So What Does General Counsel Have to Do with Cyber-Security, Anyway?
By Ronald Sarian, VP and General Counsel, eHarmony
eHarmony is big data. We currently have approximately 60 million registrants, each of whom has completed our Relationship Questionnaire (RQ) that contains upwards of 150 questions specifically tailored by psychologists to elicit our proprietary 29 Dimensions of Compatibility. This primary data is used to create what we believe to be unequaled matches. Added to that, the secondary data we obtain—consisting of location, preferences, device, browser, sites visited, and much more—is about 1.6 petabytes to be exact. We take protection of this data very seriously.
“A GC should have a very clear understanding of each and every device and program used to keep the bad guys out”
Though we were utilizing best practices cyber protections for the time, the well publicized 2012 cyber attack on eHarmony caused us to review every aspect of our security with a magnifying glass and up our game to the point where we believe we currently employ industry leading bulwarks. On a macro level, we now have three units within eHarmony responsible for 24/7 monitoring: Technical Operations, Trust and Safety, and Engineering. Tech Ops is responsible for the implementation of data base segregation, firewall, web application firewall (to prevent DDOS bots, SQL injection, cross-site scripting), network layering, encryption (SHA-2 hashing), logging, utilization of Whitehat hacking, two factor authentication/RSA encryption endpoint security and, off boarding when an employee leaves (immediately disabling access to all networks). On top of this, Tech Ops now has in place a robust “off-line” cloud based solution that allows all departments to communicate securely without fear of eavesdropping by hackers in the event of an unauthorized access into the system. This is critical as you don’t want them to know you’re on to them or to be aware of the mitigation measures you are adopting to address the problem, which would very likely cause them to change their tactics.
Trust & Safety is responsible for our Emergency Response Management System, which uses a bespoke scoring algorithm to escalate matters based upon geo-location/discrepancies, device ID, Hot Files (we scan for certain suspect phrases/entries, phrases commonly copied and pasted, amongst others), and inconsistent/odd answers to the RQ questions (e.g., initial answers suggest one personality type but later answers point in a different direction). They also handle all customer complaints about anything fishy (or phishy for that matter).
Last but not least is Engineering, which is responsible for all application based problems.
Each of these departments, as well as our CTO, is in constant communication with one another–and with me. You may wonder what a GC has to do with any of the foregoing. Well, everything. This is especially true in a smaller company, where the General Counsel (GC) is typically the CSO for purposes of insurance and Board communications. Cyber security is now a board level issue due to the frequency and potential gravity of modern cyber attacks. As such, a GC should have a very clear understanding of each and every device and program used to keep the bad guys out. A lot of questions need to be asked. Its General Counsel’s duty to make sure the company is staying, or at least trying to stay, one step ahead of the hackers. I am in constant communication with our Tech Ops, Trust & Safety, Engineering and our CTO. I actually consider them friends in addition to co-workers, quite often having lunch with them. I have their cell numbers. I also spend considerable time on the internet keeping myself up to date with the latest developments in the field so I can engage in intelligent colloquy with my people to assure we remain at the forefront of cyber protection.
Yet in spite of what you have in place, you’d be naive to believe you were invincible. We face an aggressive and relentless foe–and if they get through we face the legal fallout. So if despite all your cyber-security measures your company is hit, the GC must be the one who coordinates with all relevant departments and controls the procedures to immediately identify and mitigate the threat. A detailed recovery plan should be in place and should be rehearsed. The contents of this plan are an extensive topic for another discussion but they rest on the cornerstone that the GC must be involved as early as possible—and to the fullest extent possible. This is not only to afford maximum protection to the company under the attorney client and attorney work product privileges, but to assiduously address the myriad issues that arise separate and apart from the actual attack. For example, General Counsel should immediately formulate the appropriate press release and thereafter coordinate with PR, either in house or outside, to address all media inquiries. Once the extent of the attack has been ascertained, the GC is the one who prepares the requisite consumer notification and disclosures to the various agencies, if the disclosure requirements are triggered. It’s General Counsel’s duty to know the rapidly developing law in these areas, and the law varies by state. Of course, in addition to the bad press and potential reputation damage, litigation and governmental proceedings (attorneys general, FTC, etc.) are always looming on the horizon. General Counsel’s job is to proactively diffuse these potential landmines to the fullest extent possible. And it will be the GC’s tail on the line before the Board in the event the cyber protection is not up to snuff or an attack is thereafter not handled properly.
There is so much more, but suffice it to say that General Counsel is a critical and integral part of a company’s cyber-security envelope. The GC has virtually everything to do with cyber-security. Better make sure yours is on top of it!