Adam Rice, Lisa Borsotti
Published: 02 Aug 2016
It's hard to imagine a thief stealing the paper records of thousands of customers from a bank. It would take a truck to haul the physical folders away. Yet today it can be done exclusively online, in minutes, and the perpetrator does not even have to be on the same continent as the victim organization.
Laws have accompanied the natural progression of this digital evolution as people, groups and governments create rules and frameworks to ensure that data is protected and responsibility for that protection is fixed. But as the proliferation of sensitive information has exploded so, too, have continuous data theft and the threat of data breach lawsuits.
The CISO's role as the protector of an organization's data intersects with responsibilities of corporate counsel. Regulations, laws, rules and contracts that involve data protection make the relationship a necessity. An effective partnership will help a company navigate the patchwork of data protection laws. IT security and legal can work together to both understand and maintain best practices, and to know when to update or change breach response to meet new standards of reasonableness.
Failure to act 'reasonably'
Cyber regulations and data protection laws have blossomed across the globe and in the U.S., at both the federal and state level, creating a patchwork of obligations for companies that retain and process data, particularly personally identifiable information (PII) of employees and consumers. Privacy laws such as the recently passed EU General Data Protection Regulation, U.S. data protection laws such as the Gramm-Leach-Bliley Act (GLB), the Health Insurance Portability and Accountability Act, and state breach-response laws all have specific requirements with accompanying fines and liability if the data steward loses control of the data and fails to comply.
Organizations must act reasonably in both the prevention of and the response to a data breach. Cybercrime victims pay a heavy price for not doing what is considered reasonable to protect customer data. Depending on the business and its ability to absorb financial and reputational damages, the risk of multiple lawsuits can be a huge problem.
Home Depot agreed to a $19.5 million data-breach class action settlement in March after a 2014 data breach that exposed up to 56 million credit and debit cards (and 53 million customers' email information). The pre-tax cost of the breach is $161 million, according to Home Depot's filings. The retailer agreed to hire a CISO and improve its data security practices over a two-year period.
Another cautionary tale is Target, which exposed 40 million credit card numbers and 60 million customer records during a massive breach over the 2013 holiday period. The retailer's response was poorly managed, with suggestions of an attempted cover-up. Besides a dip in the stock, the breach cost Target almost $250 million, which included a $10 million class-action lawsuit. The CEO and CIO resigned at the request of the board of directors; at the time, the retailer lacked a CISO, an omission that was considered a "root cause" of the breach.
Negligence is the No. 1 cause of action in data breach lawsuits, and what is reasonable continues to evolve as threats change, according to the findings in the "2016 Data Breach Litigation Report," published by Bryan Cave LLP. Roughly 5% of public data breaches result in class-action litigation, with multiple lawsuits filed against the largest and most publicized defendants.
Beyond that, "reasonableness is the foundation" of many U.S. privacy laws, including GLB, the Fair Credit Reporting Act and the Children's Online Privacy Protection Act, according to a prepared statement by the Federal Trade Commission's Data Security Program to the Committee on Homeland Security and Governmental Affairs in the U.S. Senate in April 2014.
The consequences of a company's failure to stay apprised of data protection laws and implement best practices can be dire. Organizations may find themselves not only targets of data breach lawsuits but on the receiving end of FTC scrutiny. The FTC is the main enforcer of federal cybersecurity laws, and while there is no overarching federal privacy law, the FTC has seized upon Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive acts and practices in or affecting commerce. Companies are thus well-advised to revisit their privacy policies and processes frequently to assess their efficacy. If the FTC determines that a company has not followed through with its promises regarding protection of personal data, a lawsuit or costly settlement may not be far behind.
In addition, FTC attention after a breach can create a public relations and reputational nightmare by turning the narrative of "company as victim" on its head; instead, a company that has not maintained reasonable safeguards or has violated the privacy rights of individuals will be seen as negligent, adding to the damage caused by the breach. By pooling the collective knowledge of the legal and IT security organizations, a company can cover all bases in a comprehensive way by staying on top of requirements and updating them as appropriate.
Evidence of incident handling
Sometimes, however, the partnership between IT security and legal can be fraught with contradiction because of their differing roles and objectives. CISOs may approach policy and process with a "thou shalt" attitude. The resulting documentation is too unwieldy and rigid, and any departure looks like a failure of process to a jury. Legal counsel may seek to tone down the language to "should" to allow for the on-the-spot decision making that happens during a data breach.
Security teams may work quickly on containment and elimination of cyberthreats without preserving system records. In the event of data breach lawsuits or an FTC investigation, the organization may lack crucial evidence of how it handled the incident. This problem can be avoided if CISOs partner with legal counsel early and often -- to work on policy and process and co-sponsor training such as cybersecurity incident exercises.
Traditionally, corporate counsel has focused on the risks and liabilities and not the medium that data traveled. As laws have emerged to protect against the proliferation of cybercrime, the digital medium itself has become a risk to a business. Failure to operate a corporation's IT infrastructure in accordance with legal and contractual demands will exponentially increase a company's liability if there is a data breach. Corporate counsel can decipher those rules and laws into a language IT security can enforce, and a CISO can provide a non-technical context to the risk controls in place that meet the requirements.
CISOs also provide the expertise needed to explain how technology is used to protect corporate data. Most security officers should know if or when there is a cybersecurity incident that could be a potential data breach. Before a potentially damaging incident happens, CISOs should reach out to corporate counsel (or vice versa) and begin the conversation to set up the swim lanes of a partnership.
Typically, these parameters are found within a breach response plan, which outlines the steps the corporate legal team and the CISO will go through to determine if there is an incident that meets the standards of a breach. It also outlines the steps and responsibilities of each organization to handle the incident in an expedient and legally compliant way. Breach is a legal term that can vary depending on the law at issue.
To avoid making this determination in the vacuum of the IT environment, CISOs should involve counsel as early as possible. The benefits of early legal partnership during a cybersecurity incident are two-fold: (i) Early involvement allows more careful analysis and characterization of an incident as an actual breach, and (ii) counsel's participation, particularly through the engagement of outside breach response counsel, may also help protect the ensuing investigation and communications under attorney-work product and the attorney-client privilege.
Together, the CISO and legal counsel should feature prominently on a company's breach response team, even sharing leadership duties where appropriate. Their combined knowledge will inform and direct other crucial stakeholders -- such as HR, finance, risk management and insurance, and corporate communications -- and assist them in completing their tasks. Be warned, however, that the CISO and legal counsel may increasingly face personal liability in data breach lawsuits; these roles are not covered in cyberinsurance policies, which typically extend only to top executives. Donna Seymour, the former CIO of the U.S. Office of Personnel Management, was named in a lawsuit against OPM for failing to protect the PII of millions of federal employees.
The chief security officer and legal counsel are also well-suited to team up and engage the board of directors. Boards are facing more scrutiny than ever on cyber issues and are expected by shareholders to have a working knowledge of the types of cyberthreats facing the company and what measures it has in place to combat them. If they do not, they risk shareholder derivative suits and adverse voting recommendations from proxy advisory firms like Institutional Shareholder Services. Directors are therefore relying on a successful CISO-counsel partnership to keep them abreast of the cyber landscape and prevent data loss that could result in data breach lawsuits.
Data protection and cybersecurity are two sides of the same coin and touch both law and technology. Legal counsel supports the former with knowledge of what applicable law requires, while the CISO tackles the latter, using technology to drive compliance. The legal counsel-CISO team is a guidepost and sentry within an organization, and therefore indispensable to a successful cybersecurity program.
About the authors:
Adam Rice is the CISO of Cubic Corp. An Infosec professional with 17 years of experience, he has served as CISO of Alliant Techsystems, CSO of a global telecommunications company, general manager and vice president of a managed security services business, director in several network consulting companies, and is a retired U.S. Army noncommissioned officer. He is also a regular contributor to several information security publications.
Lisa Borsotti is the senior counsel and data privacy officer at Cubic Corp. She leads data privacy initiatives in the United States and abroad for a midsize, publicly-traded multinational defense and transportation company, working on development of policies, procedures and training.