Same Threats, New Opportunities: The Current State of Corporate Cybersecurity
After a year of high profile data breaches, in-house counsel are bracing for another year of cybersecurity frustrations and scrutiny.
December 14, 2017 at 08:00 AM
2017 was a year of cybersecurity nightmares for big, well-resourced companies. For starters, Yahoo revealed that a 2013 data breach had affected every one of its user accounts, including those at its subsidiaries Flickr and Tumblr. Meanwhile, a Wells Fargo lawyer inadvertently exposed financial information for some of the bank's wealthiest customers by sending unredacted discovery documents to opposing counsel. And not only did a breach at credit reporting company Equifax expose the Social Security and driver's license information of roughly 143 million people, but the company's handling of the breach and ensuing allegations of insider trading produced public outrage and regulatory scrutiny. Even the U.S. government suffered a major breach, with the Securities and Exchange Commission (SEC) revealing that hackers had penetrated the agency's Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system.
While these stories dominated headlines, identity protection company IdentityForce found that at least another 37 large corporations announced major data breaches to their customers this year. The threat of cyberattack shows little sign of slowing into 2018, prompting corporate counsel to begin thinking about how to handle the next year in cybersecurity.
Same Issues, New Year
Amar Sarwal, chief legal officer and senior vice president of advocacy and legal services at the Association of Corporate Counsel, suggests that general counsel may want to expect “more of the same” in the cybersecurity threat landscape. “It's not like we solved the issues that are in front of us now, from state-sponsored hacking or otherwise. Those issues have not been resolved yet. Those issues will continue to linger in future years,” he notes. As for a company's potential to be hacked, he adds, “It's a matter of when, not if. … Every company from the board of directors on down should recognize that.”
Olga Mack, general counsel at sales engagement platform company ClearSlide, thinks that 2018 is likely to bring “more, not less, attacks.” While she believes attacks on large, high-profile companies are likely to continue, hackers may also target more vulnerable organizations. Smaller and mid-sized companies, for example, “have a smaller budget to protect themselves, and they have a lot of very valuable information,” she says. “There's kind of equal opportunity for everyone” to be hacked.
Some small and mid-sized firms have turned to cloud hosting to try to ward off cyberattackers in hopes that specialized third-party vendors may be able to safeguard data better than they can. Gerald Werner, global director of information security at K2 Intelligence, says this strategy could certainly backfire in coming years. “More and more companies are moving critical systems to the cloud with the understanding that their data will be safe. Unfortunately, insufficiently secured systems bring new opportunities for hackers to access information or to lock critical systems until a ransom is paid,” he says.
Although many have noted the vulnerabilities inherent in internet of things (IoT) devices, 2017 saw relatively few headline-making attacks on them. However, given their growing presence in both consumer and enterprise markets, Mack says the coming year may see far more exploitation of these devices. “I think it may happen next year. I think it's an even larger threat.”
Werner says IoT-enabled home assistant devices could be particularly at risk. “These systems are inexpensive devices with a microphone. Essentially, they are full-blown recording devices that will send audio to a hooked-up data center for processing,” he explains.
With the threat surface expanding, the ACC's Sarwal notes that organizations may see more pressure to clamp down on collaborators and vendors with whom they share data. “The focus on the supply chain is only becoming more intense, with many of these hacks being on third-party vendors,” he says.
Regulatory Gambits
The regulatory stakes around cybersecurity seem slated to rise over the next year. Data breach notification laws are now in place in all but two U.S. states, many of which, along with local municipalities, are adopting additional requirements for data handling. Several bills have been proposed at the federal level, including one allowing organizations to “hack back” at cyberattackers, but so far none has gained significant bipartisan traction.
Rahul Mukhi, counsel at Cleary Gottlieb Steen & Hamilton, explains that cybersecurity regulation and its application are still new enough that many of its conventions are still being hammered out. Enforcement action around the Yahoo breach, however, could signal a change in regulators' enforcement priorities. “If they bring enforcement action there, or settlement, I believe that'd be the first time they've done that based on cybersecurity risk disclosures,” he explains.
In addition, multinational companies will need to ensure their information governance structures match those mandated by the European Union's General Data Protection Regulation (GDPR), which takes effect next May. The GDPR sets forth a wide range of strict data management and retention responsibilities, coupled with steep fines for noncompliance of up to 4 percent of annual global turnover (or 20 million euros, whichever is higher).
Although in-house counsel are working to prepare for May, many organizations are anxious about their ability to comply appropriately. Mukhi hopes that regulatory agencies enforcing GDPR can find a way to acknowledge the realities companies face in securing their data.
“It's got to be risk-based, and hindsight is 20/20. The budgets for cybersecurity are getting bigger and bigger, but the tipping point where there's only so much you can do within reasonable limits of your finances, I think there has to be sensitivity to that by the regulators,” Mukhi says.
Mack hopes new regulations address companies as partners rather than adversaries in trying to stop cyberattacks. Such policy, she says, could shape “how we have an open conversation with policymakers without fearing that our companies will be targeted. There needs to be a change in incentives in how we deal with that.”
Litigation Outlook
Some of 2017's high-profile breaches have also raised concerns among organizations about the potential for litigation. Mukhi notes that while it may still be too early to tell what litigation risks organizations dealing with breaches will face in 2018, the coming year may give stronger indicators of how well they will fare.
At this point, there is fairly little precedent: only in the last year or so have litigators brought numerous class actions over these data breaches, and given the slow pace of litigation, they have yielded few definitive judgments. “The early trend was deemed to result in dismissal of the claims on the theory that if you have a breach, but the customers can't show that the bad guys stole their information and committed fraud, there's no injury to the customers,” Mukhi says.
However, that trend may be changing, following a California federal judge's decision to allow claims against Yahoo to move forward. “The fact that your personal information was lost in and of itself was an injury, that allowed the case to go forward,” Mukhi adds.
Litigation addressing the responsibilities of companies to safeguard data has also not moved particularly quickly through the courts. Although Mukhi sees some potential for claims against Equifax to move a little further because of the allegations of insider trading leveled against the company, he also sees a fair amount of trepidation from courts around holding companies accountable for cyberattacks. “There's a reluctance without more evidence to penalize the companies and management for the fact that there are criminals out there constantly trying to break into systems.”
Looking Ahead
Mack believes that many companies have taken this year's major cyberbreaches as a warning for what's to come and are beginning to prepare accordingly. “Crisis management policy was really not on the radar. Now, everyone is scrambling to have something along those lines, because while you can't control whether a crisis occurs, you can certainly be prepared,” she says.
Over the last few years, ideas about what practices and policies can help organizations be formally “prepared” have shifted quite a bit. Paraphrasing boxer Mike Tyson, Sarwal says, “Everyone has a plan until they're punched in the face,” adding that formulating a response plan without any real intent of using it can often leave companies exposed to harm. “When you get to the actual situation, it's sometimes more effective. It's a matter of actually testing it with real exercises, not just putting it into a notebook and putting it on a shelf.”
Mack adds that response plans may lean more heavily on technology as part of their defensive strategy in coming years. “I think we'll increasingly rely on data sources to use predictive modeling to understand what's likely to happen. I think our models and our data are increasingly better at that.”
But even as industry best practices mature, cyberattackers aren't likely to go away, nor become any less effective. “The hackers are so much more creative right now,” Sarwal says. “There are so many more things that hackers can go after. They've only touched the surface of that.”
With many organizations feeling outgunned in their ability to ward off cyberattacks, some may be forced to rethink their data retention practices. Notably, as artificial intelligence begins to work its way into nearly every industry, companies are increasingly mining large data sets to train algorithms that could help boost efficiency later on. “You think about the big data revolutions, you have to Hoover up as much data as you can to have these algorithms do their job,” Sarwal notes. “Then you have to store that data.”
Mukhi believes that storing this data could come at a cost. “Especially for companies that are in the data mining business, if you don't need the data and there's no requirement to keep it, it's just a huge risk sitting on your boat,” he says.
Given the increasing likelihood of cyberattack and potential for penalties, many are hoping that in-house counsel and state regulators can find a way to rethink the individualized and defensive ways in which organizations handle cybersecurity, and instead find ways to promote more collaboration amongst these groups.
“I think we need to start looking at it as a more communal problem,” Mack says. “Smaller companies and entities have a smaller budget. We need to find a way to address the 'tragedy of the commons' issue. I really think that individually, even Fortune 500 companies can be brought to their knees, but collectively I think we can be stronger.”
Sarwal echoes Mack's call for teamwork among companies and regulators. “I hate to be pessimistic, but there's going to be some tough times ahead. My hope is that the regulators recognize this and work together with companies, not in a blame or shame way, but to recognize that we're all in this together.”