One of the many new realities of 2020 is that corporations are facing more stress than ever before. Whether the cause is reduced demand, the strain of being required to shift rapidly to “work from home” operations, or the increase in cyber-related crime targeting businesses across industries, the chance that an incident will occur has increased. Cyber risks that have grown during the pandemic include ransomware attacks, business email compromises and intellectual property theft.
These challenges become more difficult to navigate thanks to an increasingly uncertain regulatory framework. The European Court of Justice, in the so-called “Schrems II” case, invalidated the Privacy Shield scheme which more than 5,000 companies depended on as the basis for data transfers between the European Union (EU) and U.S., and the Swiss government then agreed that the existing rules for U.S.-Swiss data transfers need to be revisited.
Many businesses are struggling to survive and be profitable. At some point they may need to explore restructuring options or take an impairment charge to recognize changed economic realities, all of which can affect the information technology function as much as, or even more than, other aspects of a company’s operations.
Are you ready to deal with the possibility of restructuring or insolvency? If you are, you may be a tremendous resource to help your company work through the process.
A well-crafted restructuring technology plan will consider six key factors, with appropriate input and buy-in from other departments, like legal, compliance, finance, human resources (HR) and procurement:
- Continuing to protect intellectual property;
- Expected personnel disruptions;
- The need for coordination with corporate compliance;
- Ongoing financial difficulties;
- Readiness to make shifts necessitated by business changes; and
- Protection of confidential information.
Protecting Intellectual Property
Given recent decisions in several courts, a company cannot count on being able to use the U.S. federal Computer Fraud and Abuse Act as the basis for dealing with the misappropriation of intellectual property, whether it is committed by employees or others (like business partners or service personnel) who have authorized access to the data. In light of recent appellate court decisions, there is uncertainty as to the law’s application, if any, once an individual has been given access to data even though that individual may use the data in a manner that is not authorized by the company. The Supreme Court has agreed to review a case involving this question because seven federal circuit courts have differed (coming down with four circuits on one side of the issue, and three on the other) and organizations need consistent guidance on the application of the statutory language, “exceeds authorized access.” While it is impossible to know how the Supreme Court justices will rule, every company should consult with counsel on this issue, and there are straightforward steps that companies can take to manage this risk.
Companies can consider having specific internal rules defining the purposes for which access is authorized and unauthorized. Showing that an employee knew (and better yet, acknowledged knowing) what the rules for use are provides a way of enforcing intellectual property rights regardless of how the Supreme Court rules. Additionally, intellectual property protection laws require an organization to demonstrate that it had reasonable controls and security in place to safeguard its intellectual property. Making certain that the rules surrounding access to systems are clearly spelled out and communicated to everyone who has been granted the right to access nonpublic data or valuable intellectual property becomes even more important.
Additionally, companies can put technical safeguards in place that limit the unauthorized transfer of sensitive information. Restricting the use of external storage devices, monitoring email for unauthorized attachments and restricting the use of unauthorized applications can help. Some applications provide encrypted messaging services that enable data to be sent out in a form that the company cannot review. Personal, non-company use of such software can allow data to leave the company unmonitored, and companies should consider banning these applications.
Whatever rules are set up, there should be documentation that demonstrates that the rules were being followed. This can include internal or external audits, compliance reports and internal or external security reviews.
In a restructuring or insolvency situation, it is well known that personnel leave, either voluntarily or involuntarily. Sometimes in leaving, they do things that they should not, such as misappropriating company property, including computer-based intellectual property. They may take copies of programs that they worked on or wrote while employed. They may take software tools that they used which were paid for or licensed to the company. They may take trade secrets, customer lists, cost and estimation data, or anything they believe will help them in their future employment. History suggests that this can and does happen, and that a company should prepare for it, particularly when so many companies are experiencing unprecedented business stressors.
People leave organizations all the time. But when organizations hit hard times, they may have to furlough or terminate employees, including long-term workers. Even where this is not the case, some people will decide to leave to avoid potential future issues stemming from a restructuring, acquisition or business closure.
Can the technology unit function properly when people are leaving? If the organization has a small technology team, losing even a few people may have a very large impact. In this situation, there is a range of actions that a company, guided by counsel and its HR specialists, can take, including offering a bonus for staying with the company for a specified period or providing a guarantee of continued employment for a period of time.
In addition, technology management should consider how they would deal with the sudden loss of key IT personnel:
- Is there a succession plan for each key position?
- Is there a plan to backfill openings with contractors?
- Are all the computer and network accounts associated with the individual known, and can they be immediately suspended if necessary?
- Would you have a list of what an individual has downloaded available when you might need it?
- How would departures affect your incident response plan and the access management scheme?
The absence of a plan covering these issues leaves the organization open to a disaster if a key IT person leaves and there is no way to replace them in the short term.
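The account and download questions in the checklist above are easiest to answer when the mapping from a person to every account they use or own is already recorded. The following script is an added example, not code from the original article or from Kroll: it runs an offboarding readiness check over a constructed account inventory and download log. All system names, record fields and sample data are assumptions for illustration; a real inventory would be pulled from the identity provider, VPN and SaaS admin consoles.

```python
"""Offboarding readiness check (added example, not from the original article).

For a departing individual it answers three checklist questions using constructed
sample data: which accounts are tied to the person, whether each can be suspended
immediately or needs a handover first, and what the person has downloaded.
All system names, fields and records are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Account:
    system: str                  # assumed system label, e.g. "directory", "vpn"
    name: str                    # account name on that system
    kind: str                    # "personal", "shared" or "service"
    owners: list[str] = field(default_factory=list)   # people responsible for it


@dataclass
class Download:
    user: str
    path: str
    size_mb: float
    when: str                    # ISO date (constructed)


# Constructed inventory. "svc-deploy" deliberately has a single owner to show the
# case where an account cannot simply be switched off when that owner leaves.
ACCOUNTS = [
    Account("directory", "jdoe", "personal", ["jdoe"]),
    Account("vpn", "jdoe", "personal", ["jdoe"]),
    Account("source-control", "jdoe", "personal", ["jdoe"]),
    Account("build-server", "svc-deploy", "service", ["jdoe"]),
    Account("billing-portal", "finance-shared", "shared", ["jdoe", "asmith"]),
    Account("directory", "asmith", "personal", ["asmith"]),
]

# Constructed download log, the kind of record the checklist asks you to have ready.
DOWNLOADS = [
    Download("jdoe", "/repos/pricing-engine.zip", 48.2, "2020-09-14"),
    Download("jdoe", "/shared/customer-list.xlsx", 2.1, "2020-09-15"),
    Download("asmith", "/shared/holiday-calendar.pdf", 0.3, "2020-09-15"),
]


def accounts_for(user: str, accounts=ACCOUNTS) -> list[Account]:
    """Every account the person logs in with or is listed as an owner of."""
    return [a for a in accounts if a.name == user or user in a.owners]


def suspension_plan(user: str, accounts=ACCOUNTS):
    """Sort the person's accounts into three buckets.

    suspend_now:        personal accounts, disable immediately.
    rotate_credentials: shared/service accounts that other owners still need;
                        the leaver knows the secret, so change it rather than
                        disable the account.
    needs_handover:     shared/service accounts with no remaining owner;
                        disabling them would break something, so ownership
                        must be transferred first.
    """
    suspend_now, rotate, handover = [], [], []
    for a in accounts_for(user, accounts):
        if a.kind == "personal":
            suspend_now.append(a)
        elif [o for o in a.owners if o != user]:
            rotate.append(a)
        else:
            handover.append(a)
    return suspend_now, rotate, handover


def downloads_for(user: str, downloads=DOWNLOADS, since: str | None = None):
    """Download records for the person, optionally from an ISO date onward."""
    return [d for d in downloads if d.user == user and (since is None or d.when >= since)]


def readiness_report(user: str) -> dict:
    """Plain-data summary suitable for handing to HR, legal and the IT on-call."""
    suspend_now, rotate, handover = suspension_plan(user)
    label = lambda a: f"{a.system}:{a.name}"
    return {
        "suspend_now": [label(a) for a in suspend_now],
        "rotate_credentials": [label(a) for a in rotate],
        "needs_handover": [label(a) for a in handover],
        "downloads": [d.path for d in downloads_for(user)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(readiness_report("jdoe"), indent=2))
```

The point the report makes visible is that "can the accounts be suspended immediately" has three answers, not one: personal accounts can be disabled on the spot, shared credentials the leaver knows must be rotated, and anything the leaver was the sole owner of is a handover problem that should be solved before the departure date rather than after it.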
Finally, it is important to work with counsel and HR on out-processing. You need to make sure everyone who leaves understands their obligations regarding intellectual property (including software they worked on) and sensitive information, and that company-owned equipment like computers, tablets and mobile phones is retrieved. Consider having the exiting employee sign an acknowledgement, if possible.
Corporate Compliance Issues
Compliance prevents or mitigates the risk of fines, penalties and costly breach of contract litigation. In the IT world, this includes the risks posed by data breaches, data privacy issues and intellectual property licensing violations.
Compliance departments have not been immune to problems posed by the pandemic. Their personnel are often working from home, with limited access to the people, systems and data they used to perform compliance functions. They may have limited resources to figure out how to modify compliance tasks to match changes in operations related to COVID-19. For example, if sensitive information is printed by an employee at home, is there a plan to assure that the information is eventually destroyed? (Some companies have recognized this issue and provided some work-at-home employees with paper shredders.)
During a restructuring or insolvency, compliance operations may be further disrupted and they may suffer personnel losses associated with cutbacks or resignations. The only reasonable conclusion is that there needs to be a plan for dealing with the necessities of compliance should a restructuring or other significant incident happen.
Just as insolvency transactions and restructuring can lead people to want, or have, to leave a company, the financial consequences of restructuring—depending on the specific circumstances—can force a business to impose economic cutbacks on its departments, often across the board. Those transactions can trigger a need to modify cyber security controls, or to contract for assistance in the event of personnel cutbacks.
Management needs to recognize that they should at least have a procedure in place to hear “appeals” from some of the cutbacks they are planning to impose. Making cutbacks that increase risks—including cyber risks—may be required but are a false economy unless the risks are carefully assessed.
Remember, companies that are known to be going through restructuring tend to be targeted by hackers and intellectual property thieves on the assumption that they will not maintain effective security while they go through a challenging event.
The Need to be Nimble
In times of corporate stress such as restructuring and insolvency, IT professionals cannot simply carry on life as usual. There will be changes that must be responded to rapidly and effectively. Success will require organizations to be increasingly nimble to make and deal with a wide range of changes. Those who plan for these changes will do better than those who fail to plan and assume they can figure out what to do in real time.
Protection of Confidential and Privileged Information
An information security incident can be damaging to an organization’s brand and goodwill, especially when it is first identified, and misinformation may rapidly spread about its extent. Incidents can be sensationalized by personnel with limited knowledge of what actually happened. For this reason, an adequate incident response plan will not only identify the key legal and technology-related steps for containing, remediating and investigating an incident, it will also stress the importance of messaging discipline, controlled dissemination of information and the involvement of counsel in all communications to provide the protections of attorney-client privilege where possible.
A sound restructuring plan will account for the protection of privileged incident response information. Although it may not be possible to withhold such information entirely, access can be appropriately limited. Furthermore, the plan can document a process for the controlled production and dissemination of incident response information. Based on recent court decisions regarding privilege, counsel may determine that technical support for incident forensics and investigation must be carried out by a qualified consulting firm that has not been involved with the company’s IT team on an ongoing basis. Without a plan, an entity can face undue scrutiny of its information security practices, privacy practices and even its legal compliance.
In the current environment, more organizations than ever before will undergo restructuring, insolvency and business impairment. Those who recognize this and take steps to plan for how these transactions will affect their technology and take the time to develop plans for reacting to changes and challenges will fare better than those who react only when they are already in a crisis.
No two companies will have the same plan for getting through these difficult issues, but we hope that the principles that we have laid out will help in developing plans and being prepared for what may come.
Kroll Cyber Risk
Kroll's award-winning cyber experts can help clients at every step of the way toward cyber resilience.