Solar Winds Supply Chain Hack Wins Password Contest

Privacy and cybersecurity compliance issues are inextricably linked. In one sense, they are peas in a pod. A security breach can leak all sorts of information assets, from useless server logs to trade secrets to sensitive personally identifiable information, or PII. At the heart of many privacy compliance obligations is the recognition of a duty to make “reasonable” efforts to protect PII through technical and organizational means. Such balancing tests are necessarily a key aspect of enterprise risk management.

The massive SolarWinds supply chain hack is a case in point. On January 12, 2021, security research company CrowdStrike reported discovery of a 3rd strain of malware named SUNSPOT that was deployed in September 2019 – that is 15 months before the first discovery of the hack by cybersecurity company FireEye on December 8, 2020. There are important questions to be answered about the scope and intent of the hack. Was it a massive penetration testing dry run? Can infected IT infrastructure be fully cleaned without burning it to the ground and rebuilding? Was it espionage on steroids or an act of war? How many more shoes will drop?

News reports of the SolarWinds hack often speculate whether important PII was exfiltrated, as happened with the 2015 Chinese hack of 22 million records held by the U.S. Office of Personnel Management. On March 18, 2021, Mimecast reported exfiltration of some production grid source code repositories. Of the many categories of data that could have been (or still may be) impacted, data that is governed by privacy compliance obligations presents a critical risk management challenge for boards and managers.

Data breaches are expensive. According to the 2020 IBM/Ponemon Institute Report, the average cost incurred for a U.S. company data breach was $8.64 million. The risk is real, and an actual or presumed failure to meet privacy compliance obligations is a significant cost driver following a reported breach. Privacy failures also negatively impact public perception and reputation. With this in mind, in addition to vigilance across the entire data protection front, boards and managers should actively concentrate on identifying and protecting data governed by privacy compliance obligations. If “they” are going to keep breaking in through vendors or other back doors, why not store your PII in a better safe?

What is needed, and can be accomplished one step at a time, is a privacy compliance plan. It starts with a recognition of the need for Privacy by Design (PbD), a concept adopted by both the FTC in the U.S and the GDPR in the EU. By taking a proactive approach to privacy today in system design, technology selection, procurement, and encryption technology, PII can be made safer tomorrow – hopefully before the next great hack.

The first step is for boards and managers to recognize the need for privacy risk management and create a team with authority to build a Compliance Roadmap. Whether a core team model (e.g., Chief Privacy Officer) or a partially-outsourced privacy working group is best, will depend on the organization and its risk environment. Whatever the model, the privacy team must have the backing of the board and C-suite and a seat at the table to help spot where privacy risks might exist.

An early step in assessment of risk is to discovery where personal and sensitive data resides in the organization and create PII data maps. If PII is already segregated, encrypted, and considered safe in terms of industry standards and best technical practices, the privacy team must still inquire and be able to certify that all applicable compliance obligations are met for each jurisdiction.

For example, other than regulation of false or misleading statements regarding privacy governed by the FTC, the U.S has no national privacy standards – such regulation is on a state by state basis. (e.g., Mass. 201 CMR 17.00; California CCPA/CPRA). The only way for the privacy team to navigate this patchwork of laws is to analyze where the organization does business, has employees, collects data, or other myriad “triggers” of various state laws/regulations. The bottom line is that out-of-state privacy laws may be enforceable. For example, the California Consumer Privacy Act (CCPA) can trigger substantial privacy compliance obligations outside of California. Similarly, the European Union GDPR regulation applies to U.S. firms processing personal data (i.e., PII) of EU citizens.

To develop a privacy compliance roadmap every privacy team must, at a minimum, investigate the location & sensitivity of its PII, research the applicable compliance obligations, evaluate risks from vendors, create or improve a comprehensive written information security program, enforce security controls, develop compliant data protection & privacy policies, provide training to create good compliance habits, and run fire drills on a breach response plan.

Simple steps matter. News reports disclosed that SolarWinds used a guessable password, “solarwinds123.” One of the Privacy by Design principles is “data minimization.” Non-governmental organizations should create and enforce a document retention (a.k.a. document destruction) policy, especially to cull unneeded PII. Creation of a data map can be automated with data discovery tools but is often accomplished through an internal privacy audit/questionnaire and documented in a spreadsheet. Uncertainty, complexity, or fear of ultimate cost are not legally defensible excuses after a breach of PII. Prudent boards and managers should recognize the wisdom in the Lau Tzu proverb: “The journey of a thousand miles begins with one step.”