Jennifer Archie is a litigation partner in the Washington, D.C. office of Latham & Watkins. She possesses broad investigations, litigation, and counseling experience advising clients from emerging companies to global enterprises across all market sectors in matters involving computer fraud and cybercrime, privacy/data security compliance and program management, advertising and marketing practices, information governance, consumer fraud, employment, and trade secrets. Archie has particular experience defending clients in Federal Trade Commission (FTC) and state consumer protection investigations and preparing for and leading the response to complex and large-scale data breach incidents.
Serrin Turner is a partner in the New York office of Latham & Watkins and a member of the firm’s White Collar Defense & Government Investigations Practice and Financial Institutions Industry group. He leverages his extensive government litigation experience and background in cybercrime and data protection issues to represent clients in their most critical cyber security matters.
Christopher P. Skroupa: How has the cyber threat environment changed over the past several years?
Jennifer Archie: Over the last two or three years, companies in every industry segment and tier have confirmed they have suffered cyber attacks, whether they be data thefts, ransomware, denial of service or insider attacks. Healthcare providers, consumer products, entertainment companies, energy corporations, telecommunications carriers, insurance providers, political organizations, law firms and other professional services organizations, social-networking sites—the list keeps growing. Virtually any company that stores personal or proprietary information, or any other type of sensitive data, is a potential target. Experts have been hitting the “every company is a target” point for many years, but recent headlines have really driven that point home, certainly in board rooms, and within legal and IT departments.
Serrin Turner: We’ve also seen a blurring of the lines that have traditionally distinguished different sets of threat actors and their methodologies. Organized crime groups, which in the past have typically focused on theft of credit card data and personal identity information, are increasingly using “advanced persistent threat” tactics that are traditionally associated with nation-states—burrowing into corporate networks to steal trade secrets or other information that can be quietly monetized through insider trading or other means. Meanwhile, nation-state actors are not just snooping for economic-espionage or foreign-intelligence purposes anymore. They’re growing increasingly brazen and employing tactics traditionally associated with “hacktivists”—leaking data stolen from private companies or organizations into the public domain to further political agendas. The upshot of all this is that a broader range of institutions are at risk of a cyber attack, from a broader set of threats, than ever before.
Skroupa: How has the cyber security regulatory environment changed over the past several years?
Turner: Regulatory interest in cyber security has grown considerably and shows no signs of stopping. The FTC, which has been in this space since at least 2001, continues to pursue an active enforcement agenda, and has brought or settled more than 60 data security matters—often in the wake of data breaches—based on allegations that the company involved failed to reasonably protect consumers from data loss. Other U.S. agencies have followed suit, bringing similar actions within their sector-specific jurisdictions. The Securities and Exchange Commission, Consumer Financial Protection Bureau, Commodity Futures Trading Commission, Department of Defense, Health and Human Services and Federal Communications Commission have all begun to flex their muscles in this area, just to name a few.
Archie: Unfortunately, the long-building trend continues toward overlapping—and potentially conflicting—breach notification requirements. Companies can face a complex web of such requirements under federal and state law, as well as private contracts. Regulators in Europe and Asia have promulgated breach notification requirements as well, such as the General Data Protection Regulation recently enacted by the European Union. And E.U. regulators appear quite serious about enforcing rules and expectations for immediate notification following an event, not merely following a reasonably prompt investigation. In the U.K., for example, TalkTalk recently lost its appeal of a monetary penalty imposed for failure to notify regulators of a personal data breach within 24 hours after the detection of that breach, on grounds that it was feasible for TalkTalk to have done so based merely on information provided by a complaining consumer. All of these developments increase the likelihood that a company suffering a data security incident may need to self-report and respond to immediate regulatory inquiries, even before forensic experts have a handle on the nature and scope of the incident. If that happens, the company will want to be in the best position possible to demonstrate that it met or exceeded governing—often shifting—regulatory expectations to protect its systems from attack, and reasonably respond to the attack on behalf of affected parties.
Skroupa: What should corporate boards be doing to address cyber security risks?
Archie: Boards must address cyber security on a continuing basis as part of their overarching risk-management responsibilities, which include adequately overseeing and administering essential IT processes. A severe cyber incident can materially disrupt a company’s business, by causing serious harm to its brand, reputation or goodwill, or by imposing significant secondary harms on customers or business partners, for example. It’s an enterprise-wide risk that has to be tackled throughout the organization, starting from the top. The board needs to ensure that cyber security receives sufficient attention and priority from management, that adequate staff and resources are allocated to the issue, and that the company has appropriate plans and policies in place to mitigate threats and respond to incidents.
Turner: Agreed—it’s not just a matter of good corporate practice. Boards have a fiduciary duty of care to protect a company’s assets against cyber risk just as much as any other threat to its business. Regulators expect to see boards actively involved in approving and overseeing compliance with a company’s information security program, and will look for evidence of that in audits and examinations. Those in charge of information security are expected to have unfettered access to the board. If the company suffers a serious cyber attack, shareholders, customers, regulatory authorities, and class action plaintiffs will all question whether board members did enough to protect against the risk. As awareness of the cyber security threat has increased, cyber security has evolved into a legal and compliance issue as much as a technology issue—and boards are ultimately accountable for it.
Skroupa: What is the role of in-house counsel in responding to a cyber security incident?
Turner: In-house counsel should play a central role in any cyber security incident that poses significant legal or reputational risks for a company. In many situations, in-house attorneys supervise a privileged, internal investigation to determine what went wrong, assess damage (to the corporation and affected parties) and recommend steps to minimize any liability or regulatory risks for the company going forward. That requires working hand-in-glove with the IT department, often in consultation with outside legal counsel and cyber-forensic experts.
Archie: In addition, counsel is needed to handle a wide range of other tasks, for example, ensuring that evidence is preserved in anticipation of possible litigation or regulatory proceedings; analyzing whether notifications to regulators, contractual parties, customers, or others are required or prudent under the circumstances; counseling on internal and external communications strategies about the incident; and advising on any benefits that should be offered to affected parties. Given the rapidly expanding and evolving legal landscape in this area, it is more important than ever that companies have trained in-house counsel available, as well as pre-staged outside counsel with cyber security expertise, and include them in any response effort from the outset.
Skroupa: When should a company involve law enforcement in responding to a cyber incident?
Archie: It’s not always necessary or appropriate to contact law enforcement about a cyber security incident, but it’s often a good idea. Law enforcement has investigative resources unavailable to the private sector and can follow the digital trail from a cyber attack beyond the confines of the company’s own network. Short of potentially apprehending the attacker, law enforcement may be able to pass on information from its investigation (or its investigation of related incidents) that can help the company better protect itself, such as additional indicators of compromise associated with the suspected attack group.
Turner: Working with law enforcement can also be important from a PR perspective in the event that the cyber attack eventually becomes public. It sends a reassuring message if the company promptly enlisted the help of the authorities upon learning of the attack – not only to consumers but to regulators as well. Indeed, the FTC has advised in informal guidance that companies that report a data breach to law enforcement will be viewed more favorably in the event the FTC subsequently investigates the breach and weighs any enforcement action. Companies should consult their cyber security counsel about whether to engage with law enforcement. It helps to have counsel with good, preexisting relationships with the relevant law enforcement agencies, who understand how a criminal investigation is likely to proceed and who can facilitate effective information sharing with the investigative personnel involved.
Christopher P. Skroupa is the founder and CEO of Skytop Strategies, a global organizer of conferences.