Abstract

This white paper explores a new way to approach the adoption of data breach prevention in businesses large and small – a business solution to a technical problem. Data breaches are considered a technical problem, and prevention of data breaches using a combination of technology, security policy, and operational implementation is widely known – ask your Chief Security Officer.

Our solution explores ways to accelerate the adoption of these preventive methods for data breaches. The lifeblood of a business is its agreements with customers, partners, suppliers, and employees. A change in one or more of these agreements has a network-wide impact. We explore a change in agreements and the impact of such a change on the adoption of data breach prevention.

Our solution is to include a covenant to prevent theft of digital information in all business agreements. This inclusion adds teeth and enforceability between businesses. It establishes a business need, creates a justification, and gets buy-in from the Board of Directors and the management team. Buy-in from your Board of Directors delivers a budget. This buy-in implies that prevention of theft of digital information is not a cost of doing business, but a way of doing business. In end-user agreements, internet and consumer-centered companies may include a covenant to prevent theft of personal information. This builds further trust in your brand. Such a covenant shall survive termination and will have long-term enforceability. A mutual covenant to prevent the theft of digital information has a network effect. We can free the world of data breaches.

This white paper has the following sections:

  1. Abstract
  2. Background
  3. Solution
  4. Summary
  5. References

Make the world free of data breaches

A world free of data breaches feels like a tall order. But we must make it probable and free the world of data breaches. I was walking the RSA Expo 2018. Lots of traffic in the aisles, but in 4 hours it became clear to me that it is still business as usual. Similar pitches, discussions, and one major exhibitor said “data breaches are inevitable, and so you need threat intelligence,” yadda, yadda. Few, if any, discussed preventing data breaches, or finding new ways to say – no more data breaches. Let’s make the world free of data breaches with a few simple but highly effective changes to how business agreements are written.

Background – Evolving consumer expectations

Data breaches are increasing each year. Over 9.8 billion data records have been stolen or lost since 2013 as a result of data breaches (Breach Level Index by Gemalto, n.d.). Breach data is unreliable for several reasons. Despite several laws, public reporting of data breaches is inconsistent. Additionally, breaches are likely under-reported. According to Business Insider Intelligence (Toplin, 2018), of the businesses that were breached, 22% lost customers, 29% lost revenue, and 23% lost business opportunities. Beyond customer expectations, a federal appeals court has ruled (Attias v. CareFirst, 2017) that consumers may seek legal relief from companies that do not protect their personal data. Additionally, businesses are most concerned about disclosures, confidential information protection, intellectual property protection (Liew, 2013), and protection of trade secrets.

IBM cybersecurity and privacy research (IBM, 2018) found that “75 percent of consumers will not buy products from companies that they don’t trust to properly secure their data. What’s more, 73 percent said they believe businesses prioritize profits over consumers’ security needs.”

Data breach reporting laws fall short

In the U.S., the 50 states and several territories have enacted laws regarding data breaches. These laws require businesses to give notice of data breaches, specifically data breaches involving personally identifiable information. Please review these three references (Greenberg, 2018), (Davis Wright Tremaine, 2016), and (Foley & Lardner LLP, 2018), which detail the data breach notification requirements of each state.

These data breach notification laws mandate notifying the customer upon a breach of that customer’s personally identifiable information. Personally identifiable information (PII) may include name, social security number, driver’s license information, account numbers, or other similar information. The timing of the notification, whom to notify, and which information needs to be provided differ from state to state. More importantly, these laws offer exemptions. All these state laws fall substantially short of preventing data breaches.

EU GDPR has a network effect

The European Union (EU) enacted the General Data Protection Regulation (GDPR). GDPR has been in effect since May 25, 2018. This law is the first step towards better privacy for citizens and residents of the EU. It has a network effect on EU businesses, on the suppliers to those EU businesses, and as a result on the entire supply chain. The network effect is clear in the GDPR definition of a data breach – “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Despite the penalties, the GDPR falls short of prescribing prevention.

Let’s explore Article 33 of the GDPR – “Notification of a personal data breach to the supervisory authority.”

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.” (Vollmer, 2017)

GDPR falls short

The GDPR’s one big shortfall is these words in Article 33: “after having become aware of it.” Additionally, if a business relies on a data processor, the burden is on the data processor to make the business aware of a breach. However, the data processors have no time-specific burden, as seen in this clause of Article 33: “The processor shall notify the controller without undue delay after becoming aware of a personal data breach.” The creators of this regulation rightly assume that the lack of precedent is likely to place the burden on a business. However, this does not prevent a data breach.

This white paper does not explore how Article 33 may be amended to free the world of data breaches. Instead, it implores businesses to leverage compliance funding to prevent data breaches. This is achievable. Change the goal of compliance to that of data breach prevention. This delivers compliance by design and by default at no additional cost. The solution proposed in this white paper is a new way of doing business, thereby establishing an essential business need to prevent data breaches.

The solution

The solution we propose in this paper is to change the way business agreements get done. A solution to prevent data breaches must include the supply chain and its data processing partners. We explore a three-phase approach to modifying business agreements.

Phase 1: Execute a one-sided covenant to prevent theft of digital information with customers and, in end-user agreements, a covenant to prevent theft of personal information.

Phase 2: Include a mutual covenant to prevent theft of digital information with suppliers and partners (including data processing partners).

Phase 3: Finally, write an enforceable mutual non-disclosure agreement with business partners.

We detail these phases in the sections that follow.

One-sided covenant to prevent theft of digital information

The solution we propose begins with a one-sided covenant to prevent theft of digital information. This one-sided covenant shall be written by a business in favor of a strategic customer or a partner. It assures the strategic customer or partner that their digital information or specific confidential (or proprietary) information will be protected from theft by any means possible. This section of the white paper details the covenant that provides such an assurance to the strategic customer or partner.

Covenant to Prevent Theft of Digital Information.

(a) Covenant. Company and any affiliate of the Company each covenant to prevent theft of Digital Information, and to institute any procedure, practice, or technology that expressly prevents theft of Digital Information, from any digital means (not limiting to personal, network, or cloud means) used by the Company, any subsidiary, any affiliate, or any employee of the Company.

(b) Theft or attempt to steal by a person(s) or machines or bot(s). This covenant shall include theft prevention from any or all thefts or attempts to steal by a person(s), machine(s), bot(s), or a combination thereof.

(c) Report attempts to steal. The Company shall provide periodic report(s), at intervals no longer than six (6) months, of any theft incident or attempt to steal any or all Digital Information. The incident report of theft or attempt to steal such Digital Information shall, at a minimum, include the date and time of the incident, the location of the incident, details of the specific Digital Information involved in the incident, and the person(s) or bot(s) responsible for the incident, among other information related to the incident. At the discretion of the Company, any theft or attempt to steal highly confidential information shall be reported immediately.

(d) Preventive and proactive incident response. The Company shall institute a procedure, practice, or technology that preventively and/or proactively addresses any known or unknown ways to steal or attempt to steal Digital Information, from known or unknown actors including persons, bots, malware, worms, or viruses.

We recommend that your legal counsel review the above article for use in your agreements while retaining the intent of the covenant.

Article (a) – The covenant

Article (a) above intends a broad definition and extends the prevention practices to all digital information. Your company may narrow this definition to proprietary information or specific referenced confidential information. Any narrower definition implies that your company must implement ways to discover, classify, and identify specific referenced confidential data in flight. Such discovery, classification, and identification also apply to public or non-public disclosures made as part of compliance. If your business is limited in its ability to classify digital information in flight, it is best to treat all digital information in the same way. We recommend that your business find a way to implement classification and role-based disclosure of digital information across your known actors.

Article (a) above intends a broad definition and extends to company affiliates, meaning businesses in which the company has a majority stake. Your company may narrow this definition. However, we believe that applying security policies consistently across the company, its subsidiaries, and its affiliates delivers a far superior approach to preventing data breaches.

Article (a) above intentionally does not propose a specific procedure, practice, or technology. This leaves your information security team free to find cheaper means to prevent data breaches. Deploying expensive technology, and the subsequent operational expense to manage and maintain it, is not the only way to prevent data breaches. Your team could find the combination of technology, policy, and process that is most effective for your business.

Article (a) above uses the term ‘digital’ and states certain means by which digital information may be stolen. Your company could carve out certain physical means by which digital information could be stolen, such as the use of smartphones to take pictures of a computer screen. Your company needs to evaluate its BYOD (bring your own device) policies and relate them to your ability to implement data breach prevention. There are cases where hi-tech companies prevent the use of digital cameras on their campuses. For example, one very large hi-tech company places watermarked tape over the cameras of visitors’ electronic equipment entering its campus.

Article (b) – Theft or attempt to steal

Article (b) above intends a broad definition and extends to persons, machines, or bots. Persons could include authorized users, malicious authorized users, careless authorized users, or unauthorized users. Machines or bots could include known or unknown actors in the network such as compromised authorized users, hackers, scripts, bots, cron jobs, or simply spies ready to steal your intellectual property. We recommend that you keep this article unchanged.

Article (c) – Report attempts to steal

Article (c) above uses the term ‘attempt’. When your business prevents a data breach, there is no theft; however, there is an attempt to steal. The reporting obligation is minimal. For most companies that comply with GDPR or other reporting laws, this reporting obligation is familiar.

We perceive that faster reporting at the discretion of the company is a better approach. It has certain advantages in the way you manage and maintain a relationship with your customers and partners. A counter-argument to faster reporting is that it means more incident reporting, which implies more explanations to be given to your customer or partner. Account managers may prefer not to be this transparent with the customer and provide detailed explanations. However, we believe that customers and partners prefer transparency and the resulting accountability. Soon, they will start to seek similar provisions and incident information from your competitors. This is your competitive advantage. You may, at your discretion, narrow the definition of digital information to highly confidential information. This implies that you have the ability to discover, classify, and identify digital information whether it is at rest or in flight.

Article (d) – Prevention and proactive incident response

Article (d) above sets a high standard for prevention. We recommend minor, if any, modifications to it. The wording ‘known or unknown ways to steal or attempt to steal’ is expected to set the right security policy for your business. An added advantage of this article is the prevention of intellectual property theft and theft of trade secrets. Unknown actors are explained in more detail in the previous sections of this white paper.

One-sided covenant with your strategic customers

Our solution suggests implementing this change with strategic customers or partners. In your next QBR (quarterly business review) with a strategic customer, socialize this covenant and find ways to increase already high trust levels. The implication is more business and a customer who opens up about their top-secret business initiatives.

The next step is to bring in your CEO to your top 5 customers and have your CEO deliver this one-sided covenant to prevent theft of digital information. This cements an already strong relationship and potentially eases the pressure on annual price reductions. In these strategic customer and partner discussions, you will get a first-mover advantage to showcase your company as a highly trusted strategic partner. Your customers win big: they get their business terms, and they get information security compliance at the highest levels at no additional cost. You win big over your competitors.

One-sided covenant in your end-user agreements

Let’s take the case of Domino’s Pizza and how the pizza chain reintroduced its “30 minutes or it’s free” campaign in India to get 40% market share. Under this policy, the consumers won. They got a fresh, hot product delivered to their home, value for their money, and a guarantee that the product would arrive hot, fresh, and on time. (Rai, 2015)

Similar to the Domino’s Pizza policy, a covenant to prevent theft of personal information in your end-user agreement ensures that your consumers WIN two ways. They get your great product or service, value for their money. They also get to use your product or service without the encumbrance of a breach of their personal information or their privacy. Your business will establish a trusted brand.

The next step in this implementation is to bring your CMO, your CISO, and your General Counsel together. Draft a marketing campaign. Change and simplify the terms of use. Deploy preventive measures. Launch a marketing campaign to build added trust in your brand. Get a first-mover advantage and enhance your brand over your competitors.

Mutual covenant to prevent theft of digital information

Once you start implementing a one-sided covenant to prevent theft of digital information with your strategic or soon-to-be strategic customers, the next phase is the implementation of the mutual covenant with your suppliers or strategic partners. This mutual covenant shall initially be executed by your business with a few of your suppliers. The mutual nature of this covenant assures these suppliers that this is not an unreasonable ask. You may share certain elements of your implementation of security policies, technologies, or procedures with these suppliers. This delivers credibility and signals your intent to make the supplier successful. It also guarantees the supplier that their information is protected from theft.

Mutual Covenant to Prevent Theft of Digital Information.

(a) Covenant. Both Parties and their respective affiliates each covenant to prevent theft of Digital Information, and to institute any procedure, practice, or technology that expressly prevents theft of Digital Information, from any digital means (not limiting to personal, network, or cloud means) used by the Receiving Party, its subsidiary, its affiliate, or any of its employees.

(b) Theft or attempt to steal by a person(s) or machines or bot(s). This covenant shall include theft prevention from any or all thefts or attempts to steal by a person(s), machine(s), bot(s), or a combination thereof.

(c) Report attempts to steal. Each Party shall provide the other Party periodic report(s), at intervals no longer than six (6) months, of any theft incident or attempt to steal any or all Digital Information. The incident report of theft or attempt to steal such Digital Information shall, at a minimum, include the date and time of the incident, the location of the incident, details of the specific Digital Information involved in the incident, and the person(s) or bot(s) responsible for the incident, among other information related to the incident. Either Party, at its discretion, shall immediately report any theft or attempt to steal highly confidential information.

(d) Preventive and proactive incident response. Each Party shall institute a procedure, practice, or technology that preventively and/or proactively addresses any known or unknown ways to steal or attempt to steal Digital Information, from known or unknown actors including persons, bots, malware, worms, or viruses.

We recommend that your legal counsel review the above article for use in your agreements while retaining the intent of the covenant.

Mutual covenant with your strategic suppliers

Our solution suggests including this change with strategic suppliers or partners. In your next QBR (quarterly business review) with a strategic supplier, socialize this covenant and find ways to engage, educate, and lead by sharing your experience with your customers. The implication is better protection of your confidential information held by your supplier and a guarantee of theft prevention to your supplier. You may also see better access to strategic plans and better engagement. The sales team of your supplier will be your best ambassadors, and engaging your suppliers with a mutual covenant shall prove to be an easier task.

Mutual enforceable non-disclosure agreement

As the final phase, our solution suggests including the mutual covenant in non-disclosure agreements. This delivers a mechanism for mutual enforceability of non-disclosure of proprietary or confidential information. Today, non-disclosure agreements are difficult to enforce. This covenant adds an enforceable provision to a boilerplate mutual non-disclosure agreement.

When a new business partner initiates discussion under non-disclosure, we recommend adding the mutual covenant to the non-disclosure agreement for execution. A discussion of the covenant prior to execution, if requested, will convince the new business partner that you take the non-disclosure of their confidential or proprietary information very seriously. It is mutual, and the business partner is extremely likely to execute this mutual enforceable non-disclosure agreement.

When you start the implementation of this final phase, we consider that you have completed the digital transformation. You now have a culture that makes preventing data breaches a way of doing business.

The Network Effect – free the world of data breaches

Your business now has a culture of prevention, the knowledge of protecting digital assets, and the know-how to prevent theft of digital information. You may also have a mechanism to discover, classify, and identify digital information at-rest and in-flight. Your customers now place significantly more trust in your brand. This may result in more business or less pressure on future price reductions.

Your customers and partners start to recognize the benefits of preventing theft of digital information and are likely to implement a similar covenant with their own customers, partners, and suppliers. Are we now on the way to freeing the world of data breaches?

References

Attias v. CareFirst, No. 16-7108 (U.S. Court of Appeals, D.C. Circuit, August 1, 2017).

Breach Level Index by Gemalto. (n.d.). Data Breach Statistics. Retrieved from https://breachlevelindex.com/

Davis Wright Tremaine. (2016, August 6). Breach Notification Summary. Retrieved from www.dwt.com

Greenberg, P. (2018, March 29). Security Breach Notification Laws. Retrieved from NCSL (National Conference of State Legislatures).

IBM. (2018, April 24). Data Privacy Now a Top Public Priority. Retrieved from www.securityintelligence.com

Liew, A. (2013, October 25). Auckland District Law Society. Retrieved from ADLS.

Rai, S. (2015, January 13). How Domino’s Won India. Retrieved from Fast Company.

Toplin, J. (2018, February 16). Business Insider. Retrieved from Business Insider.

TrendMicro. (2017, June 21). TrendMicro. Retrieved from www.trendmicro.com

Vollmer, N. (2017, December 16). EU GDPR. Retrieved from EU GDPR.

Acknowledgment: We thank several people for their feedback, edits, and comments, including Ramana Prasad Parimi, Michael Chiu, Yasmine Staton, and Bhanu Panda.
