Cybercriminals have never been stronger. A May 2016 study reported that two-thirds of large UK businesses were the subject of cyberattacks in 2015.[1] UK Minister for the Digital Economy Ed Vaizey MP recently stated that ‘Too many firms are losing money, data and consumer confidence with the vast number of cyber attacks.’ And it is not just about personal information. The Obama Administration has characterized the cyber threat as a ‘national emergency’ that threatens the integrity of critical infrastructure, such as water, energy and healthcare.[2]
As a result, governments across the world are taking a greater interest both in protecting industry and customers and in setting out plans to increase cyber preparedness.[3] In addition to significant financial investments in improving cybersecurity (the UK pledged over £1.9 billion over the next five years), in 2016, the forthcoming EU Network Information Security (NIS) Directive will require implementation of cybersecurity standards for companies in critical infrastructure, cooperation on cybersecurity and information sharing between government and industry, and establishment of government computer security incident response teams to respond to attacks. In a strong effort to increase consumer protections, the GDPR will require notification to individuals (and government) in the event of a cybersecurity attack that compromises personal data unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Failure to give notice will carry potentially significant penalties, up to €10 million or 2% of annual worldwide turnover. In addition, data subjects may empower third-party bodies, such as consumer protection agencies, to claim damages. This kind of collective action—similar to class actions in the USA—may significantly increase data privacy/cybersecurity related litigation.
All this means is that a sea change is coming that will likely expose EU companies to painful public scrutiny regarding cybersecurity preparedness and attacks, as well as regulatory enforcement proceedings and consumer litigation that have characterized the US landscape for years where similar rules—specifically breach notification—have been in effect for some time. If history is any indication, what is at stake is not just the staggering financial costs to investigate and recover from a major breach, but the more valuable reputation, brand image and customer goodwill. And, too few firms are really well-prepared for what awaits them. As Minister Vaizey explained, ‘We see a steady stream of breaches and attacks on firms which assume they are on top of security, but still haven’t got a good understanding of the possible impact on their business or what they should do about it.’
Nature and Scope of the Threat
While companies in the USA have received the bulk of media and news coverage on cyberattacks to date, organizations throughout the EU have, in recent years, seen more than their fair share of data breaches. A 2014 study reported that there were at least 229 breaches involving European targets, which resulted in the compromise of over 640 million records affecting Europeans. It is a staggering number given that the total number of individuals living in the study countries was just 523 million,[4] with Germany, Greece, the Netherlands, Norway and the UK leading the way with unusually high numbers of incidents and large volumes of records breached.
And the incidence of attacks is on the rise. For example, PwC’s 2015 report, ‘The Global State of Information Security Survey,’ states that the total number of security incidents grew at a compound annual growth rate of 66% from 2009 to 2014.[5] Japan’s National Institute of Information and Communications Technology, for example, recorded 25.6 billion attempts to compromise or scan systems in Japan for vulnerabilities in 2014;[6] this compares with a reported 12.8 billion attacks in 2013 and 7.8 billion attacks in 2012.[7]
Data Breach Notification
When the first data breach notification law was passed in California in 2001, it fundamentally changed the landscape. No longer could organizations keep cyberattacks and data breaches under cover. Unauthorized acquisition of personal information (as defined by statute) required companies to provide affected individuals and certain regulators with information about the incident. Over the next 15 years, these laws not only evolved in scope, but became ubiquitous throughout the USA. Correspondingly, the number of data breaches reported each year grew, and, more importantly, so did public and regulatory scrutiny and focus of companies that were the victims of these attacks. Whether any of these companies would have voluntarily reported a data breach absent a requirement that they do so is hard to say.
But one thing has become very clear. The legal obligation to notify affected individuals and regulators of a data breach has transformed cybersecurity into a multidisciplinary team sport that requires careful and practiced coordination between IT-Security, Legal and Communications teams, as well as other internal key stakeholders within an organization. No one functional group can respond on its own to an attack and manage the myriad risks and work flows that necessarily arise.
· Legal must work in partnership with IT-Security to conduct an internal investigation (preferably protected by confidentiality and attorney-client privilege) to understand the nature of the intrusion, what data elements were compromised and the scope of the affected population so that it can determine legal notification obligations. This is a particularly difficult challenge given how adept hackers have become at covering their tracks and how the evidentiary record needed to investigate thoroughly is always incomplete.
· Human resources must coordinate with Legal and IT-Security, especially when the breach was the result of an insider threat or compromised employee information.
· Communications must work closely with Legal to develop notifications and messaging that balance the desire for transparency, the need to instill customer/employee confidence, and the need to make admissions that increase legal risk. And the value of the Communications team should not be understated. According to a recent survey, respondents indicated that they would be ‘very unlikely’ or ‘never again’ to do business with a company after a data breach involving financial or sensitive information 53% of the time in Germany, 52% in the USA, 68% in the UK and 72% in Australia.[8]
· Finance and Risk must also work with the incident response teams because the average financial losses due to data breaches is also increasing. For example, PwC reports that organizations reporting financial losses of $20 million or more as a result of breaches increased 92% over 2013, and the average loss resulting from cybersecurity incidents increased 34% over 2013 to $2.7 million.[9] For organizations with more than $1 billion in revenues, the average cost increased from $3.9 million to $5.9 million. Organizations with revenues of $100 million to $1 billion experienced an average cost increase from $1.0 to 1.3 million.[10]
What to Do? Four Key Takeaways from the USA
Given the sophistication of cyberattackers and the multidimensional risk landscape, one may well ask, what should we be doing? Fortunately, over the last 15 years, US firms have developed strategies that companies facing new data breach notification and cybersecurity regulations can look to for guidance in responding to a data breach.
1. Implement Technology and Protocols to Actively Monitor Networks, and Develop (and Test) an Incident Response Plan
One of the most important parts of a strong security posture is having protocols and technology for network monitoring that can be used to detect an attack, and a current and relevant written security policy that incorporates those protocols. A critical part of the security policy should be an incident response plan (IRP), which should guide an organization in responding quickly and coherently in the event of a data breach.
Organizations that respond best to a crisis are ones that developed a plan, assembled a team and practised. There is simply no substitute for solid preparation. A comprehensive IRP must be detailed enough for the individuals responsible for responding to a breach to have sufficient guidance on how to respond to different types of events, but flexible enough to allow the response to adapt to a fast-developing crisis. Often, a response plan should consider the following phases:
· pre-incident assessment and preparation;
· initial detection, assessment, containment and severity assessment;
· forensic investigation and remediation;
· notification of victims and authorities where needed and internal and external communications;
· post-incident final remediation, reporting and self-evaluation.
2. Treat an Incident Like an Internal Investigation – Hire Outside Experts
Because organizations that are the victims of a cyberattack will inevitably face consumer, regulatory and/or public scrutiny, they should approach their response effort like an internal investigation that is aimed at uncovering the facts and circumstances that lead to the attacker’s success. Independence is key, and organizations should strongly consider hiring outside cybersecurity forensics experts and experienced outside counsel to conduct the investigation. An investigation conducted solely by internal security, no matter how careful, risks being perceived as lacking independence and will always be subject to the criticism that the fox was left to guard the henhouse. Deciding whom to notify and whom not to notify should be based on independent analysis by outside experts, whose work will shield the organization against such criticisms. There is nothing worse than having a regulator accuse a company that suffered a data breach of hiding or covering up the scope of the individuals affected; it not only creates unnecessary (and extraordinary) legal risk, but it will destroy already eroded consumer confidence.
Moreover, in many jurisdictions, an investigation directed by outside counsel, where outside counsel also retain outside forensic experts to assist with technical analysis necessary for outside counsel to provide legal advice, is protected by attorney-client privilege. Such increased confidentiality protections can be valuable (and have been extraordinarily so in the USA) in preventing regulators and/or plaintiffs who have legal process available to them from obtaining internal company documents in connection with an enforcement action or litigation. Indeed, in the USA organizations that have conducted attorney-client privileged investigations have successfully fought back against regulators and/or plaintiffs that sought to obtain forensic reports they hoped to use to identify internal failures that contributed to a breach to demonstrate negligence or recklessness.
3. Be Careful About What You Say Before, During and After an Incident
The greatest mistake that companies make—and the one most easily avoided—is in what they say, whether it is before, during or after an incident.
· Before. Too often, companies have put a target on their back by making absolutist statements about their cybersecurity programs, or succumbing to sales/marketing pressures that result in overstatements about the quality of their cybersecurity programs. For example, several institutions in the USA have faced significant fines in high-profile regulatory investigations for making false or misleading statements about their encryption solutions or that they have ‘bank-level security.’ The result has been an ‘easy’ case for regulators or claimants to make out that the company engaged in deceptive practices for making false and/or misleading statements about the state of its cybersecurity.
· During/After. In the midst of a cybersecurity incident, companies have similarly fallen prey to the pressure to make a statement quickly to placate anxious customers. Because of genuine regret and sympathy for customers after an incident, organizations often take too much responsibility for causing the harm—even when they are the victim—which is later used to demonstrate fault. Moreover, these early announcements can be precarious because the information available and the attendant analysis change dynamically and, despite best efforts, there is a tremendous amount of speculation and theorizing that often proves to be incorrect in the final analysis.
4. Get the Board and/or Management Involved
Both experts and regulators (e.g., the US Securities and Exchange Commission and the Federal Trade Commission) have placed enormous emphasis on board governance and cybersecurity. In general, board members bear a fiduciary responsibility to understand and manage cybersecurity risk. Creating awareness and getting board members involved in cybersecurity provides them with certain legal protections against claims that they failed in their fiduciary duties. More importantly, organizations that have a top-down culture of security are better protected against cyberattacks and better equipped to respond to an incident. Employee training, in particular, is most effective when security is a mandate from management and part of organizational culture. It has been said that the greatest threat to any organization’s security is located between the keyboard and the back of the chair. That is to say that unwary and untrained employees are particularly vulnerable to phishing or spear-phishing attacks, and are more likely to be irresponsible when managing sensitive company/customer information and network resources. Recent studies on ‘social engineering’ in the context of phishing exploits are sobering: (a) on average 23% of recipients will open phishing e-mails and 11% of them will click on malicious attachments; (b) if you send out ten phishing e-mails , there is a greater than 90% chance that at least one person will provide access into a network environment; and (c) 82 seconds is the median time it takes for the first phishing e-mail to be clicked by a recipient.[11]
Conclusion
In summary, cost of a breach can be staggering. Not only in terms of the money required to investigate and recover from a major breach, but also in terms of the harder-to-quantify—but no less important—loss of reputation, brand image and customer goodwill. Against that background, forthcoming legal requirements to notify affected parties and regulators will require a coordinated and practiced response that involves IT-Security, Legal and Communications teams, among others. But European companies need not make (repeat) the mistakes that US companies have made over the last 15 years. Thoughtful study of successful strategies employed there can save companies’ brand, reputation, time and money in responding to a data breach.
Aravind Swaminathan is the Global Co-Chair of Orrick’s Cybersecurity & Data Privacy Group in the Seattle, Washington office. https://www.orrick.com/Lawyers/Aravind-Swaminathan/Pages/default.aspx
Kolvin Stone is the Global Co-Chair of Orrick’s Cybersecurity & Data Privacy Group in the London office. https://www.orrick.com/Lawyers/Kolvin-Stone/Pages/default.aspx
Dr. Christian Schroder is the Head of Orrick’s Germany IP/IP & Data Privacy Practice Group in the Dusseldorf office. https://www.orrick.com/Lawyers/Christian-Schroeder/Pages/default.aspx
[1] ‘Cyber Security Breaches Survey, 2016,’ Dr. Rebecca Klahr, Sopie Amili, and Jayesh Navin Shah of Ipsos MORI Social Research Institute and Professor Mark Burton and Dr. Victoria Wang of Institute for Criminal Justice Studies, University of Portsmouth. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/521465/Cyber_Security_Breaches_Survey_2016_main_report_FINAL.pdf
[2] See, e.g., April 1, 2015 Executive Order re Blockiong the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities, available at https://www.whitehouse.gov/briefing-room/presidential-actions/executive-orders.
[3] See, Cybersecurity Strategy for Germany of the Federal Ministry of Interior, available at: http://www.cio.bund.de/SharedDocs/Publikationen/DE/Strategische-Themen/css_engl_download.pdf?__blob=publicationFile
[4] ‘Data Breaches in Europe: Reported Breaches of Compromised Personal Records in Europe, 2005-2015,:’ Phillip N. Howward, Center for Media, Data and Society, CEU School of Public Policy, http://cmds.ceu.edu/sites/cmcs.ceu.hu/files/attachment/article/663/databreachesineurope.pdf
[5] PwC’s The Global State of Information Security Survey, 2015, available at http://www.pwc.com/gsiss2015
[6] Japan Today, Japan Sees 25 Bil Cyberattacks in 2014; 40% from China,’ Feb. 18, 2015
[7] International Business Times, Japan Faced 12.8 Billion Cyber Attacks in 2013, Feb. 11, 2014, available at Japan Faced 12.8 Billion Cyber Attacks in 2013
[8] SafeNet, Global Survey 2015, http://www2.gemalto.com/email/2014/dp/GlobalCustomerSentiment/index.html
[9] PwC, The Global State of Information Security Survey, 2015, available at http://www.pwc.com/gsiss2015 s
[10] Id.
[11] Verizon, 2015 Data Breach Investigations Report at 13.
