“Heartbleed” has been all over the news, and companies have been scrambling to respond. What sounds like a nasty medical condition is actually a recently discovered flaw in popular encryption software called OpenSSL. It has been widely reported in the news outlets that approximately 60 percent of all web servers use OpenSSL. According to the Federal Trade Commission, the flaw can permit a hacker to unlock the encryption and “monitor all communication to and from a server—including usernames, passwords, and credit card information—or create a fake version of a trusted site that would fool browsers and users, alike.”
So how can companies stop the bleeding?
- Figure out if any websites, systems (like e-mail) or applications (like virtual private network [VPN] endpoints, load balancers or database management software) use OpenSSL. More information about how internal information technology (IT) teams can find and fix the flaw can be found on heartbleed.com.
- A comprehensive review of systems is important because, according to security firm Coalfire, OpenSSL is a program that is not just used on externally facing websites. It also is frequently used on internal applications, management consoles, “appliances” and legacy systems, which will remain vulnerable until patched. This is especially critical for systems that contain sensitive information, such as protected health information, financial information, Social Security numbers and other highly confidential items. A firm like Coalfire can scan corporate systems to discover the vulnerability at a relatively modest cost.
- Update to the latest version of OpenSSL to fix the flaw. After updating, companies need to generate a new encryption key (most IT teams know how to do this) and obtain a new SSL Certificate from a trusted authority, which will signal to browsers that the website is secure. Generating the new key is critical—otherwise a company’s server and data could still be at risk.
- Confirm that vendors, business partners and contractors that provide technical services or support to company systems have addressed any OpenSSL flaws in their systems.
But what about the blood that’s already spilled?
After taking these steps to stop the bleeding by fixing OpenSSL flaws, a critical next step is for companies to conduct an assessment of data and actions previously thought to be encrypted.
Companies should consider evaluating with counsel how and when to communicate with customers and employees about changing log-in credentials and taking any other appropriate steps in light of the particular situation addressed by the company.
In addition, given the publicity and attention to this issue, customer service lines might see an increase in calls inquiring whether a company’s website is secure and whether log-in credentials should be changed. Convening the right internal resources to prepare clear, concise talking points will help those customer service teams convey accurate, consistent information in a way that minimizes harm to consumers and brand.
Even if companies are confident that their own sites have been fixed, they should consider whether employees may have used corporate log-in credentials on mobile devices or over connections, such as remote access VPN systems or third-party hotspots, that may have been vulnerable to Heartbleed. Those credentials will need to be changed and employees instructed on how to avoid exposing that information again through another connection that may not yet be patched.
Finally, organizations that find themselves to have been impacted significantly by this vulnerability should pre-plan with counsel for potential regulator attention and class action litigation in response to breach reports, media coverage and consumer complaints. To do this, companies should contact their regular McDermott lawyer or any one of the authors who are poised to help.