The term "Penetration Test" is used quite a bit, but what does the term mean? What is the value of the test for a small or medium sized company? Is the test necessary? And, why is a lawyer writing about this?

Penetration tests, or pen-tests, are conducted by computer security specialists to test how well a computer network stands up to an attacker, whether that attacker is outside the network or already inside it. The pen-test can be conducted by consultants hired by the company or by internal IT personnel testing their own company's network. A typical test starts by running scanning tools across the network to discover IP addresses, open ports, services, programs, operating systems, and more. Unlike a plain vulnerability scan, the tester then attempts to actually exploit what was found, to show how far a real attacker could get. The result is a list of systems or programs that are vulnerable to attack, together with evidence of what each vulnerability would allow. As an example, a test may show that an employee has an FTP server running on their computer. The test may show that the program is unauthorized, that it sends passwords and files across the network unencrypted, and that it exposes files on the computer to exploitation and even to copying, or exfiltration, of the data from the network. At its most basic level, a penetration test is conducted to find IT vulnerabilities before a malicious hacker exploits one to the detriment of the company. Exploitation of a vulnerability and the resulting loss of data can then have significant consequences for a company.
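To make the discovery step concrete, here is an added example (not code from the original post or from any pen-test firm) of how a tester turns a raw port scan into the kind of finding described above. It reads Nmap's "grepable" (-oG) output, compares every open port against the company's inventory of authorized services, and flags anything that is either not on the list or runs a cleartext protocol such as FTP. The scan lines, the host names, the inventory and the cleartext list are all constructed for the example; only the Nmap output format is real. A finding from this script is where the pen-test starts, not where it ends: the tester would next try to log in to or exploit the flagged service to prove what an attacker could actually reach.

```python
"""Triage a pen-test discovery scan against an authorized-service inventory.

Added example, not from the original post. SAMPLE_SCAN is a constructed
Nmap -oG listing for a small office LAN; AUTHORIZED and CLEARTEXT are
hypothetical policy tables a company would maintain itself.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of Nmap grepable output (nmap -sV -oG -). Each port entry
# has the form port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.5.0/24
Host: 10.0.5.10 (fileserver.corp.example)\tStatus: Up
Host: 10.0.5.10 (fileserver.corp.example)\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2019 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/
Host: 10.0.5.37 (ws-jsmith.corp.example)\tStatus: Up
Host: 10.0.5.37 (ws-jsmith.corp.example)\tPorts: 21/open/tcp//ftp//FileZilla ftpd/, 135/open/tcp//msrpc//Microsoft Windows RPC/
Host: 10.0.5.50 (web.corp.example)\tStatus: Up
Host: 10.0.5.50 (web.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx 1.24/
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# Hypothetical inventory: which ports each host is allowed to expose.
AUTHORIZED = {
    "10.0.5.10": {445, 3389},
    "10.0.5.50": {22, 443},
}

# Services that carry credentials and data unencrypted on the wire.
CLEARTEXT = {"ftp", "telnet", "http", "pop3", "imap"}


@dataclass
class OpenPort:
    ip: str
    hostname: str
    port: int
    proto: str
    service: str
    version: str


@dataclass
class Finding:
    target: OpenPort
    reasons: list = field(default_factory=list)


def parse_grepable(scan_text):
    """Yield an OpenPort for every open port in Nmap -oG output."""
    for line in scan_text.splitlines():
        if not line.startswith("Host:"):
            continue
        columns = line.split("\t")
        m = re.match(r"Host: (\S+) \(([^)]*)\)", columns[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        ports_col = next((c for c in columns[1:] if c.startswith("Ports:")), None)
        if ports_col is None:
            continue  # "Status: Up" line carries no port data
        for entry in ports_col[len("Ports:"):].strip().split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry; skip rather than guess
            if parts[1] != "open":
                continue
            yield OpenPort(ip, hostname, int(parts[0]), parts[2], parts[4], parts[6])


def triage(scan_text, authorized=AUTHORIZED):
    """Return the open ports that violate policy, each with the reasons why."""
    findings = []
    for p in parse_grepable(scan_text):
        reasons = []
        if p.port not in authorized.get(p.ip, set()):
            reasons.append("not in the authorized service inventory")
        if p.service in CLEARTEXT:
            reasons.append("cleartext protocol: passwords and file contents readable on the wire")
        if reasons:
            findings.append(Finding(p, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        t = f.target
        print(f"{t.ip} ({t.hostname}) {t.port}/{t.proto} {t.service} [{t.version}]")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the constructed scan, the script reports the employee workstation's FTP server (unauthorized and cleartext) and its exposed RPC port, while the two servers' inventoried services pass. In a real engagement the inventory comes from the client during scoping, which is exactly the scope question a lawyer should help pin down before the test begins.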

An IT vulnerability by itself is not the biggest cause for concern, however. The biggest cause for concern for any company should be the legal liability that accompanies the loss of the data. Losing the data of a client, customer, or vendor can lead to legal liabilities under federal, state and, believe it or not, foreign law. The General Data Protection Regulation (GDPR) can potentially apply to an organization with no European presence at all if it offers goods or services to, or monitors the behavior of, individuals located in the European Union. Violations of the GDPR can result in severe penalties. Fines and liabilities of that size can be hefty enough to put any company out of business, and because small and medium sized businesses are the most exposed to this threat, it should concern them most of all.

Cyber threats and the resulting liability will have the biggest impact on small to medium sized companies because they often do not employ a permanent IT staff and most likely do not have a CSO or CISO. This isn't to say that the largest companies aren't targets of cyber threats - they are, and they have a lot to lose if a cyber-attack is successful - but larger companies also tend to have the budget for an IT staff, a CSO or CISO, and the most money to spend on education, prevention and the new gadgets, gizmos, doodads, and whatsits designed to protect their network and IP holdings. Furthermore, larger companies are better positioned to withstand and absorb significant financial and legal consequences. A small company could be putting its entire business at risk simply by being connected to the Internet. A single successful attack could steal its intellectual property, render its computers unusable if ransomware is installed, expose customers' or vendors' information to the hackers, subject the company to civil fines and penalties, and, in the worst-case scenario, force the company out of business.

Thus, a pen-test report is worth significantly more than a list of IT vulnerabilities: it is also a list of legal liabilities. This is where a cyber lawyer may be able to help. A knowledgeable cyber lawyer consulted before a penetration test is conducted could potentially help with several matters, including:

  • The necessity of the scheduled tests
  • The scope of the test, e.g., which systems may be tested, with which tools, and when
  • The liability for any indirect, punitive, special, incidental, or consequential damage caused by the test (think of computer downtime)
  • Non-disclosure agreements
  • Ownership of the results or data

When the test is complete, a cyber attorney should also be able to look at the results and put a value on the legal liability to the company. The costs of the legal liability from a data breach could include:

  • Legal costs if a potential breach involves PII, ePHI, or payment card data covered by the PCI DSS
  • Potential civil fines
  • Legal obligations to clients, employees, partners, and regulators
  • Applicable notifications under federal or state law
  • Timing constraints on those notifications
  • Law enforcement notification
  • Contractual obligations to private parties

These are just a few of the issues a lawyer can help answer when considering a penetration test or in reviewing the results from a penetration test. Legal analysis can enable a company to place a value on the vulnerabilities and the legal liability, and directly inform business decisions such as how much cyber insurance to purchase, whether to upgrade the computer systems, purchase additional software, or hire additional personnel.

After all, the whole reason for the penetration test is to determine whether vulnerabilities will lead to legal liabilities; or, to put it another way, if there were no legal liabilities, would anyone care about IT vulnerabilities?

Visit our Cyber Law blog for more interesting updates on how the law is developing with the change and growth of technology. Have any questions or comments? Contact our Sioux City, Sioux Falls, or Omaha office today!


DISCLAIMER: The information in this blog post (“post”) is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. By visiting this website, blog, or post you understand that there is no attorney client relationship between you and the Goosmann Law Firm attorneys and website publisher. No information contained in this post should be construed as legal advice from Goosmann Law Firm, PLC, or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this Post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.