Small Businesses and Law Firms—Protecting the Security Interests of Clients
by Alan Wlasuk
The Vermont Bar Journal, Summer 2012


Is there anything more financially fragile than a small business in the U.S. today? As we climb out of the Great Recession, many of the surviving small businesses were forced to cut corners, often making compromises on the IT side. Combine this with an unprecedented rise in cyber crime that took the 2011 U.S. cost of security breaches to $32 billion, and one can easily predict the future security troubles of many small businesses.


As legal, and sometimes operational and financial, advisors to small businesses, law offices should be more aware than ever of the security risks to small business clients, understand how to mitigate these risks, and lend support when a security breach occurs.


While I can’t cover IT security in its entirety here, I’ll touch on three areas, each of which should give you an idea of security troubles ahead and what you might be doing to anticipate these troubles:

1. Professional and financial liabilities
2. Reasonable contractual expectations
3. Responses after a breach

To set the stage for my thoughts on the advice and support a law office might provide to small businesses or at least be aware of, let me start by sharing a few details of my background. I am the managing partner of 403 Web Security, a web application security company, and WDDinc, a software development firm with close to twenty years of developing software, much of it for small businesses. While I am not a legal expert, I have seen more than my share of software-related contracts and have a firsthand view of the risks these organizations place themselves under. For the sake of simplicity and to take full advantage of my experience, I’ll limit my notes to web application security—more commonly known as security within small business web sites.


Professional and Financial Liabilities


Without hesitation, I can say that the vast majority of small businesses not only have inadequate security protections in place, but also are oblivious to the fact that they are security risks. Even worse, recent headlined security breaches of high-profile companies seem to engender only a misguided belief that they are immune from security attacks because they are small fish in a huge ocean.


The truth is, not only are small businesses not immune from attack,[1] they are prime targets because of their lack of security. Consider the monetary value of even small, undetected breaches—unlimited time to exploit compromised data and the opportunity to revisit the sources months and years into the future.


When considering security liabilities, I like to separate small businesses into two categories. The first would be those businesses that collect and save protected data (i.e., medical, identity) within their own environments. The web sites that support these businesses tend to be custom built by design or development companies that have little or no experience in creating secure web sites, and almost never have the capabilities of testing new sites for security vulnerabilities. These companies potentially are open to huge fines when their data is compromised.


The second, and larger, category is small businesses with e-commerce components. These businesses usually, and wisely, use well-established (and secure) external web services to handle credit card and other payment transactions. Unfortunately, this approach is successful only when the business’ basic web site is secure. The point almost always missed is that a hacker does not always breach a web site for its underlying data. For example, a hacked site may be modified in subtle ways to take an unsuspecting consumer to a fraudulent e-commerce service that will happily collect and exploit the consumer’s credit card as soon as it is entered. Or, one of my favorite security flaws, Cross-Site Scripting (XSS), might allow a hacker to take over a legitimate user’s browser—effectively compromising that user’s e-commerce transactions or invading the user’s entire computer.

In either case, a small business may be financially and legally liable for the fraud and illegitimate use of information from its security breaches. Perhaps just as importantly, the loss of reputation and consumer confidence alone might be enough to ruin any small business.

A proactive law firm might be in a unique position to address potential security issues and breach consequences with their clients. This should be part of the support of any client.
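As an added example that is not from the article, here is the kind of integrity check a shop owner's developer could run over the shop's own pages to catch the subtle modification described above: a checkout form, link or script that has been quietly repointed at a host other than the legitimate payment provider. The host names are constructed placeholders.

```python
# Added example (not from the article): flag checkout forms, links and
# scripts on the shop's own pages that point at a host outside the
# allow-list of legitimate destinations. Host names are placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the shop legitimately sends customers or their browsers to (assumed).
ALLOWED_HOSTS = {"shop.example", "pay.legit-provider.example"}

# Tag -> attribute whose value can carry a customer or browser off-site.
WATCHED = {"form": "action", "a": "href", "script": "src", "iframe": "src"}


class OutboundTargets(HTMLParser):
    """Collects (tag, url) pairs for every watched attribute on the page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attr = WATCHED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.targets.append((tag, value))


def find_unexpected_hosts(html, allowed=ALLOWED_HOSTS):
    """Return (tag, url) pairs whose host is not on the allow-list.

    Relative URLs stay on the site's own host and are not reported. The
    match is on the exact host, so a look-alike subdomain is still flagged.
    """
    parser = OutboundTargets()
    parser.feed(html)
    suspicious = []
    for tag, url in parser.targets:
        host = urlparse(url).hostname
        if host is not None and host.lower() not in allowed:
            suspicious.append((tag, url))
    return suspicious


# Constructed sample: a checkout page with one legitimate form, one
# repointed form using a look-alike host, and a foreign script.
TAMPERED_PAGE = """
<form action="https://pay.legit-provider.example/checkout" method="post"></form>
<form action="https://pay.legit-provider.example.not-the-provider.example/checkout"></form>
<a href="/cart">Cart</a>
<script src="https://unknown-cdn.example/track.js"></script>
"""
```

Run against a saved copy of each page on a schedule and treat any non-empty result as a reason to compare the page with the last known-good deployment.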


Reasonable Contractual Expectations


One of my best contractual stories revolves around a conversation with the president of a local web site design firm—a good friend and one who feels comfortable with being candid with me. During one of his development projects, I offered to do a free security evaluation of the soon-to-be-released web application. His rejection of my offer came with the rationale that if the web application was ever compromised, he wanted to be able to honestly tell the client that, to the best of his knowledge, the delivered web site was secure.

I haven’t the faintest idea of the legality of my friend’s hope for plausible deniability,[2] but it should be obvious that two very poor consequences come out of his approach to security. The first is that his client will end up with an insecure web site, when they could just as easily have had a product that would have withstood all but the most experienced and persistent hackers. The second eye-opening realization is that the client never asked about security, and the development contract never addressed security. In this case, the client (and potentially the law firm that reviewed the contract) never included security development and testing as one of the primary requirements of the relationship. A single section added to the development contract might have the effect of preventing a devastating security breach.

A favorite statement of mine goes as follows:

Businesses end up with a lack of security because they never, ever ask about it.


Almost all web site development contracts include obvious legal details like payment schedules, software ownership, and product specifications. These terms protect the interest of the business as well as the development firm—standard boilerplate.

A well-written contract should also include a requirement that the contracted web site be developed under strict security guidelines (consider OWASP[3] as a source of information) and that a comprehensive third-party security penetration test (Acunetix[4] as one such test) be run and presented before product acceptance. The additional cost for security-oriented development should be minimal, since a knowledgeable development firm should be adhering to these practices regardless of a request. The third-party security penetration test can be contracted for with one of many firms and should cost only a few thousand dollars.

