Litigators and Privacy: The Last People You Want to See, or the First?
In their consideration of possible worst-case cyber attack scenarios, organizations often focus on the various types of attacks and their relative severity. But, the worst-case scenario is not the breach, it's the reputational damage, regulatory enforcement action, the business interruption, and the inevitable litigation that follows a poorly handled breach from an unprepared organization. Given this reality, it is important to adjust planning assumptions and response scenarios to focus on addressing these drivers of post-breach exposure.
March 04, 2020 at 02:30 PM
10 minute read
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
It is hardly news that cyber incidents are front of mind for companies. Whether costly data thefts, pernicious data manipulation attacks, or crippling ransomware or disruptive denial of service attacks, cyberattacks are trending toward greater frequency, severity and sophistication. Geopolitical tensions have further increased the risk. In fact, the New York State Department of Financial Services recently warned its regulated entities to be alert for an increased risk of malicious cyber activity directed at United States industries and government agencies by highly cyber-capable Iranian actors and proxies. The New York Times reports a 41% increase in 2019 in the number of files hacked in ransomware attacks, and notes that according to American authorities, several of these attackers have operated with the protection of their governments and have helped their governments by passing along hacked files.
When it comes to cybersecurity risks and breaches, organizations know they should plan for the worst, and hope for the best. In their consideration of possible worst-case scenarios, however, organizations often focus on the various types of attacks and their relative severity. In other words, they focus on the day of, not the day after.
But, the worst-case scenario is not the breach, as bad as a breach can be for the organization and its affected associates. In fact, the worst-case scenario is the reputational damage, regulatory enforcement action, the business interruption, and the inevitable litigation that follows a poorly handled breach from an unprepared organization. Given this reality, it is important to adjust planning assumptions and response scenarios to focus on addressing these drivers of post-breach exposure.
|Failure to Plan Is Planning to Fail
The military knows that failure to plan is planning to fail. Companies should take the same approach when it comes to cyber.
First, companies should survey the regulatory landscape across all jurisdictions in which they do business or maintain consumer data. A cyberattack in New York is likely also to be felt in London and Singapore, for example, and each jurisdiction will have its own requirements, including rules for the timing of regulatory notifications. The plan should call for a coordinated response across jurisdictions and it should account for a "best fit line" or "high water mark" approach. No regulator wants to read about a breach affecting their citizens in the papers.
Similarly, jurisdictions will be subject to different rules of legal privilege and how that privilege could be waived if the breach response is not handled in a certain manner. If a breach originates in Paris, for example, lawyers involved have to understand the privilege implications for, say, calling in a cyber forensics company through the IT department rather than outside counsel.
Second, while planning is critical, companies need to know what military planners also know: no plan survives contact with the enemy. Cyber-incident response plans involve facing off against a live enemy, one who will adjust to your every move and may even know your plan (or make a pretty good guess) before they launch the attack. What is therefore important in planning is that everyone knows who will manage the response, what role each member or department will play, what third parties will need to be involved, etc. Because of the worst-case scenario involving litigation and regulatory enforcement actions, the plans should involve a central role for the lawyer. Without legal involvement — especially before a notification or public statement goes out the door—a bad day can become a tragic year.
Third, when it comes to a cyberattack, planning for the worst should incorporate the low tech. Companies that maintain their incident response plan solely on a share drive are tempting fate and savvy adversaries, and also risk falling below "reasonableness" standards. Similarly, if your plan assumes that all response team members will be at their desks when the incident happens, your plan is inevitably flawed. Instead, wallet cards with key desk, mobile and even landline numbers are critical. Similarly, printing the plan out and keeping copies securely in offices and at the homes of those who will be responding is another low-tech, low-cost, and high-value precaution.
|Beware of the Apology
External communications cannot be the sole province of marketing, or even of external communication companies. Any external statements — including to Boards or third parties — need a legal review to ensure that what may work in the moment doesn't haunt the company for years in litigation. There is an inherent tension between the imperatives to disclose the basic facts quickly to control the narrative and maintain disciplined, informed communications. However, early reports are rarely accurate, and a rushed, overconfident response risks accusations of misstatements as well as loss of control over the narrative. Further, apologizing can be seen as an admission. It is a delicate balance, and sometimes a decision to prioritize the short term over the long term is wise, but the plan should ensure that those choices are deliberate.
Communications and other reputational considerations are especially important for larger companies that could be subject to shareholder derivative suits to recover for any losses in stock value. In recent years, Boards have faced shareholder litigation following cyber incidents based on alleged insufficient precautions to guard against attacks and inadequate management during the incident. Beyond any statements made by a company, it is crucial to also manage how employees publicly communicate about the incident, especially on social media. A carefully crafted response can be upended by a stray tweet by an employee that suggests a narrative contradictory to the company's. Being proactive and having clear public statement policies in advance is important.
|Hold Your Fire
In the heat of battle, strategic patience is critical. However, passions will get enflamed, and fatigue will play a role. It is important to recognize when these tendencies are likely to happen and to make sure a plan is in place to control them. For example, there may be an impulse to hack the hackers. A CEO may instruct his response team to "hack back," but under many laws, that is illegal. It also is likely ineffective, since hackers tend to hack after taking over an innocent person's computers. Hacking back against a highly sophisticated hacker may also make your hack even worse.
Another impulse is to pay the hackers during a ransomware attack. In 2019 alone, thousands of businesses were subject to a ransomware attack in which their data was encrypted and held hostage. In many cases, businesses are unable to access any of their data unless a ransom is paid to the attackers. A company may calculate that paying a ransom will result in less injury than an ongoing interruption, but ransom payment is fraught with difficulty and risk. First, there are no guarantees that paying the ransom will "unlock" your data. There are tax implications that must be accounted for regarding the payment. Further, payments may put a company at risk of both civil and criminal liability. Depending on the location and nationality of the hackers, there may be US sanctions that are implicated in making any payment. Similarly, ransom payments may violate anti-money laundering legislation. In advance of the prospect of making a ransom payment, it is important to consider these risks and have a plan in place to address them.
|After Action Reviews
After a cyberattack, conducting an after action review or internal investigation of the circumstances is an important step to understand the incident, report to stakeholders, and identify gaps to fill in the organization's cybersecurity that may have led to the incident. However, companies should be aware that an internal investigation not properly focused and managed can risk litigation and regulatory enforcement exposure. It is critical to define the scope of the investigation — as an investigation that reaches beyond its scope unnecessarily puts a company under the microscope.
When conducting an internal investigation with outside and in-house counsel, companies should be aware of issues regarding lawyer-client privilege. Communications with counsel as a part of the investigation should not be assumed to be privileged — and a false reliance on privilege could expose unflattering facts or communications down the line during litigation. In most jurisdictions, for an internal investigation to be legally privileged, one of the primary purposes of the investigation must be to provide legal advice to the organization. Relatedly, all witness employees must be given a clear and full Upjohn warning.
Following an internal investigation, companies should be careful in reporting their findings. Conclusions about the incident should not be made prematurely. Assigning fault or success before all facts are known can lead to contradictory drafts of the report. Narrowing the scope also applies to recommendations that may result from an investigation. Recommendations that are tangential or unnecessary, risk not being implemented in the aftermath, and recommendations that are not acted upon create targets for future liability.
|Conclusion
At the end of the day, hope is not a plan. It can be fatal to hope that an attack won't happen, or to hope that if it does happen, the right people will be available and everyone will remain calm.
Instead, companies should plan for the worst and hope for the best. Planning with an eye toward litigation, regulatory enforcement and reputational damage — rather than just planning around various types of specific attacks —can make all the difference.
*****
Michael Bahar, a partner at Eversheds Sutherland (US) LLP, is the co-lead of the Global Cybersecurity and Data Privacy team. He is also a Commander in the Navy JAG Corps, currently finishing a deployment to Afghanistan. He was previously Staff Director and General Counsel for the Minority Staff of the U.S. House Intelligence Committee, and prior Deputy Legal Advisor to the National Security Council at the White House.
Sarah Paul, a partner at Eversheds Sutherland (US) LLP, currently advises clients on cybersecurity and privacy law issues, and is a former federal prosecutor who served for nearly six years in the Complex Frauds and Cybercrime Unit of the U.S. Attorney's Office for the Southern District of New York.
Matt Gatewood, a partner at Eversheds Sutherland (US) LLP, is a commercial litigator who currently leads the firm's defense of putative class actions filed against a healthcare insurer alleging injuries from a cyber-attack.
Andrew Weiner, also with Eversheds Sutherland (US) LLP in New York, is not yet admitted to practice.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllA Look Back at High-Profile Hires in Big Law From Federal Government
4 minute read'Appropriate Relief'?: Google Offers Remedy Concessions in DOJ Antitrust Fight
4 minute readLife, Liberty, and the Pursuit of Customers: Developments on ‘Conquesting’ from the Ninth Circuit
8 minute readLegal Departments Gripe About Outside Counsel but Rarely Talk to Them
4 minute readLaw Firms Mentioned
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250