Can Hackers be Ethical, not Evil?

Harris Beach PLLC

We are increasingly seeing situations in which a client’s information systems are breached by an ethical hacker. Typically, the hacker takes a screenshot or two of data to prove the accomplishment, carefully redacts any confidential or protected information, and then notifies the organization of its security defect, often hoping for a reward or a so-called “bug bounty.”

In response, the organization fixes the defect, confirms that no information was downloaded by the hacker and that no one else gained access, and evaluates the event to confirm that data subjects faced no risk or harm. At this point, the organization reaches the stage of its Incident Response Plan that addresses whether to notify the data subjects and their respective states of the event. Does the incident constitute a “breach” that requires notification to the data subjects and the relevant state authorities?

Most organizations are tempted to conclude that there is no duty to notify: notifications are costly, embarrassing, and confusing. Moreover, in this situation, notification would arguably cause needless alarm among the data subjects, who would receive a worrying letter without facing any actual risk. If someone within the organization had discovered the flaw, and no one else had accessed the information, no breach notification law would require a notification. It would be viewed as a “near miss.” So why should the outcome be any different when the flaw was discovered by an ethical hacker who behaved in the same manner as any employee of the organization?

Like any juicy legal issue, there is another side to this analysis, and some context helps to understand it. A breach is commonly described as the unauthorized access to protected information. Many breach notification laws require notification to the data subjects and relevant state authorities only when the information breached is also acquired. In this sense, “acquired” means that the information was downloaded or viewed by an unauthorized individual in such a way that the content was perceived and appreciated by that individual. Other states require notification when the information is merely accessed. New York state’s previous breach notification law defined a breach as the “unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business.” (See General Business Law § 899-aa.) The current version of the law defines a breach as the “unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business.” Thus, under the old law, an organization would likely conclude that it was not breached in the opening example because the ethical hacker did not acquire the information.

Today the organization might not reach the same conclusion. Even though notification would cause needless worry and aggravation, it could be prudent to conclude that the hacker’s momentary access to the file constituted a breach under the new language, so arguably a notification should be made, at least until guidance is given to the contrary. The stakes are not trivial: the statute allows a court to impose a civil penalty for failing to notify of the greater of $5,000 or up to $20 per instance of failed notification, capped at $250,000. There is, after all, no doubt that the hacker accessed the file; the screenshots attest to it. Unfortunately, the law does not directly consider the circumstances of an ethical hacker.

One possible route to resolving this issue is the exception to the definition of “breach” in New York state’s notification law. It provides that

“Good faith access to, or acquisition of, private information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.” 899-aa(1)(c).

The law goes on to clarify the concept of “access”:

“In determining whether information has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, such business may consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.” Id.

But when the hacker first accessed the system, were they authorized to do what they did? Again, as with any good legal issue, the answer is that it depends. Many organizations have what is called a “bug bounty” program. Such programs have clearly defined rules of engagement (typically the systems in scope, the techniques and actions that are prohibited, and how much data a researcher may touch to prove a finding), a method for reporting findings, and a defined reward for hackers (or, as many of them prefer to be called, “security researchers”) to claim if successful. There are internet sites devoted to the practice; consider www.hackerone.com as one example. Where a bug bounty program has been published, an organization could argue that the actions of a hacker who stayed within its rules were authorized and even invited.

Smaller organizations that cannot afford a full-time security expert may rely on a bounty program as part of their security program, because it gives them the benefit of skilled security expertise for a rather modest sum of money to help fix insecure systems. Large organizations may run them because no one is perfect, and the efforts of many ethical hackers can find flaws that internal groups might miss. Thus, from a public interest standpoint, ethical hackers surface holes for repair and protect the citizens of the state in a manner that is feasible for businesses of every size. This is essentially a crowdsourced form of “penetration testing,” in which an external party is contracted to try to breach a system. The difference is that, with a bounty program, you do not know the identity of the external party until after they succeed.

There is also the situation of an organization that did not have a bounty program in place before a “security researcher” gained access and then approached it. Assume in this example that the hacker still brings the incident to the attention of the organization and behaves exactly as if a bounty program had been in place: they download no content, take only a few redacted screenshots, do not demand any payment, and help the organization fix the security flaw. Is this a breach? The fact that the organization did not have an official bounty program undercuts the argument that the activity was “authorized.” The question then becomes whether one can authorize a hacker after the fact.

The FTC recently settled a case against Uber in which hackers maliciously downloaded a tremendous amount of protected information (personal information relating to some 57 million riders and drivers) and demanded a six-figure payout. Uber essentially sought to “launder” the incident as an ethical hack by paying them $100,000 through a bug bounty platform and requiring them to delete the files and sign an NDA. Uber did not notify the data subjects of the breach. Uber also fired its then chief security officer and a senior lawyer involved in the response. As is typical of such efforts, the cover-up was discovered; the FTC resolved its case by consent order, and in a separate settlement with the state attorneys general Uber agreed to pay $148,000,000.

Although Uber is an example of what not to do, the FTC’s complaint does support a strong argument that, had these actually been ethical hackers rather than extortionists, not notifying the data subjects would have been appropriate. At paragraph 26 of the amended complaint, the FTC writes:

26. Respondent paid the attackers $100,000 through the third party that administers Uber’s “bug bounty” program. Respondent created the bug bounty program to pay financial rewards in exchange for the responsible disclosure of serious security vulnerabilities. However, the attackers in this instance were fundamentally different from legitimate bug bounty recipients. These attackers did not merely identify a vulnerability and disclose it responsibly. Rather, the attackers maliciously exploited the vulnerability and acquired personal information relating to millions of consumers.

One could reasonably conclude that, because the FTC acknowledges legitimate bug bounty programs and states that “these attackers did not merely identify a vulnerability and disclose it responsibly,” the FTC’s view, at least, is that the identification of a defect by a legitimate bug bounty hunter who acts responsibly is not a breach that requires reporting. But Uber did have a formal bug bounty program, so the example is not perfect.

There are no other cases addressing this issue, so whether a state would agree with this reading, or whether the FTC would reach the same position for a company without a formal bounty program, is an open question. If the data set is relatively small, the least risky and potentially least expensive course of action would be to notify the data subjects of the event, explaining that the new laws are unclear about reporting requirements and that, out of an abundance of caution, notification is being made even though the incident does not pose any material risk.

For larger data sets, whether to notify data subjects of a breach by a genuine ethical hacker or researcher is a harder business decision. The elements to consider would be:

  1. Does the organization have an established bug bounty program and were the rules of that program followed?
  2. Can the organization conclusively show that the content was not downloaded or otherwise acquired?
  3. Are the hackers legitimate and reputable?
  4. Did the hacker act responsibly?
  5. Is it fair to characterize the payment as a bounty or was it extortion?
    a. How much was paid?
    b. What were the terms of the payment?
    c. Why did the organization decide to pay?
    d. Did the individual help remediate the security flaw?
  6. Does the incident pose any risk to the data subjects?

We don’t think the lack of a preexisting bounty program precludes the conclusion that no notification is required. It is just one element to consider. However, if the other five elements fail, it becomes riskier to avoid notifying the data subjects and their respective states: some later event is likely to trigger an investigation, and unless the communications with the hacker are well crafted, chances are that someone will characterize any bounty payment as extortion, a characterization the investigating agency will seize upon.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Harris Beach PLLC | Attorney Advertising
