In a recent article we discussed the cybersecurity challenges for publicly traded companies with Nardello & Co. One of the issues of concern raised was the potential for insider trading to occur in the context of a cyber breach. In March, a former top executive of Equifax was charged with insider trading in connection with a breach. This raises a host of new questions about how publicly traded companies – which are almost invariably multinational – should respond to a cyber breach. Now, with the GDPR (General Data Protection Regulation) entered into force for more than a month, many companies are being overwhelmed with complaints and requests for information. If a cyber incident occurs, in addition to U.S. law implications in the securities law context, listed companies need to consider global regulation and obligations applicable to data breach issues generally.
Mark Ray and John Fitzpatrick are Managing Directors at Nardello & Co., a global investigations firm that, among other things, specializes in cybersecurity consulting, internal investigations and incident response. Ray is a former special agent with the Federal Bureau of Investigation who led global investigations involving transnational cyber-criminal organizations, and currently leads Nardello’s Digital Investigations and Cybersecurity practice from the U.S. Fitzpatrick is based in the UK, and is an international lawyer with more than 20 years of legal, compliance and regulatory experience in multiple countries in EMEA, including expertise on data privacy issues, and in particular GDPR.
Christopher P. Skroupa: When is the right time to publicly report a cyber incident?
Mark Ray: After years of dealing with data breaches, I can honestly say that I have never seen the “right” time to report a cyber incident. As history has shown, taking too long to report an incident typically leads to public scrutiny, loss of customer and investor confidence, and extra attention from regulators. Since it is difficult to quantify a breach in a timely manner, let alone contain it, early notification can lead to subsequent notifications, perpetuating bad publicity for the organization and keeping them in the headlines. Unfortunately, in many of the largest data breaches made public recently such as Equifax, the notification was neither timely nor accurate, underscoring the need to get it right the first time. This is the conundrum posed by the recent onslaught of data privacy regulation such as GDPR, New York DFS cybersecurity regulation, and the SEC’s cybersecurity disclosure guidance. The danger is that reporting will become the organization’s focus, as opposed to properly containing and eradicating the threat actor from their environment.
John Fitzpatrick: From a legal perspective, a key variable is determining when a reportable data breach has occurred. Without getting into the details, unfortunately, there are different standards under a number of potentially applicable regulations for determining when a breach has occurred and when it is serious enough to require reporting. For example, in the EU, the GDPR has a very broad definition of breach and a very short deadline for reporting, which could require a notice before a duty to notify in the U.S. arises. When deciding on the approach to notice obligations, multinational companies are in the awkward situation of choosing between different approaches for different jurisdictions. This choice and how these issues are resolved can not only have legal implications, but can have a serious public relations impact, and ultimately impact the company’s brand and sales. We always work together with in-house lawyers, outside counsel, the business and technical teams to find the right approach.
Skroupa: How can a company determine whether or not they should report?
Ray: By default, organizations should assume up front that they do (or should) report a cyber incident to both clients and regulators. First and foremost, it’s the right thing to do. In matters pertaining to the loss or exposure of consumer data, companies need to remember that personal data doesn’t belong to them. It’s the consumer’s data, and if it’s mishandled, they have the right to know, regardless of the circumstances. That being said, a proper investigation needs to be conducted, regardless of the size of the incident, to determine what happened and what was exposed. As a part of the overall response, a data quantification workstream should occur, where the investigative team determines the type, quantity, and location of the information exposed. In the US, usually with the assistance of outside legal and forensics services, organizations need to notify the appropriate state and industry regulators. Obviously, with GDPR and New York DFS, that notification window has collapsed greatly to 72 hours. However, these regulations do not require companies to tell them exactly whose data was exposed, just that there was an incident that could have affected personal data.
Fitzpatrick: Again, in addition to the technical analysis which must be done to determine a company’s legal obligations, more generally that legal analysis should be in tandem with the technical analysis. If we are involved in a breach scenario, we always recommend that our clients bring outside legal counsel into the analysis as soon as possible. Unfortunately, many companies fail to get their lawyers involved in the early stages. Without lawyer involvement, the analysis and deliberations relating to it may be accessible to regulators at a later stage. Unless the company can claim privilege, the forensic reports, including detailed and sensitive information and internal discussions relating thereto could be discoverable. Also, companies should keep in mind that the notion of legal privilege is applied very differently around the world. This has important implications for how information flows and the teams involved in the incident are put together and operate.
Skroupa: How should companies report, and who should they reach out to?
Ray: Any cyber incident that requires notification should have the assistance of a Cybersecurity & Privacy attorney and a cybersecurity expert to help guide the company through the process. Typically, we work with outside counsel as a “breach coach” for the company, guiding them through the crisis, conducting the technical incident response, managing the notifications, and will bring the right resources to the table to assist. As John has raised, there is a wide array of regulatory bodies that will need to be notified depending upon the industry and geographies that the company operates in. However, as a rule of thumb, companies should consider a policy of always notifying their clients. Even if they’re not legally required to. Again, as history has shown us, public opinion tends to favour the organization that gets out in front of a data breach, notifies customers, and takes ownership of the problem.
Fitzpatrick: If the business of a company is international, in addition to the array of federal, state and sector-specific notification obligations in the U.S., multinational companies must be prepared to respond in compliance with the data breach notification obligations imposed by a range of countries where they are subject to those countries jurisdiction for data protection purposes. This evolving and inconsistent landscape requires that the incident response plan consider the legislation of all jurisdictions relevant to the breach. As our business is global, and data breaches for a multinational rarely have single jurisdiction implications, we are keenly aware of these international issues and take them into consideration in our work with a company and its counsel.
Skroupa: How will GDPR affect future cases like Equifax?
Ray: For every “Equifax-like” data breach, there are tons of cyber incidents we never hear about. I think GDPR will change that, and we will see and are seeing reporting of incidents that may have typically been swept under the rug by companies large and small. I also think we will see technology and network instrumentation play a bigger role in the notification process. Many of the largest breaches in history were reactive, meaning that the company found out they were breached from security researchers, financial institutions, or even the media. Today, companies are doing a better job establishing processes and implementing tools to actively “hunt” for threats within their network and proactively identify data loss. I think this will lead to more timely and accurate data breach reporting going forward.
Fitzpatrick: There are many issues relating to the GDPR that multinational companies need to consider. As alluded to in your prior questions, the EU requirements should be taken into consideration in the analysis of the appropriate response. In particular, companies need to take into consideration the need for speed. In short, the GDPR has a 72-hour notification requirement. It is not certain whether that requirement will be strictly construed given that there are caveats to the 72-hour obligation. However, where there is sensitive data involved as in the Equifax case, it is highly probable that the Equifax response time of 40 days would not be sufficient under the GDPR which is now force. If you are a multinational processing the personal data of EU citizens, in addition to U.S. obligations, you need to be ready for the worst-case scenario. Such companies should be prepared to deal with in 72-hour deadline, or be prepared to deal with consequences of a failure to comply. Those consequences could be onerous. In the Equifax case, the penalty potentially could have been in the tens of millions of dollars had the GDPR been applicable. In short, the impact of the GDPR will go well beyond the EU and it will force higher standards on US multinationals doing business processing data in Europe.
Check out our upcoming conferences here: https://skytopstrategies.com/conferences/
Follow us on twitter @SkytopStrat, and on Facebook @SkytopStrategies. Find us on YouTube, too, for exclusive interviews, panel discussions and debates that are prime examples of the market moving dialogue held at our various conferences and summits around the world.