Steve Zipperstein, CLO of Blackberry, speaks to Argyle's General Counsel membership on hacking, sabotage, and corporate liability in the modern digital landscape.
Zipperstein began his presentation at the 2015 Chief Legal Officer Leadership Forum held in Chicago on September 30th by challenging the audience with this question: “Three years ago, would you have believed that a single contractor could steal every classified document from the United States National Security Agency, or that the NSA was engaged in hacking and interception of private information of global leaders, individuals, and companies around the world?” No, but that’s all changed. Hacking is now at the top of the agenda for everyone. “One constant theme I’ve been hearing, whether I’m in Indonesia or India or Argentina or Europe or anywhere, is concern about cyber threats,” he said.
“One constant theme I’ve been hearing, whether I’m in Indonesia or India or Argentina or Europe or anywhere, is concern about cyber threats.”
Basically, these threats fall into two categories, Zipperstein explained. First, people are concerned about plain, old-fashioned theft—breaking into a computer system of a company and either stealing internal corporate data, stealing the information on the balance sheet, or stealing information in employee files.
The second threat, which Zipperstein said he’s hearing much more of recently, is sabotage—people breaking into a computer system and causing the computer to do something other than what it was programmed to do. Generally, IT systems are the target of theft and OT (operational technology) systems are the target of sabotage. Zipperstein emphasized that "sabotage is a huge concern as we move into the Internet of Things, in which we have machines interacting with other machines in cyberspace as opposed to the traditional cyber model of a human being interacting with a machine, a smartphone, a computer, or a tablet."
"Sabotage is a huge concern as we move into the Internet of Things, in which we have machines interacting with other machines in cyberspace as opposed to the traditional cyber model of a human being interacting with a machine."
Companies are sued as the result of hacks, even though they’re victims. How can the victim of a hack be liable? The theory is quite simple, said Zipperstein. “You were negligent. You failed to take reasonable steps.”
There are good defenses to this claim, however. First of all, standing. The mere theft of a customer’s data doesn’t automatically mean the customer was injured unless there’s evidence of economic or physical damage. “Absent some kind of economic injury or physical harm in the case of sabotage, it’s going to be very difficult for a customer to establish standing,” noted Zipperstein.
“If we lose on standing from the defense perspective and we have to go forward and defend the case, then, of course, you’re talking about damages,” said Zipperstein. Individual damages might be low but, on a class-wide basis, if a plaintiff is able to get a class certified, damages can be quite high.”
"Boards are now holding accountable not just senior management but also vendors to the company."
One thing Zipperstein is spending a lot of his time on is collaborating with his CIO to ensure that the company is best in class. They’re benchmarking against other high-tech companies to make sure they’re doing everything they can to have not just the most resilient and most robust defenses around both the center and edge of their network, but the most technologically advanced as well.
Boards of directors are now rightly concerned about their personal liability and their company’s liability for failure to maintain an adequate program to prevent, detect, and deter cyber theft. "In addition, boards are now holding accountable not just senior management but also vendors to the company." Zipperstein stated that his board wants him to make sure that not only is the company protected but that its vendors are protected as well. “You’re going to see a lot more of this, I predict, as we go forward,” said Zipperstein.