Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/5/2019
02:00 PM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit

Assessments can be used against your company in court proceedings. Here's how to mitigate this potential risk.

SOC 2 audits and third-party technical assessments are useful tools for an organization to use in navigating the security risks it may face. But these security road maps also can provide direction to a plaintiff's counsel suing your organization in a later lawsuit related to a data breach. If the assessment describes your organization as being riddled with security vulnerabilities and, after the assessment, one of these unrepaired vulnerabilities is utilized to infiltrate your network, the assessment becomes proof that your organization knew about the risk and did not fix it.

On the flip side, engaging a third party to assess your security risk can also be used as a defense in court proceedings, showing that your organization engaged unbiased third parties to determine what risks it might face. In that way, an assessment can be a powerful tool in later court proceedings.

How do you mitigate against this potential future risk? Here are two strategies you can employ.

1. Think hard about who you're engaging and the services they provide.
In the last few years, there has been a proliferation of service providers claiming to offer technical security assessments. In determining who to hire, budget can't be your primary driver. Are your own customers requiring you to have a SOC 2 audit? Then you will need to engage a CPA firm that offers auditing services covering the Systems and Organizational Controls 2 (SOC 2) as put forward by the American Institute of Certified Accountants. Outside of a SOC 2, you may engage technical firms to perform assessments based on a variety of approaches, including the matrix from the National Institute of Standards and Technology.

But keep in mind that not all technical firms are created equal and that you need a reputable provider to put forward an assessment. Cheap sometimes means shoddy work. And if a service provider is looking for a later "up-sell" of services, be aware of that, too. Offering an array of services is not bad per se, but be cognizant of what could be motivating some of the findings. For instance, if the provider sells firewalls and suddenly your assessment comes back suggesting you need an upgrade, you may wonder whether the assessment was motivated by an unbiased opinion.

Create a list of questions to conduct diligence on providers and interview multiple providers. Develop a document trail of the process that went into engaging the audit team. This can be beneficial later to show your organization was thoughtful about security risk and wanted a truly unbiased opinion.

2. Arrange the engagement to protect the findings.
Attorneys have two special powers when it comes to confidentiality and protecting information. The first is the attorney-client privilege. Under the attorney-client privilege, communications between a lawyer and a client seeking and providing legal advice are protected from disclosure. The second is a nuanced doctrine called the work-product doctrine. Under this doctrine, a lawyer may engage a consulting expert to support the lawyer's legal work on behalf of a client. This too, in most cases, is considered confidential and privileged.

So, what does all this have to do with getting an assessment? Organizations are now hiring outside counsel to work with them on obtaining an assessment in order to shield assessments with confidentiality. The process works like this: An organization engages outside counsel to assist in reviewing the organization's cybersecurity risk. Outside counsel then engages the third-party assessment team to provide a technical assessment or SOC 2 to the lawyer. The engagement letter is set up so that the lawyer receives the technical assessment to support the lawyer's legal work. The lawyer and the client discuss the findings of the report together.

What does this do? It insulates, as best we can, the findings from being disclosed in a later lawsuit by using both the attorney-client privilege and the work-product doctrine. I've seen assessments come back with score cards of 35/100. The last thing any defendant in a data breach lawsuit needs is a 35/100 assessment scorecard blown up as an exhibit in front of a jury box, with an impassioned plaintiff's lawyer talking about how the company received a F on its assessment and did nothing to repair the risk before the breach occurred.

Without a lawyer, there is no privilege. Marking the document "confidential" and exchanging it may keep it confidential within your organization. But it won't protect the assessment from being disclosed to a plaintiff's lawyer in a later data breach lawsuit. The only way to try to do that is to work hard on the front end of obtaining assessments and have a lawyer involved in the process.

Related Content:

Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Jmurphy116
50%
50%
Jmurphy116,
User Rank: Apprentice
12/17/2019 | 8:05:24 AM
Re: black magic
The article isnt telling companies to not fix their bad security practices, it is telling them how to have an honest assessment of their security with true confidentiality. If a company is afraid that any flaw found in an assessment can be brought out as Exhibit A in a lawsuit, they are far less likely to seek a high quality assessment. If a company knows that security company A is a top rated pentest company, and they will most likely find something significant to be addressed, but security company B is also "certified" from a check the box regulatory perspective but most likely wont find anything, AND they are concerned that any finding can be incorporated into a lawsuit, then what is the motivation to go with security company A? If however, the findings are truely confidential, as the process involved here outlines, than the company can go with the best to find all of its flaws and work on correcting them.
sgkmp
50%
50%
sgkmp,
User Rank: Apprentice
12/9/2019 | 12:03:51 PM
black magic
I'm appalled by this article. Instead of directing people with bad security practices to fix them, you are counselling them on how to hide their poor practices!!! Shameful.
Major Brazilian Bank Tests Homomorphic Encryption on Financial Data
Kelly Sheridan, Staff Editor, Dark Reading,  1/10/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft Patches Windows Vuln Discovered by the NSA
Kelly Sheridan, Staff Editor, Dark Reading,  1/14/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Post a Comment
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3683
PUBLISHED: 2020-01-17
The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and...
CVE-2019-3682
PUBLISHED: 2020-01-17
The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1_ce-7.6.1 provided access to an insecure API locally on the Kubernetes master node.
CVE-2019-17361
PUBLISHED: 2020-01-17
In SaltStack Salt through 2019.2.0, the salt-api NEST API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
CVE-2019-19142
PUBLISHED: 2020-01-17
Intelbras WRN240 devices do not require authentication to replace the firmware via a POST request to the incoming/Firmware.cfg URI.
CVE-2019-19801
PUBLISHED: 2020-01-17
In Gallagher Command Centre Server versions of v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 prior to v7.80.960(MR2) and v7.70 or earlier, an unprivileged but authenticated user is able to perform a backup of the Command Centre databases.