Cyber incident law is one of the few areas of jurisprudence where the victim of a crime may be responsible for the consequences of that crime. While there is no ability to prepare or prevent every kind of breach, organizational preparation can make a huge difference in public perception. Cyber incidents are no longer shocking to the public, and the growing split in perception is between those organizations that manage cyber incidents well and those that fail to do so.
Equifax breach case study: highlights
Equifax’s management of their 2017 breach is an excellent study of how not to manage a cyber incident. The root cause of the Equifax breach was one of the most prosaic and common cybersecurity mistakes: failure to patch against a known vulnerability (although there were many contributing factors). Equifax did not patch a server against a vulnerability in Apache Struts, leading to a hack that exposed the data of 147 million Americans. The Equifax breach appears to have been part of an ongoing international criminal conspiracy. In 2020, the U.S. Justice Department indicted, in absentia, four Chinese military officers for their role in the attack. Because the breach was so enormous, Equifax was always going to face significant consequences. However, Equifax’s response to the breach aggravated the opinion of the public and law enforcement towards Equifax.
Equifax committed four major errors in their response:
- Equifax did not publicly acknowledge the breach for six weeks
- Equifax created a breach response site separate from their own trusted domain
- Equifax accidently tweeted out a fake site, rather than the actual breach response site
- Most importantly, Equifax’s response was tone deaf, including blaming “a single individual” in front of a Congressional inquiry, and saying to the public the breach would “test the resolve of Equifax” rather than expressing remorse
Consequences of the Equifax breach included the overturning of the entire C-Suite, $1.4 billion in cleanup costs, $1.38 billion to settle class action claims with the FTC, and the CIO was indicted and sentenced to prison for insider trading (sold stock prior once he learned of the breach and before the public was notified).
Most organizations do not have to face such severe consequences in a world where cyber incidents are the new normal. Most incidents do not result in litigation, and a well-documented response plan in the event of a cyber incident can help alleviate some of the worst consequences of a breach. A plan can also help your organization avoid serious mistakes. Cyber incidents can happen fast, and an organization can lose control of the narrative quickly. For example, social media posts can inflame public response before the organization has had a chance to evaluate the incident and respond appropriately.
Step one: understand the claims
Any time there is a cyber incident, an organization may face claims of negligence. However, organizations are sometimes shocked they may face a lawsuit for violations of contract or statute, which depending on the circumstances can be easier to prove than negligence. For example, Blue Cross Anthem was not able to get contract claims against it dismissed arising out of their 2015 data breach. The Anthem plaintiffs argued in the class motion that “benefit of the bargain” damages could be based on the difference between the objectively determined market value of the health insurance as promised/represented with data security in the contract with its customers, and as actually delivered (with inadequate data security).
Another claim overlooked can be statutes. Regulations that allow the public to file lawsuits, including class actions, against companies that suffer a cybersecurity incident are evolving. For example, the Illinois Biometric Information Privacy Act (BIPA) allowed users of Facebook to sue for using face recognition software without their consent; in 2020, Facebook settled for $550 million.
Step two: understand risks presented by data
A person does not need to be an expert in technology to be effective in understanding cybersecurity risk. The important issue to understand is that some data is much riskier than others. Exposure of account or credit card information is more significant than exposure of personal email addresses, and exposure of social security numbers or biometric information is vastly more serious than credit card exposure.
Step three: understand controls
Again, understanding controls does not require expertise in firewalls, web filters, and other technology to understand your organization’s security posture. There are many resources available, several for free, that discuss the most important controls for an organization to implement (e.g. https://www.cisecurity.org/controls/cis-controls-list/). The importance of understanding security posture is to have a feel for the level of risk faced by the organization as a result of a cyber incident.
A prepared organization works with its information technology teams to educate and understand the risks of the data in the control of the organization. In addition, always review reports by external audit firms with an eye to issues raised (especially those relating to best practices). Be sure management is aware of the risk as part of their decision-making process.
Step four: have an external team ready to assist
Teams from outside the organization can be indispensable for managing a cyber incident. For example, having outside counsel to help review an incident can be valuable to get independent insights. In addition, organizations should always have available an outside IT forensics team that can provide an independent evaluation of a cyber incident.
Step five: ensure officers and directors understand management responsibilities
Officers’ and directors’ duties of care, loyalty, and good faith extend to the oversight of cybersecurity issues, and have fiduciary duties related to cyber security. Officers and Directors must be aware, educated and involved, and to meet a “reasonableness” standard akin to the business judgement rule when managing an incident. A good option to help officers and directors is to conduct boardroom tabletop exercises. The C-suite can run through a simulated cyberattack, including reviewing incidents faced by other companies.
Step six: understand the impact of communications
Communications to affected customers can make a huge difference in the severity of public reaction to a cyber incident. A company under pressure can make statements that exacerbate the issue, rather than ease public opinion.
In 2014, P.F. Chang’s was under extreme pressure to respond to accurate third-party reports that they had suffered a breach. In their announcement to the public, P.F. Chang’s mentioned they had taken their card system offline and initiated an investigation with the Secret Service. Worst of all, P.F. Chang’s said, “we encourage our guests to be vigilant about checking their credit card and bank statements …”. Unfortunately, this message told consumers that the incident was extremely serious, and implied the breach was the consumer’s problem. Not surprisingly, P.F. Chang’s suffered a class action lawsuit shortly thereafter.
Step seven: understand breach notification laws
Breach notification is difficult to understand, law enforcement and regulatory authorities may need to be notified. The patchwork of state breach notification laws is daunting, and some may not apply due to federal law supremacy, but a core understanding is critical to limit liability in a cyber incident. In addition, do not forget about contractual relationships. There may be third parties, such as vendors, that must be notified in the event of a breach.
Step eight: insurance items
Cyber insurance is maturing, and coverage can include first-party costs (such as notification and forensic costs) and third-party costs (such as losses sustained by clients). Knowing what the coverage will be can help reduce stress in the event of a cyber incident.
The most important item is knowing the exclusions. Courts have generally been willing to uphold policy exclusions in cyber insurance cases including:
- Negligence. A specific exclusion which precludes coverage for claims arising from the insured’s failure to maintain minimum/adequate security standards
- PCI. PCI related fines and assessments are often denied
- Cyber Extorsion and Ransomware. Cyber policies often limit coverage for ransomware
- Social Engineering. Insurers can deny coverage if employees override security controls or transfer funds voluntarily
Step nine: litigation holds
While most cyber incidents do not result in litigation, preserving electronic evidence can be critical in creating a defense. Organizations need to be ready to issue “litigation holds” preserving evidence that may be subject to litigation. Critical items to preserve include:
- Proper forensic preservation of compromised systems, including chain of custody
- Preservation of information related to efforts taken to prevent a security incident
- Preservation of investigations or reports of prior security incidents or breaches
- Communications (including email) relating to third-party IT contractors
- Preservation of documents related to investment in IT security and
- Preservation of communications (including email) concerning the breach
Counsel may also require additional information to be preserved as part of the hold.
Cyber incident plan checklist
- Understand cyber incident claims and where the organization is at risk
- Understand the risks presented by different types of data
- Understand where the organization is in relation to controls of sensitive data
- Ensure officers and the board understand their duties with respect to cyber incidents
- Conduct walkthroughs or tabletop exercises where officers and directors understand the responsibilities of the organization in a cyber incident
- Have third party teams such as outside counsel and forensic experts available in the event of an emergency
- Be prepared to issue communications to regulators and the public under intense pressure
- Know when law enforcement and the public need to be notified, and what is required in the communication
- Know when vendors and other third parties must also be notified
- Investigate cyber liability insurance and be certain to be aware of the exclusions
- Be prepared to issue a litigation hold