Again, the role of a law firm in this environment should certainly include crafting and approving the basic development contract, but also making sure security validation is a well-defined requirement of the overall agreement.
How to Respond After a Breach
When a security breach does occur, businesses (and their counsel) need to be ready to react thoroughly and decisively. A few of my suggestions for the days, weeks, and months following a breach are:
• Don’t panic. Carefully consider the nature of the breach, what data (if any) has been compromised and what the business’ next steps should be. A premature release of breach information may cause unnecessary customer panic or, even worse, make management look even more inept when they revise information sent out too hastily. Advise them to take the time to respond with dignity and thoughtfulness.
• If required, inform the appropriate financial and legal entities as soon as possible. Depending on the industry, there may be strict requirements for reporting security breaches. Your client’s problem will only get worse if they are caught hiding information. Keep in mind that many security breaches become public knowledge as the compromised data is used or sold within the cyber underground, not as a result of company disclosure. As a side note, an embarrassingly large number of security breaches are never discovered by the company that was breached.
• Inform users or clients and customers as soon as appropriate. There is a line between keeping a company viable and an ethical responsibility to customers. My thoughts on this line are to consider the damage that might be done to customers and think about how you would expect to be treated.
• Call the insurance company. Depending on the nature of the breach, the business may be covered for some, if not all, of the expenses associated with recovery. Suggest that the business give their insurance company a call. They might also take the time to talk about cyber insurance with their agent—for the next time.
As a legal professional, you should easily be able to see the pitfalls inherent in panic-stricken businesses reacting to security breaches. Legal, financial, and professional stakes surrounding a security breach may be high enough to shut down the business. The correct reaction may be well outside of the expertise of the business, or, even worse, the business may naively attempt to react on their own.
www.vtbar.org THE VERMONT BAR JOURNAL • SUMMER 2012 33
Conclusion
Hopefully, I have provided food for thought on the security opportunities and responsibilities of law firms supporting small businesses. Obviously, I’ve brought up far more issues and concerns than solutions. My hope is that even a casual discussion of security problems will prepare you with far more knowledge than the majority of your clients. It’s a mean world out there; cyber crime is an industry run by foreign nationals from countries where cyber criminals are not prosecuted. An industry-accepted statistic is that more than 70% of all Internet web sites⁵ contain critical security vulnerabilities. Many of your clients undoubtedly are on the wrong side of this depressing number.
One final note to add one more level of additional worry: Web application security awareness has only recently entered mainstream web site development. If your client’s web site is more than four years old, not only is it certainly open to a critical security attack, but it is probably a target for even the most amateurish hackers: script kiddies, young kids who hack web sites because doing so is more fun than playing a predictable Xbox game.
____________________
Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with more than eighteen years of experience building secure web applications, Wlasuk is an expert in web security—from evaluation to web development and remediation.
____________________
1 Alan Wlasuk, Security Through Obscurity? Don’t Count on It, SECURITY WEEK, Oct. 21, 2011, at http://www.securityweek.com/security-through-obscurity-dont-count-it.
2 Alan Wlasuk, Plausible Deniability: The Web Security Version, SECURITY WEEK, July 15, 2011, at http://www.securityweek.com/plausible-deniability-web-security-version.
3 https://www.owasp.org/index.php/Main_Page.
4 http://www.acunetix.com.
5 Paul Roberts, Insecure Applications: We Are The 84 Percent!, THREAT POST, Dec. 7, 2011, at http://threatpost.com/en_us/blogs/insecure-applications-we-are-84-percent-120611.
Small Businesses and Law Firms