United Parcel Service Inc. announced on Aug. 22 that it had suffered a data breach exposing customer information, but the unusual part of the news was that it caught and held the breach to just 1 percent of its stores nationwide, affecting about 105,000 customers.
'It didn't affect millions of people, but rather was on the small side compared to other breaches,' attorney and cybersecurity expert Randy Sabett told CorpCounsel.com on Thursday. In contrast, the cyberattack on Target Corporation last winter involved tens of millions of credit and debit card accounts.
'There are several lessons to be learned here for in-house counsel,' said Sabett, vice chair of the privacy and data protection group at Cooley in Washington, D.C. He also is a former senior technology counsel at a Silicon Valley information security company.
Sabett said the important takeaways include a real-life measure of the value of having a good data security program in place, as well as a good response process that allows people to react quickly to a breach.
'People need to know what to do and how to still carry on business,' said Sabett, who served on the Commission on Cybersecurity for the 44th Presidency, which provided digital security advice to President Barack Obama following his election, and co-chaired the American Bar Association's Information Security Committee.
'You didn't have a situation where the entire UPS network had to shut down,' he said, adding that without the right program and response, 'It could have been much worse' for the company.
Sabett, named the Information Security Professional of 2013 by the Information Systems Security Association, described the first day a breach is discovered as 'very hairy.'
Say you first found malware on computers in 12 stores, he said. 'Do you shut down those 12 stores, or surrounding stores or all stores nationwide? It's a dynamic situation as you gather information.'
He continued, 'I've been in cases where some information turns out to be false; data we thought was exposed actually wasn't. Until you know with some level of certainty what's involved, it might not be prudent to take any extreme steps.'
In its statement, UPS said the customer information that may have been exposed included names, postal addresses, email addresses and payment card information. 'The UPS Store is providing an information website, identity protection and credit monitoring services to customers whose information may have been compromised,' it said.
Tim Davis, president of The UPS Store Inc., said in a statement, 'As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident,' Davis said.
The company said the breach occurred from January 20 to August 11, when it was eliminated.
'It shows that even companies that have really good security programs in place can still fall victim to attackers,' Sabett said. 'There is no such thing as 100 percent security.'
But Sabett noted one of the most remarkable lessons from the incident points to the success of information sharing. UPS said it recently received a government bulletin alerting it to certain malware that apparently was striking other companies, and which wasn't detected by current antivirus software.
'There hasn't been broad agreement on how information sharing should occur,' Sabett said, 'and in that sense, it is controversial. Some people believe that more sharing will lead to more finger pointing, more liability, more lawsuits. It can be used against you by your competitors or the plaintiffs' bar.'
But UPS was able to use the government bulletin information about the malware to react quickly, Sabett said, 'and kept the intrusion down to a small number of franchise stores. It was actually quite good.'
Sue Reisinger writes for Corporate Counsel, an ALM sibling publication of e-Commerce Law & Strategy.