I remember being told in the first semester of law school that “ignorance of the law is no excuse.” I am beginning to think a corollary for corporate counsel is beginning to emerge: technological risk cannot be solely entrusted to tech experts.
Two recent items in the news brought this to the forefront for me.
First we saw yesterday that a “rogue algorithm” in trading programs used by Knight Capital may have been responsible for sudden gyrations in NYSE trading.
Many of us may recall the original “rogue trader,” one Nick Leeson, who brought down Barings in 1995. He only makes #3 on the linked list of these rapacious rogues. No word yet on whether the massive loss incurred this year by a major U.S. bank is traceable to “rogue” trades.
A rogue algorithm, on the other hand, may be harder to catch until it trips, since it is a bug in software. The nature of today’s high-frequency trading is that it is executed by superfast computers. Stock positions are sometimes held for mere seconds.
Indeed, a potentially disruptive new online stock market cancelled its IPO earlier this year when its own software failed on the proposed opening day of trading.
When we start to think that maybe this sort of programming risk is confined to high finance, let’s focus on the legal community. It’s not immune from tech-related risk, either.
This second item comes courtesy of Bloomberg last week, which detailed extensive alleged penetration of Western corporate and legal data by foreign agents.
According to breathtaking reporting by Michael Riley and Dune Lawrence, around the time of potential state-sponsored attacks on the technical security of certain U.S. nuclear facilities…
…six people at the Wiley Rein law firm were ushered into hastily called meetings. In the room were an ethics compliance officer and a person from the firm’s information technology team, according to a person familiar with the investigation. The firm had been hacked, each of the six were told, and they were the targets.
Among them were Alan Price and Timothy Brightbill. Firm partners and among the best known international trade lawyers in the country, they’ve handled a series of major anti-dumping and unfair trade cases against China. One of those, against China’s solar cell manufacturers, in May resulted in tariffs on more than $3 billion in Chinese exports, making it one of the largest anti-dumping cases in U.S. history.
Dale Hausman, Wiley Rein’s general counsel, said he couldn’t comment on how the breach affected the firm or its clients. Wiley Rein has since strengthened its network security, Hausman said.
“Given the nature of that practice, it’s almost a cost of doing business. It’s not a surprise,” he said.
Every corporate counsel and serious-minded outside counsel should read this Bloomberg article in its entirety. The sobering reality is that these intrusions were going on undetected for weeks or months. This is not confined to one highly regarded law firm. Major corporations with tech budgets in the hundreds of millions of dollars were being penetrated.
One of the sources that went on the record for Bloomberg is Amit Yoran, a former director at the Department of Homeland Security who is now at RSA Security. That company is responsible for the key fobs used by many law firms, corporations and financial institutions to control remote access to internal systems. And it is the same company that had those key fobs hacked in some fashion last year, allowing unauthorized access to data and systems of defense contractors working on highly classified projects.
Mr. Yoran responded to the fact that most companies don’t know when they have been hacked, and then almost never disclose these data breaches to stockholders or stakeholders (like customers):
“Until we can have this conversation in a transparent way, we are going to be hard pressed to solve the problem. […] I’m just not sure America is ready for that,” he said.
We can’t expect lawyers to understand data security like the experts. But we also can’t leave the problem to these same experts without involvement from lawyers who need to understand how access is controlled, when intrusions occur or are suspected, and what disclosures need to be made and to whom.
Some years before I was told about ignorance in law school, I heard this idiomatic phrase:
What you don’t know can’t hurt you.
I don’t think that works anymore.