services, LLC, a leading global professional services firm, advises that companies:
- Conduct an all-port vulnerability scan of publicly facing systems to determine whether any service on those systems is using a vulnerable OpenSSL library. Anything that speaks SSL/TLS is in scope, not only web servers on port 443: mail servers, VPN gateways, load balancers, appliances and administrative interfaces. Do not rely on version banners alone, because operating system vendors backport fixes without changing the OpenSSL version number; a scanner that sends a test heartbeat request and inspects the reply is more reliable. Internal systems reachable by employees or partners should be scanned as well, since the bug is exploitable by any client that can connect to the service.
- Install available patches (OpenSSL 1.0.1g or a vendor-patched build) on all affected systems, and plan the timing: every service that loaded the vulnerable library must be restarted, or the system rebooted, for the fix to take effect, because running processes keep using the old code already in memory, and those restarts may disrupt operations.
- Obtain and deploy new SSL certificates after all appropriate fixes are in place, generating new private keys rather than reissuing certificates on the existing keys, since the key itself may have been read from memory, and ensure that the old certificates are revoked.
- Require password changes for all user accounts whose login credentials may have passed through the memory of the affected systems, and do so only after the systems are patched and the certificates replaced; passwords changed before then may themselves be captured. Active sessions, cookies and API tokens issued before the fix should be invalidated for the same reason.
Additionally, we recommend that the company ask any of its service providers whose publicly facing systems rely on OpenSSL to confirm in writing (a) the service provider’s efforts to scan for the heartbleed bug vulnerability, (b) the steps taken to implement available patches and the status of the implementation, and (c) whether the provider believes the company’s data was compromised and the basis for its belief.
It is also recommended that companies identify any prior data breach that implicates OpenSSL and was thought not to trigger reporting obligations because the lost data were believed encrypted. Companies should determine whether that assumption holds true in view of the discovery of the heartbleed bug, and they should reassess data breach notification obligations where appropriate. This review should be directed and supervised by legal counsel to ensure appropriate consideration of all applicable legal obligations.
The discovery of the heartbleed bug is another in a recent spate of events bringing increased scrutiny to corporate privacy and data security practices. In addition to the recommendations outlined above, companies should reassess enterprise-wide privacy and data security policies and procedures to ensure that data are adequately protected and that privacy and data security compliance obligations are met.
Lawyer Contacts
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.
Mauricio F. Paez
New York
+1.212.326.7889
mfpaez@jonesday.com
Richard J. Johnson
Dallas
+1.214.969.3788
jjohnson@jonesday.com
Gregory P. Silberman
Silicon Valley
+1.650.739.3954
gpsilberman@jonesday.com
Art Ehuan, managing director of cyber protection services for Alvarez & Marsal Global Forensic and Dispute Services, LLC, contributed to this Alert. Art can be reached at (571) 331-7763 or at aehuan@alvarezandmarsal.com.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our web site at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.