By Kimberleigh Dyess, University of Maryland
Overview
In our increasingly technology-reliant world, where digital security must be constantly evolving to defend against equally relentless hackers, businesses must be prepared to handle the risks and consequences of storing large quantities of customer and client personal information digitally. Many major corporations have already fallen prey to hackers' cyberattacks -- one of the most notable instances being the infamous Target data breach from winter 2013. Unfortunately, despite the prevalence of digital information storage and the necessity for cybersecurity, there is a significant lack of formal and uniform legal guidance for corporations at present. As such, the best thing that a company dealing with digitized information can do is to be constantly vigilant in its security, and to have a plan in place for managing a breach before one happens, so that the company is not scrambling to come up with a plan to manage and mitigate the damage after one occurs.
The Cybersecurity Landscape
Cybersecurity is a new and still-developing field of technology, law, and regulation that poses a practical minefield for corporate entities that face the risk of cyberattacks. Not only must companies defend against constantly-evolving technologies and cyber attacks as best they can, but they must also be prepared before a breach occurs to mitigate the direct damages from the criminal, civil, and regulatory liabilities of a cyber attack. Possible harms include the loss of financial data or the personal data of customers, interruptions to websites and servers that interfere with the flow of commerce, and the reputational damage that comes with being a company that is also a cybersecurity victim. As far as the law goes, the state of cybersecurity is unfortunately in piecemeal. Statutes, regulations, and common law standards describing a corporation's cybersecurity obligations are scattered across state and federal law. The fragmented state of the law at present, with almost every state and territory in the nation having enacted its own legislation about notifying potential victims of security breaches, is an obstacle to the legislative efforts to create a sole United States federal data breach notification law that would aid corporations in understanding what their legal obligations are.
The Target Security Breach
Perhaps the most well-known example of a cybersecurity breach is that of retail giant Target just a few years ago. During the 2013 holiday season, from November 27 to December 15 according to an official statement, nearly all of Target's 1,797 stores were involved in a credit and debit card security breach. Investigations came to the conclusion that Target's security team had disabled a function that automatically deletes malicious software, and additionally chose not to act in response to an early alert of a cyber breach detected by their FireEye security system. As a result, Target experienced a major cyberattack that resulted in millions of shoppers' personal data being compromised, in the form of approximately 40 million payment card records and 70 million other types of customer records, including names, phone numbers, and email addresses. According to an unnamed source at a data investigation firm, the Target breach would "put its mark up there with some of the largest retail breaches to date."
The Nation's Response
Target ended up firing their CEO within just a few months of the cybersecurity attack. Target's official statement also suggested that the CEO, Gregg Steinhafel, was moving too slowly to upgrade its technology and security systems, despite knowing of the company's vulnerabilities. Since the disclosing the attack, Target has been fielding dozens of class action lawsuits, over 40 before the end of the December 2013. Many of the lawsuits focused on the pace at which Target chose to disclose the incident and claimed that their clients could have done more to mitigate the damage if they had known immediately. In March 2015, a federal judge in Minnesota approved Target's offer to settle the class action lawsuit for $10 million.
Target's Board and senior managers are also facing a shareholder derivative suit for their handling of the breach, and Target is further facing action from banks seeking reimbursement for their losses due to fraud and replacing millions of compromised payment cards. On top of the lawsuits, the DOJ has stated that they are looking into criminal charges, several states' attorneys general have instituted actions over security breach notification laws, and Congressional inquiries began in early 2014 in both the House and Senate.
The incident and its repercussions have sent a message to the executives and board members of other companies not only of the importance of both understanding and doing their best to defend against the threat, but that, until a uniform statutory definition of a corporation's legal obligations is established, they too bear personal risk if cybersecurity attacks are not responded to "adequately."
Considerations When Deciding What Cybersecurity Measures to Take
The Target case is an excellent demonstration of the fine line that corporations must walk when a cybersecurity breach occurs - namely, the balance between investigating and assessing the severity and scope of the breach while taking steps to disclose the breach to affected, or potentially affected, parties in a timely manner and institute appropriate mitigation.
However, regardless of how a company chooses to handle the situation, it still faces potential liability from a myriad of different cyber actors and institutions within the United States who take responsibility for the field, including the SEC, FTC, and states' attorneys general. What makes the decision of how to handle cybersecurity and defend against liability so difficult for companies is that each of these entities has a different focus, motive, and method. Organized criminal cybersecurity attacks designed to steal and sell personal information for profit, as was demonstrated in the Target breach, generally affect large numbers of people, many of whom choose to become plaintiffs and thus are a liability corporations must be prepared for. Other organizations with more of a national security focus, such as the DHS, FBI, and Secret Service, generally have a different relationship with companies who are victims of a cybersecurity attack, because their goal is instead to address threats to national security, intellectual property, or trade secrets, which do not always lead to a harm outside the company and thus do not generally result in lawsuits like those filed against Target.
This complicated landscape creates numerous challenges for the decision-makers of companies, namely the directors and officers charged with managing the company's affairs. Their task, which is not an easy one, involves according appropriate weight to the concerns of state and federal agencies, lenders and business partners, and customers, while meeting their fiduciary obligations to the company and its shareholders.
Recommended Approach: Better Safe than Sorry
Our world is becoming increasingly technological, and the liabilities that companies face as a result of not just cybersecurity breaches themselves, but the organization's handling of the incidents, are both wide-ranging and serious. Corporate leaders whose businesses deal with personal data or any other materials that may cause them to be the target of a cybersecurity attack need to educate and prepare themselves both to defend against a potential breach and how to coordinate the response that comes after.
The best offense is a good defense, so the first step that corporations should take is trying to prevent the breaches from happening in the first place. There are many monitoring and compliance requirements readily available that are necessary to meet various statutory standards, so a good starting point for any corporation is to ensure that their current security is up to par according to these metrics. As a result of the increasing number of cyberattacks in the last few years, many technology experts have been offering advice to corporations, and others have been working with federal organizations to come up with best practice suggestions to assist corporations in shoring up their defenses.
In dealing with such a complex system of administrative, regulatory, and enforcement entities under a piecemeal set of laws that vary by state, however, it is also important for companies to remember collaboration. Corporate executive, legal, technical, and security teams need to work together to stay on top of the security situation before, during, and after any incidents occur. This approach is particularly helpful when it comes to deciding whether, when, and how to cooperate with the government when incidents occur, as a united front and a uniform understanding among the company can be crucial. Much of an effective cybersecurity attack response requires cooperation amongst these parties, which necessitates not only internal communication, but that all parties be generally fluent in cybersecurity and able to comprehend all of the potential liabilities to facilitate a productive conversation on how best to handle any incident that may arise.
Conclusion:
What happened to Target is unfortunately not an isolated incident. Since 2013, numerous other major retailers have experienced similar cybersecurity breaches, with their customers' credit and debit card information showing up on cybercrime stores such as rescator.cm, owned by a Ukrainian hacker who appears to dominate the stolen credit card trade. In September 2014, nearly every Home Depot store across the nation was hit using the same malware used in the Target breach. Other hacked retailers include Sally Beauty, P.F. Chang's and Harbor Freight, as well as Michaels, Neiman Marcus, UPS, Goodwill, JP Morgan, and many, many others.
With cyber attacks becoming demonstrably commonplace, it is of the utmost importance for the leaders of corporations to acknowledge the risks of this new means of data storage and prepare appropriately. Security software that constantly evolves and updates, more frequent checks to try to catch data breaches earlier, and developing a clear and thorough plan of action for handling a breach long before one occurs are all crucial, as is communication with customers and clients as quickly as is feasible. The public is becoming increasingly aware of the cybersecurity risks that companies today are facing, but history has shown time and time again that these incidents are far more likely to be forgiven by the public when a company is honest and transparent, as in Johnson & Johnson's 2009 Tylenol recall, and far less so when the company tries to cover the mistake up, like Toyota did in 2009 and Volkswagen did in 2014.
Region:
United States
The information in any resource collected in this virtual library should
not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.