Holland & Knight LLP
Abernathy MacGregor Group, Inc.
FTI Consulting, Inc.
The ongoing pandemic has reiterated what we already know about cyber risk and, more specifically, about cyber actors: they evolve their methods to turn the status quo in their favor, exploiting new developments to find additional points of entry. As workforces rapidly shifted to remote environments, malicious actors pounced on the opportunity to infiltrate vulnerable home networks, less secure mobile devices that were increasingly relied on to conduct business operations, and employees not adhering to proper security practices.
New scams emerged, aimed at stealing credentials or gaining access to systems through phishing campaigns that used fraudulent emails crafted to look like legitimate messages from health organizations. Even where the information in these messages was accurate, they carried malware and could infect a network with a single click on a URL or the download of an attachment.
Beyond relatively simple social engineering cyber attacks, more advanced measures quickly developed. New strains of ransomware, nation-state spear-phishing attacks, unemployment fraud, and misinformation campaigns all reared their heads during the pandemic. As fast as new developments arose regarding the pandemic, cyber actors designing new ways to exploit the situation moved faster. As a result, cybersecurity—already a board-level concern—became even more essential to protect an organization’s reputation, financial standing, and viability.
The cyber threat landscape was growing quickly before the pandemic, fueled by the Internet of Things and the rollout of 5G networks, but the size of the attack surface has since exploded and will remain a significant concern in a post-COVID world. Organizations that decide to pivot to a full-time or even partially remote workforce will permanently have more access points to their networks and databases, and thus to their sensitive or proprietary information and data—in other words, additional ways for savvy cyber actors to gain unauthorized access and cause significant damage if those access points are not properly safeguarded.
Personal data is everywhere—in smartphones, with employers, in electronic health charts, in cars, at the gym, and at the grocery store. The collection, use, and storage of personal information is a necessary component of competing in the modern business world. The question is how, and with what level of care, companies should protect the personal, and often sensitive, data they obtain in the course of doing business. This question is normative and legal, and courts have been struggling with it for at least 15 years.
Take the following hypothetical, for example. A major online vendor suffers a ransomware attack, and a list of millions of users, including usernames, passwords, and credit card information, is stolen. The vendor conducts an internal review and discovers that the credit card information has appeared on the dark web, where it can be bought and sold by malicious actors. In turn, the affected users file a class action negligence suit. The appointed judge is then tasked with applying the four-element negligence analysis—duty, breach, causation, and damages—to determine whether the vendor should be liable.
Duty is the first, and often most important, question. It is primarily legal in nature, while the other elements are more likely to pose mixed questions of law and fact. It is up to the judge, who typically does not have a deep technical background, to determine the applicable standard of care before determining whether the company breached the same by failing to take appropriate steps.
What the judiciary and litigants lack is agreement on the precise source of this claimed duty. Plaintiffs variously allege that it comes from industry standards or specific regulations, private contracts, consent decrees, settlements, and, of course, judge-made law.
Further muddying the waters, states are filling a perceived void in federal leadership and passing cybersecurity-related laws or enacting full data privacy regimes on their own. California and Virginia have already done so, and New York is considering its options. And Utah, after Ohio, just became the second state to establish affirmative defenses for data breaches.
There are many permutations of the above hypothetical. A company can suffer a cyber attack but find that no user information has been stolen or accessed. Lawsuits arising from this scenario likely turn on whether the users were sufficiently “injured” to have legal standing to bring a claim. While standing is not the focus of this article, it is an equally important topic in the cybersecurity legal landscape.
Given the challenges of tracking quickly evolving technical and legal landscapes, in-house counsel seeking to mitigate risk exposure from a cyber attack or other data-related incidents might encounter analysis paralysis. Every major industry would do well to consider the technology training, risk management, and resource investments needed to prepare for the threat of a data breach or other cyber incident, and lawsuits arising from the same, especially considering the lack of uniform law.
Alongside the legal considerations in managing a cybersecurity incident sits a major practical question: How should we announce that this has happened? And how do we manage the press, our customers, our competitors, our vendors, and everyone else who is counting on us?
In the cybersecurity world, it is often said that breaches are not a question of “if” but a question of “when.” The issue is not that it happened, it is how prepared the affected company is to manage the aftermath. We find the optimum way to consider the associated communications issue is to think from the inside out. The central question is typically one from the customer’s perspective: what does this mean for me?
The most important communications tool is the letter to customers, which should be crafted with input from the affected company and the legal and forensic teams. While it is tempting to begin the letter with an apology for the incident, followed by an explanation of what happened and where to get help, we recommend a different approach.
Given how difficult it is to gain the public’s attention and hold it, we suggest that the letter begin with a short summary statement followed by exactly what action we are asking customers to take. These actions vary greatly depending on the incident, so the legal and forensic specialists will be of great value in balancing the need to inform against operational requirements. If every word is seen through the lens of “how does this help my customer?”, the letter will be short, concise, and truthful.
However, there is no room for error. If a company decides to direct customers to a call center for assistance, it is essential to test the system in advance and ensure that the call center reflects the company’s tone, concern, and values. The call center is an extension of the company during this time.
So much of the management of these issues is not what we say. It is what we do, along with all-important timing. In general, speaking too soon, for example, before a call center is in place and tested, can be worse than not speaking at all. And the letter to customers is the centerpiece of outreach to every other audience—from regulators to community and legislative leaders, trade associations, employees, and vendors. This approach allows the letter to spread naturally through social media channels without excess commentary from the company. The more consistent the messaging, the better the results will be, meaning the company manages the data breach and returns to business as usual with its reputation intact.
For more information about emerging cybersecurity laws and regulations, check out the authors’ Cybersecurity and Emerging Legal Standards program segment, available from PLI Programs On Demand.
Mark Melodia is a privacy, data security and consumer class action defense lawyer in Holland & Knight’s New York office. Mark focuses his practice on governmental and internal investigations, putative class actions and other “bet-the-company” suits in the following areas: data security/privacy, mortgage/financial services and other complex business litigation, including defamation.
Rhonda Barnat is one of the country’s leading crisis management advisors and head of Abernathy MacGregor’s crisis management practice. Rhonda is an expert in helping companies and non-profits move through an issue and return to normal with their reputations intact. She is often called upon to assemble the specialized teams that are required when a major crisis befalls an institution.
Jordan Rae Kelly is Head of Cybersecurity, Americas and Senior Managing Director of FTI Consulting, Inc. Jordan advises clients on a broad range of cybersecurity and data privacy matters involving breaches, insider threats, intellectual property, crisis communications, vendor management, compliance, regulation, risk management, and forensic investigations.
Disclaimer: The viewpoints expressed by the authors are their own and do not necessarily reflect the opinions, viewpoints and official policies of Practising Law Institute, Holland & Knight LLP, Abernathy MacGregor Group, FTI Consulting, or their clients. FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.
This article is published on PLI PLUS, the online research database of PLI. The entirety of the PLI Press print collection is available on PLI PLUS—including PLI's authoritative treatises, answer books, course handbooks and transcripts from our original and highly acclaimed CLE programs.