United Parcel Service Inc. announced on Aug. 22 that it had suffered a data breach exposing customer information, but the unusual part of the news was that it caught and held the breach to just 1 percent of its stores nationwide, affecting about 105,000 customers.
'It didn't affect millions of people, but rather was on the small side compared to other breaches,' attorney and cybersecurity expert Randy Sabett told CorpCounsel.com on Thursday. In contrast, the cyberattack on Target Corporation last winter involved tens of millions of credit and debit card accounts.
'There are several lessons to be learned here for in-house counsel,' said Sabett, vice chair of the privacy and data protection group at Cooley in Washington, D.C. He also is a former senior technology counsel at a Silicon Valley information security company.
Sabett said the important takeaways include a real-life measure of the value of having a good data security program in place, as well as a good response process that allows people to react quickly to a breach.
'People need to know what to do and how to still carry on business,' said Sabett, who served on the Commission on Cybersecurity for the 44th Presidency, which provided digital security advice to President Barack Obama following his election, and co-chaired the American Bar Association's Information Security Committee.
'You didn't have a situation where the entire UPS network had to shut down,' he said, adding that without the right program and response, 'It could have been much worse' for the company.
Sabett, named the Information Security Professional of 2013 by the Information Systems Security Association, described the first day a breach is discovered as 'very hairy.'
Say you first found malware on computers in 12 stores, he said. 'Do you shut down those 12 stores, or surrounding stores or all stores nationwide? It's a dynamic situation as you gather information.'
He continued, 'I've been in cases where some information turns out to be false; data we thought was exposed actually wasn't. Until you know with some level of certainty what's involved, it might not be prudent to take any extreme steps.'
In its statement, UPS said the customer information that may have been exposed included names, postal addresses, email addresses and payment card information. 'The UPS Store is providing an information website, identity protection and credit monitoring services to customers whose information may have been compromised,' it said.
Tim Davis, president of The UPS Store Inc., said in a statement, 'As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident,' Davis said.
The company said the breach occurred from January 20 to August 11, when it was eliminated.
'It shows that even companies that have really good security programs in place can still fall victim to attackers,' Sabett said. 'There is no such thing as 100 percent security.'
But Sabett noted one of the most remarkable lessons from the incident points to the success of information sharing. UPS said it recently received a government bulletin alerting it to certain malware that apparently was striking other companies, and which wasn't detected by current antivirus software.
'There hasn't been broad agreement on how information sharing should occur,' Sabett said, 'and in that sense, it is controversial. Some people believe that more sharing will lead to more finger pointing, more liability, more lawsuits. It can be used against you by your competitors or the plaintiffs' bar.'
But UPS was able to use the government bulletin information about the malware to react quickly, Sabett said, 'and kept the intrusion down to a small number of franchise stores. It was actually quite good.'