The pandemic has pushed the corporate workforce to remote locations, which has resulted in increased risk to corporate data. As corporations rise to the challenge of responding to this risk, compliance officers, CISOs, and leaders should look to revamp disjointed and siloed approaches to protecting corporate data. The past few years have seen a notable expansion of trade secret laws resulting from a new federal trade secret act in the U.S., the passage of stricter trade secret regimes in Asia, and the harmonization of trade secret protection in Europe with the EU trade secret directive. With these new laws has come a noticeable uptick in trade secret civil and criminal cases. Like traditional compliance risks, theft or loss of information can lead to loss of valuable R&D, business disruption, loss of competitive advantage, reputational damage, and – if an employee improperly uses a third-party’s trade secrets – costly civil or criminal litigation. While ransomware, hacking, and phishing schemes often get the most news coverage, insider theft represents the vast majority of data loss.

The Importance of a Cross-Functional Team Approach 

In our view, a Chief Information Security Officer cannot – on her own – sufficiently mitigate the risks posed by insider threats. The task of building and maintaining a robust information security system to mitigate against internal theft requires cross-functional input, execution, and maintenance. While the critical work of protecting infrastructure and equipment is led by the Info Security team, IT, Human Resources, Legal, and other functional groups have a role to play in successfully protecting the company’s resources. This is especially true as it relates to insider threats, where a company’s own employees or trusted partners steal, lose, or divulge the company’s information.

For example, Human Resources needs to be involved in the training, education, hiring, on-boarding, and off-boarding procedures. R&D and business leaders need to make crucial decisions about designation and access to confidential information. They should also be integrally involved in the design of information security systems and the execution of processes that build the systems. Legal needs to be involved in the drafting and execution of confidentiality agreements, supplier agreements, NDAs, as well as incident management, investigations, and pursuing potential legal remedies if and when theft occurs.

There also needs to be communication between and amongst these groups. For example, Human Resources may work with IT on credential management to disable access for departing employees or alert Legal if an employee with access to valuable information resigns to work for a competitor. IT can advise if company devices are outstanding so that Legal can trigger an investigation, decide to preserve the employee’s devices, or send a letter to the new employer, alerting them of the employee’s ongoing confidentiality obligations. However, in many companies, these functional groups have not historically worked together to develop a cohesive, strategic, and tailored approach to data security. Instead, each group addresses areas of the problem that fall within its silo, leading to inefficient and sometimes counterproductive outcomes. Additionally, some functional groups outside of Legal — such as Human Resources — are not trained on the critical role they play in data security, such as ensuring the prompt collection of a departing employee’s laptop, leading to data leakage theft.

Companies have started to coalesce these different functional groups under a unified leadership structure. The implementations and reporting structures vary, from task forces to steering committees, to “trade secret leadership.” But the goal is the same: to align the functional groups to one unified and smart approach for protecting company assets and preventing employees from using or uploading confidential information belonging to a former employer. This “reverse threat” of a current employee bringing confidential information from a former employer into the business environment is a real risk. That’s because corporations are typically the “deep pocket” on the wrong side of a trade secret theft lawsuit. A cross-functional, unified approach to protecting corporate information will be viewed as a best practice.

Building an Operational Strategy

Companies spend significant amounts of money developing confidential and proprietary data and must implement security measures to protect the data from theft or loss. While many corporations focus on information security to protect against outside cyberattacks, most data theft occurs from insiders. Because employees need access to corporate data to do their jobs, a company must consider which additional data security measures are necessary to allow employees to work. At the same time, there is an obligation to protect trade secret data, including, for example, tracking if confidential or proprietary data leaves the system. This is not just a best practice; it is required. Trade secret regimes worldwide require a company to demonstrate that it took “reasonable measures” to protect their data before they can claim trade secret protection over its information. While “reasonable measures” is not a well-defined term, courts are looking at the overall robustness of an organization’s approach to data security to determine whether a trade secret right has been established.

To address this threat and ensure that reasonable measures are in place, we recommend a cross-functional team to develop an operational strategy. This high-level operational plan allows the team to identify risk and reach consensus on priorities, strategic response, implementation, responsibilities, and accountability. Building consensus around a well-thought-out approach – including identifying data protection strategies designed to protect data from insider threats and allocating resources – is a key step toward effective trade secret protection.

Further, a company’s ability to respond to data theft and minimize what can be catastrophic and costly consequences – depends on the implementation of measures to detect, investigate, and contain any such theft long before it occurs. The operational plan should address data theft response so that a company is well-positioned to respond swiftly and efficiently.

Focusing on Trade Secret Audits

We counsel clients to be proactive in protecting corporate data by conducting a data security audit to identify and protect confidential and trade secret information. The audit should not just focus on the technical aspects of the systems (though technical audits and strategic roadmaps are integral aspects of most information security programs), but also approach protection from a cross-functional, proactive perspective looking at preventing theft, detecting theft, and responding to suspected theft. By assessing the maturity of technical systems and processes and the human side, companies will be able to determine their risk to information theft more accurately and be well-positioned to mitigate that risk in a coordinated approach.

These audits involve identifying the corporate trade secret information, how the data is handled, and who has access to such data. The audits consider a review of the data security provisions in place to restrict and protect data, and a review of policies, processes, and procedures. Audits also include analyzing the enforceability of the company’s standard confidentiality agreements and assessing information security measures, including interviews with key stakeholders.

While the contours of such an audit vary depending on a company’s size, international presence, industry, type of workforce, nature of its trade secrets, and risk tolerance — all companies need to be addressing this risk from the perspective of cross-functional groups.

Here’s a typical scenario. When a key employee is off-boarded, does HR ask probing questions about confidentiality and the employee’s next move? Does HR notify Info Sec when an employee has given notice so that heightened monitoring may be employed? Does R&D fully utilize logs and data access restrictions for higher prioritized information? Do the Legal and InfoSec teams have a protocol for investigating potential misconduct that maximizes evidentiary value while also preserving legal optionality? Have hiring managers been trained about the risks of soliciting competitive information?

The answers to these types of questions, and many others, have a direct bearing on the success or failure of a data security program but may fall within several groups, besides the purview of the CISO.

Furthermore, systems or protocols to improve how the company answers these questions or address data theft require buy-in and implementation by employees outside of the InfoSec team. A company must take a cross-functional approach to data theft to minimize data theft and maximize its ability to respond to (and mitigate the consequence of) a theft that does occur.

As the workforce changes how employees interact with corporate data, companies should bring together the key stakeholders to develop an operational plan to address information security from insider threats and conduct a trade secret audit to protect its valuable data.

Companies that bring teams together and form an operational strategy are more likely to protect data than the best-intentioned silo approach.

Curtesy: cisomag.eccouncil.org

Air India disclosed a data breach after personal information belonging to roughly 4.5 million of its customers was leaked two months following the hack of Passenger Service System provider SITA in February 2021.

The Indian national carrier first informed passengers that SITA was the victim of cyberattack on March 19.

“This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers,” Air India said in a breach notification sent over the weekend. 

“This incident affected around 4,500,000 data subjects in the world.”

The airline added that the breach impacted the data of passengers registered between August 2011 and February 2021.

Nevertheless, after investigating the security incident, it was found that no credit card information or password data was accessed during the breach.

However, Air India urges its passengers to change their credentials to block potential breach attempts and ensure their data security.

“The breach involved personal data registered between 26th August 2011 and 3rd February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data,” Air India added.

“However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor.”

The protection of our customers’ personal data is of highest importance to us and we deeply regret the inconvenience caused and appreciate the continued support and trust of our passengers. — Air India

Data breach impacts Star Alliance members

Almost a dozen more air carriers besides Air India informed passengers that some of their data was accessed during a breach of SITA’s Passenger Service System (PSS), which handles transactions from ticket reservations to boarding.

SITA also confirmed the incident saying that it reached out to affected PSS customers and all related organizations in early March.

At the time, a SITA spokesperson told BleepingComputer that the breach impacts data of passengers from multiple airlines, including:

  • Lufthansa – combined with its subsidiaries, it is the second-largest airline in Europe in terms of passengers carried; Star Alliance member and Miles & More partner
  • Air New Zealand – flag carrier airline of New Zealand
  • Singapore Airlines – flag carrier airline of Singapore
  • SAS – Scandinavian Airlines
  • Cathay Pacific – flag carrier of Hong Kong
  • Jeju Air – the first and largest South Korean low-cost airline
  • Malaysia Airlines – flag carrier airline of Malaysia
  • Finnair – flag carrier and largest airline of Finland

Some of these air carriers (including Air India) are part of the Star Alliance, a global airline network with 26 members, including Lufthansa, the largest in Europe.

Star Alliance told BleepingComputer that its members also share customer details relevant to awarding traveling benefits. 

The information is limited to membership names, frequent flyer program membership numbers, and program tier status.

Curtesy: bleepingcomputer.com