The hacks keep coming. Equifax recently announced a massive hack exposing personal financial information of potentially 143 million Americans – 40% of the American population. The Equifax hack is one of the three worst data breaches in history, surpassed only by the Yahoo! data breach involving more than one billion user accounts and the Sony cyber attack in 2014.
Moreover, cyber risk has proven to be remarkably egalitarian. Cyber incidents have taken place across industries and across the globe. Cyber incidents also do not discriminate based on size. A study published by The Business Journals reported that forty-three percent of all cyber attacks target small and mid-sized businesses. The same study predicted that more than 550,000 small and mid-sized businesses will be forced to shut down in 2017 because of a cyber incident.
Cyber risk has two primary components: legal exposure and technology risk. Unfortunately, due to a variety of factors, including a headlong rush to be seen as doing something or becoming “compliant” with some technical standard, many companies or their technology-trained consultants either fail to consider or give short shrift to the potential legal exposure associated with a cyber incident (i.e., governmental investigations and fines, civil litigation and the discovery process, and loss of goodwill). For example, like many companies, Yahoo!’s biggest exposure stemming from its two announced cyber incidents is almost assuredly going to be its legal exposure:
- Its legal exposure to fifty percent of any cash liabilities stemming from the case In re: Yahoo Inc Customer Data Security Breach Litigation, U.S. District Court, Northern District of California, (No. 16-md-02752), which the Court recently ruled could proceed against Yahoo!;
- Its legal exposure to an SEC investigation about what Yahoo knew about the cyber incidents and when, and whether it properly informed investors, which is just getting started;
- Its legal exposure to a putative derivative shareholder class action recently filed in the Delaware Chancery Court;
- Its legal exposure to fifty percent of any cash liabilities stemming from actions filed in courts outside of the U.S.; and
- Its legal exposure to fifty percent of any cash liabilities incurred related to non-SEC government investigations, which reportedly include the U.S. Federal Trade Commission, a number of State Attorneys General, the U.S. Attorney’s office for the Southern District of New York, and non-US government officials and agencies.
There are a number of ways to lessen a company’s legal exposure to cyber risk. The most significant cyber risk threat is not external. Rather, it is what happens, or fails to happen, inside the company before a cyber incident. The following are our top 5 ways to reduce your legal exposure to cyber incidents.
- Leverage the Attorney-Client Privilege and Work Product Doctrine
Every company considering cyber risk should reduce its legal exposure by taking steps to avail itself of the protections afforded by the attorney-client privilege and the work product doctrine. As anyone who has been involved in even a pedestrian litigation matter can attest, the attorney-client privilege and work product doctrine protections are often very valuable risk avoidance tools. Since discovery post-incident is likely to unearth a toxic brew of troubling cyber assessments, table top training exercises gone awry, corrective action reports, and a host of intemperate emails and notes, these legal protections may prove to be a company’s most valuable risk avoidance tool.
To put itself in a position to assert these protections, a company’s risk assessments, incident response plans, tabletop training exercises, security investigations, and all other internal and external examinations covering cyber risk benchmarking and audits should be conducted under the direction and supervision of legal counsel. To remove any doubt that a court or government agency might raise, companies should have an outside law firm subcontract all non-legal cyber security providers. Without these legal protections, all of the assessments, minutes of review meetings, and other communications (emails, notes, etc.) related to cyber risk are likely to be discovered by a governmental agency or plaintiffs’ counsel following a data incident.
Moreover, if a company’s current outside legal counsel does not possess expertise in cyber risk, the company should engage a law firm that does, to ensure that these specific issues are managed effectively and that “compliance” and oversight are conducted properly. Relying on lawyers without a sufficient grounding in this area, or on non-lawyer consultants, however well-meaning and technologically proficient, is an open invitation to unnecessary risk in this area.
- Know the Law Pertaining to the Data Held by Your Company and Integrate that Law into Your Company’s Policies
Cyber security is no longer the province of IT professionals. Cyber security is now firmly in the hands of heads of state, senators, congress people, ministers, chancellors, government agencies, committees, and commissions, and attorneys general and prosecutors. And, they all have one thing in common: no one wants to be seen as being soft on cyber risk or cyber crime. As a result, governments across the globe have raised the stakes by racing to enact and implement new and increasingly more complex laws and regulations designed to address cyber risk.
For example, last year alone, governments enacted or revised the following laws, regulations, and guidance:
- In February, for the first time, the then California Attorney General (now a U.S. Senator) released a list of “recommended” cyber safeguards that the Attorney General deemed to constitute reasonable information security practices;
- In September, the New York State Department of Financial Services promulgated a proposed first-in-the-nation mandatory cyber security regulation that listed specific requirements for insurance companies, banks, the financial industry, and the third parties servicing those industries;
- In September, the Philippines issued the Implementing Rules and Regulations of the Philippine Data Privacy Act of 2012;
- In September, the US Computer Emergency Readiness Team, which is part of the US Department of Homeland Security, issued its National Cyber Incident Response plan;
- In November, the People’s Republic of China promulgated its Cyber Security Law, which goes into effect in July 2017;
- In November, the Chancellor of the Exchequer formally launched the UK Government’s National Cyber Security Strategy 2016-2021, which includes the establishment of the UK’s new National Cyber Security Centre that purportedly will provide a rapid response to major incidents; and
- In December, the New York State Department of Financial Services issued a revised set of cyber security requirements.
These new pronouncements join the following statutes and regulations:
- The California information security statute (California Civil Code Section 1798.81.5);
- The California Confidentiality of Medical Information Act (part 2.6 of Division 1 of the Civil Code) and the California Health and Safety Code Section 1280.15 for licensed clinics, health facilities, home health agencies and hospices in California;
- The Gramm Leach Bliley Act for the financial services industry;
- The Health Insurance Portability and Accountability Act for health care entities and their business associates;
- 16 C.F.R. Part 314 for the Federal Trade Commission;
- The Federal Information Security Management Act of 2002 for federal agencies; and
- The SEC guidelines for public company disclosures.
These statutes and regulations are layered on top of the data breach notification laws of 47 U.S. states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, as well as non-U.S. jurisdictions around the world. The three U.S. states without breach notification laws are Alabama, New Mexico and South Dakota.
The breach notification laws in the 47 U.S. states are similar in many ways. There are differences, primarily in six areas: (i) the notification trigger; (ii) the timing for notification and law enforcement delay; (iii) the definition of covered information; (iv) the content specifically required in the notification; (v) the requirement to notify the state Attorney General and/or another government agency; and (vi) whether the breach notification will be published and maintained online.
A few states have unique content requirements. For example, the Massachusetts law prohibits disclosing the nature of the breach or the number of residents affected in the notice, the Wisconsin law requires the notice to tell the recipient to make a written request to learn the personal information involved, and the laws in Maryland, North Carolina, and Rhode Island require that specific contact information be provided.
The following twelve (12) U.S. states now post and maintain breach notification databases online:
- New Hampshire;
- Washington; and
In addition, there are other online repositories for data breach notifications, including:
- The U.S. Department of Health & Human Services Office for Civil Rights for HIPAA breaches;
- The Privacy Rights Clearinghouse, a California nonprofit corporation, which compiles data breach notifications reported to state and government agencies as well as the media; and
- The Identity Theft Resource Center, which also compiles a report of data breaches confirmed by various media sources and/or notification lists from state government agencies.
Finally, since a company’s cyber security policies and human resources policies related to cyber security will likely be exhibits A and B in connection with a government investigation or lawsuit following a cyber incident, it is critical that these policies accurately reflect and incorporate the current laws and regulations that the company must follow. Designing a set of policies – even those based on so-called best practices – that is devoid of, or only tangentially related to, the applicable law or regulations can be an extremely costly and counterproductive mistake. These policies should be some of the best evidence that you can present to support your defense. They should not be admissions that you failed to follow the law. Ideally, in the event of an investigation or civil matter, counsel should be able to map the company’s policies directly to the applicable law and regulations.
- Take Advantage of Encryption
While the online breach notification databases referenced above are ostensibly beneficial to consumers, these databases increase a company’s potential legal exposure. These databases will likely serve as valuable sources of information for government investigators and plaintiffs’ counsel. By cross-referencing these databases, investigators, among other things, can test compliance with the various notification statutes and more readily learn about first offenders and repeat offenders. These databases also may serve as a tool to alert cyber criminals to easy targets. As a result, if at all possible, companies should try to avoid having to make a notification.
Forty-four (44) of the forty-seven (47) U.S. states that have breach notification laws also have a “notification safe harbor” for encrypted data. Under a notification safe harbor, notification need not be made, provided the data is encrypted and the encryption key is not compromised at the time of the data incident.
Of the U.S. states that have “notification safe harbors,” only four (4) states articulate a specific standard for encryption: (a) Massachusetts and Rhode Island, which mandate AES 128 encryption or better; and (b) Washington and Nevada, which mandate NIST-level encryption (or an equivalent). After performing the impact analysis test for encryption as set out by NIST with respect to Washington and Nevada, we have concluded that most companies would be best served to adopt the AES 256 standard (or an equivalent 256-bit algorithmic process) to avail themselves of the notification safe harbors available in the US. Our conclusion in this area was bolstered by our research into the relevant encryption standards, which included NIST’s work and Cisco’s research on quantum-computer-resistant and next-generation encryption. Based on this research, we understand that AES 256 is expected to meet the security scalability requirements of the next two decades.
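The safe harbor above turns on two facts: the data was encrypted and the key was not compromised. The following is an added illustration, not code from this post or our firm, of what that looks like in practice: records are encrypted with AES-256-GCM (a 32-byte key, satisfying the AES 256 recommendation and rejecting AES-128 keys), the data store keeps only nonce and ciphertext, and the key lives in a separate key store (assumed to be a KMS or HSM; the record ID and sample SSN are constructed values).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyBytes256 is the key length behind "AES 256": 32 bytes.
const KeyBytes256 = 32

// Envelope is all the database ever stores for an encrypted field.
// The key is deliberately absent; it is fetched from the separate key store.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-GCM cipher and refuses any key that is not 256 bits,
// so an AES-128 key cannot slip in and weaken the safe-harbor position.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeyBytes256 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one field of one record. The record ID is bound as
// associated data, so a ciphertext copied onto another record will not open.
func Seal(key []byte, recordID string, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per field
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a stored envelope using the key retrieved from the key store;
// it fails if the ciphertext, nonce, or record binding was altered.
func Open(key []byte, recordID string, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(recordID))
}
```

If an incident exposes only the Envelope values, the plaintext stays protected as long as the key store is intact, which is the condition the safe-harbor statutes describe.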
- Scrutinize Insurance Policies Annually
The Wall Street Journal reported that cyber insurance is the fastest-growing insurance product in America. However, as with any legal document, the details of an insurance policy are important.
Far too many companies fail to evaluate whether their existing policies cover their potential legal exposure to cyber risk. Rather than simply renewing existing, possibly outdated policies, companies, in close coordination with legal counsel, should evaluate their company’s insurance needs and obtain policies that address their risks.
The New York cyber regulation requires that senior officers oversee their company’s cyber security program and certify compliance with the regulation on an annual basis. In the event of a data incident, the Department of Financial Services or private plaintiffs may argue that the certifying officer made a deliberate or inadvertent misrepresentation about the company’s cyber program. Companies should therefore regularly review their D&O insurance. Generally speaking, companies should make sure that their D&O coverage does not exclude claims stemming from cyber liability. It is important to ensure that the D&O policy will pick up the cost of defending regulatory actions and any resulting penalties. This coverage may be included under the main coverage sections, as separate policy coverages within the main policy form, or by endorsement.
Companies that have purchased cyber insurance should likewise regularly review their cyber insurance policies. Although most cyber policies cover direct loss, legal liability and consequential damages, the scope of the risk might be narrowly defined. Moreover, in this rapidly evolving landscape, cyber policy language can become outdated and irrelevant. These “stale” policies can create unanticipated risks.
Particular attention should be paid to policy exclusions, which often include employee-generated losses. For example, a policy could exclude damages incurred by a rogue employee who intentionally discloses information or sells the information to another entity.
- Routinely Assess Whether to Switch to a Managed Cyber Security Service and Use a Dedicated Compliance Platform to Maintain Compliance
There is no substitute for experience. Recruiting and retaining a competent legal and technology cyber risk team is an imposing challenge for companies of all sizes.
For many companies, there are only two cyber risk options – outsourcing or waiting for an inevitable misfortune. With the fast-changing and increasingly complex legal landscape, the rapid adoption of new technologies, and the growing sophistication of cyber criminals, very few organizations have the internal legal and technical resources to adequately address their cyber risk. As a result, companies – both large and small – are increasingly outsourcing their cyber risk program to managed cyber security services.
There are no excuses anymore for having substandard technology or cyber policies to safeguard information. On an annual basis, companies should assess whether their internal resources are up to the task of addressing their cyber risk. Learning belatedly, in a class action complaint or as part of a government investigation, that your internal team was not suited to the task is not a recipe for success.
Finally, whether companies decide to insource or outsource this important work, it is imperative to use a dedicated compliance platform to become compliant and maintain compliance. With the number of moving parts to be addressed, record keeping is a key component of any viable cyber program. Indeed, trying to become compliant or maintain compliance without such a software platform is simply a fool’s errand. Moreover, after a data incident there is no time to gather basic information that should already be organized in a single platform. The incident response team should be directed to the platform to get an accurate snapshot of the company prior to the data incident.
Our firm understood the importance of having a robust compliance platform at our inception. As a result, we heavily investigated and tested a variety of such platforms. We currently use the OnTrack platform and highly recommend it to our clients. Simply put, we would not be able to maintain our ISO 27001 data security certification without OnTrack. With OnTrack, we are able to easily coordinate and accomplish the above recommendations.
For more information, please contact one of our cybersecurity team leaders.
David Hickey at firstname.lastname@example.org or 626-737-9505
Rene Kahn at email@example.com or 626-737-6236
Jason Balogh at firstname.lastname@example.org or 415-813-4455