Companies that suffer cyber security breaches or expose cyber vulnerabilities increasingly face claims that they failed to implement adequate security measures, misrepresented the extent of their data security measures, or inadequately notified the individuals whose personal information may have been at risk.
The Legal Risks
At the federal regulatory level, the Federal Trade Commission (FTC), the Department of Health and Human Services, the Federal Communications Commission, the Consumer Financial Protection Bureau, the Commodity Futures Trading Commission, and the Securities and Exchange Commission have all taken action against companies that, in their view, violated federal laws covering data security.
The FTC, in particular, has authority to prevent “unfair or deceptive” trade practices under Section 5 of the FTC Act. It has taken the position that a failure to employ reasonable and appropriate data security practices constitutes an “unfair” practice under the statute, and that misleading consumers about data security risks or practices can constitute a “deceptive” practice.
State and city regulators, predominantly state attorneys general, have also taken action against companies that allegedly employed insufficient data security practices, asserting that such practices violated laws prohibiting unfair or deceptive conduct, specific statutory data security requirements, and data breach notification laws.
Companies that experience a breach or vulnerability may also face private claims. Most commonly, such claims are brought by the individuals (such as consumers or employees) whose data was allegedly compromised in a data breach.
Recently passed laws and regulations further increase the legal pressure on companies that collect personal information. For example:
- New York’s Department of Financial Services recently issued regulations imposing detailed cyber security requirements on insurance and financial services companies.
- California passed a statute, effective in 2020, that creates a private right of action for consumers whose personal information is breached as a result of a failure to maintain “reasonable” cyber security measures. The state also passed a separate statute, also effective in 2020, requiring “reasonable” security features for certain connected devices.
- The EU’s General Data Protection Regulation (GDPR), which became operative in May 2018, imposes data breach notification requirements and an obligation to maintain appropriate security measures on companies subject to its provisions.
How Organizations Can Reduce Risk
Given this complex legal landscape, how can organizations reduce their risk? Some steps companies might consider taking include:
- Implement and maintain reasonable and appropriate security measures. Enforcement typically involves claims that companies failed to create and maintain a sufficient information security program and allowed an otherwise preventable data breach to occur.
- Verify accuracy of statements around the company’s data-security practices and how the company responds to a breach. Many suits in the data breach context allege that companies did not live up to the level of cyber security they promised.
- Develop and regularly test an incident response plan. Most cyber security claims challenge, at some level, the adequacy of companies’ responses to cybersecurity incidents.
- Understand notification obligations. Regulators and private plaintiffs are increasingly citing alleged failures to properly notify consumers in their suits.
Plan Ahead for a Cyber Breach
While many organizations focus on incident response, incident preparedness is just as important. Yet companies often fail to take steps that could reduce the risks associated with the litigation and enforcement proceedings that frequently follow a breach announcement. Common issues we see even before a breach occurs include:
- Lack of an incident response plan or a plan that’s overly complicated to execute.
- Failure to test the response plan or include senior management in assessment exercises.
- Failure to preserve the attorney-client privilege for potentially damaging documents such as security assessments.
- Overlooking the role of third-party vendors in the response plan.
- Failure to develop cross-functional relationships among key plan participants and stakeholders.
- Lack of a communications plan.
- Limited or inaccurate IT documentation showing what cyber security measures the company took.
- Lack of cyber security insurance, or having insurance that isn’t the right fit.
- Lack of full network visibility.
Once the aforementioned details are accounted for, there are many additional ways to prepare for a cyber security incident:
- Tabletop Exercises: Many companies find it helpful to supplement their internal exercises with exercises facilitated by external providers, including legal counsel and cyber security consulting firms. Typically, the facilitator plays out a relevant cyber threat scenario by delivering a series of scripted “injects” (simulated events) to which the designated stakeholders must react. At the end of the exercise, those stakeholders receive the observations made during play, along with strategic recommendations for improvement.
- Information Security Policy Review: Organizations can conduct a legal review of information security and other relevant policies to identify potential gaps or policy language that the courts, the plaintiffs’ bar, and regulators have relied upon to confer Article III standing; assert claims for unfair or deceptive business conduct; or otherwise support claims in litigation or government enforcement action following a security breach.
- Insurance Policy Cyber-Coverage Review: Companies are often unaware of significant gaps and exposures in their insurance coverage when it comes to data breaches involving personal information and other cyber incidents. An outside law firm can conduct a legal review of the cyber risk insurance portfolio to identify potential shortcomings and the right scope of coverage.
- Written Incident Response Plan Reviews: Companies should have counsel review their incident response plans to address legal requirements and regulator expectations. This is often accomplished with the help of a cyber security consulting provider.
Steps to Take After A Breach
Even with best efforts, cyber breaches can and will happen, and the moves organizations make following a compromise can have both immediate and long-term consequences. To minimize harmful consequences, organizations should:
- Consult promptly with experienced legal counsel to limit damage and ensure compliance with time-sensitive legal obligations.
- Work with legal counsel, with assistance from an incident response firm, to ensure that forensic evidence is appropriately preserved.
- Work with legal counsel, with assistance from an incident response firm, to investigate and contain the incident.
- Determine whether insurers should be notified.
- Brief senior leadership and the board of directors on the incident.
- Determine what types of external and internal notification are required.
Internal company representatives involved can vary, but should include in-house counsel, IT and information security, and, in most cases, senior management.
How Prepared is Your Organization?
If you’d like to learn how to evaluate your incident preparedness, watch the on-demand webinar “Are You Ready to Handle a Cyber Crisis?” presented by Rob van der Ende, Mandiant vice president of Asia Pacific and Japan, and Mimi Yang, Ropes & Gray partner, from the FireEye 2018 Cyber Resilience Virtual Summit.
Yang and van der Ende explain how Ropes & Gray and Mandiant have joined forces to help you evaluate your organization’s ability to respond effectively to a cyber incident before it occurs.
To learn about the newest techniques for managing cyber risk, watch “Cyber Security Risk Management: New Methods to Gain Control,” another on-demand webinar from the summit presented by Ropes & Gray Partner Michelle Visser, FireEye Senior Director Matthew Keane, and FireEye Senior Consultant Travis Fry.
You’ll learn new approaches to generating realistic risk forecasts, effective metrics techniques, and a clear roadmap for capability improvements.
These webinars are two of several sessions designed to help you map out a plan for managing cyber risk and battling the latest threats. In each webinar, experts share insights and intelligence from the latest breach investigations and knowledge from research into the threat landscape.
Visit the FireEye 2018 Cyber Resilience Virtual Summit page to review the list of available on-demand webinars.
Michelle Visser and Mimi Yang are partners of Ropes & Gray LLP. Michelle has extensive experience assisting companies with legal issues resulting from data security breaches, and Mimi has extensive experience in private securities litigation, U.S. DOJ and SEC enforcement matters, and internal investigations.