No More Narrow Focus: Is 2016 the Year of Cyber-Risk?

No More Narrow Focus: Is 2016 the Year of Cyber-Risk?

As 2015 came to a close , cybersecurity topped the news. Terrorist attacks in Paris and California fueled the debate over whether law enforcement ought to be given access to encrypted communication. Data breaches also continued to impact companies and government agencies throughout the year.

Cybersecurity promises to remain a major risk for all organizations in 2016. “We’ll likely see continued massive data breaches, unfortunately, as companies, governments, and other organizations holding data continue to lag behind hackers and identity thieves in both technologies and good practices,” Joe ‘Chip’ Pitts III, a lecturer at Stanford Law School and former chief legal officer at Nokia, says to Legaltech News about his predictions for 2016.

Yet despite all the talk of “how quickly things are changing” in the cybersecurity arena for companies, “things really aren’t moving that fast,” says Matthew F. Prewitt, an attorney at Schiff Hardin. “The more talk about how things are going to change, the more things stay the same.”

Pitts agrees, saying, “Boards of directors and C-suites have been taking greater cognizance of these issues, but understanding the nature of the risk remains deficient, as do the required cybersecurity measures to manage the risk.”

The Business Case

Breaches are impacting many companies. Some 31 percent of in-house counsel said in 2015 that either their current or former company has experienced a data breach, according to a study from the Association of Corporate Counsel (ACC).

However, what is emerging on cybersecurity is how businesses are moving away from the “very narrow focus” on personal privacy and data breaches, which are “headline grabbing,” to broader issues such as the impact on the protection of business assets and intellectual property, Prewitt says.

But what will be the impact if a company loses a plan for the launch of a flagship product two years before a launch? It may be “much harder” to bounce back from that kind of cyber theft, Prewitt says. There is also a concern that business operations can be disrupted after cyber attacks, and there can also be a significant loss of revenue.

On the federal level, despite a challenge from Wyndham Worldwide Corp. that the Federal Trade Commission (FTC) did not have the authority to go after companies which did not sufficiently protect consumer information, the U.S. Court of Appeals for the Third Circuit sided with the FTC and validated the commission’s enforcement authority (more on this case can be found on page 36).

Another noteworthy case in 2015 was a ruling from the 7th Circuit involving a large data breach at Neiman Marcus. Remijas et al. v. The Neiman Marcus Group addressed the issue of standing and whether customers impacted by the data breach are likely to be injured despite that they did not yet experience identity theft or other kinds of fraud. But there is an “‘objectively reasonable likelihood’ that such an injury will occur,” Judge Diane Wood wrote in the appellate ruling.

That decision could make it “likely to see a lot more litigation in the future,” says Allison J. Bender, an attorney at Hogan Lovells who formerly worked at the Department of Homeland Security.

Looking at the state level, there could be some cases related to cybersecurity coming from appeals courts in states, if cases are brought regarding negligence and the fiduciary duties of company boards. Prewitt says the issue could be seen in such states as Delaware, California, Massachusetts and New York. In the meantime, Prewitt advises general counsel to expect “in the future your company’s current level of cybersecurity is going to be second-guessed by persons you cannot currently anticipate by issues you don’t expect.”

That means regulators or plaintiffs can challenge companies on cybersecurity issues. Therefore, responsible companies need to evaluate, investigate and make diligent efforts to understand what they should be doing on cybersecurity, Prewitt adds.

Into the Future

However, there may be some new wrinkles in 2016. Billions of more products will be able to communicate among each other as part of the Internet of Things “with the net result of burgeoning cybersecurity risks from this new segment,” Pitts says.

In addition, because of the increasing popularity of the cloud, even small companies are likely using the cloud now for systems such as human resources or accounting “one way or another,” says Michael R. Overly, an attorney with Foley & Lardner. “It’s incredibly hard to avoid it.” But be forewarned: in contracts cloud providers “are not going to assume much in the way of responsibility” if there is a breach, he adds.

Looking ahead, doxing, which is the hacking of computers followed by the publishing of documents in order to embarrass the target, “is on the rise,” Pitts says. Previous examples took place at Sony and Ashley Madison, and there were additional instances involving celebrities who stored sensitive photos, and even CIA Director John Brennan, according to Prewitt.

“We can expect it to increase further in the U.S. during [2016],” Pitts says, pointing out that the risk is higher especially because it is a Presidential election year. There also is likely to be more pressure on tech companies to provide “back doors” so law enforcement officers can unravel encrypted communications. “We’re seeing stepped-up support at the moment for private and government hacking and computer network and product backdoors in government bills and laws, but as the immediate aftermath of the Paris and San Bernardino attacks fades more reasoned and deliberate approaches will again assert themselves,” Pitts says. He warns that “adding vulnerabilities and backdoors to technology networks and products threatens to expose all of us to greater hacking, identity theft, privacy violations and other tangible as well as intangible harms on the misguided theory that allowing government access will somehow fail to also allow access by terrorists and cyber-criminals and prevent determined terrorists from communicating securely with each other as they plan attacks.”

Course of Action

When it comes to the NIST Cybersecurity Framework—which was released 2014—Bender says it is “likely to continue to have major influence on how companies are assessing and organizing their cybersecurity.” She describes it as being a “very flexible” framework which draws on existing standards and best practices. But critics argue the NIST framework is of limited value.

Prewitt points out the NIST framework is “vague by design.” A new version of the framework may be proposed in the near future. In fact, in December the NIST published a request in the Federal Register for feedback on how the framework “is being used to improve cybersecurity risk management, how best practices for using the framework are being shared, the relative value of different parts of the framework, the possible need for an update of the framework, and options for the long-term governance of the framework.”

As for now, Bender recommends companies respond appropriately to cyber-risks by:

  • Spending time assessing a company’s current cybersecurity program and involve a counsel to have attorney-client privilege;
  • If there is a data breach, make sure the first call is to an attorney;
  • Adequately invest time and resources to be “responsible cybersecurity citizens”; and
  • Have drills and policies in place proactively before a data breach takes place.

Companies need to continue to be proactive in 2016 and prepare for whatever cyberattacks that are directed at them. Otherwise, they are more legally and technologically vulnerable than their well-prepared peers.