[BreachExchange] Want to avoid data breach lawsuits? Get legal on your side

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 2 19:53:55 EDT 2016


http://searchsecurity.techtarget.com/feature/Want-to-avoid-data-breach-lawsuits-Get-legal-on-your-side

It's hard to imagine a thief stealing the paper records of thousands of
customers from a bank. It would take a truck to haul the physical folders
away. Yet today it can be done exclusively online, in minutes, and the
perpetrator does not even have to be on the same continent as the victim
organization.

Laws have accompanied the natural progression of this digital evolution as
people, groups and governments create rules and frameworks to ensure that
data is protected and responsibility for that protection is fixed. But as
sensitive information has proliferated, so, too, have continuous data theft
and the threat of data breach lawsuits.

The CISO's role as the protector of an organization's data intersects with
responsibilities of corporate counsel. Regulations, laws, rules and
contracts that involve data protection make the relationship a necessity.
An effective partnership will help a company navigate the patchwork of data
protection laws. IT security and legal can work together to both understand
and maintain best practices, and to know when to update or change breach
response to meet new standards of reasonableness.

Failure to act 'reasonably'

Cyber regulations and data protection laws have blossomed across the globe
and in the U.S., at both the federal and state level, creating a patchwork
of obligations for companies that retain and process data, particularly
personally identifiable information (PII) of employees and consumers.
Privacy laws such as the recently passed EU General Data Protection
Regulation, U.S. data protection laws such as the Gramm-Leach-Bliley Act
(GLB), the Health Insurance Portability and Accountability Act, and state
breach-response laws all have specific requirements with accompanying fines
and liability if the data steward loses control of the data and fails to
comply.

Organizations must act reasonably in both their prevention of and response
to a data breach. Cybercrime victims pay a heavy price for not doing what is
considered reasonable to protect customer data. Depending on the business
and its ability to absorb financial and reputational damages, the risk of
multiple lawsuits can be a huge problem.

Home Depot agreed to a $19.5 million data-breach class action settlement in
March after a 2014 data breach that exposed up to 56 million credit and
debit cards (and 53 million customers' email information). The pre-tax cost
of the breach is $161 million, according to Home Depot's filings. The
retailer agreed to hire a CISO and improve its data security practices over
a two-year period.

Another cautionary tale is Target, which exposed 40 million credit card
numbers and 60 million customer records during a massive breach over the
2013 holiday period. The retailer's response was poorly managed, with
suggestions of an attempted cover-up. Besides a dip in the stock, the
breach cost Target almost $250 million, which included a $10 million
class-action lawsuit. The CEO and CIO resigned at the request of the board
of directors; at the time, the retailer lacked a CISO, an omission that was
considered a "root cause" of the breach.

Negligence is the No. 1 cause of action in data breach lawsuits, and what
is reasonable continues to evolve as threats change, according to the
findings in the "2016 Data Breach Litigation Report," published by Bryan
Cave LLP. Roughly 5% of public data breaches result in class-action
litigation, with multiple lawsuits filed against the largest and most
publicized defendants.

Beyond that, "reasonableness is the foundation" of many U.S. privacy laws,
including GLB, the Fair Credit Reporting Act and the Children's Online
Privacy Protection Act, according to a prepared statement by the Federal
Trade Commission's Data Security Program to the Committee on Homeland
Security and Governmental Affairs in the U.S. Senate in April 2014.

The consequences of a company's failure to stay apprised of data protection
laws and implement best practices can be dire. Organizations may find
themselves not only targets of data breach lawsuits but on the receiving
end of FTC scrutiny. The FTC is the main enforcer of federal cybersecurity
laws, and while there is no overarching federal privacy law, the FTC has
seized upon Section 5 of the Federal Trade Commission Act, which prohibits
unfair and deceptive acts and practices in or affecting commerce. Companies
are thus well-advised to revisit their privacy policies and processes
frequently to assess their efficacy. If the FTC determines that a company
has not followed through with its promises regarding protection of personal
data, a lawsuit or costly settlement may not be far behind.

In addition, FTC attention after a breach can create a public relations and
reputational nightmare by turning the narrative of "company as victim" on
its head; instead, a company that has not maintained reasonable safeguards
or has violated the privacy rights of individuals will be seen as
negligent, adding to the damage caused by the breach. By pooling the
collective knowledge of the legal and IT security organizations, a company
can cover all bases in a comprehensive way by staying on top of
requirements and updating them as appropriate.

Evidence of incident handling

Sometimes, however, the partnership between IT security and legal can be
fraught with contradiction because of their differing roles and objectives.
CISOs may approach policy and process with a "thou shalt" attitude. The
resulting documentation is too unwieldy and rigid, and any departure looks
like a failure of process to a jury. Legal counsel may seek to tone down
the language to "should" to allow for the on-the-spot decision making that
happens during a data breach.

Security teams may work quickly on containment and elimination of
cyberthreats without preserving system records. In the event of data breach
lawsuits or an FTC investigation, the organization may lack crucial
evidence of how it handled the incident. This problem can be avoided if
CISOs partner with legal counsel early and often -- to work on policy and
process and co-sponsor training such as cybersecurity incident exercises.

Traditionally, corporate counsel has focused on the risks and liabilities
and not the medium in which data traveled. As laws have emerged to protect
against the proliferation of cybercrime, the digital medium itself has
become a risk to a business. Failure to operate a corporation's IT
infrastructure in accordance with legal and contractual demands will
exponentially increase a company's liability if there is a data breach.
Corporate counsel can decipher those rules and laws into a language IT
security can enforce, and a CISO can provide a non-technical context to the
risk controls in place that meet the requirements.

CISOs also provide the expertise needed to explain how technology is used
to protect corporate data. Most security officers should know if or when
there is a cybersecurity incident that could be a potential data breach.
Before a potentially damaging incident happens, CISOs should reach out to
corporate counsel (or vice versa) and begin the conversation to set up the
swim lanes of a partnership.

Typically, these parameters are found within a breach response plan, which
outlines the steps the corporate legal team and the CISO will go through to
determine if there is an incident that meets the standards of a breach. It
also outlines the steps and responsibilities of each organization to handle
the incident in an expedient and legally compliant way. Breach is a legal
term that can vary depending on the law at issue.

Early involvement

To avoid making this determination in the vacuum of the IT environment,
CISOs should involve counsel as early as possible. The benefits of early
legal partnership during a cybersecurity incident are two-fold: (i) Early
involvement allows more careful analysis and characterization of an
incident as an actual breach, and (ii) counsel's participation,
particularly through the engagement of outside breach response counsel, may
also help protect the ensuing investigation and communications under
attorney-work product and the attorney-client privilege.

Together, the CISO and legal counsel should feature prominently on a
company's breach response team, even sharing leadership duties, where
appropriate. Their combined knowledge will inform and direct other crucial
stakeholders -- such as HR, finance, risk management and insurance, and
corporate communications -- and assist them in completing their tasks. Be
warned, however, that CISOs and legal counsel may increasingly face personal
liability in data breach lawsuits; these roles are not covered in
cyberinsurance policies, which typically extend only to top executives.
Donna Seymour, the former CIO of the U.S. Office of Personnel Management,
was named in a lawsuit against OPM for failing to protect the PII of
millions of federal employees.

The chief security officer and legal counsel are also well-suited to team
up and engage the board of directors. Boards are facing more scrutiny than
ever on cyber issues and are expected by shareholders to have a working
knowledge of the types of cyberthreats facing the company and what measures
it has in place to combat them. If they do not, they risk shareholder
derivative suits and adverse voting recommendations from proxy advisory
firms like Institutional Shareholder Services. Directors are therefore
relying on a successful CISO-counsel partnership to keep them abreast of
the cyber landscape and prevent data loss that could result in data breach
lawsuits.

Data protection and cybersecurity are two sides of the same coin and touch
both law and technology. Legal counsel supports the former with knowledge
of what applicable law requires, while the CISO tackles the latter, using
technology to drive compliance. The legal counsel-CISO team is a guidepost
and sentry within an organization, and therefore indispensable to a
successful cybersecurity program.