October 15, 2019


Take Action to Stop the Bleeding: Follow These Steps

“Heartbleed” has been all over the news, and companies have been scrambling to respond.  What sounds like a nasty medical condition is actually a recently discovered flaw in popular encryption software called OpenSSL.  It has been widely reported in the news outlets that approximately 60 percent of all web servers use OpenSSL.  According to the Federal Trade Commission, the flaw can permit a hacker to unlock the encryption and “monitor all communication to and from a server—including usernames, passwords, and credit card information—or create a fake version of a trusted site that would fool browsers and users, alike.”

So how can companies stop the bleeding?

  1. Figure out if any websites, systems (like e-mail) or applications (like virtual private network [VPN] endpoints, load balancers or database management software) use OpenSSL.  More information about how internal information technology (IT) teams can find and fix the flaw can be found on heartbleed.com.

  2. A comprehensive review of systems is important because, according to security firm Coalfire, OpenSSL is a program that is not just used on externally facing websites.  It also is frequently used on internal applications, management consoles, “appliances” and legacy systems, which will remain vulnerable until patched.  This is especially critical for systems that contain sensitive information, such as protected health information, financial information, Social Security numbers and other highly confidential items.  A firm like Coalfire can scan corporate systems to discover the vulnerability at a relatively modest cost.

  3. Update to the latest version of OpenSSL to fix the flaw.  After updating, companies need to generate a new private key (most IT teams know how to do this) and obtain a new SSL certificate from a trusted certificate authority, which will signal to browsers that the website is secure.  Generating the new key is critical—otherwise a company’s server and data could still be at risk, because a key that was in use while the server was vulnerable has to be treated as exposed.

  4. Confirm that vendors, business partners and contractors that provide technical services or support to company systems have addressed any OpenSSL flaws in their systems.
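A small helper for steps 1 and 3, added here as an example and not part of the original post or McDermott's advice: it classifies an OpenSSL version string against the upstream vulnerable range (1.0.1 through 1.0.1f; 1.0.1g carries the fix, and the 1.0.0 and 0.9.8 branches never had the bug) and, on a patched host, generates a fresh private key and certificate signing request. It assumes a POSIX sh and the openssl command-line tool; the host name and output directory are placeholders.

```shell
#!/bin/sh
# Added example: Heartbleed remediation helper (not from the original post).
# Assumes POSIX sh and the openssl CLI. Upstream vulnerable range: 1.0.1..1.0.1f.

# heartbleed_version_vulnerable "1.0.1e" -> 0 (in range); "1.0.1g" -> 1 (fixed)
# Caveat: distributions often backport the fix without bumping the version
# number, so treat "in range" as "confirm against the package changelog",
# not as proof that the host is still exposed.
heartbleed_version_vulnerable() {
  case "$1" in
    1.0.1|1.0.1[a-f]) return 0 ;;
    *)                return 1 ;;
  esac
}

# Pull the version token out of `openssl version` output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
openssl_version_token() {
  printf '%s\n' "$1" | awk '{print $2}'
}

# Step 3: after patching, generate a new 2048-bit RSA key and a CSR for the
# replacement certificate. The old key is assumed compromised and is not reused.
regen_key_and_csr() {
  host="$1"; dir="$2"
  mkdir -p "$dir" || return 1
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/CN=$host" >/dev/null 2>&1 || return 1
  chmod 600 "$dir/$host.key"
}

# Inventory this host, then rotate the key only if it is already patched.
main() {
  v=$(openssl_version_token "$(openssl version 2>/dev/null)")
  if heartbleed_version_vulnerable "$v"; then
    echo "OpenSSL $v: in the vulnerable range; patch before generating new keys"
    return 2
  fi
  echo "OpenSSL $v: not in the vulnerable range; rotating key and CSR"
  regen_key_and_csr "${1:-www.example.com}" "${2:-./newcerts}"   # placeholders
}

# Run only when invoked as: sh heartbleed_check.sh --run <host> <outdir>
case "${1:-}" in
  --run) main "$2" "$3" ;;
esac
```

Submit the resulting CSR to the certificate authority, install the new certificate, and revoke the old one; the version check alone does not prove a host is safe where the vendor backported the patch.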

But what about the blood that’s already spilled?

After taking these steps to stop the bleeding by fixing OpenSSL flaws, a critical next step is for companies to conduct an assessment of data and actions previously thought to be encrypted.

Companies should consider evaluating with counsel how and when to communicate with customers and employees about changing log-in credentials and taking any other appropriate steps in light of the particular situation addressed by the company.

In addition, given the publicity and attention to this issue, customer service lines might see an increase in calls inquiring whether a company’s website is secure and whether log-in credentials should be changed.  Convening the right internal resources to prepare clear, concise talking points will help those customer service teams convey accurate, consistent information in a way that minimizes harm to consumers and brand.

Even if companies are confident that their own sites have been fixed, they should consider whether employees may have used corporate log-in credentials on mobile devices or over connections, such as remote access VPN systems or third-party hotspots, that may have been vulnerable to Heartbleed.  Those credentials will need to be changed and employees instructed on how to avoid exposing that information again through another connection that may not yet be patched.

Finally, organizations that find themselves to have been impacted significantly by this vulnerability should pre-plan with counsel for potential regulator attention and class action litigation in response to breach reports, media coverage and consumer complaints.  To do this, companies should contact their regular McDermott lawyer or any one of the authors who are poised to help.

© 2019 McDermott Will & Emery

About this Author

David Quinn Gacioch, White Collar Criminal Defense Attorney, McDermott Law Firm
Partner

David Quinn Gacioch is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm's Boston office. He focuses his practice in the areas of white-collar criminal defense and government investigations. Dave also has significant experience in product liability defense, general commercial litigation/arbitration, and appeals.

617-535-4478
Edward G. Zacharias, McDermott Will Emery Law firm, Healthcare Industry Attorney
Associate

Edward G. Zacharias is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Boston office.  Edward provides regulatory and transactional representation to health systems, academic medical centers, physician group practices, HMOs, faculty practice plans, nursing facilities and a variety of other health care clients.  He represents clients in connection with acquisitions, joint ventures, strategic affiliations, conversions to tax exempt status, HIPAA compliance, fraud and abuse and Stark, reimbursement,...

617-535-4018