The threat of litigation is enough to keep any business leader up at night, and the increasing prevalence of data protection, privacy, and cybersecurity legislation and regulation is piling on the pressure for CISOs.
According to Norton Rose Fulbright’s latest Annual Litigation Trends Survey of more than 250 general counsel and in-house litigation practitioners, cybersecurity and data protection will be among the top drivers of new legal disputes for the next several years. Two-thirds of survey respondents said they felt more exposed to these types of disputes in 2021, up from less than half in 2020, while more sophisticated attacks, less oversight of employees/contractors in remote environments, and concerns about the amount of client data were all cited as mitigating factors.
Clearly, the risks of litigation are very real for CISOs and their organizations, but what are the greatest areas of concern and what can they do about it?
Data breaches draw lawsuitsIn the last 18 months to two years, the chances of an organization facing litigation following a data breach have increased significantly, particularly when a company is perceived to have not handled a breach well, says lawyer and Cordery partner Jonathan Armstrong, who specializes in technology and compliance legal matters. “With a big data breach now, litigation is a probability, not a possibility,” he adds.
While propensity for legal action varies by geography, the continuing scale of cyberattacks has resulted in more explicit assertions from government, industry, and regulatory bodies on what constitutes poor security, opening the door to more legal action, Alex Jinivizian, vice president strategy and corporate development at eSentire, tells CSO. “Some of the most high-profile data breaches--Equifax, Marriott, Target, the U.S. Office of Personnel Management—resulted in significant lawsuits against those companies related to losses of confidential employee or customer data caused by poor standards around security hygiene,” he says.
The implications can be considerable for businesses, Armstrong warns. “Damages sought in different cases are high at the moment. As just one example, TikTok is facing an action in the Netherlands for €1.5bn, and there are similarly high value claims in other countries, too, including the UK and Germany. Data related litigation has been a feature of U.S. corporate life for many years as well.”
CISOs under fireThe risk of litigation is not limited to corporations. CISOs themselves face being subject to legal action for breach of duty where insufficient steps were taken to prevent a breach, or the aftermath of the breach was handled badly, says Simon Fawell, partner at Signature Litigation LLP.
Jinivizian agrees: “The role of the CISO has never been more critical for mid/large enterprises, and potentially more in the crosshairs and held accountable for security incidents and data breaches, as illustrated by the ongoing class action against SolarWinds’ CISO and other executives following the devastating supply chain attack in 2020,” he states.
This is also evidenced by the charges against Uber’s CSO for allegedly trying to cover up a ransomware payment relating to the 2016 attack that compromised data of millions of users and drivers, Armstrong adds.
If a CISO acts as a company director, then they could face shareholder actions for breach of duty following data and privacy breaches based on damage to company value, says Fawell. “Shareholder actions against directors have been on the rise in the UK and, where a data breach has led to a drop in value for shareholders, claims against directors are increasingly being considered. This mirrors the trend in other jurisdictions such as the U.S. where CISOs have already been the subject of high-profile claims for breach of duty.”
Loss of trade secrets and reputational damageThe potential fallout from data breach or privacy litigation includes significant fines, civil and criminal penalties, reputational damage, and adversely affected stock price. All can impact organizations and CISOs individually and in combination. Where important information is lost, the damage can be extremely high, adds Alasdair Marshall, associate at Signature Litigation LLP. “For example, were an intermediary or agent to have a breach incident and lose trade secrets or information that is potentially very damaging to another company’s reputation, that could lead to major litigation. In recent years, the Panama Papers and Credit Suisse incidents have highlighted a growing number of individuals seeking to obtain sensitive information and publish it to the market.”
What’s more, defending litigation can be both costly and time-consuming, Marshall says. “While the English system allows for the winning party to recover legal costs from the loser, it is rare that the amount spent on legal fees and ancillary costs are clawed back in full. Litigation also requires significant CISO and board level attention which would be more productively focused on growing and protecting the business for the future.”
Litigation can have direct implications on cyber insurance matters, too, impacting things like coverage exceptions, renewals, and new business. The companies and CISOs that bounce back the fastest are those that put their customers first by being transparent, doing whatever it takes to help impacted customers minimize the impact, and sharing the steps they plan to take to ensure it doesn’t happen again, says Russ Kirby, CISO at ForgeRock.
Regulations and requirementsGeographical factors are particularly important in relation to litigation risks CISOs and their organizations face, experts agree. For example, the threat of mass class actions for large scale breaches has diminished somewhat in the UK following the Supreme Court decision in Lloyd vs Google which halted an “opt-out” class action under the existing procedural frameworks and highlighted the difficulties in bringing mass data claims under the English rules, says Fawell. “Whilst the decision hasn’t completely blocked the possibility for class actions in data privacy cases and there remain a number of claims running through the English courts that are framed differently and could yet have success, it is a fairly major set-back for claimants,” he adds.
That said, the pressure for individuals impacted by data breaches to be compensated is growing and it would not be surprising to see some form of opt-out class action regime being introduced for data privacy cases in the relatively near future, Fawell says. “An opt-out regime has already been introduced in the UK for competition claims and data privacy would be the next logical area for a similar approach.” Although the threat of mass class actions has diminished in the UK for the time being, the threat of individual litigation remains very apparent, particularly where high value corporate data is potentially compromised, he continues. “The GDPR (and related UK legislation) has led to a much greater awareness of data privacy issues and increased focus on contractual clauses in commercial deals.”
As for the U.S., things can get just as or even more convoluted, says former CISO Jack O’Meara, who leads litigation support services at consultancy Guidehouse. “For example, a CISO working at a U.S. Defense Industrial Base Contractor needs to comply with Defense Federal Acquisition Regulations (DFARS) 252.204-7012 safeguarding covered defense information and cyber incident reporting, while a CISO working for a financial institution in New York needs to comply with New York State Department of Financial Services 23 NYCRR 500 cybersecurity requirements for financial services companies.”
Meanwhile, a judge recently approved a $17.6 million class settlement brought on by plaintiffs of Kemper Insurance, who alleged violations of California’s Consumer Privacy Act, while the Securities and Exchange Commission (SEC) has proposed new mandatory cybersecurity disclosure rules for publicly traded firms, along with written cyber policies and procedures, enhanced reporting, and records management for private equity and investment firms.
Ultimately, U.S. CISOs need to have knowledge of specific cybersecurity requirements contained within the contracts their companies hold, O’Meara adds. “There are too many regulations and requirements to mention in this article, but a CISO needs to be knowledgeable of the ones applicable to their industry and geographic regions.”
Mitigating the risks of litigationTo mitigate and reduce the risks of litigation, CISOs must first examine whether their security program is “defensible” under harsh scrutiny and able to change and adapt to new threats, Kirby says. “For example, if it can’t stand up to questions about whether your protocols follow local laws and industry standards, you need to act fast to address those gaps.”
Fawell cites five questions that are useful in gauging the effectiveness of a breach response plan from a litigative perspective:
- Who are the key service providers to call?
- What are the internal lines of communication? Who makes the call on instructing lawyers and other key advisors? Is it the CISO or does it require other approvals?
- If the system is down, how do key personnel handling the breach communicate securely?
- What type of breach is most likely to impact the company and who are the counterparties most likely to be affected?
- What do the data privacy clauses in contracts with counterparties require? Are there notification requirements in those contracts?
O’Meara says CISO should be able to provide documented policies and procedures including artifacts of compliance, screenshots of security configuration settings, firewall logs, access audit logs, user computer system and application access request forms, and employee security training records, when requested.
Armstrong recommends that CISOs engage with lawyers who are used to handling these types of risks and litigation before an incident occurs. “When you do have an incident, it is important not to try and deal with it as a lone cowboy,” he says.
In the same vein, O’Meara suggests U.S. firms partner with in-house counsel to understand litigation risks and the associated impacts and ramifications.
It is also essential that CISOs are familiar with the terms of a company’s cyber insurance policies—chiefly what is/is not covered and the notification requirements in the event of a breach, Fawell says. “Insurers should generally be one of the first ports of call. Not only is it important to ensure that the cover bites, insurers are often also a good source of information and advice on how to handle certain aspects of a breach.”
Furthermore, security leaders must be careful about what information is (and is not) recorded in the immediate aftermath of a breach, Fawell continues. “It is important to keep a clear audit trail of the decisions taken and why. However, while dealing with an immediately challenging situation, it is not unusual for ill-judged comments (often from high level personnel) to be recorded in writing, which can be unhelpful in later legal proceedings. It is particularly important that everyone understands which communications are likely to have the protection of legal privilege in relevant jurisdictions and which will not.”
Armstrong has seen this play out. “Privilege is critical. Commonly, litigants are making very early requests to see internal memos, communications, and forensic reports. If you don’t set up privilege properly, you are likely to have to disclose all materials.”
It is sensible, where possible, to have an in-person meeting among key personnel to establish clear lines of communication and ensure that the audit trail accurately and clearly details the response process, Fawell advises.