CYBERSECURITY AND PRIVACY: REDUCING YOUR COMPANY'S LEGAL RISK
By: Andrew Serwin
January 19, 2018
Overview
- What are companies concerned about?
- What information are we concerned about?
- Cybersecurity
- Who are the threat actors?
- Steps to address a breach
- Consequences of a breach
- Examples of incidents
- Steps to prepare and respond
- Notice on a global basis
- Litigation and enforcement
Morrison & Foerster LLP 1
Overview (continued)
- How concerned are Boards?
- What are the relevant legal obligations for the Board?
- How should the Board think about cyber?
- Where should cyber be addressed at the Board?
- What are the threats and challenges?
- What should the Board do about cyber?
- What should Management do about cyber?
- What are emerging SEC issues regarding cyber?
- Lessons learned and takeaways
- What questions should you ask?
Top-Level Concerns
- Controller v. processor
- Data misuse (generally a first-party issue):
  - Failure to fully disclose data practices;
  - Failure to comply with applicable laws;
  - Marketing mistakes; and
  - Others.
- Attacks (third-party focused). There are two primary types of attacks:
  - Theft of information (e.g., PI, trade secrets); and
  - Attacks on the grid (e.g., denial of service, attempts to shut down systems).
All Companies Have Information of Value
Companies create and process a significant amount of information:
- Financial information;
- Information regarding individuals (employees and customers);
- Proprietary/confidential information:
  - IP;
  - Undisclosed M&A activity;
  - Business and marketing plans; and
  - Pricing;
- Information regarding business processes, including process improvements;
- Information regarding business trends;
- Social data/user-generated content;
- Machine data; and
- Many other forms of information.
Understanding the Cyber Threat
YESTERDAY
- Threat actors: isolated criminals; script kiddies
- Goals: identity theft; self-promotion; theft of content or services
TODAY
- Threat actors: organized criminals; nation states; hacktivists; insiders
- Goals: intellectual property; financial information; strategic access/destruction; terrorism; embarrassment
Breaches Are on the Rise
Security breaches are becoming more common and are reported on more frequently.
Have You Stopped Buying Based upon a Breach?
[Bar chart: Yes 78%; No 22%]
You've Been Breached. Now What?
- Investigate and stop the intrusion.
- Determine notice obligations and comply with deadlines.
- Evaluate whether a PR firm is needed.
Common Issues
- Escalation
- Privilege
- Who is in charge?
- The role of third-party vendors
Should You Hire a Vendor?
- Vendors can investigate the breach and plug the infiltration.
- You may also need third parties for notice-related issues, PR, and other services.
Tips & Suggestions Regarding Privilege in the U.S.
- Copying a lawyer on an email does not necessarily make it privileged. To be privileged, the email must be seeking legal advice or contain legal advice.
- Limit the distribution of documents containing legal advice to people who have a need to know.
- Do not cc: or forward emails containing legal advice to any third party (e.g., government, other companies).
- Stamp or add a legend to documents that are privileged to make them easy to identify. But simply stamping everything privileged can hurt more than it helps, so don't overuse the designation.
Privilege Quick-Reference Guide
Attorney-Client Privilege:
- Only applies to communications with lawyers regarding legal advice
- Is usually lost (waived) if shared outside the company
DO:
- Consult with attorneys before hiring consultants to decide whether the engagement should be privileged
- Ask an attorney before forwarding a privileged email
DON'T:
- Wait to consult an attorney before taking initial steps to stop an incident
- Put heat-of-the-moment opinions or speculations in writing that could later embarrass the company
- Forward privileged emails to people who do not have a need to know or who are outside the company
What Are the Consequences of a Breach?
- Impact on brand/trust;
- Bad PR;
- Corporate governance issues;
- Significant costs and use of internal resources;
- Enforcement by regulators on a global basis; and
- Private litigation in the United States.
Incident Number 1: IP Theft
A publicly traded U.S. company has spent a significant amount of money creating a chemical compound that is critical to the manufacturing of solar panels, and it is protecting the compound via trade secret protection. A month before the company is getting ready to release the product, the General Counsel receives a call from the FBI informing her that there are indicators that a foreign state has penetrated the company's network and stolen a significant amount of data, including the proprietary formula for the solar panel compound, as well as other intellectual property.
What do you do?
Incident Number 2: PII Theft
A Fortune 50 retailer receives a call from a prominent member of the press informing the company that he is aware of a security breach involving the company and over 40,000,000 credit cards. He will be making the breach public in 24 hours and asks for a comment from the company.
What do you do?
Incident Number 3: A Grid Attack
A global financial services company sees an uptick in fraud and subsequently discovers that it has been attacked and 200,000,000 user credentials have been stolen from the company. The company hires a forensic expert who determines how the attackers have accessed the network and then takes steps to block the attackers from having continued access. As soon as the attackers are removed from the system, the company is hit with a sophisticated Distributed Denial of Service (DDoS) attack that causes its entire network to crash.
What do you do?
Incident Number 4: Public Embarrassment
A Fortune 100 health care company with a significant number of government contracts receives an email from a hacktivist group demanding a number of concessions from the company, including terminating certain lines of business that the hacktivists find objectionable, or the group will begin disseminating damaging information regarding the company. The company has 48 hours to respond, and it does not meet the group's demands. The hacktivists respond by posting numerous emails on a peer-to-peer network that reveal a pattern of inappropriate conduct by the CEO, and seem to indicate that there may be government fraud occurring. The company is given another 48 hours to meet the hacktivists' demands.
What Can Companies Do to Prepare?
Pre-breach considerations include:
- Identifying critical systems;
- Identifying key legal and notice requirements;
- Creating an incident response plan;
- Identifying key internal and external stakeholders, including important customers and regulators who may require notice;
- Identifying professionals to assist in the event of a breach;
- Conducting a tabletop exercise;
- Anomaly detection;
- Establishing relationships with law enforcement and others in your industry to discuss sharing information; and
- Conducting a security review.
What Should Companies Do to Respond?
When a breach occurs:
- Containment and recovery;
- Advising on information sharing strategy (e.g., critical partners);
- Document preservation, including forensic collection, if appropriate, with consideration of the application of the work-product doctrine;
- Making the facts stand still;
- Creating a PR plan based upon the nature and scope of the incident;
- Assessing notice, disclosure, and other legal obligations;
- Advising on engagement strategy with law enforcement; and
- Conducting a lessons learned review.
Notice of Security Breach Legislation
Common issues:
- When notice must be given;
- The form of the notice;
- Who notice must be given to;
- The scope of federal preemption; and
- The effect of existing security policies.
Data Breach Laws Vary by State in the U.S.
Most states have enacted data breach notification laws requiring businesses and other entities to notify affected individuals when a data breach involving their personally identifiable information occurs. The requirements of these laws vary and sometimes conflict.
There Are Federal Laws as Well
HIPAA is an emerging issue for many technology companies.
GDPR
GDPR attempts to harmonize European data protection rules, including implementing a European notice of security breach rule.
GDPR: What Is a Breach?
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
Notice Requirements
- A Controller must notify the Individual of a Personal Data Breach, without undue delay, where that Personal Data Breach is likely to result in a high risk to the rights and freedoms of the Individual, in order to allow him or her to take the necessary precautions.
- The Controller also must notify the DPA of a Personal Data Breach, unless the Personal Data is unlikely to result in a risk to the rights and freedoms of the Individual, without undue delay and, where feasible, not later than 72 hours after having become aware of it.
- Exceptions.
Asia/South Asia: Data Security
- Reasonable organizational, technical, and administrative measures to protect data.
- More detailed rules in: India; Japan; Korea; Taiwan
Examples of Asian Countries with Breach Notification Laws or Voluntary Standards
- Japan
- Korea
- Philippines
- Singapore
- Taiwan
Strategy for Compliance
- Review and comply with the breach notification laws for each relevant country or state (i.e., those states where individuals whose personal information is held by the company reside, or where your data controller exists). Time is often of the essence.
- Determine whether other entities need to be contacted (state attorney general, office of consumer affairs, FTC, consumer credit reporting agencies).
What If I Fail to Notify?
Failure to notify could result in enforcement action, penalties, or lawsuits brought by affected consumers.
The Different Legal Fronts
A high-profile nationwide breach may require the largest coordinated legal effort in a company's history.
Government investigations:
- State AGs
- FTC
- SEC
- Functional regulators (e.g., FCC, HHS, federal banking agencies)
- Congress
- International regulators (e.g., Canada OPC)
Litigation:
- Consumer class actions
- Shareholder suits
- Bank class actions
Class Action Risk for Data Breach
- The class action bar has targeted companies that are victims of data breaches.
- Multiple copycat class actions are filed across the country.
- Brought on behalf of nationwide and state classes.
Legal Theories
- Violation of state consumer protection laws
- Negligence
- Breach of contract
- Invasion of privacy
- Violations of state data security regulations (e.g., Mass. Data Security Reg.)
- Violations of federal data compliance/security regulations (e.g., FCRA, ECPA, CFAA, etc.)
- Civil RICO
How Concerned Are Boards about Cyber?
According to a 2016 NACD survey, 46% of Boards were concerned about cyber, the fourth highest ranked concern of Boards for 2016.
Have You Stopped Buying Based upon a Breach?
Research by the Lares Institute in 2015.
[Bar chart: Yes 78%; No 22%]
Fiduciary Duties Generally
Fiduciary duties are state law specific. Generally, directors have:
- Duty of Care
- Duty of Loyalty
- Duty of Oversight
The most relevant duties are the Duty of Care and the Duty of Oversight.
Duty of Care
The Board must act on an informed basis after due consideration of relevant materials and proper deliberation.
Adequate procedure drives the court's inquiry. Did the Board:
- have access to relevant information?
- receive input from management and advisors?
- consider alternatives?
- follow a reasonable process?
- adequately deliberate?
Directors may rely on the reports and advice of appropriate advisors, including officers and employees of the Company, counsel, and other professionals.
Business Judgment Rule
Ordinarily, a decision to take action, or a conscious decision not to act, is entitled to the protection of the business judgment rule, and a court will not substitute its judgment for that of the Board.
To be eligible for this protection, the Board's actions must be:
- Based on material information available with reasonable diligence and inquiry
- Made in good faith
- Made in the honest belief that the action taken or not taken is in the best interest of the Company and its stockholders
- Made without a conflict of interest
A person challenging the Board's decision has the burden to show the Board failed to satisfy its fiduciary duties.
Duty of Oversight
In re Caremark (Del. Ch. 1996)
Duty of oversight: A director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by noncompliance with applicable legal standards.
Stone v. Ritter (Del. 2006)
To establish a breach of oversight, it must be pleaded and proven that: (a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention.
Understanding Cyber
- Cyber is an asymmetric threat. This means that the attackers may know more about your vulnerabilities than management does. The Board will inherently know less about the vulnerabilities than management.
- Ultimately, managing cyber risk is a governance issue; to appropriately manage this risk, the Board must understand the potential risks to the business.
Information Risk/Value
- Information is an asset of the company, and the Board should ensure that it is appropriately protected, valued, and utilized for the benefit of the company.
The Costs of Cyber
Costs of not addressing cyber can include:
- Financial;
- Legal/compliance;
- Reputational; and
- Operational risks.
But there are costs to consider when addressing cyber:
- Costs of remediation;
- Customer friction;
- Loss of productivity; and
- Breaking systems.
Ultimately, management must balance all of these costs and determine what the appropriate risk governance strategy is.
What Is Your Cyber Risk Tolerance?
- After examining the potential impact of a cyber event, management, with appropriate input from the Board, should determine what the company's risk tolerance is regarding cyber.
- Ultimately, the Board needs to understand the earnings impact of the risk tolerance of the Company and ensure that it and management are aligned, and it must ensure, via its oversight responsibility, that Company management appropriately addresses cyber.
Where Should Cyber Sit at the Board?
- Dodd-Frank requires certain financial institutions to have a Risk Committee at the Board. While it is not required for other companies, some Boards have created Risk Committees.
- The Board should determine where cyber fits in any relevant committees of the Board, whether that is through Audit, Risk, or other committees.
- While it is not a requirement, Boards should consider whether cyber should factor into other committees, including compensation, nominating and governance, as well as how it should fit into the Board agenda.
Understanding the Cyber Threat
- Threat actors: organized criminals; nation states; hacktivists; insiders
- Goals: intellectual property; financial information; strategic access/destruction; terrorism; embarrassment
Challenges
- Threat actors have more time and more resources
- The threats are constantly changing
- Inadequate information sharing
- Chief Information Security Officers cite gaps in skill sets on their teams, lack of bandwidth, and inadequate budgets as some of the biggest issues
Ramifications
Cyber can impact the Company in a number of ways:
- Loss of trust/reputational harm;
- Bad PR;
- Impact on earnings due to:
  - Loss of customers (including for B-to-B companies);
  - Increased costs that result from fines, response costs, investigative costs, litigation costs and settlements, remediation costs, as well as many others; and
- Significant distraction for employees, management, and the Board.
What Should the Board Do?
- Understand the cyber risk profile of the Company by discussing this with management and any appropriate third parties;
- As appropriate, engage with management to help set the risk tolerance for the company;
- Make sure that management has appropriate processes and programs to engage in appropriate risk assessment, which include identifying, assessing, and mitigating risk;
- Make sure that management appropriately communicates the risk;
- Engage in appropriate oversight by:
  - making sure that cyber is appropriately addressed by the Board, including through relevant committees;
  - ensuring that risks are appropriately remediated; and
  - ensuring that the cyber risk program is otherwise functioning appropriately; and
- Do an appropriate, executive-level table-top exercise.
What Should Management Do?
- Conduct an appropriate enterprise cyber risk assessment;
- Determine what your most critical systems and information are;
- Assist the Board with determining the Company's risk tolerance;
- Create an appropriate, cross-functional risk governance structure that continually assesses and improves cyber risk. This includes organizational, behavioral, and technical changes;
- Keep the Board appropriately informed of the Company's cyber risks;
- Align incentives for employees with the risk tolerance of the Company;
- Make sure escalation criteria are clear; and
- Engage in appropriate business continuity planning.
What Should Management Do? (continued)
- Appropriately manage the company's cyber risks, via an appropriate cyber risk mitigation program, including appropriately remediating known cyber issues;
- Have a third party evaluate your company (under privilege);
- Test and train employees, as appropriate, on common attack vectors such as phishing;
- Make sure escalation criteria are clear;
- Appropriately plan for any foreseeable business disruption due to cyber;
- Engage in appropriate information sharing;
- Develop appropriate relationships with law enforcement; and
- Practice responding to a security incident.
SEC Issues
- Risk factors need to be reviewed
- When to disclose a breach
- Enforcement (coordination with DOJ)
- Pre-breach questions
- Post-breach questions
Lessons Learned from Breaches
- Unclear decision-making paths
- Unclear escalation criteria
- Lack of practice on the incident response plan
- Lack of business continuity planning
Board Dos and Don'ts
- Ask the right questions
- Ask if the right experts have been retained
- Engage in appropriate oversight
What Should the Board Be Asking?
- Is our actual cyber risk consistent with our intended cyber risk?
- Have we considered appropriate risk-shifting devices, such as insurance?
- Is the Board appropriately engaged regarding cyber, and does it have the appropriate organizational structures, including committees, to meet its oversight obligations? This includes assessing how often, and where, cyber is reported on to the Board.
- What organizational structures at the management level exist to measure, govern, and assess data and information risk, and how are threat assessments managed and reported?
- Does management appropriately report on cyber risk to the Board?
- Does management consider cyber risk, as appropriate, when it makes decisions regarding new products or services?
What Should the Board Be Asking? (continued)
- Has management reviewed and de-conflicted these cyber organizational structures with the organizational structures for other risks, i.e., is your cyber risk management consistent in approach with the management of other risks?
- Have the company's security processes and systems been reviewed by a third-party assessor? Third-party review of cybersecurity readiness can be a crucial factor in defending the company after a security incident, as well as helping a company to take reasonable steps to prepare for and defend against a cyberattack.
- Has internal audit been appropriately engaged?
- Does the company have an incident response plan, and are the appropriate business leaders identified in it? Is it cross-functional? Have you tested it through a tabletop?
What Should the Board Be Asking? (continued)
- Has the level of penetration testing (internal and external), software patching, and other similar activities been reviewed by a third party to ensure it is adequate for your company?
- Has the company benchmarked its cybersecurity risk posture against those of other similar businesses?
- Has management determined what the company's information sharing strategy is?
- Has management allocated responsibility for protecting the Company's information assets appropriately?
- Has management completed a high-level data inventory of the company's information assets so that it has an understanding of what information the Company has and generally where it is located?
What Should the Board Be Asking? (continued)
- Has management done a thorough review of policies and procedures to ensure that they comply with the relevant data security laws and are consistent with industry best practice?
- Has management done appropriate resiliency planning for a cyber attack?