By John Barlament
and Jennifer Rathburn
With the attack on Sony in December 2014 and the unprecedented breach involving health plan information of Anthem Blue Cross Blue Shield in early 2015, companies have recognized that cyber hacks are a real threat. Today, the question is not “if,” but rather, “when” your company or one of your vendors will get hacked. The new landscape is forcing in-house counsel to prepare for this inevitability and the following three steps are good places to start.
Implement a cybersecurity program and know your insurance coverage
In-house counsel and board members must be prepared to implement a risk-based cybersecurity program, while also understanding the limits of their company’s insurance coverage. How should a company determine where to start? A good approach is to review existing federal guidance — both mandatory requirements and voluntary “best practices.”
On February 12, 2013, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” which mandated that several federal agencies recommend ways to improve critical infrastructure cybersecurity. The National Institute of Standards and Technology (NIST), in concert with stakeholders across industries, compiled industry standards and best practices on managing risk in “critical infrastructure sectors,” such as financial services, communications, and the energy provider industry. The final result, published February 12, 2014, is a voluntary framework providing guidance on how to create and implement a cybersecurity program.
While the federal government has declined to offer incentives for adoption of its framework, and has not mandated participation by private companies, the framework is quickly becoming the standard used when developing a cybersecurity program. Specific industries like the Federal Financial Institutions Examination Council and the U.S. Food and Drug Administration also have issued guidance on developing cybersecurity programs.
Prudent in-house counsel should advise the company’s board of directors and officers about their obligations to oversee and manage cyber risks. This is essential because in 2014 Target and Wyndham shareholders brought derivative lawsuits against individual directors and officers of the companies for breaching their fiduciary duty to protect the personal information of employees and customers.
The first decision in the matter involving Wyndham was favorable to the company. The court dismissed the shareholder derivative action, noting that the board had actively considered data security matters at fourteen board meetings held over several years. This holding doesn’t solve the issue, however, because the Wyndham decision has been appealed and the derivative action against Target is still pending.
Another way to manage risk is to insure against cyber attacks. Insurance companies have begun to exclude cyber liability from commercial general liability insurance coverage. Instead, insurers offer separate cyber liability policies that cover first-party losses when a breach occurs, such as hiring legal counsel and a cybersecurity forensic firm and paying for notification costs. In-house attorneys should discuss with their insurance colleagues whether such exclusions could apply and, if so, weigh the possible risks of such exclusions.
Know big data and the Internet of things
In-house counsel must become familiar with two new terms that do not have precise legal definitions yet: “Big Data” and the “Internet of Things.” “Big Data” has many definitions, but as summarized by the federal government in documents, it generally reflects the growing technological ability to capture, aggregate, and process an ever-greater volume, velocity, and variety of data.
Similarly, the “Internet of Things” (IoT) is a term used by the government and others to describe the ability of devices to communicate with each other using embedded sensors that are linked through wired and wireless networks. These connected devices use the Internet to transmit, compile, and analyze data. The devices can be consumer-focused (such as connected televisions or refrigerators) or business-focused (such as office printers, which can automatically order ink refills when supplies run low). Big Data initiatives and the IoT are driving the increased use and value of data, and the associated cybersecurity risks to the companies that hold it.
In May 2014, the White House issued the results of its comprehensive review of Big Data. In September, the White House announced new government initiatives, which included using Big Data in law enforcement and health care to advance best practices and research, while safeguarding personal privacy. The Federal Trade Commission followed up with its January 2015 “Internet of Things: Privacy & Security in a Connected World” report that outlines three “best practices” for companies that gather consumer information as part of the IoT. In-house counsel who work at companies which gather this information should review the FTC report, then compare its recommendations (which involve “data security,” “data minimization,” and “notice and choice”) with how the company is current using (or planning to use) such information.
Implement privacy and security policies and procedures — and follow them
In-house counsel should ensure privacy and security policies and procedures, including a security incident response plan, are implemented and followed. These policies and procedures will shape the company’s data privacy and security practices and guide the company in the event of a data breach.
There is no single federal law governing data security or data breaches, yet. Instead, in the United States, data security is regulated by a patchwork of entities and laws, such as Section 5 of the Federal Trade Commission Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996, and state law.
In January 2015, Obama proposed the Personal Data Notification & Protection Act. The act would create a single federal data breach law and preempt most state data breach notification laws. There is some bipartisan support in Congress (and among businesses) for a single, uniform federal law on data breach notifications. But, it is unclear if such a bill will actually become law.
As the sophistication and prevalence of cyber attacks grow, in-house counsel must stay abreast of current law and industry guidance to be prepared to defend its company’s privacy and security practices against government actions and litigation.
John Barlament and Jennifer Rathburn, partners at Quarles & Brady, focus on data security and privacy matters. Barlament was recently named the chair of the firm’s Data Privacy and Security Team and both are regular contributors to the firm’s data security blog Safe & Sound and related industry publications. Barlament can be reached at email@example.com and Rathburn at firstname.lastname@example.org.