Companies must take steps to safeguard information and develop a response strategy to avoid costly security breaches.
A recent survey by the Identity Theft Resource Center showed that US companies and agencies suffered a record 1,093 data breaches in 2016, a 40% increase over 2015. And for the last two years, FTI Consulting’s “Law in the Boardroom” survey has identified cyber-risk as the top issue keeping directors and general counsel up at night.
“These figures are in line with what we are seeing on a weekly, and even daily, basis,” said Morgan Lewis partner W. Reece Hirsch, who co-heads the firm’s privacy and cybersecurity practice. “Security breaches have become increasingly common due to a combination of factors, including the increasing sophistication of cybercriminals and the proliferation of large databases of high-value personal information.”
We recently asked Reece about the latest global developments related to cybersecurity and privacy, how data breaches could cost companies dearly, and what businesses can do to prevent and respond effectively to breaches.
How much of a concern should cyberattacks be for companies today?
Most breaches are small-scale incidents causing limited damage to the company, but a major breach involving a large number of consumers and actual data exploitation for fraud or identity theft can be a catastrophic event for a company, especially if it is mishandled. The consequences include class action lawsuits, a stock plunge for a public company, action by regulators, and, perhaps most significantly, damage to brand and customer relationships. Our clients implement security breach response plans in part to demonstrate that they have made reasonable efforts to prevent breaches and to respond to them promptly and effectively.
What companies/industries are the most common targets of cyberattacks?
Major retailers were targets of some of the earliest large-scale hacks. In recent years, the healthcare industry has also been in the crosshairs of cybercriminals, who are targeting health plans and hospitals that maintain large databases of medical information that can be used to commit medical identity theft and fraud.
What are some of the US laws requiring companies to implement systems to protect privacy? What is the reality in the enforcement of these laws, and what should companies expect in 2017?
State security breach laws are “reactive,” imposing notification requirements after a security incident has occurred. However, a growing number of laws are “proactive,” imposing obligations on companies to develop security compliance programs before they experience a breach. These include the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in healthcare; the Gramm-Leach-Bliley Act “safeguards” rule in financial services; state insurance “safeguards” regulations; and state security mandates in California, Connecticut, Maryland, Massachusetts, Nevada, and Rhode Island.
Levels of enforcement vary among these regimes, but the Federal Trade Commission and the Office for Civil Rights at the US Department of Health and Human Services (which enforces HIPAA) have both been very active in recent years in pursuing data security enforcement actions.
It’s difficult to predict how President Donald Trump’s administration will influence future cybersecurity enforcement, but the president often emphasized cyber-defense and cyber-offense during the campaign. Thomas Bossert, who was appointed as assistant to the president for homeland security and counterterrorism, endorsed a “cyber doctrine that embraces the wisdom of free markets,” which could indicate a lessening of government regulation in this area.
How common are cyberattacks worldwide? Is global enforcement similar to US enforcement?
High-profile cyberattacks are certainly not unique to the United States, but the legal/regulatory landscape has differed in the European Union because the European Union Data Directive was silent on the issue of data breach. That will change in 2018 when the General Data Protection Regulation (GDPR) replaces the directive. The GDPR includes new “personal data breach” notification obligations to supervisory authorities and affected data subjects, which will likely increase breach-related enforcement activity.
What can companies do to protect the privacy of their employees and customers?
Companies must develop formal, written compliance programs to demonstrate that they have taken reasonable steps to safeguard the personal information of consumers and employees. A thoughtful privacy and security compliance program can prevent security breaches and prepare a company to take prompt corrective action if it is unfortunate enough to experience a major breach. The damage from a massive security breach can occur very quickly, and companies cannot afford to develop their response strategies on the fly.
What is the role of the general counsel, the board of directors, and top management in enhancing cybersecurity? And how can Morgan Lewis help in this area?
Most corporate legal departments have lawyers with some degree of privacy experience, but few have the breadth to effectively advise on the entire complex patchwork of state, federal, and international privacy and security laws. Morgan Lewis’s privacy and cybersecurity practice has the deep bench necessary to fill in those knowledge gaps for general counsel.
The role of boards of directors in managing cyber-risks has been emphasized by the US Securities and Exchange Commission (SEC) in recent years, and we have seen a number of shareholder derivative lawsuits following major breaches. Last month, the National Association of Corporate Directors released an annual survey showing that 89% of companies discussed cybersecurity issues at board meetings, with a median of three cybersecurity discussions per year. If a corporate board is not addressing cyber-risk at least three times a year, it risks falling out of step with current best practices.
Morgan Lewis’s privacy and cybersecurity practice helps clients build practical compliance solutions to address this complex and rapidly evolving area of law. Given the variety and sophistication of cyber threats today, no client can completely insulate itself. However, all companies are well served by implementing reasonable privacy and security compliance programs that are scaled to their resources and risks. Our privacy and cybersecurity practice provides that practical guidance.