Cybersecurity––Penetration Testing Under a Lawyer’s Umbrella
Nowadays, “malware,” “ransomware,” and “hacking” are ubiquitous terms. Take a quick glance at your LinkedIn feed and you might see something related to cybersecurity. Frankly, cybersecurity should be there. The protection of sensitive, personal data is paramount and corporate leaders are taking notice. According to recent surveys by Grant Thornton and the Association of Corporate Counsel, cybersecurity has become a major concern for corporate officers and general counsel. Their concerns aren’t surprising as businesses can sometimes face devastating consequences following a data breach. Recent headlines reporting on the Uber and Equifax data breaches have highlighted the necessity for businesses to enhance cybersecurity awareness.
Cybersecurity comes in many forms. A robust cybersecurity strategy should—at a minimum—include items such as vulnerability assessments, cybersecurity policies and procedures, compliance audits, tabletop exercises, and penetration testing. Each tool in the cybersecurity arsenal serves a unique and vital purpose. This brief article focuses on penetration testing and the legal issues that should be considered prior to a contracting for a formal security assessment.
A penetration test, or “pen” test, is a highly useful tool in which cybersecurity experts are given permission to test––i.e., authorized to attack––an organization’s computer systems. The purpose of pen tests can vary as they can be used to establish a security baseline, to assess the organization’s security controls, or to uncover cybersecurity weaknesses. Cybersecurity weaknesses often include vulnerabilities that hackers can exploit to gain unauthorized access into the organization’s systems or networks. Shockingly, it is not uncommon for hackers to exploit unpatched security vulnerabilities. That’s a huge problem. In many cases, vulnerabilities can be remedied by patching the system––usually involving some type of a security update––in the first instance. However, if the vulnerability hasn’t been patched, a skilled pen tester might discover it and notify the organization before it is exploited.
The above description is rather elementary but pen testing is a highly complex, formal cybersecurity process that involves a number of technological and legal considerations. Importantly, these issues must be carefully deliberated and discussed prior to commencing the pen test. Below are some issues that companies and pen testers should consider:
Written Permission – The pen tester must be given express authorization to conduct the pen test. Importantly, the pen tester should also confirm (in writing) that the business has the authority to authorize the pen test on all of the systems within in the scope of the test.
Scope – The pen tester and the business should clearly define the boundaries of the pen test before the process begins. Remember, pen testers could face problems if they exceed the bounds of the authorized scope.
Cloud – If the organization uses cloud-based computer systems, you may need permission from the cloud service provider (“CSP”) to conduct a test on that system. Remember, the agreement between the organization and its CSP may have restrictions on pen testing.
Data Breach – The agreement should specify what the pen tester should do if, during the course of the pen test, she or he identifies a data breach. Remember that the pen tester’s responsibility is to conduct a penetration test and not to respond to and remediate a data breach.
Indemnification – Penetration tests are highly complex and could potentially expose the pen tester to liability if a problem arises during the test. There are a number of issues to consider regarding the agreement between the business and the pen tester.
Legal Counsel – Oftentimes, penetration tests are merely viewed as a function of cybersecurity rather than as a function of determining the legal risks associated with cybersecurity. For pen testers and businesses alike, it’s probably best to treat pen tests (and other security audits) as the latter because significant legal issues can arise at every stage of the process. To that end, parties who consult with legal counsel at the onset may gain significant legal protections should an unforeseen event occur, such as the discovery of a data breach or lawsuit.
All businesses must face the issue of cybersecurity. It’s not an issue solely relegated to the Fortune 500. As Robert Mueller stated: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” As instances of cybercrime continue to rise, businesses must continue to evaluate and reevaluate their cybersecurity posture. While penetration testing should certainly be a tool in your cybersecurity arsenal, both the pen tester and the business should carefully consider the legal issues early in the process in order to avoid unnecessary legal risk.
 Association of Corporate Counsel, Chief Legal Officers 2017 Survey, available at http://www.acc.com (last visited December 20, 2017); see also, Grant Thornton, Rising to the risk: Cybersecurity top concern of corporate counsel, available at https://www.grantthornton.com/~/media/content-page-files/advisory/pdfs/2017/Cybersecurity-top-concern-of-corporate-counsel.ashx (last visited Dec. 20, 2017).
 Vulnerabilities can exist in a number of places, including websites, web browsers, networks, email servers, mobile devices, computer applications, and other computer-based systems.
 Roger A. Grimes, Zero-days aren’t the problem -- patches are, available at https://www.csoonline.com/article/3075830/data-protection/zero-days-arent-the-problem-patches-are.html (last visited December 20, 2017).
 Robert S. Mueller, Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies, RSA Cybersecurity Conference (Mar. 1, 2012), available at https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies (last visited Dec. 20, 2017).
. . .