A hacker released the first nine episodes of the new season of the Netflix series “Orange is the New Black” when Netflix refused to pay a ransom demand. The breach late last month was not the result of a daring intrusion or sloppy network security at Netflix, but a data breach at Larson Studios, an audio post-production company that did work on the episodes in the background. It was the failure of a specialized vendor that will likely result in the loss of millions of dollars in entertainment properties from several major studios.
In a 2015 Best in Law column, I cautioned companies on the importance of good data hygiene at home. Many companies in the past few years have taken that advice to heart, investing substantially to protect their trade secrets and private information, as well as those of their customers and employees. But a company’s information is only as secure as its weakest link. In modern supply chains, that link may be two or three steps removed, with a parts supplier or subcontractor who has access to vital intellectual property used to manufacture products.
Sensitive information may also reside with professional service providers, such as accountants, attorneys and engineering firms, and customer lists may sit on the networks of marketing and advertising firms. All these vendors are potential targets, since as service providers they hold information from many companies across many industries.
The threat of cyber criminals using extortion against commercial interests is growing in size and sophistication. In 2016, according to the FBI, over $1 billion was extorted from American companies by cyber criminals who hacked valuable information and demanded ransom for its safe return — and this was from the companies that were willing to report the crime.
The loss of valuable data to extortion can cause damage to a company in a myriad of ways, from the actual loss of trade secrets to the loss of reputation, trust and customer goodwill. If personal financial information is disclosed, it can also lead to significant costs in terms of legal disclosure requirements and liability to consumers.
There are a few good ways to protect against threats in the supply chain. In addition to non-disclosure agreements and confidentiality provisions, business vendors and suppliers should be required to comply with the same security standards that a business employs to protect its own information. Contracts should require the use of virtual private networks and encrypted connections to transfer sensitive data. Do not allow the transfer of files by email. Avoid blanket limitation of liability clauses that do not carve out liability for data breaches or the loss of confidential information. In other words, expect a vendor to treat sensitive information on its network with the same caution it would apply to a prototype product or the tooling for a sophisticated part.
Another way to protect the information is through insurance against cyber extortion. This insurance can help to manage the costs of complying with an extortion demand and the other financial impacts if security precautions have failed.
However, read the fine print on these policies very carefully. Make sure that they cover the disclosure of confidential information by you or third parties. Also, review the claim requirements. Many of these policies will require that the extortion demand be reported and payment approved in advance. Extortion demands often have very short timeframes for responses, and involving the insurance carrier up front may not always be practical when making critical decisions about whether to comply with an extortion demand.