New complexities for corporate counsel around cyberattacks

Posted: October 20, 2017

A cyberattack can rain pain onto businesses that are victimized. The crime ruins reputations, shatters relationships, and drains resources as you struggle to contain the crisis.

Although a breach clearly makes you a crime victim, regulators, credit card issuers, consumers and courts may consider you something of a perpetrator, as Joseph Facciponti and Joseph V. Moreno of Cadwalader, Wickersham & Taft LLP detail here.

“The recent trend has been for federal regulators, such as the Federal Trade Commission (FTC) and, more recently, the Securities and Exchange Commission (SEC), to treat hacked corporations less like victims and more like potential wrongdoers,” Facciponti and Moreno say. “When companies find themselves to be victims of a data breach, they must navigate an ever-expanding minefield of complex reputational, regulatory, and legal challenges.”

The stakes

The average total organizational cost of a data breach in the U.S. is already $7.35 million, according to the Ponemon Institute and IBM [PDF, registration required].

The minefield

Federal Trade Commission: The FTC has acted aggressively against companies who have failed to protect customers’ data even when there hasn’t been a breach. Facciponti and Moreno cite a $100 million penalty against a company that failed to establish a comprehensive security program as required by a prior settlement.

Securities and Exchange Commission: If you’re a financial institution or have financial institution clients, the “Safeguards Rule” may apply to you. Morgan Stanley Smith Barney LLC agreed to pay a $1 million penalty to settle charges related to its failures to protect customer information, some of which was hacked and offered for sale online.

States: New York is leading the way in stringent cybersecurity regulations for banks, insurance companies and other financial institutions. It requires regulated institutions to have a cybersecurity program designed to protect consumers’ private data; written policies approved by the board or a senior officer; a chief information security officer to help protect data and systems; and controls and plans to help ensure the safety and soundness of New York’s financial services industry. Other states can be expected to follow suit.

Countries and Continents: European Union data privacy regulations go into effect next May and will apply to U.S. companies soliciting customers in Europe. The General Data Protection Regulation will allow EU consumers to ask why personal data is collected, how it is being used and how long it is retained, and that companies erase and stop processing their personal data.

Fines for non-compliance are reportedly up to 4 percent of global annual turnover, or €20m, whichever is greater. FTSE 100 companies could face fines of up to £5 billion ($6.6 billion) a year if they don’t comply, according to analysis by global management consultancy Oliver Wyman.

Consumers: Standing can be an issue for a consumer whose data was merely jeopardized. “Even in cases where plaintiffs have suffered direct losses from identity theft or fraud, it can be difficult, if not impossible, to establish that the fraudulent losses at issue were caused by the breach,” write David Cohen and Ani-Rae Lovell, Ropes & Gray LLP. “Moreover, where the breach is of payment card data, consumers tend to be fully reimbursed for fraudulent charges, due to the card brands’ zero liability policies. And many plaintiffs have experienced no fraud at all.”

However, plaintiff success happens, and consumers whose personal information has been breached have collectively recouped millions in class action, Facciponti and Moreno write.

Credit card issuers: They’ve had luck suing retailers, with one paying more than $100 million in various settlements, according to Facciponti and Moreno.

What a corporate legal department can do

As authorities begin viewing victimized companies as equal part perpetrator, the risks around information security only grow larger. If you’re in a corporate legal department, you could suddenly find yourself on the defensive.

So protect yourself from attackers, disgruntled employees and third parties who can jeopardize your future. We’ve blogged about the assurance you should demand of third-party partners like deposition services providers.

As data security risks soar, the only thing worse than being a victim is being a culprit, too.

Jim Ballowe

Jim is a veteran information technology professional, having worked with several global technology pioneers including Digital Equipment Corporation, HP & Lucent. His areas of expertise include enterprise architecture, infrastructure, information security, and product development and is helping Esquire and its clients navigate Litigation 2.0.