Ideas and suggestions are always welcome. Please let us know how we can improve your newsletter! We welcome your feedback.
LexisNexis® for Corporate Counsel
LexisNexis® Webinar Center
LexisNexis® Legal Newsroom
Live CLE Webinars | OnDemand Webinars
By Richard J. Bortnick of Traub Lieberman Straus & Shrewsberry LLP
Data breaches don’t care about how mighty your organization is. Whether your company is Fortune 500®, middle-market or even a mom and pop, you’re at risk of a breach. It doesn’t matter whether the intrusion is attributable to malicious activity or simple employee or third-party negligence, the effect is the same. Your clients’, customers’ and employees’ sensitive information is at risk.
In many cases, the effect of a cyber incident could be devastating, if not fatal, to your company’s reputation—and, by extension, its economic viability.
To whom should you make your first call? A cyber lawyer. Unlike a lay advisor, attorneys bring with them the attorney-client privilege and work-product protection in many respects. Although vendors and IT specialists can promote themselves as having the appropriate knowledge and training to teach and implement best practices, they do not possess the critical protections afforded by the attorney-client relationship. In a relatively new space like cyber/privacy (CP), where the law is uncertain and developing, the likely privileges become even more important.
The Importance of Protecting a Business’ Reputation
A business’ reputation and goodwill can be as valuable as, if not more valuable than, its tangible assets.
In the best of circumstances, bad things can happen. And almost inevitably, affected persons (and business partners) will want to blame (and sue) someone. And a breached entity is an easy target.
There is no “one size fits all” to CP security. Both the nature and the potential magnitude of a CP event are unique to every business, although the crisis-management tools designed to avoid, mitigate and remediate a loss of personally identifiable information, personal health information and sensitive commercial information are relatively standard.
Perhaps, or more important, the risks vary with who presents the threat. There are casual hackers, people carrying out vendettas, cyber-terrorists and major cybercrime groups. All have different goals, strategies and methods. Indeed, some don’t have “goals” in the same sense as other criminals, and do not care what they do to systems they penetrate.
Former Defense Secretary Leon E. Panetta has warned that the U.S. is facing the possibility of a “Cyber-Pearl Harbor” and is increasingly vulnerable to non-U.S. hackers who could dismantle the nation’s financial networks, power grid, transportation systems and government. The term “cyber tsunami” also has been thrown around.
FBI Director Robert Muller anticipates that in the near future, cyber threats could surpass terrorism as the FBI’s top priority. “There are only two types of companies, those that have been hacked and those that will be. Even that is merging into one category. Those that have been hacked and those that will be hacked again.”
Why Executives Should be Concerned
For a variety of reasons, many companies’ managements fail to focus on the fact that they hold third parties’ personally identifiable information, personal health information and other sensitive data. It is not that they ignore the associated risks and exposures. Rather, it is simply a function of the fact that they typically are too busy running their business to think about it. But they should. Whether it comes down to questions of being unaware of the risks, penny-wise, pound-foolish, neglect or hypocrisy, too many companies are failing to take the steps necessary to protect themselves—or their clients, customers and employees.
SMEs (and Midsize Enterprises) Are Particularly Susceptible to CP Threats
Should you conclude that the above concerns don’t apply to you and are unfounded rhetoric designed to lead a company to create and deploy unneeded cyber security strategies, please think again.
According to Jake Kouns of Risk Based Security, “… [l]arge data breaches typically get a great deal of media attention and it leads many people to believe that all breaches are substantial in size. Indeed, 91.9 percent of data breaches have exposed less than 10,000 records.” In other words, SMEs are more at risk than large ones. Still, the recent Anthem breach demonstrates how bad it can get for some entities.
Think of it this way. If one were planning to rob a bank, would one rob a bank in the middle of a big city that likely has implemented best practices for both physical and cybersecurity? Or would one choose a small local branch in a remote suburb or exurb. The likelihood of a clean getaway is far greater than in the urban environment.
What if you could accomplish the same successful result tens or hundreds of times over without leaving your desk? You could pick small targets and get in and out of their computer systems before anyone realizes what has occurred. Small pickings are only small until they are multiplied through methods the cyber age makes easy for suitably motivated attackers.
To the point, absent a political or social agenda, most cyber intruders choose not to waste their time trying to penetrate a sophisticated, state-of-the-art security system. It’s far easier to compromise an SME that has little-to-no cybersecurity protection beyond, at most, an off‐the-‐shelf software program.
Regrettably, SMEs typically do not have (and many cannot afford) sophisticated and/or updated security procedures and policies, have not adequately trained their employees on data security, do not maintain dedicated information technology specialists, and may outsource security to unqualified contractors or systems administrators. It’s a question of asset deployment. And where assets are limited, so too are the security protections and procedures.
A study conducted by Symantec found that 31 percent of cyber attacks were aimed at businesses with 250 employees or fewer. Symantec further reported that 40 percent of nearly 1.4 billion known global cyber attacks were targeted at companies with 500 or fewer employees.
In short, no company, regardless of its size, is safe. This view is borne out by a recent study cited by the U.S. House Small Business Subcommittee on Health and Technology. The House report found that nearly 20 percent (a somewhat smaller percentage than Symantec found) of all cyber attacks hit small businesses with 250 or fewer employees. Even more troublesome, roughly 60 percent of small businesses closed within six months of a cyber attack. Whether the cessation flows from reputational damage and/or the business’s inability to afford the high cost of loss mitigation, the result is real and palpable.
It bears repeating that bad things happen. Sometimes by accident, sometimes by negligence and sometimes as the result of malicious conduct. But they happen.
Why Best Practices?
Whether we acknowledge it or not, a breach (or negligent loss of information) is more than possible: as observed by former FBI Director Muller, it’s virtually inevitable, leading to the loss of personally identifiable information, personal health information and/or confidential commercial information. And, in many instances, the follow-on lawsuit.
In light of this, it is not an overstatement that the most effective defense to a CP‐related lawsuit, whether brought by a private or public entity, is best practices. A favorable outcome is more likely if a company can demonstrate that it implemented prudent security procedures in advance of an incident (or, better yet, state-of-the-art security procedures, although the cost might be prohibitive for small and midsize companies [SMEs]), than it would be if a plaintiff was able to show the deficiencies and flaws in a business’s risk management plans and procedures and how it could have employed best practices at a reasonable cost. If a company can demonstrate the use of appropriate best practices, the plaintiff’s case potentially falls apart.
What Are Some of the “Best Practices” To Be Considered?
In many ways, cyber-related best practices are similar to those employed in other contexts. Formulate and implement an avoidance/loss mitigation strategy, put into place a crisis response plan, and buy cyber/privacy insurance. Of course, the devil is in the details, particularly when the devil is sitting at a computer terminal half-way around the world outside the reach of local law enforcement authorities.
There is no way to entirely avoid CP events. Human beings sometimes make mistakes. And the loss of a laptop and/or cellphone, for example, is a mistake made more frequently than one would like to think. You can teach, coax, cajole and use all of the tools at your disposal to keep employees (or yourself) from committing human error. It isn’t possible to eliminate the risk entirely, though. Negligence happens.
Similarly, if a sophisticated and intrepid hacker wants to get in, he or she will. There is no magic bullet to prevent it. Ask the FBI. Or the CIA. Or Scotland Yard. They all have been breached.
So, what can a company do in an effort to protect itself from a CP incident or a post-incident lawsuit? It would be trite to say that every situation is unique and that every profession has its own set of best practices. But that doesn’t change the dynamic that this statement is accurate. The nature and breadth of risk management, loss avoidance and mitigation, and breach response plans depend on the sector involved, the size of the company, the ubiquity of its technology and office locations, the sophistication of its legal, risk management, IT and other related personnel (if any), and other factors. Still, there are common themes that apply.
The following suggestions should be considered in conjunction with a law firm’s analysis of its CP risks and exposures:
(1) At the outset, allocate a portion of your firm’s budget to IT and data security. You need to determine how much financial, human and technical resources you can deploy so you can spend them wisely;
(2) Appoint a trusted individual to oversee privacy and security development and compliance as an express component of his or her job responsibility. This person should monitor things such as: (a) applicable laws; (b) contractual obligations; (c) internal policies (email and network integrity, Bring Your Own Device [BYOD] policy and oversight, information security, social media, human resources issues, etc.); (d) compliance programs in which you participate; and (e) industry best practices;
(3) Retain experienced legal counsel with the all-important attached legal privileges to “quarterback” the development of cyber incident avoidance, loss mitigation and breach response plans, provide updates on legal developments, monitor competitors’ and others’ security practices and procedures, report on significant and specific threats, risks and loss events;
(4) Identify and coordinate your plans with computer forensic consultants and other risk-avoidance/crisis-management consultants;
(5) Work with your legal advisors and human resources personnel to develop written cybersecurity policies and procedures, then communicate them to and train employees, vendors, etc., in their use and application. Issues to be addressed include statutory and legal responsibilities, privacy and security rules and guidelines for employees and third-party business partners, and encryption (this is essential);
(6) Perform periodic analyses of your security plans, procedures and systems to ensure that they are current and appropriate for your business and business sector. You don’t want to enable a competitor to get ahead of you and distinguish the breadth of its security processes and procedures from yours;
(7) Periodically audit your administrative, technical and physical infrastructure, among other assets, to reaffirm that they are properly protected;
(8) Implement a protocol that requires senior management to receive and meaningfully review periodic reports on your firm’s current information and technical plans and procedures, security issues and related matters;
(9) Work with counsel to develop templates and information security tools for use with employees, vendors and third-party business partners, among others. Such documents could include Non-Disclosure Agreements, Business Associate Agreements under HIPAA, indemnity and insurance agreements, and other legal instruments intended to mitigate or avoid economic loss. These documents should be disseminated to all personnel with contracting authority, who also should receive training; and
(10) Treat your clients’ and your own trade secrets, “Big Data,” and other critical proprietary information with the same level of care and attention you devote to the preservation and growth of other core assets.
(11) Purchase dedicated cyber/privacy insurance. Over 50 underwriters in the U.S. and London currently are insuring such risks. In conjunction therewith, policyholders should retain and work with a sophisticated broker to navigate the markets and ensure that you obtain the policy that is most appropriate for your business operations.
These examples are simply the first steps to properly secure and protect your clients’, employees’ and your own personally identifiable information, personal health information and confidential commercial information. And, of course, your company’s reputation and the continuing viability of your business.
How Does Cyber/Privacy Insurance Factor Into Best Practices?
A business’s management should not be dismayed by the obvious need to allocate resources (financial, human and technical) for the implementation of risk management and risk-transfer strategies. It’s prudent, cost-effective in the long run, and, quite simply, a question of relativities. A company can pay four or five figures now or risk not being able to afford six or seven figures later.
Regrettably, in many cases, executives assume that their commercial general liability (CGL) forms cover CP risks. This is a critical mistake. Indeed, more than a few insurance brokers and policyholders misunderstand the extent and limitations of general liability insurance. In particular, many mistakenly believe that advertising and personal injury coverage (typically Part B or Part II of a CGL policy) covers a cyber breach. This view is wrong. For this reason alone, a sophisticated insurance broker is a necessity. You could buy a policy. The right broker can ensure that it’s the right policy for your business.
Although limited CP-related insurance may be provided by a CGL insurance policy, the lion’s share of fees, expenses and other loss incurred following a CP incident would not be covered. CGL policies cover damage to a third party’s tangible property (or person) as well as, in certain situations, advertising and personal injury (if purchased).
In stark contrast, CP insurance (depending on the coverage purchased) will cover not only third-party liability claims, but also will extend to first‐party loss (i.e., business interruption, extra expense, extortion threats and the like) as well as the frequently large (and unanticipated) crisis-management fees and expenses.
Moreover, the desire to purchase cyber insurance should play a significant positive role in incentivizing the adoption of best practices, which, if handled correctly, will reduce the risk of a CP incident—as well as the premium associated with the purchase of CP insurance. The more robust your protections, the lower your premiums. It’s a significant and critical risk/benefit analysis.
The attorney wielding the applicable privileges also is the safest conduit to respond to an insurer, as the attorney will be in a position to assimilate the information provided by a client and pass along relevant claim information to a business’ insurer. Knowledge, of course, is invaluable. And by providing privileged and non-privileged information to the attorney, the company can be more secure that the privileged information is protected while coloring the attorney’s ability to properly advise the insurer of those facts necessary to protect the client’s ability to capitalize on the insurance coverage available.
Put differently, those who discount the need for CP best practices and CP insurance should consider this: do you want to risk having your CGL coverage exhausted by a cyber breach? Or would you rather preserve the limits of liability for legitimate (or even frivolous) claims? After reading the foregoing, if you were considering increasing the limits of your CGL policy to account for CP risks, why not just use the added premium to buy dedicated and tailored CP coverage and add the available first‐party and crisis management protections? Although it may be more expensive than excess CGL coverage (although it’s still modest by comparison to other insurance products), the additional coverages available are worth it.
Many businesses take cyber risks and exposure seriously. Regrettably, it’s still too few. But there are solutions.
Best practices training and CP insurance are a practical place to start. An attorney can assist a company in formulating and implementing practical and reasonable steps to protect personally identifiable information, personal health information and confidential commercial information.i And, by extension, the company’s reputation and, perhaps, financial future. All while maximizing protection against that advice being discoverable through the course of litigation.
To the point, the litigation discovery process is one of the key drivers of the rising costs of litigation. And many cases are won and lost in the discovery stage. When used appropriately, a legitimate privilege can shield troublesome documents and evidence from having to be produced to your opponent. And oftentimes, the proper assertion of privilege and the applicable protections afforded can be outcome determinative.
In the long run, an experienced, knowledgeable cyber attorney’s fees will be markedly cheaper than the cost of having to remediate a CP incident, litigate through discovery with an angry client or third party who claims to have been harmed, and, perhaps, lose at trial because documents that otherwise might have been protected from discovery had to be produced. Indeed, the alternative to receiving advice and counsel from a trusted cyber lawyer could be fatal, especially for a business that trades on its reputation and goodwill. Some businesses already have made the mistake of not doing so and paid the price. Literally. Your company should not be among them.
i Although there are almost as many attacks on the attorney-client privilege as there are on data, and while there are no guarantees that it will be enforced, the privilege does exist and is enforced when appropriate.
Disclaimer: The views and opinions expressed in this article are those of the individual sources referenced and do not reflect the views, opinions or policies of the organizations the sources represent.