“At every board meeting, whether it’s monthly, whether it’s quarterly, cybersecurity should be on [the agenda]. If not, you’re going to wind up in a situation where you’re having an emergency board meeting to discuss something that has gone wrong. You have to have a plan. You should have general counsel, public relations, communications, the IT people, the security people—all of them need to have a structure in place to be able to deal with something like this.” —Howard Schmidt, former White House Cybersecurity Czar, Wall Street Journal, Feb. 9, 2015. (See http://www.wsj.com/articles/what-business-and-the-feds-should-do-about-cybersecurity-1423540851.)
For several years, the common business refrain has been that “every company is a tech company,” as brick-and-mortar businesses turn to technology to distinguish themselves and enhance efficiency, intelligence, and customer experience. The corollary, of course, is that every company now also is a data company. In a world where transactions are conducted digitally and corporate strategy is driven by sophisticated analytics, data is fast becoming a company’s greatest asset. Almost everything a company cares about is increasingly stored in digital banks.
Unfortunately, as the recent string of high-profile security breaches—Target, Sony, Anthem—has made clear, the increasing value of data has been met with rising risk. As James Comey, director of the FBI, observed in a recent interview, “Cybercrime is becoming everything in crime. . . . Because people have connected their entire lives to the Internet, that’s where those who want to steal money or hurt kids or defraud go.” (See http://www.cbsnews.com/news/fbi-director-james-comey-on-threat-of-isis-cybercrime/.) Moreover, data security has become as much a legal issue as a technological one, as companies face a bewildering array of federal, state, and international laws and regulations governing cybersecurity, privacy, and breaches. In this quickly evolving climate, it is imperative that companies closely examine their breach preparedness from both a security and legal standpoint. The hours after a breach may well determine how a company fares.
Companies Face an Increasing Risk of Data Breach
The proliferation of security breaches poses an enormous threat to customers, and to the reputation and bottom line of compromised companies. In 2014, Ponemon found that 43 percent of U.S. companies had experienced a data breach within the last year, up from 33 percent in 2013. Moreover, even before the most recent breaches, it found data breaches were costing U.S. companies an average of $5.9 million, or an average of $201 for each compromised record. A brief review of some of the most prominent recent data breaches illuminates the breadth of industries affected by breaches, as well as the scope of potential damage.
● On February 3, Anthem, the nation’s second-largest health insurer, announced a data breach that had exposed the personal information, including Social Security numbers, of 80 million customers and employees. Anthem’s breach is the latest and largest in a series of data security issues affecting the health industry. In August 2014, Community Health Systems announced a data breach that had exposed 4.5 million patient records. Experian forecasts that data breaches may cost the healthcare industry as much as $5.6 billion annually.
● In perhaps the most notorious recent data breach, in November 2014, hackers obtained and released terabytes of internal data at Sony Pictures Entertainment, including embarrassing corporate documents and Social Security data for 47,000 Sony employees. In addition, all data on many Sony servers reportedly was destroyed. The breach is estimated to have caused Sony $70-$80 million in direct costs, as well as potentially more than $100 million in indirect costs from related loss of business. On February 4, Sony Pictures’ co-chairman resigned, largely due to fallout from the breach.
● In September 2014, Home Depot revealed that a data breach had exposed 56 million customer debit and credit card accounts, then announced shortly afterward that 54 million customer e-mail addresses also had been compromised. In its SEC filing for the third quarter of 2014, Home Depot disclosed that it had recorded $43 million in expenses arising from the breach.
● In August 2014, JPMorgan Chase disclosed that hackers had been siphoning data from its computer network for months, exposing contact information for 76 million households and 7 million small businesses. Subsequently, the bank announced that it would spend $250 million annually to implement new security initiatives and protect itself from future cyberattacks.
● In one of the largest breaches in recent memory, in December 2013, Target disclosed that hackers had stolen names, credit card data, e-mail addresses and phone numbers for up to 110 million users. Following the announcement, Target’s profits plunged by 40 percent. In February, it was reported that losses associated with the breach had reached approximately $200 million.
As the diversity of businesses affected—including healthcare, entertainment, financial and retail companies—demonstrates, data security is a critical issue not only for Internet businesses, but for all companies in all industries. As new mobile payment technologies emerge and companies continue to migrate data to BYOD programs and cloud-based systems, the risk of data breach is expected to continue to increase in 2015, heightening the need for companies to closely examine their own networks and data for security issues.
Companies Are Subject to Increasing Legal Risks and Obligations Relating to Data Security
Existing Legal Landscape. Companies that have experienced data breaches not only have suffered from losses in good will, customer attrition and technological costs, but also legal liability. The current legal landscape governing data privacy comprises a sprawling patchwork of state, federal and international laws, and class action lawyers, as well as state, federal and global regulators, are becoming increasingly vigilant and aggressive. Following a data breach, a company can find itself under legal fire from multiple angles.
At the federal level, the Federal Trade Commission, the Securities and Exchange Commission, and other regulators have been very forward-leaning. As part of its consumer protection duties, the FTC has actively investigated companies’ data privacy and collection policies, levying monetary penalties and requiring companies to implement improved security policies subject to independent monitoring. It also has brought actions under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act following breaches exposing consumers’ credit histories and financial data. The SEC’s Division of Corporation Finance has issued guidance regarding public reporting requirements for cybersecurity incidents, and Commissioner Luis Aguilar has confirmed that the SEC will hold boards of directors accountable for their companies’ cybersecurity risk management policies. Meanwhile, the Financial Industry Regulatory Authority and the SEC’s Office of Compliance Inspections and Examinations have begun examining the cybersecurity preparedness of regulated entities, with both bodies releasing reports of their findings and suggested best practices at the beginning of February.
At the state level, state attorneys general have taken an increasingly active role in investigating data breaches and enforcing privacy protections, with multi-state investigations currently underway regarding the breaches at Target, Home Depot and JPMorgan Chase. In these cases, states are investigating not only whether proper safeguards of consumer data were in place, but also whether after discovering their breaches, the companies properly notified affected customers. As 47 states have enacted some form of security breach notification statute over the last decade, each with varying timing and threshold requirements, compliance with notification statutes has presented serious issues for companies with widespread consumer bases. These issues are compounded for international companies, as notification statutes in other countries—including in the European Union—impose even more stringent disclosure requirements than those in the United States.
Finally, every prominent data breach has prompted a flood of consumer class action lawsuits, usually including a combination of negligence, contract, state consumer protection and federal privacy claims. Multiple lawsuits were filed against Anthem and Sony within hours of breach disclosures, and Home Depot disclosed that it has been named in at least 44 consumer lawsuits. Historically, companies have had success defeating consumer claims by challenging standing, arguing that without concrete allegations of actual identity theft, plaintiffs could not demonstrate classwide harm from the mere exposure of their data. Recently, however, courts have shown an increasing willingness to allow such claims to proceed. In September 2014, the Northern District of California permitted a data-breach class action to proceed against Adobe, holding that a “credible threat of real and immediate harm” in the future was sufficient to confer Article III standing on the class. In re Adobe Sys., Inc. Privacy Litig., No. 13-cv-051126, 2014 WL 4379916, at *6-*9 (N.D. Cal. Sept. 4, 2014).
New Legislative Developments. As data security continues to dominate the national conversation, federal and state lawmakers are rushing to update the existing body of privacy laws. The White House has made data privacy a major priority this term, proposing legislation that would reconcile inconsistent state notification statutes by creating a uniform federal standard for data breach notification. At the same time, California, New York and other states are continuing to amend and broaden their own notification statutes to cover additional entities and forms of data. In the financial sector, state regulators are also issuing their own guidelines, and New York’s Department of Financial Services recently announced that it would start conducting its own preparedness assessments of banks and insurers. As new laws are proposed and go into effect, it is critical for a company to understand the legal obligations that may apply in each area in which it does business.
Companies Must Take Proactive Steps to Mitigate Exposure and Ensure Legal Compliance
It goes without saying that companies should take steps to safeguard customer privacy and to minimize the potential for a data breach. However, given the continued rise in frequency and sophistication of cybercrime, as well as the growing attention to notification requirements, companies must make it an equal priority to prepare themselves to respond when breaches inevitably occur. It is not only the smart thing to do, it is becoming the standard of care.
Given the complicated technical and legal issues involved, data breach preparedness can be a source of anxiety to companies. In Ponemon’s 2014 survey, 73 percent of companies reported that they had data breach response plans and teams in place, but only 30 percent believed that their plans were effective. Below are a few high-level guidelines that a company should follow when assessing its readiness for a breach.
Conduct a Readiness Audit. At a minimum, a company should assess its legal compliance and infrastructural ability to respond to an attempted breach by conducting a readiness audit. As part of this audit, a company should:
● Map data and backups. Because the nature of data drives both the level of security and the legal obligations that flow after a breach, a company needs to know what data it has and where it is located. Put simply: the more important data is, the better the security should be. Moreover, in the case of a breach, knowing what was taken and where it was collected/located will determine a number of legal obligations. Finally, a company must have a realistic way to restore lost data or take parts of its system offline without causing more problems. Backups need to be done in a way that makes this possible.
● Perform a network security assessment. Once a system map is in place, regular “penetration testing” must be conducted to identify potential system vulnerabilities. This includes subjecting company employees to phishing tests so that passwords are not inappropriately disclosed. Education is a must, and all employees should be aware of how to observe security precautions and avoid allowing unauthorized access.
● Review insurance policies and contracts. With the rash of security breaches, insurance policies are now available to cover costs associated with data breaches, including notification, public relations, and resulting legal and liability expenses. Some policies even cover the costs of assessing the company’s preparedness for a data breach.
● Monitor the legal landscape. In view of the ever-changing legal landscape, a company should engage legal counsel to identify and assess compliance with the universe of applicable state, federal and international regulations. Because even simple business decisions (e.g., requesting a physical address or changing the way data records are stored) can trigger new obligations in different territories, counsel must be consulted on a continual basis so that companies are accurately informed about their ongoing risks and obligations.
● Maintain law enforcement contacts. In the event of a significant breach, law enforcement involvement will be necessary to identify and bring to justice the intruders. A company should establish contact with the state and federal law enforcement individuals that have jurisdiction in its industry or geographical area. In the event of a breach, legal counsel should manage any communications with law enforcement.
Prepare a Cyber Incident Response Plan. In addition to conducting a readiness audit, a company must have a comprehensive cyber incident response plan to minimize potential losses, keep customers informed on a timely basis, and avoid further legal liability in the event of a breach. Any response plan must assume that all internal systems are compromised. In developing this plan, a company should:
● Prepare a legal response and notification strategy. A company must have a legal response and notification plan that complies with all applicable notification provisions. Legal counsel should be heavily involved both in drafting the plan and advising during its implementation as to when and where different notification duties may be triggered.
● Prepare a communication strategy. A company should have not only an external communication strategy for satisfying notification requirements and customer expectations and needs, but also an internal communication strategy. All parties must be mindful of the risk that non-privileged communications may be subject to discovery in the event of a lawsuit or investigation. Employees or call center representatives should have clear guidance for all communications concerning a breach.
● Prepare a forensic and technical response strategy. A company should identify all data that must be preserved and collected in the event of a breach. This data will not only be used for troubleshooting, monitoring, and recovery, but also as a record that will be used by regulators, lawyers and law enforcement after a breach. Forensic experts should be engaged to collect and examine the data as internal IT teams focus on restoring systems. To maximize work product and privilege protection, lawyers should hire and direct the forensic experts.
● Designate response officials. A company should identify key employees who are knowledgeable of each critical area and who will be responsible for executing the response plan. At a minimum, legal counsel, company executives, communications, IT, and HR representatives (if employee actions or information are at issue) should be included.
● Distribute call lists and written response plans. Once a detailed response plan has been prepared, it should be memorialized and distributed outside of the company’s computer systems to all relevant individuals. This should include a laminated call list of all designated response officials so that the plan can be put into effect immediately.
A cyber incident response plan necessarily is a sensitive undertaking, as a company must investigate and repair any breaches while simultaneously keeping customers informed, preserving evidence and cooperating with authorities who may be evaluating the company’s security policies and response procedures in real time. It is critical to engage legal counsel not only when preparing the plan but also while executing it, to identify and navigate all potential legal ramifications and to protect attorney-client and work-product privileges.
Quinn Emanuel has a team of lawyers with the experience, knowledge, and relationships to help your company navigate the thicket of issues that accompany a data security incident. In addition, our international presence means Quinn is poised to act on a moment’s notice and get in front of any legal issues, no matter where the incident occurs.