Hunter Fox
Associate
Article
7
Cyberattacks are a consistent and significant threat plaguing businesses in Canada. As the cyber landscape evolves, so must our strategies for safeguarding sensitive information. An increasingly popular approach to bolstering cyber security is engaging with white hat hackers, also known as ethical hackers.
In this article, we will explore how partnering with ethical hackers can benefit a company's cyber security efforts while shedding light on the legal considerations of such collaborations.
White hat hackers, or "ethical hackers," are cyber security experts who use their skills and knowledge to identify vulnerabilities in computer systems, networks and applications with the owner's permission. Their primary goal is to uncover weaknesses before malicious actors exploit them, helping organizations strengthen their security posture. White hat hackers always have permission from the organization.
The term "white hat hacker" comes from old Western movies, where the protagonists, or "good guys," wore white or light-coloured hats. There are two other broad categories of hackers: black hat hackers, who break into computer networks with malicious intent or for sport, and grey hat hackers, who may sometimes violate the law or an ethical standard but without the malicious intent of black hat hackers.
White hat hacking began in the 1960s as a way for businesses and governments to test emerging technologies for vulnerabilities. Today, many organizations will use white hat hackers to test vulnerabilities by offering a monetary award, or "bug bounty," to vetted hackers who find and disclose network vulnerabilities.
Recently, the US Department of Defense paid out $75,000 USD to ethical hackers who were part of an initiative to alert the Pentagon to vulnerabilities to fix them before they could be found and exploited.
A penetration test is essentially a simulated cyber-attack. Ethical hackers conduct thorough assessments of a company's digital assets, identifying vulnerabilities that might otherwise go unnoticed.
White hat hackers attempt to "break-in" to an organization's systems to find holes. They will often prepare a report afterwards that sets out the issues they found and ways to fix them. This proactive approach allows organizations to patch weaknesses and enhance their defences before bad actors exploit them.
White hat hackers simulate cyberattacks, providing companies with valuable insights into how their systems would fare in an actual breach scenario. This realism helps companies refine their incident response plans and develop more robust security measures.
Organizations may realize they need to update or create policies, update or replace tools, and update or replace configurations.
Collaborating with ethical hackers can be a cost-effective way to improve cyber security. It is often more affordable than dealing with the aftermath of a successful cyberattack, including potential legal liabilities and reputational damage.
White hat hackers often find vulnerabilities that an organization's IT team might miss.
Organizations demonstrate a commitment to cyber security best practices by engaging with white hat hackers. This proactive stance can aid in regulatory compliance and reduce the risk of legal repercussions in the case of a breach.
Such partnerships empower organizations to prepare better and establish effective security safeguards to meet their privacy and other security obligations.
While the benefits of working with white hat hackers are clear, there are essential and unique legal considerations that must be addressed:
Companies must ensure that ethical hackers have explicit permission to conduct their assessments. This authorization should be documented in a legally binding agreement to avoid misunderstandings and set clear assessment boundaries.
Authorization is a crucial distinction from so-called "grey hat" hackers, who look for vulnerabilities without an organization's awareness or consent and then notify the owner of the identified issue afterwards, often requesting a fee for their services.
Companies must ensure the testing process does not violate data protection laws or infringe on individuals' privacy rights. Ethical hackers should be given access only to the information necessary for their assessments.
When a white hat hacker discovers and accesses a vulnerability, organizations should endeavour to understand the full extent of the scope of their access. Any agreement with an ethical hacker should include data protection and privacy provisions.
For example, the ethical hacker should be treated as a third-party service provider who must comply with all applicable privacy laws, including not using any personal information accessed or exfiltrated for other purposes and destroying all personal data following the conclusion of the assessment.
Due to the nature of work, white hat hacking exercises can create the potential for disruption or outages.
A "successful" white hat hacking exercise might expose a critical vulnerability that compromises an organization's entire IT system. This type of compromise may even occur where appropriate mitigation measures are in place to limit the potential impact. If something goes wrong during the testing process, liability issues may arise.
Companies should clearly define the scope of the engagement and establish liability limitations in their agreements with ethical hackers. Ethical hackers should attempt to minimize the damage inflicted on an organization's systems and refrain from actions that could cause unwanted harm.
Organizations should require ethical hackers to sign non-disclosure agreements to protect sensitive information discovered during testing.
Ethical hackers could also be asked to abide by specific terms and conditions set out by the company, such as restrictions on downloading any accessed information, to ensure confidentiality. This is crucial to safeguarding proprietary data and customer information.
In an era of constant cyber threats, engaging with white hat hackers can be a powerful ally in the battle for enhanced cyber security. When harnessed legally and responsibly, their expertise can help organizations identify and address vulnerabilities before malicious actors exploit them.
By addressing the legal considerations discussed above and fostering a collaborative relationship with ethical hackers, businesses can fortify their defences and protect their invaluable assets in the digital realm. Remember, a proactive approach to cyber security can often be the difference between success and catastrophe.
Don't hesitate to get in touch with a member of the Gowling WLG Data Protection & Cyber Security Law Team member to discuss how we can assist with your organization's cyber security issues.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.