Cybercrime is one of the most significant threats to a company’s financial well-being today.
When a company faces a data breach, it needs to determine whether to share that information with law enforcement. The benefits of sharing the information are that they may benefit from law enforcement’s previous experience with similar incidents which may help mitigate the situation. One of the traditional concerns of sharing data breach information has been the fear of inadvertently waving Attorney-Client privilege thus allowing that shared information to be discoverable in subsequent civil and regulatory investigations.
The Cybersecurity Information Sharing Act of 2015 (“CISA“) provides legal protections when companies share anonymized “cyber threat indicators“ or “defensive measures“ with the US government. This law has the potential to create powerful protections provided you take the proper steps to maintain privilege.
For instance, when hiring a cyber forensic investigation company after a data breach, it is important to retain that company through your outside law firm. Privilege protections can remain intact if your outside counsel provides over-arching supervision of the vendor and its investigation so that findings and reports are created in anticipation of future litigation.
The burden of proof is on the party asserting the privilege, so it is critical to think through how CISA’s legal protections interact with your other strategies to protect privileged information.
It is also possible to separate a data breach investigation into two parts. An internal investigation which addresses business concerns created by the breach could be discoverable in future actions. Simultaneously, a third-party investigation, supervised by outside counsel, would be protected.
CISA has created potentially powerful non-waiver protections for participating companies. However, it is critical to bifurcate cyber investigation and remediation functions carefully. Work done in support of legal investigations must be under the direction of counsel.
A wave of class action litigation claims involving at least 15 law firms could change how law firms, accounting firms, and all other consulting organizations approach their Data Security responsibilities. Most concerning is that these cyber-related lawsuits show no actual breach of confidential client information. Rather the allegations focus on the fact that the firms are not doing enough to address security holes that leave client data vulnerable. Perhaps even worse is that these types of claims are likely not covered by insurance thus creating potentially catastrophic monetary exposure.
The complaint by two former clients of the law firm Johnson & Bell alleged that the firm had inadequate cybersecurity procedures that could potentially compromise client data [Shore v. Johnson & Bell, Case No. 16-cv-4363 (N.D. Ill. 2016), http://bit.ly/2osxhGr%5D. Calling these procedures “a data breach waiting to happen.”
The multimillion-dollar lawsuit alleges breach of contract (legal malpractice), negligence (legal malpractice), unjust enrichment, and breach of fiduciary duty arguing that the firm did not employ adequate measures to protect the data and are therefore are owed a partial refund of fees paid.
If successful, we should anticipate a surge of professional services firms being sued for failing to employ reasonable measures to secure client data. Small firms will face significant increases in cybersecurity spending requirements or face the prospect of devastating and costly preemptive lawsuits.
So what can you do?
Consider arbitration clauses in your engagement letters with strongly written confidentiality terms.
Perform a detailed security assessment to identify current readiness and a clear roadmap detailing how to improve your cybersecurity.
Run regularly scheduled vulnerability scans and penetration testing exercises to identify known vulnerabilities and weaknesses in your Network Security.
Assess the security capabilities of your third-party vendors’ ecosystem.
Act on the results identified from these tests.
Be transparent with your clients and communicate openly and collaboratively about the modern day cybersecurity challenges old organizations face.
Data breach notification laws define the requirements of an entity that has been subject to a data breach with respect to their obligations to notify their customers and other parties about the breach. All but two states (Alabama and South Dakota) have some kind of data breach notification law. In addition, there are numerous federal laws protecting specific types of data as well.
For companies doing business in multiple States, notification obligations can be very confusing as state laws differ in definition, notification timing, and what constitutes compliance. Nevertheless, a company that has experienced a data breach must quickly determine their notification requirements.
Cost of a Data Breach
The average cost of a data breach In the U.S. is $7.35 million, or $225 per record lost or stolen. That’s more than $2 million higher than any other country, (Cost of Data Breach Study, Ponemon Institute, 2017).
There are two kinds of costs to an organization: direct and indirect.
Direct costs include cyber security and forensic expertise, lawyers, PR, hotline calls center support, free credit monitoring, and IT replacement of damaged equipment.
Indirect costs are more difficult to quantify. However, it can be argued that these costs can have a more dramatic and long-term negative consequence. Indirect costs include stock price reduction, loss of customers after a breach (“customer attrition”) and the harm to reputation and goodwill.
What We Know About Customer Loss
Studies have clearly shown that the relationship between the customer and the organization is negatively impacted after the company has experienced a data breach. This impact can range from loss of trust to customers no longer willing to do business with the affected company. Regardless of whether the customer stays, the data is clear that customers will have a very high negative perception of the breach immediately after a data incident.
How the company responds will directly and dramatically determine the level of customer abandonment.
Even a slight rise in customer attrition can translate into significant losses. Ponemon estimates organizations with less than 1% abnormal customer attrition lost an average total of $2.6 million after a breach. Organizations with more than 4% abnormal customer attrition lost an average of $5.1 million.
A Gemalto study highlighted the negative impact to a brand by surveying over 10,000 people worldwide. This study found that 70% of consumers would stop doing business with a company that suffered a data breach.
Interestingly, industries most affected by customer attrition due to a data breach were found in financial, healthcare, and service verticals. U.S. based companies’ experience the highest costs associated with lost business.
Mitigating Customer Attrition – Best Practices
Set the standard. How a company handles the data breach can have a significant, positive impact on customer attrition and brand perception over time.
A key lesson learned from companies that have handled a data breach effectively is that there is a large gap between what companies are required to do, and what they should do to retain customers and their revenue.
Below are some key takeaways that businesses can do to help prevent customer loss after a breach:
Timely notifications. Long delays can be perceived by customers as you are hiding something and/or they are not important. Strive to notify as quickly as possible with whatever information you can share at the time.
Communicate. Transparent, honest and sincere communication both internally and externally is critical. Customers want to see an organization take ownership of the breach, explain what happened, how the event could affect operations, how the problem is being fixed, and how the organization will support its customers going forward.
Trustworthiness. Developing trust by taking full responsibility is an effective approach to crisis management and will benefit the brand in the long term. Remember, the quality of information provided will be an important determinate in a customer’s decision to stay. Studies have found unbelievable or misleading statements, that fail to reduce fears, even if factual, can be harmful to the brand. Notification letters and public communication about the breach are crucial in determining customers’ reactions.
Educate. Provide customers with Explain what is being done to mitigate damages and remediate the problems, define the customers’ next steps they can or need to take, offer key information, support phone numbers, websites resources, free credit monitoring etc. At little or no cost, an organization can provide real educational value and be perceived as a trusted resource.
Consider offering free or subsidized monitoring, threat alerts or breach protection services. Over the last few years, offering identity protection services have proven to be an effective strategy for customer retention. These products are excellent for breaches that impact personal information that could lead to identity theft. New products such as CyberSafe (www.cybersafeprotect.com) provide affordable cyber threat intelligence, legal protections and breach reimbursement coverage. These products are well-suited for business to business companies where protecting the customers’ organization is the priority. Check with your cyber insurance provider to see if they cover the cost of post-breach services. It’s possible that the services are covered under your insurance policy. If they are not, in many cases, offering such services is more affordable than new customer acquisition strategies.
A customer-centric response approach
To prevent significant customer attrition following a data breach, it’s critical that you notify your customers in a timely fashion, be transparent and with as much detail as possible. Provide useful information designed to educate the customer and, if appropriate and affordable, offer free or discounted services designed to either protect customers’ identity or their organization (B2B businesses).
This customer-centric approach to breach response will help you prevent costly customer churn and, in turn, minimize revenue loss.
Cybersecurity is a relatively new and evolving field of technology, law, and regulation. The uncertainty and evolutionary state of the industry pose unique challenges to business leaders. In addition to deploying effective technical security strategies, companies prior to a data loss incident must also be prepared to mitigate the direct damages from criminal, civil, and regulatory liabilities that can flow from such an event.
Today 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted their own laws pertaining an organization’s requirement of an entity that has experienced a data breach to notify their customers and other parties about the breach and take other steps to remediate injuries caused by the breach. Each of these State laws defines the company’s obligations, what constitutes personal information, notice methods, and exemptions differently.
It is unrealistic to expect an SMB business to know all the myriad of data privacy and data breach laws. However, business leaders need to know in advance who to call if they believe a breach has occurred. Experts such as information sharing communities like the SMB iSAO, cybersecurity lawyers, and cyber insurance providers can help sort through the confusing regulatory requirements. You also need to familiarize yourself with the various data protection standards for specific industries or specific business practices. For example, the PCI Security Standards Council’s Payment Card Industry Data Security Standard and the Federal data security regulations such as HIPAA that covers how your organization needs to handle protected health information.
Today the state of cybersecurity law is unfortunately piecemeal. Statutes, regulations, and common law standards describing a corporation’s cybersecurity obligations are scattered across state and federal law. This fragmentation is a challenge for businesses in understanding what their legal obligations are.
This complicated landscape creates numerous challenges for decision-makers of companies and requires that corporate leaders educate and prepare themselves both to defend against a potential breach and how to coordinate the response that comes after.
Often times when conducting a security and privacy assessment, information about the organization’s controls, policies and procedures can be unintentionally harmful to an organization’s interests when reviewed by third parties adversaries such as regulators and plaintiff attorneys. A company embarking on such an assessment needs to develop a strategy that limits disclosure requirements in future litigation and regulatory investigations.
Today many types of information are statutorily protected by regulations that govern how an organization must handle protected information. Specific regulations require effective security programs that necessitate an enterprise-wide data security risk assessment in order to meet their fiduciary duty of care.
Without proper legal protections from disclosure, a risk assessment report may provide a very valuable roadmap for an adversary. Unfortunately, legal protections are limited when written assessments are prepared by a non-lawyer.
The most effective strategy is to retain outside law firm representation who can manage the assessment process and subsequent risk remediation strategies outlined in the report. In order to retain disclosure protection, outside counsel retains security assessment provider directly to perform the cyber security assessment and subsequent report about the organization’s vulnerabilities, threats, controls and remediation recommendations. It is critical that the report is addressed to the outside counsel and the information be incorporated into a more comprehensive report drafted by the law firm.
Courts have clearly recognized that reports generated by outside counsel are protected by attorney-client status. This strategy also requires that outside counsel is clearly providing legal advice and supervision around the assessment in order to enjoy attorney-client privilege.
While there is no guarantee that preparing the report under the guidance of outside law firms will ensure protection from discovery, carefully following the guidance of the Courts will significantly increase the odds that an organization can shield the final product from discovery.
First Chicago Int’l v. United Exchange Co., 125 F.R.D. 55 (S.D.N.Y. 1989) and US v. ISS Marine Services, 905 F. Supp. 2d 121 (D.D.C. 2012)
Did you know that new cybersecurity requirements designed to protect the Financial Services industry and their consumers go into effect on March 1? The first of its kind law requires banks, insurance companies, and other Financial Services providers that are regulated by the New York Department of Financial Services (NYDFS) to implement cybersecurity programs that meet minimal security standards. The rules require unprecedented requirements these companies must take to protect their networks and customer data from data loss and disclose cyber events to state regulators.
Adopting industry best practices, the regulations mandate such things as:
Properly funded cybersecurity programs;
Trained and qualified staff;
Standards that measure an organization’s current risk posture and deficiencies;
Data protection encryption requirements;
Continuous and ongoing monitoring and risk assessment;
Documented incident response and notification strategy; and
Annual certifications of the regulatory compliance to the NYDFS requirements.
The regulation defined “covered entities” as those organizations that operate under a license or charter regulated by New York banking, insurance for Financial Services law. Exemptions apply for companies with less than 10 employees, gross revenue under five million from their New York operations or less than ten million in total assets, as well as, National Banks, Federal credit unions, and broker dealers
A regulated entity must develop it cyber security program based on its specific risk assessment when designing its policies, infrastructure, detection, response and notification capabilities. Interestingly, the new regulations require regulated companies to assess their third party suppliers and report breaches emanating from those organizations. Third-party vendors have increasingly become the weak link in the security chain. According to a Soha Systems Security survey, 63 percent of all data breaches can be attributed to a third-party vendor.
Companies must become compliant within 180 days. The regulation does provide additional time to comply with some of its requirements (i.e., Penetration testing, risk assessment, data encryption and third-party compliance programs.
In an unprecedented move, Yahoo has placed a significant amount of blame on the company’s legal department for its handling of the massive 2014 data breach that affected over 500 million accounts. An independent Board level review found that Yahoo senior executives failed to “properly comprehend or investigate” the 2014 data breach and found serious deficiencies concerning the management and reporting of the crisis.
The company’s actions underscore a significant trend as it relates to the role of the legal department concerning cybersecurity risk. This trend continues to shift cybersecurity issues from the IT department to the legal department.
The consequences of this failure were felt both economically and politically. Economically, the company took a $350 million hit on its sales price to Verizon. Yahoo has also reported $16 million in expenses relating to the incident. Politically, Yahoo’s General Counsel, Ron Bell, resigned with no separation payments due to the data breach controversy.
According to a March 1 filing with the U.S. Securities and Exchange Commission, Yahoo reported that senior executives at Yahoo, including members of its legal department, “had sufficient information to warrant substantial further inquiry in 2014” regarding a breach of the company’s networks, but “they did not sufficiently pursue it.” The failure to disclose the 2014 data breach for almost two years raise serious questions about the company’s incident response and disclosure practices.
In response to the independent committee’s findings, Yahoo has implemented or enhanced its technical and legal information security incident response protocols, escalation policies, comprehensive risk assessments, communication plan and training and oversight.
Yahoo’s experience highlights the fact that the General Counsel must play one of the most critical roles in a high-profile Data Security event. It can be argued that going forward, legal departments have a fiduciary duty to develop, execute and lead a governance program that addresses regulatory notifications, information requests and investigation protocols. In the new world order, the General Counsel must have a significant oversight role with all the necessary authority to ensure the company develops appropriate proactive measures prior to an incident and a leadership position after an event has occurred.
The risk to the legal department is now clear. It is critical that the General Counsel embrace cybersecurity oversight and a leadership position during an incident response. The legal department must now be involved in the development of incident response plans, budgets, training, communication and escalation protocols and security assessments designed to determine current vulnerabilities and required remediation.
Proactive cybersecurity readiness has traditionally been the purview of the IT department. The Yahoo event has changed that. A yearly independent cybersecurity assessment of the organization’s readiness needs to be performed and signed off on in a similar manner to how an organization handles its annual financial audit.
Since the technical aspects of IT related functions during an incident response investigation has potentially significant legal consequences, these functions need to be guided and supervised by the legal department so as to not inadvertently waive attorney-client or work product privileges or impact other legal and compliance requirements. The involvement of outside counsel, managed by the legal department, provides further privilege protections and streamlines coordination between outside experts and internal resources.
In-house lawyers need to be able to clearly communicate risk through a chain of command. It is critical to ask questions of the board and IT staff to determine the company’s Data Security readiness, identify gaps and fill those gaps with the necessary policies, procedure, documentation, training, response plans and a third-party vendor support ecosystem.