Canada-U.S. Blog Trade Lawyers Cyndee Todgham Cherniak and Susan K. Ross

Cybersecurity


Originally published in the Journal of Commerce in May 2014.

The word cybersecurity causes shudders in the hearts of anyone in the etailing business, and one need look no further than Target, Michaels, eBay and Neiman Marcus for the latest examples of significant consumer data theft. Unfortunately, cybersecurity and the thought of data being compromised have not caused as much concern among other businesses. For those of us involved in the movement of goods, but not in etailing, cybersecurity is an ever-increasing headache. By way of example, we continue to hear about containers which arrive where the cargo being shipped should fill the container but instead, when the doors are opened, there is no cargo, only evidence of individuals who were smuggled into the country and are long gone.

Perhaps more compelling is a recent story from a Homeland Security Investigator with whom I shared a panel on the topic of cybersecurity. He provided details about a recent intrusion that presents truly chilling overtones. The saga begins with containers exported from South America and drugs stowed in with the cargo. The vessel arrives in Amsterdam and the containers are off-loaded. At this point, the drug smugglers hack into the computer system of the terminal operator, track where their containers are located and figure out the point where they can break into the containers. The goal is to retrieve the drugs in the way they are least likely to be observed or caught. This process was used repeatedly before it was discovered.

Perhaps we do not need to think quite so dramatically when looking at the issue of data being compromised.  Many companies do not even worry about who has access to their goods or documents. They aren’t even sure they know how payroll data for their own employees is protected. If you use a payroll service, do you know how many individuals at that service have access to the Social Security numbers and other key data of your own staff? Do all those individuals need access to that data all the time? If not, how are you making sure only those with a need to know have access? If you handle your own payroll, you should be asking the same questions – who has access to the key personal data of the employees, and do they routinely need that access to all that data?

Similarly, when it comes to data about shipments, who has access or read/write authority to the data? Do they absolutely need it? Who has access to the containers when being loaded and unloaded?  At a program discussing cargo security a number of years ago, a security expert told the story about one of his customers in the high-end perfume business.  The company was encountering significant losses despite a security protocol having been put in place. So, the security company sent the expert to observe with the obvious goal of trying to figure out why the losses continued. The security protocol mandated only the warehouse manager or warehouse supervisor would seal the trailers. Instead, they were handing the seals to the drivers who were left to seal the trailers themselves. One enterprising driver that day was chewing on the seal so he distorted it enough that it would seem to seal the trailer. He would then go a couple of miles down the road, remove the seal, unload some of the perfume, hand it off to his co-conspirators, reuse the seal to seal the trailer and, when he arrived at destination, the seal appeared intact.

While this process was admittedly a low-tech form of supply chain corruption, the more high-tech process of intruding into a computer system, identifying shipments to target and then grabbing them is a part of everyday life these days.

An oft-stated feeling in the transportation industry is that corruption of the supply chain is really only a concern when it comes to the shipment of drugs or high value goods. While it is true that furniture has been constructed around drugs, and drugs have been commingled in fresh fruits and vegetables being shipped in various forms, the reality is that corruption of the supply chain means more than cargo damage or loss. If you have a container arrive with evidence of someone living in it, your supply chain has been corrupted. Similarly, if bribes have been paid to foreign officials, or trade secrets have been stolen, or the computer code to the design of your latest product is posted on the Internet, your supply chain has been corrupted. You need only read the daily newspaper or journalism websites to see regular evidence of supply chain corruption in the form of theft of trade secrets, misdeclarations of goods and other illegalities, and with alarming frequency.

When it comes to high value cargo, the term needs to be defined. Certainly, the obvious meaning of a multi-million dollar shipment is clear, but those often travel with additional security. But a shipment can be high value because it is the new line for a successful apparel company, or it could be the latest mock-up of a construction site. These and many more examples offer situations where competitors or bad guys see a way to gain an advantage if they steal the information. Therefore, the cargo is ripe for theft, and it might be something as simple as the price of the raw material going up dramatically, thereby making the product highly valued at that particular moment, but not generally otherwise. Another example was the recent story of a diamond merchant losing $2 million in diamonds when he was pulled over while driving and the gems stolen from his person. You know someone had inside information – they knew where he was going to be, when and what he had on him – his supply chain was successfully hacked!

In the IT community, the general feeling is large companies with much to protect usually do a successful job with their electronic infrastructure. However, much like the neighborhood thief who avoids the home with an alarm system and looks instead for the open window through which to get into the house, hackers are now looking for easier access to highly prized information. So, they are turning to intruding into a service provider’s system, e.g., the freight forwarder, law firm, accountant or air conditioning/heating provider.  They might also plant malware on your website and use its spread to get into your computer system.

As the threat of computer hacking spreads to companies of all sizes and sorts, here are some questions to consider:

1) Has the issue of cybersecurity remained with your IT department or do you have involvement from ownership, the Board of Directors or the officers regarding compliance?

2) When was the last time you had your computer system checked by a third party as a form of due diligence?

3) If you are a service provider who is required to report about cybersecurity measures in a request for quotation, how can you be sure the steps you are saying are being taken are actually being regularly implemented within your company?

4) Just about every company now supports BYOD – bring your own device. This is generally done to facilitate ease of working remotely. How recently did your company review how best to balance the need to keep data secure with enhancing employee working flexibility? How frequently is that issue revisited?

5) What is the size of your current computer infrastructure budget? Is that amount really adequate to do the job?

6) Do you know the internal reporting procedures in the event you discover your company has been hacked?

7) Who handles reporting the hack to management? To outside regulatory authorities? To law enforcement? Is there even such a procedure in place? If not, why not? What will it take to create one so you are ready when the intrusion happens?

At a recent meeting of major companies and law firms, an IT security consultant was asked how many of the companies and law firms represented in the room had been hacked. His immediate answer was all of them! How is your company preparing for that eventuality?

Finally, if you work for a publicly traded company, bearing in mind the mandate of Sarbanes-Oxley that the CEO and CFO certify the financial statements, if your Board is not invested in cybersecurity, what will be the fallout when the officer certifications are found to be a sham because the risk related to cybersecurity was never properly identified or managed?