Legacy software poses an increasing data security risk to corporations, argues Lisa Lifshitz
January 14, 2020 marked the end of Microsoft’s extended support for Windows 7. Why is this date important? Because, following it, the operating system joined the ranks of so-called “zombie” or “legacy” software that no longer receives patches, technical support or security updates from its creator. Any vulnerability discovered in it from now on stays unfixed, which makes every device and system still running it progressively more exposed to malware and attackers.
The exit took some time. Windows 7 was first released in 2009, and Microsoft stopped selling it at retail in October 2013. Sales of new PCs with Windows 7 pre-installed ended three years later, and mainstream support (non-security fixes) ended in January 2015, leaving only security updates until the 2020 sunset. Before that date, Microsoft repeatedly warned customers still using Windows 7 to upgrade to a newer version such as Windows 10.
However, many organizations appear not to be in any great hurry to cast off the legacy operating system. Kollective Technology, an enterprise cloud-based content delivery company, surveyed 100 US- and UK-based companies in January 2019 and found that 43 per cent of them were still running Windows 7, while 17 per cent were unaware of the end-of-support deadline. Kollective’s white paper on the end of Windows 7 support found that only 77 per cent of businesses had completed their migration to Windows 10. Perhaps even more concerning, nearly one in five large enterprises had yet to complete their migrations.
Overall, this is not an inspiring result. Unsupported software is a disaster waiting to happen: vulnerabilities discovered after the end-of-support date are never fixed by the vendor, while working exploits for them continue to circulate, so the software stays permanently exposed to malware and attackers and the organization’s risk of a costly data breach rises with every passing month.
For example, in May 2019 Microsoft disclosed the so-called BlueKeep vulnerability (CVE-2019-0708) in the Remote Desktop Services component of older Windows versions, among them Windows XP, Windows 7, and Windows Server 2003 and 2008 (Windows 8 and later were not affected). The flaw sat in the Remote Desktop Protocol (RDP) implementation and allowed an attacker to achieve remote code execution on an unprotected system simply by sending specially crafted packets to a machine on which RDP was enabled.
Because the flaw is triggered before authentication, no valid credentials and no user interaction were required. A successful attacker could then perform any action the system allowed, including adding accounts with full user rights; viewing, changing or deleting data; or installing programs. Worse, the vulnerability was “wormable”: malware exploiting it could propagate on its own from one vulnerable machine to the next, much as the WannaCry attacks of 2017 did through a different Windows flaw. Microsoft took the unusual step of releasing patches even for Windows XP and Windows Server 2003, which had long since reached end-of-life, and advised organizations that could not patch immediately to enable Network Level Authentication (which forces a logon before the vulnerable code is reached) and to block RDP (TCP port 3389) at the perimeter or disable it where it is not needed. Companies should not, however, rely on last-minute vendor intervention to protect valuable (and vulnerable) personal information; the next flaw in an end-of-life product may simply never be fixed.
It can certainly be argued that Canadian organizations have explicit and positive legal obligations to deal with the ongoing risks posed by reliance on legacy software. As more Canadians are affected by data breaches (Statistics Canada found that 57 per cent of Canadian internet users reported experiencing a cybersecurity incident in 2018), the risks and liability associated with the continued use of legacy software by corporations are increasingly shifting from being an IT problem up to an organization’s C-suite of top executives.
It has also become increasingly difficult for Canadian corporations to ignore the costs of data breaches: as of 2018, the average cost of a single data breach was $3.86 million in Canada and $7.91 million in the United States, as reported by the Ponemon Institute in its 2018 Cost of a Data Breach study. Moreover, whereas Canadians have historically been less keen on litigation, the significant data breaches of 2019 (e.g. Desjardins Group, with 4.2 million members affected, and LifeLabs, with 15 million customers affected) are increasingly giving rise to privacy class-action lawsuits.
Canadian public companies are already subject to various requirements, such as the Canadian Securities Administrators’ Staff Notice 11-332, which outlines cybersecurity reporting guidelines. Principle 7 (Safeguards) of Schedule 1 to the Personal Information Protection and Electronic Documents Act (PIPEDA) requires companies to protect personal information with safeguards appropriate to the sensitivity of the information, against loss or theft as well as unauthorized access, disclosure, copying, use or modification. Those safeguards are expected to include reasonable technological measures, and it is unlikely that regulators would be favourably impressed to find that a company had relied on software its vendor no longer patches.
Officers and directors of Canadian companies already have cybersecurity obligations that arise under a variety of corporate laws and Canadian jurisprudence, including the duty of care under the Canada Business Corporations Act and applicable provincial statutes such as the Ontario Business Corporations Act. Members of boards of directors are required to demonstrate loyalty towards the corporation and to act honestly, in good faith and in the best interests of the corporation; and to exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances.
In the event of any cybersecurity incident, directors must establish that they took steps to address known concerns, that oversight and reporting responsibilities were being administered reasonably, and that they acted responsibly when taking actions and making decisions, and made reasonable efforts to investigate and address any deficiencies. If a corporation becomes aware (or should be aware) that it is relying on outdated, unsupported legacy software in its critical systems, including those that process personal information, then arguably the directors and officers of that organization failed to discharge their corporate duties.
The failure to adequately address cybersecurity risks, including those related to legacy software, is not only a problem for executives and corporate directors. In-house counsel often inherit the cybersecurity mantle, and any resulting liability (say, from a breach of security safeguards) may land at their feet. Many general counsel already view their mandate as including thwarting cyberattacks and mitigating vulnerabilities, and the top issues of concern for GCs include cybersecurity, regulatory compliance and risk management. So it behooves Canadian internal counsel to ensure that their organizations are not relying on outdated, vulnerable legacy software.
Such failures involving legacy software may soon prove to be even more costly for corporations given upcoming privacy law reforms. The Trudeau government has recently signalled that, as part of its commitment to advance a new “digital charter” and reform existing federal privacy laws, updated legislation would contain provisions that give Canadians “appropriate compensation” when their personal information is breached.
The recent mandate letter to Innovation, Science and Industry Minister Navdeep Bains mentions enhanced powers for the Privacy Commissioner to establish a new set of online rights, including data portability; the ability to withdraw, remove and erase basic personal data from a platform; knowledge of how personal data is being used, including with a national advertising registry and the ability to withdraw consent for the sharing or sale of data; the ability to review and challenge the amount of personal data that a company or government has collected; proactive data security requirements; and the ability to be informed when personal data is breached with appropriate compensation.
Minister Bains has publicly stated that compensation will include punitive fines for those found guilty of breaching personal information, “to demonstrate to businesses very clearly that there are going to be significant penalties for non-compliance with the law."
To mitigate their risk, organizations should, at a minimum, conduct a thorough internal audit of their existing systems and document their own legacy software risks and exposure, including an inventory of every operating system and major application in use, its version, and its vendor’s published end-of-support date. Anything already past that date, or approaching it within the organization’s realistic migration window, belongs on a risk register with an owner and a plan. It often takes months, if not years, for an organization to successfully transition to a new software system while otherwise keeping the lights on, and this lead time must be factored into any risk mitigation planning.
On a going-forward basis, organizations should ask detailed questions about a software product’s planned life cycle when acquiring new software and operating systems. Cybersecurity due diligence questionnaires given to a vendor should ask about the vendor’s patching cadence, its upgrade/release process, and the published support and end-of-life dates for the versions being purchased.
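The audit described above is, in practice, a join between an asset inventory and the vendors’ lifecycle dates. The following script, an added illustration rather than anything from the original article, does that join for a constructed inventory export: it normalises the noisy OS strings that inventory tools emit, looks each up in a small lifecycle table (Microsoft’s published dates for the products named in the article, which an auditor would keep current from the vendor’s lifecycle pages rather than hard-code), and classifies every host as supported, expiring, covered only by a paid ESU contract, unsupported, or unknown. The hostnames, the CSV layout and the `esu` column are assumptions made for the example.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Normalised product name -> (end of extended support, end of paid Extended
# Security Updates, or None if the vendor sold none). Illustrative table; keep
# it current from the vendor's lifecycle pages in real use.
LIFECYCLE = {
    "windows xp": (date(2014, 4, 8), None),
    "windows server 2003": (date(2015, 7, 14), None),
    "windows 7": (date(2020, 1, 14), date(2023, 1, 10)),
    "windows server 2008": (date(2020, 1, 14), date(2023, 1, 10)),
    "windows server 2008 r2": (date(2020, 1, 14), date(2023, 1, 10)),
    "windows 10": (date(2025, 10, 14), None),
}

# Edition and service-pack tokens that inventory tools append to the OS name.
EDITION_TOKENS = re.compile(
    r"\b(microsoft|professional|pro|enterprise|ultimate|home|standard|"
    r"datacenter|essentials|sp\d|x64|x86)\b"
)


def normalise(os_name: str) -> str:
    """Lower-case the OS string and drop edition/service-pack noise."""
    cleaned = EDITION_TOKENS.sub(" ", os_name.lower())
    return re.sub(r"\s+", " ", cleaned).strip()


def lookup(os_name: str) -> Optional[str]:
    """Return the longest lifecycle key the normalised name starts with."""
    name = normalise(os_name)
    matches = [k for k in LIFECYCLE if name == k or name.startswith(k + " ")]
    return max(matches, key=len) if matches else None


@dataclass
class Finding:
    hostname: str
    os: str
    product: str             # lifecycle key, or "unknown"
    status: str              # SUPPORTED / EXPIRING / ESU / UNSUPPORTED / UNKNOWN
    days_to_eol: Optional[int]  # negative once vendor support has ended


def classify(os_name: str, esu_purchased: bool, today: date, warn_days: int = 365):
    key = lookup(os_name)
    if key is None:
        return "unknown", "UNKNOWN", None      # unrecognised: must be investigated
    eol, esu_end = LIFECYCLE[key]
    days = (eol - today).days
    if days < 0:
        # Past end of support: only a paid, time-limited ESU contract keeps
        # security fixes flowing, and only until its own end date.
        if esu_purchased and esu_end is not None and today <= esu_end:
            return key, "ESU", days
        return key, "UNSUPPORTED", days
    if days <= warn_days:
        return key, "EXPIRING", days          # inside the migration lead time
    return key, "SUPPORTED", days


def audit(inventory_csv: str, today: date, warn_days: int = 365):
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        esu = row.get("esu", "no").strip().lower() == "yes"
        product, status, days = classify(row["os"], esu, today, warn_days)
        findings.append(Finding(row["hostname"], row["os"], product, status, days))
    return findings


def summarise(findings):
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


# Constructed sample export (fictional hosts) in the shape a CMDB query emits.
SAMPLE_INVENTORY = """hostname,os,esu
fin-ws-014,Microsoft Windows 7 Professional SP1,no
fin-ws-022,Microsoft Windows 7 Enterprise SP1,yes
hr-srv-01,Windows Server 2008 R2 Standard,no
lab-xp-03,Microsoft Windows XP Professional,no
eng-ws-101,Windows 10 Enterprise 1909,no
mfg-plc-07,Vendor RTOS 4.2,no
"""
AUDIT_DATE = date(2020, 2, 1)   # shortly after the Windows 7 sunset


def run_sample():
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.hostname:<12} {f.status:<12} {f.product:<24} days_to_eol={f.days_to_eol}")
    print(summarise(run_sample()))
```

Run as of February 2020, the three Windows 7, Server 2008 R2 and XP hosts without an ESU contract come out UNSUPPORTED, the one Windows 7 host with ESU is flagged separately so its 2023 cut-off is not forgotten, and the unrecognised controller is reported as UNKNOWN rather than silently passed, which is the case most audits miss.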
Purchasers of and investors in companies should also require express representations/warranties that their target entities are using current versions (or at least supported versions) of critical software; the entity has up to date maintenance and support policies; and that patches/upgrades are installed regularly. Failure to meet these requirements should trigger indemnification of the purchaser/investor.
In the meantime, it is worth noting that Microsoft has thrown a life raft to laggard organizations that are still not ready to migrate off Windows 7. Its paid Extended Security Updates (ESU) program, sold through volume licensing, costs $25 per device running Windows 7 Enterprise and $50 per Windows 7 Pro PC in the first year. The price doubles each year after 2020, to a maximum of $100 per Windows 7 Enterprise device and $200 per Windows 7 Pro device in the third and final year, and the program ends in January 2023. ESU delivers security fixes only; it is a time-limited bridge, not a return to full support.
Rather than relying on this Band-Aid, though, it is strongly recommended that organizations get a handle on the critical cybersecurity issue of legacy software, and avoid the zombies.