Though it has made headlines for years – see Dropbox (in 2012 and 2016), Evernote (2013), Target (2013), Apple (2014), Home Depot (2014), Ashley Madison (2015), LinkedIn (2016) – hacking rarely affected our day-to-day lives. Then came reports of the 2016 hack of the Democratic National Committee, which possibly shifted the outcome of a presidential election and placed the very real implications of inadequate cybersecurity at the forefront of every American’s mind. In its recent article, Policy Ideas for a New Presidency, the Center for Long-Term Cybersecurity notes “Cybersecurity needs to be thought of as an existential risk to core American interests and values, rising close to the level of major armed conflict and climate change.”
The increase in connectivity across all industries has drastically increased the potential for data breaches. Post data breach consumer lawsuits, which typically assert breach of contract or negligence theories, are on the rise. Shareholder lawsuits, which typically assert claims for breach of fiduciary duty due to lack of adequate data security measures, are seeing some success. Investigations by government agencies, like the FTC, FCC, and SEC, are now common. Finally, while rare, some companies have faced criminal charges for egregious security lapses.
The damages available to plaintiffs in cybersecurity litigation depend on the nature of the company’s business and the type of personal information the company possesses. But proving causation between the breach and actual harm is more difficult than it appears, because it may be unknown how, or whether, the stolen customer information is actually used. Companies have successfully argued that there was no identifiable harm caused by the intrusion. However, some courts have allowed cases to proceed on a lower evidentiary burden of “substantial risk of future injury.”
But is it general counsel’s job to police such risks? And when the potential for breach turns into reality, what can be done to prepare for the resulting litigation? If a lawsuit or investigation results from a data breach, your company’s internal policies and procedures will be thoroughly scrutinized. Although acting with commercial reasonableness and in accordance with industry standards will not prevent litigation, it will assist with a more favorable resolution.
General Counsel’s Duties Include the Protection of Company Data
The days when data protection was solely the IT department’s role are long gone. The risk that your company’s data could fall into the wrong hands warrants an all-hands-on-deck approach, and legal must lead the way for at least two reasons. First, the Texas Disciplinary Rules of Professional Conduct require lawyers to “not knowingly…[r]eveal confidential information of a client or a former client to [third parties],” “protect their clients’ confidences,” and “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Tex. Disciplinary R. Prof. Conduct, §§ 1.05(b), 1.6(a), and 1.6(c). Second, cybersecurity in our connected world involves evaluating legal risks for all aspects of the company’s business.
General counsel’s first priority is to identify the company’s “digital assets,” which typically fall into two major categories: (1) trade secrets, competitive advantage data, and data essential to day-to-day operations and (2) customer data, which, if released, could expose the company to liability.
Once the company’s digital assets are identified, you must understand the digital structure of your organization. Where is the data located on your system? How is it stored? Who has access and why? What protections are in place? Are these protections sufficient to prevent a potential breach and the damages that may follow? Create a written explanation of the digital assets, structure, and protections within your system so that every department understands its role in the context of the whole, and incorporate that into your incident response plan. Finally, look externally to determine whether your agreements with third-party vendors include procedures that are consistent with the company’s internal data protection policies.
What Internal Policies and Procedures Protect The Company’s Digital Assets?
Although adequate internal security is now light-years beyond passwords, security at many companies has not evolved to meet new risks. Determine where your data is physically stored and what access points exist to that data. Personal, proprietary, and confidential data should not be stored locally on hard drives or on a single server. While non-critical data may remain on local hard drives, a main server, or the cloud, vital data should be segregated onto monitored servers that can be disconnected in the event of an intrusion, or onto air-gapped storage devices that are connected only at designated times. Data storage should be layered like an onion to prevent hackers from stumbling into your most sensitive data the moment they gain access. This layering may give your company the critical buffer needed to detect the intrusion and take counter-measures.
Also, consider minimizing retained data. Not only is storing unnecessary data costly, but it is also risky. Hackers cannot steal data you do not have. Learn how to securely purge your drives and cloud storage of data when it becomes obsolete or is no longer needed. If your company is required to retain data for regulatory or other purposes, consider storing the data on a secured “dead drop” computer with no internet capability. But, no matter where your data is stored, it should be encrypted. While this may sound contrary to the above advice, consider this: if all your data looks identical, how will hackers know whether they are looking at something important or unimportant? Data breaches do not usually involve stealing a company’s entire system, but only what the thief determines is valuable – so make it much harder for that determination to be made. While encryption five years ago was an arduous task, today entire systems can be encrypted and decrypted in real time.
Evaluate who has access to your data. Every additional employee with access to sensitive data is another variable of risk, so take steps to limit those variables. An employee who has historically had access to certain data, or who needed access to certain data at one point in time, may not need access today. Consider limiting access to only the time it is needed, or making such access device-sensitive. Additionally, multi-factor authentication (MFA) should be the standard for all employees with access to sensitive company data. MFA is a simple best practice that adds an extra layer of protection on top of a user’s name and password by requiring an authentication code from a separate device.
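The access review described above can be reduced to a few mechanical rules that a company can run against its own entitlement records on a schedule. The script below is an added illustration, not code from the article or its authors. It assumes each access grant is recorded as a (user, asset) pair with the date it was granted, the date it was last exercised, whether the asset holds sensitive data, and whether MFA is enforced for that user; the sample records are constructed for the example. It flags grants that have gone unused past a threshold (a candidate for revocation) and grants to sensitive assets that are not protected by MFA, and it counts how many people can reach each sensitive asset.

```python
"""Access-review helper: flag stale or weakly protected access grants.

Added example (not part of the original article). The record layout and
the 90-day staleness threshold are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class AccessGrant:
    user: str
    asset: str
    sensitive: bool            # asset holds personal/proprietary data
    granted: date              # when the access was first given
    last_used: Optional[date]  # None means the grant was never exercised
    mfa_enforced: bool         # MFA required for this user's logins


# Constructed sample entitlement records (hypothetical users and assets).
REVIEW_DATE = date(2017, 3, 1)
SAMPLE_GRANTS: List[AccessGrant] = [
    AccessGrant("alice", "customer_db", True, date(2016, 1, 10), date(2017, 2, 27), True),
    AccessGrant("bob", "customer_db", True, date(2015, 6, 1), date(2016, 9, 15), True),
    AccessGrant("carol", "trade_secrets_share", True, date(2017, 1, 20), None, False),
    AccessGrant("dave", "marketing_assets", False, date(2016, 3, 1), date(2016, 3, 2), False),
]

Finding = Tuple[str, str, List[str]]  # (user, asset, reasons)


def review_access(grants: List[AccessGrant], today: date,
                  stale_after_days: int = 90) -> List[Finding]:
    """Return one finding per grant that should be revoked or tightened.

    A grant is stale when it has not been used for more than
    stale_after_days; a never-used grant is measured from its grant date.
    A grant to a sensitive asset without MFA is flagged regardless of age.
    """
    findings: List[Finding] = []
    for g in grants:
        reasons: List[str] = []
        last_activity = g.last_used or g.granted
        idle_days = (today - last_activity).days
        if idle_days > stale_after_days:
            reasons.append(f"unused for {idle_days} days")
        if g.sensitive and not g.mfa_enforced:
            reasons.append("sensitive asset without MFA")
        if reasons:
            findings.append((g.user, g.asset, reasons))
    return findings


def sensitive_asset_exposure(grants: List[AccessGrant]) -> Dict[str, int]:
    """Count distinct users who can reach each sensitive asset."""
    users_by_asset: Dict[str, set] = {}
    for g in grants:
        if g.sensitive:
            users_by_asset.setdefault(g.asset, set()).add(g.user)
    return {asset: len(users) for asset, users in users_by_asset.items()}


if __name__ == "__main__":
    for user, asset, reasons in review_access(SAMPLE_GRANTS, REVIEW_DATE):
        print(f"{user:<6} {asset:<20} {'; '.join(reasons)}")
    for asset, count in sensitive_asset_exposure(SAMPLE_GRANTS).items():
        print(f"{asset}: {count} user(s) with access")
```

Run against the sample data, the review flags bob (no use of the customer database for 167 days), carol (access to a sensitive share without MFA), and dave (a non-sensitive grant idle for 364 days), while alice passes. Each finding is a concrete item for the access owner to approve or revoke, which turns the article's "does this person still need access today?" question into a repeatable check.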
General counsel must also consider physical security measures. While the ultimate goal is to create commercially reasonable levels of data security, the appearance that the company is taking all appropriate steps to maintain a secure physical environment is equally important. Examples of physical security include access-encoded keycards for all employees, continual monitoring of secured areas where sensitive data resides, biometric tokens, and access-point sensors on data-sensitive machines to prevent the unauthorized use of external hardware such as thumb drives.
Procedural security measures must also be in place, including management, operational, and administrative controls to reduce potential human-factor risks. The company’s employee handbook and policies should contain procedures regarding the safe use of electronic devices, the latest advice for avoiding phishing and other intrusion scams, and consequences for non-compliance. An easy-to-use system for contacting IT and raising red flags should be implemented and communicated to all. In addition to mandatory “classroom” training, internal, active testing should be a top priority for the entire company. Instruct your IT department to send disguised phishing emails with links or attachments and see who reports them, or better yet, who attempts to access the potentially harmful links.
Conduct frequent office audits and look for passwords written on Post-it notes, unlocked computers, and forgotten thumb drives. Provide incentives to create a positive learning experience and develop employee vigilance. Within any organization, there will be widely varying levels of computer savvy. As less savvy employees make improvements, reward them.
Are Third Parties Protecting Your Digital Assets?
In addition to ensuring that internal data security controls are in place, general counsel should review all external agreements to ensure that third-party vendors are serious about data security. Do not assume that third-party vendors adequately protect your company’s digital assets. PwC’s 2016 Data Risk in the Third-Party Ecosystem Report found that 60 percent of respondents do not monitor the security and privacy practices of the vendors with which they share sensitive or confidential information. The data security measures implemented externally should be at least as stringent as those implemented internally. Thus, similar initial questions should be asked of third-party vendors at the outset of the relationship: Where is your data located on their system? How is your data stored on their system? Who has access to your data and why? What protections are in place, and will these protections prevent a potential breach and the damages that may follow?
Do not do business with third-party vendors who refuse to incorporate data security measures into their agreements, and consider incorporating cooperation clauses to make clear the high levels of transparency and assistance that are expected. Include provisions that allow you to monitor the vendor’s actual compliance with your own data security requirements, including periodic audits and assessments, audit logs, and security incident reports. For vendors who protect your company’s most critical digital assets, require audits of their entire system once a year and performance reviews every six months. These audits and performance reviews may be handled by independent auditors, or in-house if your company has the capability. The results should be discussed with your vendor, and, if not already covered in the cooperation clause, the parties must agree to changes to the vendor’s procedures in response to the findings. The foregoing procedures cannot ensure against a data breach, but they can provide much-needed assurance that your company’s third-party vendors are not the weak point in your cybersecurity framework.
The cybersecurity threats companies face are evolving at a breakneck pace. Stay one step ahead of the hackers by working directly with your IT professionals and third-party vendors to maintain clear internal and external policies and procedures. By following these procedures internally and externally, general counsel can vastly improve their cybersecurity framework and reduce the risk of potential litigation in the event of a data breach.
Jenny Martinez is Co-Chair of the Commercial Litigation Section of Godwin Bowman PC in Dallas. She represents businesses in disputes involving finance, software, real estate, employment, and insurance.
Michael Holmes is an attorney in the firm’s business law and commercial litigation sections. Mr. Holmes represents companies ranging from entrepreneurs to Fortune 500 businesses in transactional and litigation matters involving contracts, cybersecurity, employment, corporate, securities, financial institutions, and real estate.