Cybersecurity and data protection are expected to become top drivers of legal disputes. What litigation risks should CISOs be most concerned about and what can they do about it?

The threat of litigation is enough to keep any business leader up at night, and the increasing prevalence of data protection, privacy, and cybersecurity legislation and regulation is piling on the pressure for CISOs.
According to Norton Rose Fulbright’s latest Annual Litigation Trends Survey of more than 250 general counsel and in-house litigation practitioners, cybersecurity and data protection will be among the top drivers of new legal disputes for the next several years. Two-thirds of survey respondents said they felt more exposed to these types of disputes in 2021, up from less than half in 2020, while more sophisticated attacks, less oversight of employees/contractors in remote environments, and concerns about the amount of client data were all cited as mitigating factors.

Clearly, the risks of litigation are very real for CISOs and their organizations, but what are the greatest areas of concern and what can they do about it?

Data breaches draw lawsuitsIn the last 18 months to two years, the chances of an organization facing litigation following a data breach have increased significantly, particularly when a company is perceived to have not handled a breach well, says lawyer and Cordery partner Jonathan Armstrong, who specializes in technology and compliance legal matters. “With a big data breach now, litigation is a probability, not a possibility,” he adds.

While propensity for legal action varies by geography, the continuing scale of cyberattacks has resulted in more explicit assertions from government, industry, and regulatory bodies on what constitutes poor security, opening the door to more legal action, Alex Jinivizian, vice president strategy and corporate development at eSentire, tells CSO. “Some of the most high-profile data breaches--Equifax, Marriott, Target, the U.S. Office of Personnel Management—resulted in significant lawsuits against those companies related to losses of confidential employee or customer data caused by poor standards around security hygiene,” he says.

The implications can be considerable for businesses, Armstrong warns. “Damages sought in different cases are high at the moment. As just one example, TikTok is facing an action in the Netherlands for €1.5bn, and there are similarly high value claims in other countries, too, including the UK and Germany. Data related litigation has been a feature of U.S. corporate life for many years as well.”

CISOs under fireThe risk of litigation is not limited to corporations. CISOs themselves face being subject to legal action for breach of duty where insufficient steps were taken to prevent a breach, or the aftermath of the breach was handled badly, says Simon Fawell, partner at Signature Litigation LLP.

Jinivizian agrees: “The role of the CISO has never been more critical for mid/large enterprises, and potentially more in the crosshairs and held accountable for security incidents and data breaches, as illustrated by the ongoing class action against SolarWinds’ CISO and other executives following the devastating supply chain attack in 2020,” he states.

This is also evidenced by the charges against Uber’s CSO for allegedly trying to cover up a ransomware payment relating to the 2016 attack that compromised data of millions of users and drivers, Armstrong adds.

If a CISO acts as a company director, then they could face shareholder actions for breach of duty following data and privacy breaches based on damage to company value, says Fawell. “Shareholder actions against directors have been on the rise in the UK and, where a data breach has led to a drop in value for shareholders, claims against directors are increasingly being considered. This mirrors the trend in other jurisdictions such as the U.S. where CISOs have already been the subject of high-profile claims for breach of duty.”

Loss of trade secrets and reputational damageThe potential fallout from data breach or privacy litigation includes significant fines, civil and criminal penalties, reputational damage, and adversely affected stock price. All can impact organizations and CISOs individually and in combination. Where important information is lost, the damage can be extremely high, adds Alasdair Marshall, associate at Signature Litigation LLP. “For example, were an intermediary or agent to have a breach incident and lose trade secrets or information that is potentially very damaging to another company’s reputation, that could lead to major litigation. In recent years, the Panama Papers and Credit Suisse incidents have highlighted a growing number of individuals seeking to obtain sensitive information and publish it to the market.”

What’s more, defending litigation can be both costly and time-consuming, Marshall says. “While the English system allows for the winning party to recover legal costs from the loser, it is rare that the amount spent on legal fees and ancillary costs are clawed back in full. Litigation also requires significant CISO and board level attention which would be more productively focused on growing and protecting the business for the future.”

Litigation can have direct implications on cyber insurance matters, too, impacting things like coverage exceptions, renewals, and new business. The companies and CISOs that bounce back the fastest are those that put their customers first by being transparent, doing whatever it takes to help impacted customers minimize the impact, and sharing the steps they plan to take to ensure it doesn’t happen again, says Russ Kirby, CISO at ForgeRock.

Regulations and requirementsGeographical factors are particularly important in relation to litigation risks CISOs and their organizations face, experts agree. For example, the threat of mass class actions for large scale breaches has diminished somewhat in the UK following the Supreme Court decision in Lloyd vs Google which halted an “opt-out” class action under the existing procedural frameworks and highlighted the difficulties in bringing mass data claims under the English rules, says Fawell. “Whilst the decision hasn’t completely blocked the possibility for class actions in data privacy cases and there remain a number of claims running through the English courts that are framed differently and could yet have success, it is a fairly major set-back for claimants,” he adds.

That said, the pressure for individuals impacted by data breaches to be compensated is growing and it would not be surprising to see some form of opt-out class action regime being introduced for data privacy cases in the relatively near future, Fawell says. “An opt-out regime has already been introduced in the UK for competition claims and data privacy would be the next logical area for a similar approach.” Although the threat of mass class actions has diminished in the UK for the time being, the threat of individual litigation remains very apparent, particularly where high value corporate data is potentially compromised, he continues. “The GDPR (and related UK legislation) has led to a much greater awareness of data privacy issues and increased focus on contractual clauses in commercial deals.”

As for the U.S., things can get just as or even more convoluted, says former CISO Jack O’Meara, who leads litigation support services at consultancy Guidehouse. “For example, a CISO working at a U.S. Defense Industrial Base Contractor needs to comply with Defense Federal Acquisition Regulations (DFARS) 252.204-7012 safeguarding covered defense information and cyber incident reporting, while a CISO working for a financial institution in New York needs to comply with New York State Department of Financial Services 23 NYCRR 500 cybersecurity requirements for financial services companies.”

Meanwhile, a judge recently approved a $17.6 million class settlement brought on by plaintiffs of Kemper Insurance, who alleged violations of California’s Consumer Privacy Act, while the Securities and Exchange Commission (SEC) has proposed new mandatory cybersecurity disclosure rules for publicly traded firms, along with written cyber policies and procedures, enhanced reporting, and records management for private equity and investment firms.

Ultimately, U.S. CISOs need to have knowledge of specific cybersecurity requirements contained within the contracts their companies hold, O’Meara adds. “There are too many regulations and requirements to mention in this article, but a CISO needs to be knowledgeable of the ones applicable to their industry and geographic regions.”

Mitigating the risks of litigationTo mitigate and reduce the risks of litigation, CISOs must first examine whether their security program is “defensible” under harsh scrutiny and able to change and adapt to new threats, Kirby says. “For example, if it can’t stand up to questions about whether your protocols follow local laws and industry standards, you need to act fast to address those gaps.”

Fawell cites five questions that are useful in gauging the effectiveness of a breach response plan from a litigative perspective:

1. Who are the key service providers to call?
2. What are the internal lines of communication? Who makes the call on instructing lawyers and other key advisors? Is it the CISO or does it require other approvals?
3. If the system is down, how do key personnel handling the breach communicate securely?
4. What type of breach is most likely to impact the company and who are the counterparties most likely to be affected?
5. What do the data privacy clauses in contracts with counterparties require? Are there notification requirements in those contracts?

“Planning can range from, at a minimum, ensuring the answers to the questions above and others have been considered and the answers are known to the key individuals who will be handling a breach, to having a full simulated breach to stress test processes,” Fawell adds.

O’Meara says CISO should be able to provide documented policies and procedures including artifacts of compliance, screenshots of security configuration settings, firewall logs, access audit logs, user computer system and application access request forms, and employee security training records, when requested.

Armstrong recommends that CISOs engage with lawyers who are used to handling these types of risks and litigation before an incident occurs. “When you do have an incident, it is important not to try and deal with it as a lone cowboy,” he says.

In the same vein, O’Meara suggests U.S. firms partner with in-house counsel to understand litigation risks and the associated impacts and ramifications.

It is also essential that CISOs are familiar with the terms of a company’s cyber insurance policies—chiefly what is/is not covered and the notification requirements in the event of a breach, Fawell says. “Insurers should generally be one of the first ports of call. Not only is it important to ensure that the cover bites, insurers are often also a good source of information and advice on how to handle certain aspects of a breach.”

Furthermore, security leaders must be careful about what information is (and is not) recorded in the immediate aftermath of a breach, Fawell continues. “It is important to keep a clear audit trail of the decisions taken and why. However, while dealing with an immediately challenging situation, it is not unusual for ill-judged comments (often from high level personnel) to be recorded in writing, which can be unhelpful in later legal proceedings. It is particularly important that everyone understands which communications are likely to have the protection of legal privilege in relevant jurisdictions and which will not.”

Armstrong has seen this play out. “Privilege is critical. Commonly, litigants are making very early requests to see internal memos, communications, and forensic reports. If you don’t set up privilege properly, you are likely to have to disclose all materials.”
​
It is sensible, where possible, to have an in-person meeting among key personnel to establish clear lines of communication and ensure that the audit trail accurately and clearly details the response process, Fawell advises.

Proggio is focused on Companies that Need Clarity with +500 People, Multiple Projects and Cross-Dependancies. Unlimited Users & Easy-to-Use Tools for Company-Wide Adoption and Alignment. Get a Demo.

OnePlan Strategic Portfolio Management Solutions

​Organizations wish to adapt, innovate, and compete. In reality, they are like the people in them: complex, full of potential, and with old habits. Business agility means adopting the mindset, practices, and tools to become more value-focused and customer-obsessed. The OnePlan team’s purpose is to help your organization on its path to innovation, flexibility, and speed by offering technology and consulting services to suit your needs at different stages of your journey.

Want to do your career the best service as fast is possible? Get Cheetah Agile Certified. I've done the research - trust me. It's the best possible thing you can do for your tech career today. Fast, makes a difference not only for Project Managers, but for all and will help you learn faster and retain.

And don't forget to use "BRADAGILE" for 10% off you certification. As a 20+ year PM, I know what I am talking about. Signup today.

Cheetah Agile Projects - Quick Start

In just 20 minutes with their free webinar, learn what it takes to become Cheetah Agile Certified and complete significant projects in two weeks using the Cheetah Agile Project approach. 

When you become Cheetah Agile Certified, you earn a credential that you can connect on your Linked in Profile. 

This opens you up to recruiters who are filling over 5800 jobs for Agile Project Managers at salaries of $110,000.

Cheetah Delivers

"I've used Cheetah's accelerated approaches to doing projects for years and have accomplished so many more things in both my personal and professional life from having these skills. You'll be delighted what this can do for you."
Barb S., PMP

Cybersecurity and risk executives are adopting new ways to attract talent, in part by looking outside degree requirements and traditional technology backgrounds.

Organizations such as the International Information System Security Certification Consortium, or ISC2, say the demand for cybersecurity workers is far outstripping the available workforce.

The nonprofit training organization estimates in its latest annual workforce study that around 2.72 million more cybersecurity workers are needed globally.

While that figure is down from 3.12 million in the previous year’s study, hiring remains a slog, especially for companies looking to expand their cyber teams during a period of heightened threats from hackers.

Shaun Marion, chief information security officer at fast-food chain McDonald’s Corp. , is in the midst of bringing many contracted cybersecurity roles in-house, especially those at the entry level, he said. Mr. Marion also plans to hire another 30 to 40 cyber professionals this year.

The shift will help improve prospects for people who want to build cyber careers at McDonald’s, Mr. Marion said. “Once I get people here, I can expose them to all the opportunities they have,” he said. “It’s not hard to retain. But getting them in is hard.”

At payments provider Visa Inc., which has around 1,150 staff working on cyber-related roles globally, Chief Risk Officer Paul Fabara said he is keenly aware that losing employees without the ability to replace them can be just as disruptive as not being able to fill the roles in the first place.
“You have to start planning way in advance,” he said. “If you start by the time attrition hits you, if you don’t have three or four people in the pipeline for a single role, you’re going to fall short of meeting the demands of that job.”

That can have real consequences for companies, and for the remaining employees who still have to run security operations centers, fusion centers and other cyber operations at peak performance levels.

“The worst thing you can do in this type of environment, because you’re operating on a 24x7 basis, is to burn people out,” Mr. Fabara said.

Thinking broadly about candidates is key for Steven Babb, CISO at Mitsubishi UFJ Financial Group’s investor services business. Mr. Babb said he supports initiatives that aim to increase gender representation in the workplace, and he’s also interested in candidates who aren’t necessarily from straight cybersecurity backgrounds but may have relevant experience in other departments.

“We give people the opportunity to come in to learn about the business, to learn about our technology and to apply what they know, such as transferring skills from other areas into security as well,” Mr. Babb said.


At McDonald’s, Mr. Marion says the help desk can feed the general roles in the cybersecurity group because technicians there know how to handle ambiguity and solve problems in real time. Serious online gamers make good staff for the security operations center, he said, where the ability to work odd hours, cooperate and think quickly are required.

“I search for attitude and aptitude and lay security training on top of that,” he said.

The idea of considering candidates with nontraditional backgrounds is gaining traction for external hires, as well as existing employees. For Mr. Marion, looking only for college graduates is “myopic.” Not only don’t the numbers support that route, but requiring a degree eliminates good candidates, he said.

The cybersecurity industry has come under criticism in the past for its unrealistic requirements for entry-level positions, with some banks and other organizations asking for advanced degrees and professional certifications that require years of experience to achieve.
​
“College is not for everybody, and not everyone has access to college because they lack the financial wherewithal or community support,” Mr. Marion said, which often excludes people who could help round out the gender and ethnic diversity he seeks in his staff.

Some senior roles need a degree, such as in cyber and privacy risk assessment. But many positions don’t, he said. Stripping mentions of degrees and professional certifications from many cyber job descriptions took some convincing of the human-resources group, he said.


And the numbers favor his approach. According to the most recent figures from the National Center for Education Statistics, just about 2 million bachelor’s degrees were conferred in 2021.


“The point is, you won’t get all your talent from college,” he said. “Even if you could, I don’t know that I’d want to.”
​

Write to James Rundle at james.rundle@wsj.com and Kim S. Nash at kim.nash@wsj.com


By 
James Rundle and Kim S. Nash