In the not-so-distant past, when hackers breached a company's cybersecurity defenses and pilfered data, including sensitive customer information, the government and public alike often viewed the company as one of the victims. Not anymore. A confluence of cybersecurity developments is changing the game: highly publicized corporate network intrusions impacting large swaths of the U.S. population (Equifax, Yahoo and Target, to name just a few); a wave of aggressive new regulations (both currently in effect and proposed) at the state and federal levels, with the looming threat of regulatory enforcement and sizable penalties; and growing exposure to legal liability for data breaches under existing consumer protection laws. As the dust settles, an emerging legal and regulatory standard of care for cybersecurity is coming into sharper focus. Global financial firms, in particular, should pay close attention to this quickly evolving cybersecurity compliance landscape—or risk getting crushed under the weight of stiffening regulations and class action lawsuits.

Cybersecurity Regulations On the Rise

State and federal government agencies are increasingly pushing to regulate cybersecurity compliance, especially for financial services companies that routinely handle sensitive customer information. Cybersecurity has long been a mostly unregulated affair: stakeholders have operated pursuant to industry best practices and voluntary guidelines, such as the National Institute of Standards and Technology's “Framework for Improving Critical Infrastructure Cybersecurity.” In March 2017, though, New York state's financial watchdog, the Department of Financial Services (DFS), issued cybersecurity requirements for financial services companies. This is the first such set of regulations at the state level and easily the most ambitious cybersecurity compliance regime to date. Codified in Section 500 of the New York Code of Rules and Regulations, the suite of regulations applies to any corporation with more than 10 employees subject to New York's Banking Law, Insurance Law, or Financial Services Law (with some exemptions). “Section 500,” as it's simply known, mandates that covered companies, among other things:

• Designate a chief information security officer who is responsible for overseeing and enforcing the company's cybersecurity policy;
• Create a cybersecurity program that includes monitoring and testing, developed in accordance with the company's cybersecurity risk assessment; and
• Implement and maintain written policies addressing 14 areas, including information security, data governance and classification, and customer data privacy.

DFS is not alone. In September 2016, shortly after DFS proposed the original iteration of the above regulations, three federal bank regulators—the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corp.—issued a joint notice of proposed rulemaking. These proposed rules (the comment period ended in February 2017) would convert historically voluntary standards for cybersecurity controls into federal regulations, requiring implementation of enhanced standards in the five following areas:

• Cyberrisk governance;
• Cyberrisk management;
• Internal dependency management;
• External dependency management and incident response; and
• Cyberresilience and situational awareness.

Moreover, as recently as January 2018, Sens. Elizabeth Warren and Mark Warner introduced a bill that would provide the Federal Trade Commission with punitive powers that match the enormity of a firm's data breach. The proposed law would set potential fines for breaches at a base penalty of $100 for each consumer with one piece of personal identifying information stolen, plus $50 for each additional piece of personal identifying information compromised per consumer. Under current law, consumer awards for stolen personal data are normally in the range of only $1 to $2.

Mounting Legal Exposure

Risk of legal liability for cyber intrusions is ballooning as well. In the federal courts, plaintiffs are making headway in holding companies financially accountable for data breaches that compromised sensitive customer information. In particular, litigants are finding it easier to gain standing, with appellate courts showing greater concern for consumer interests in this area.

“Standing” is a threshold hurdle for all civil litigants: a plaintiff must demonstrate, in essence, that the alleged wrongdoing led to an actual injury. Historically, establishing standing for a cause of action arising from a data breach has been challenging. That is because “injuries” in this context are often future injuries, such as prospective damage to a consumer's credit score or the risk of identity theft at some future point in time.

But the legal tide began to turn in 2015. The case involved a class action against Neiman Marcus by a group of customers whose credit card information had been hacked. The plaintiffs alleged standing based on two “future” injuries: increased risk of future fraudulent charges and greater susceptibility to identity theft. Notwithstanding their speculative nature, the U.S. Court of Appeals for the Seventh Circuit sided with the plaintiffs in concluding that these injuries were sufficiently imminent to create standing. In a subsequent class action against the insurer Nationwide for a large data breach, the Sixth Circuit followed suit in reversing the district court's dismissal for lack of standing, reasoning that the plaintiffs had established an adequate risk of future fraud and identity theft. Next, in January 2017, the Third Circuit held that certain data breach incidents alleging violations of federal statutes provided standing—even if the plaintiff did not allege tangible, personal harm arising from the breach. And in August 2017, the D.C. Circuit widened the circuit split, overturning a district court's dismissal of a complaint for lack of standing in a data breach case. These decisions are greasing the wheels for similar class actions going forward.

The infamous Equifax data breach will further clarify the state of the law. As widely reported several months ago, Equifax announced an unprecedented infiltration of its network that compromised the sensitive personal identifying information of more than 143 million people. In the wake of the breach, media and public sentiment have not looked kindly on Equifax. But the firm's challenges go beyond just reputational: two proposed class actions have already been filed in different federal courts that claim the company's negligent failure to protect consumer data. Plaintiffs' attorneys say the class could seek up to $70 billion in nationwide damages, and Equifax stock has plummeted. As of November 2017, consumers had filed more than 240 total class action lawsuits against the company in federal, state, and Canadian courts. Whether U.S. courts will find that the Equifax plaintiffs carry standing remains to be seen, although the momentum seems to be on their side.

Cybersecurity Crossroads

As this drumbeat of legal and regulatory change shows, cybersecurity compliance is approaching an inflection point—not unlike the rapid growth and prioritization of financial crime compliance nearly two decades ago. Absent preparation and proactivity in the near term, including making informed decisions about how to build a sustainable, technology-enabled compliance program to meet these new challenges, companies will find themselves late to the game, struggling to catch up, and vulnerable to unmitigated risk of every stripe. Instead, firms should take the opportunity to be at the forefront of the cybersecurity movement. This begins with the basics: performing an enterprise-wide risk assessment to take stock of a company's cybersecurity risks and controls, and then using that risk assessment as the foundation for remediating any gaps. Firms that act fast and get ahead of the curve will be thankful that they did.

N. David Neeman is an attorney and independent consultant.

Timothy C. Stone is a director in the New York office of Exiger, the global compliance firm.