Litigation against corporate board members and C-level executives for data privacy and security claims is on the rise. Specifically, the number of suits stemming from data breaches and other cybersecurity incidents has increased as such breaches and incidents have become more common. Recently, plaintiffs have targeted corporate board members and C-level executives alleging that their data privacy–related claims result from a breach of fiduciary duties. For example, plaintiffs may allege that the board’s or C-suite’s breach of fiduciary duties caused or contributed to the data breach due to a failure to implement an effective system of internal controls or a failure to heed cybersecurity-associated red flags. Even if a breach does not lead to litigation or enforcement action against board members or C-level executives, data breaches can tarnish a corporation’s name and lead to increased scrutiny from regulators. This year alone, the U.S. Department of Health and Human Services Office for Civil Rights has recorded over 100 breaches of unsecured electronic protected health information, or ePHI. The department noted that most cyberattacks could be prevented or substantially mitigated by implementing appropriate security measures.
Given the increase in regulatory scrutiny and lawsuits stemming from data breaches, board members and C-level executives would be wise to educate themselves about measures corporations can take to mitigate their cybersecurity risk. Putting effective cybersecurity into place is not a one-time exercise, and companies and their boards must continuously monitor advances in technology that merit modifications or augmentations of their cybersecurity defenses. In this article we explore certain key developments that corporations should be aware of: quantum computing and quantum-resistant encryption, zero trust security, and zero knowledge proofs. Although far from an exhaustive list, these emerging technologies and tools can play a major role in preventing bad actors from penetrating a company’s cybersecurity defenses.
Quantum computing has the potential to revolutionize computing in its current state, creating both cybersecurity opportunities and risks for companies. Quantum computing can generate truly random numbers for encryption keys as compared with traditional random generators utilized by traditional encryption systems, which can only approximate randomness. As a result, an attacker could reverse engineer such traditional random number generators and thereby crack a company’s encryption. In contrast, scientists posit that there is no way to predict the random numbers produced using the principles of quantum physics, therefore enhancing the strength of the resulting encryption.
These quantum random number generators are becoming commercially available, but until widescale adoption of such new technologies, many companies continue to rely on traditional encryption as a cornerstone of their cybersecurity strategy. Quantum computing could “break” many of the public-key cryptosystems used today.
Many data privacy laws incentivize encryption, but also incentivize regularly testing, assessing, and evaluating the effectiveness of technical and organizational security measures to ensure security of processing. Currently, the European Union’s General Data Protection Regulation (GDPR) considers encryption to be an “appropriate safeguard” for personal data of European individuals. Furthermore, under the California Consumer Privacy Act (CCPA), businesses that do not encrypt personal information and suffer a data breach may be sued directly by consumers whose personal information has been exposed. Damages can range from $100 to $750 per consumer per incident, so in the event of a data breach, this price tag could add up quickly.
Given the regulatory risk of not keeping up with seismic evolutions in technology such as quantum computing, a broad range of private and public actors are preparing for the advent of quantum computing and investing in related encryption technology. Experts estimate that widespread adoption of quantum computing is likely a decade away. Nevertheless, interest and development in the space will continue to expand as quantum computing transforms itself from a technology of the future into one of the present.
Quantum-resistant encryption in particular has drawn much attention. Since 2016, the National Institute of Standards and Technology (NIST) has been overseeing several rounds of competition to develop new quantum-resistant standards of encryption and cryptography, with initial results expected later this year. Based on the latest data available from the competition’s entrants, lattice-based cryptography appears to be a front-runner. Lattice-based cryptography is an encryption method that relies on grids with billions of individual points, as opposed to public-key encryption, which leverages traditional math to protect data. Lattice-based cryptography is considered the most promising technology to combat potential cyber threats that might stem from quantum computers.
Board members and C-level executives are encouraged to pay attention to the potential opportunities and threats that quantum computers present as well as technologies that may mitigate any such risk.
Zero trust security
Zero trust security is a security method employed by organizations to mitigate cyber risks posed by an “insider” threat. Traditional network security is tailored toward preventing external actors from breaching a network. However, this leaves organizations susceptible to internal threats from users who have already been authenticated and gained access to a network. In fact, certain statistics suggest that over half of data breaches occur from within an organization. Zero trust security helps to counter this risk by employing a “zero trust” approach. In other words, zero trust security requires all users and devices to verify their identity when attempting to access network resources, even when those users or devices have already entered the network.
NIST has published extensive information on best practices for organizations that opt to pursue a zero trust security strategy, including Special Publication 800-207 on zero trust architecture. NIST’s guidelines focus on authentication and authorization as the central pillars of zero trust security. This requires organizations to focus on “shrinking implicit trust zones” by reducing those areas within the network where users and devices can exist without being reverified. When internal and external bad actors gain either authorized or unauthorized access to an organization’s network, a zero trust security strategy restricts those actors from existing and operating within the network unchecked, making the strategy a valuable tool in an organization’s cyber-defense arsenal.
Zero knowledge proofs
Although highly dependent on the architecture of the blockchain itself, blockchain technology in general is built on principles of data obfuscation, decentralization, and cryptography. However, blockchain’s immutability and reliance on a potentially wide group of network participants to validate data can make users reluctant to share sensitive data with an extensive network and can also prompt other data privacy and security-related concerns.
Zero knowledge proofs (ZKPs) form the basis of a cryptography protocol that may enhance blockchain’s functionality and usability as a method for exchanging data, although ZKPs can be useful as a cybersecurity tool outside of the blockchain space as well.
ZKP cryptography involves proving something is true without disclosing the underlying data, e.g., proving that a person seeking to enter a bar is over the minimum drinking age without revealing the person’s full birth date. ZKPs utilize algorithms that allow users to verify the authenticity of a data set through mathematical methods instead of revealing the underlying data. This offers the potential for corporations to minimize the amount of data they collect and reduce the risk of a data breach, as they can process transactions without ever needing to possess or access certain data that is not necessary. For example, a financial services firm could verify that a client’s income level meets certain predetermined thresholds without having to access the client’s financial information. In this example, the financial services firm would have increased confidence that a client meets the firm’s income eligibility criteria, and the client would have the assurance that personal, sensitive financial data is subject to this additional layer of privacy and protection.
Whether a company uses or does not use blockchain, board members and C-level executives are advised to consider employing ZKPs to provide additional security to their organizations and reduce the amount of data they need to collect to engage in transactions.
While no single cybersecurity tool is sufficient, this article offers insight into a few emerging technologies that C-level executives and board members should stay abreast of in the ever-evolving data security landscape. Quantum computing, quantum-resistant encryption, zero trust security, and ZKPs offer powerful tools for protecting user data from harmful internal and external actors and can mitigate a corporation’s exposure to potential financial and legal liabilities arising out of a data breach or other security incident.