Stop the Heartbleed. What Your Company Needs to Do
If you've listened to or read the news in the last day or so, then you've probably heard about Heartbleed, a/k/a the biggest security flaw in years. The flaw is so bad that one NPR commentator compared it to leaving your car door open with the keys in the ignition. That doesn't mean someone will actually get in your car and drive away -- but the vulnerability is there.
On Tuesday, the United States Department of Homeland Security released a statement warning about the Heartbleed vulnerability, along with information and instructions on how to deal with the problem.
If you want to know the technical aspects of the bug, The Washington Post has a good explanation of the Heartbleed security flaw. As in-house counsel, here's what you need to know: if your company's website takes payment, or passwords, you have a problem. Leave the technical details of Heartbleed to IT and let's start putting out that fire.
1. Is Your Company's Site Affected?
Most likely. About two-thirds of websites are affected by the Heartbleed security flaw, according to The Wall Street Journal. If you're not sure, several sites are running tests to determine whether a particular website is vulnerable, such as the one developed by Filippo Valsorda, and those from LastPass and Qualys.
2. Stop the Bleeding
Get on the phone with someone at the IT department to determine (1) whether your company's website is affected; (2) what steps have already been taken to fix the problem; (3) what steps they plan on taking to fix the vulnerability; and (4) if the IT department needs any guidance from the legal department.
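One concrete question to put to IT in that call (and one way to start answering "is our site affected?" from step 1) is which OpenSSL version each web server is running. The short script below is an added example written for this post; it is not from the original article, FindLaw, or the OpenSSL project. It classifies an `openssl version` banner against the affected range published in the OpenSSL advisory (upstream releases 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release; 1.0.1g and 1.0.2-beta2 carried the fix; 0.9.8 and 1.0.0 never contained the heartbeat code). The sample banners are constructed for illustration.

```python
import re
import subprocess

# Upstream OpenSSL versions that shipped the Heartbleed bug (per the OpenSSL
# advisory): 1.0.1 with no letter, or 1.0.1a through 1.0.1f, plus 1.0.2-beta1.
VULNERABLE_RELEASE = re.compile(r"^1\.0\.1[a-f]?$")
VULNERABLE_BETA = re.compile(r"^1\.0\.2-beta1$")

# `openssl version` prints e.g. "OpenSSL 1.0.1e 11 Feb 2013" or
# "OpenSSL 1.0.1k-fips 8 Jan 2015"; pull out just the version token.
BANNER = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+(?:-beta\d+)?[a-z]?)")


def parse_openssl_version(banner):
    """Return the version token from an `openssl version` banner, e.g. '1.0.1e'."""
    match = BANNER.search(banner)
    if not match:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return match.group(1)


def classify(version):
    """Map an upstream version string to 'vulnerable', 'fixed' or 'unaffected'."""
    if VULNERABLE_RELEASE.match(version) or VULNERABLE_BETA.match(version):
        return "vulnerable"
    if version.startswith("1.0.1") or version.startswith("1.0.2"):
        # 1.0.1g+ and 1.0.2-beta2+ contain the fix.
        return "fixed"
    # 0.9.8 and 1.0.0 predate the heartbeat extension; 1.1.x and later postdate the fix.
    return "unaffected"


def assess_banner(banner):
    """Return (version, status) for one `openssl version` banner."""
    version = parse_openssl_version(banner)
    return version, classify(version)


def triage(banners):
    """Assess a list of (hostname, banner) pairs collected from an inventory.

    Returns a list of (hostname, version, status) tuples; hostnames are whatever
    label the caller attaches, the banners are the raw `openssl version` output.
    """
    return [(host,) + assess_banner(banner) for host, banner in banners]


def check_local_openssl():
    """Run `openssl version` on this machine, or return None if it is not installed."""
    try:
        out = subprocess.check_output(["openssl", "version"]).decode("ascii", "replace")
    except (OSError, subprocess.CalledProcessError):
        return None
    return assess_banner(out)


# Constructed sample inventory (hostnames and banners are made up for this example).
SAMPLE_INVENTORY = [
    ("shop.example.test", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("login.example.test", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy.example.test", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("staging.example.test", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print("%-22s %-12s %s" % (host, version, status))
    local = check_local_openssl()
    if local:
        print("this machine: %s -> %s" % local)
```

A "vulnerable" result is a reason to ask IT, not a verdict: Linux distributions routinely backport security fixes without changing the upstream version number (a patched package can still report 1.0.1e), and a build compiled with the heartbeat extension disabled is also unaffected. Conversely, "fixed" on the server only helps if the services were restarted after the upgrade and the certificates and keys that may have been exposed before the patch were reissued.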
3. Inform Customers
Heartbleed has the Internet going nuts and if we learned anything from the recent Target/Neiman Marcus debacles, it's that you need to be open and honest with your customers. Get in touch with the marketing department to develop a message that lets your customers know if a fix has been put in place, or if one is coming. Advise your company's customers that once a fix is in place they should change their login passwords.
4. Develop Protocol
Once the Heartbleed situation is handled, it may be time to develop a protocol for reviewing your company's website security. You may want to hire an outside team to perform periodic security audits to make sure that your website doesn't have any other potential security flaws.
There's a reason that cybersecurity continues to top the list of things that keep general counsel up at night -- because new threats arise constantly and there is a lot at stake. Once you stop the Heartbleed, it may be best to be on the defensive for other potential security threats.