Editor: Describe your cybersecurity practice.
Sumner: My practice is actually broader than just cybersecurity. It includes privacy, data management and information security, but cybersecurity is a very large part of those areas. Cybersecurity has received a great deal of focus because of the increasing volume and sophistication of cyber threats that impact our clients. Our firm provides soup-to-nuts counseling, responding, and defending.
On the front end, I help our clients set up appropriate security measures to combat cybercrime. I also counsel clients who may have experienced a security incident and evaluate their legal obligations as well as work with consultants to help our clients through the difficult process of forensically analyzing what occurred. As it is an issue that can become public, we also work with a public relations firm to protect our clients’ brands and reputations. If it is a data breach that triggers reporting obligations, then we assist the client in working through that process, which may include not just notifications to consumers, but to state and federal agencies. That may lead to inquiries and/or investigations, and we also counsel our clients through that process. As a former federal prosecutor, I have been on the opposite side of the fence of those types of investigations.
I should mention that in addition to government agency investigations, our clients may also face third-party investigations. For example, card processors or card brands may have issues with respect to the incident, and we counsel our clients concerning that as well. Occasionally, data breaches evolve into litigation, and we defend our clients if that occurs.
Editor: That’s quite a broad area. Why do perpetrators launch cyber attacks? Are these just kids having fun?
Sumner: Well, there certainly are some smart kids involved, and we often refer to them as “hacktivists.” Hacktivists can have a criminal intent to steal information from a company, which often is financial or credit card information. There are also those referred to as “white hat hackers,” or hackers whose goal is to prove that they have the capability to obtain access to information within a company or even a government agency and then to let the world know that they had the capability of doing that. Bloggers also follow cybersecurity and cyber threats and may bring them to light. They may call companies to inform them that they have been breached before a company is aware that a security breach occurred.
There are a number of different motivations as to why hackers try to access information, and they can range from stealing corporate secrets to accessing customer credit card information in order to use it for personal gain. Sometimes it may just be that they are trying to disrupt the business or to receive attention, as I mentioned.
There are other adversaries who are cyber threat actors. They may be nation states that are interested in trade secrets or sensitive business information. The motivations can be economic, political, or even military advantage. We also see a lot of organized criminal activity in the U.S. and in other countries where the motivation is financial gain. They target financial information, payment systems, personally identifiable information and protected health information. You can glean an incredible amount of information about individuals from receiving health information.
Of course, there are insiders. They can gain access through a company’s electronic system for personal advantage, revenge or monetary gain. Sometimes, it is because they are in essence stealing information to provide to the government because they believe a crime is being committed at the company level.
Editor: Why is it important to know as soon as data security has been breached?
Sumner: Well, it is important for several reasons. One, clearly you need to be able to stop the breach, remediate and take action. Oftentimes, companies bring in a third party to help them analyze forensically what occurred and to immediately remediate. Two, companies may also need to bring in law enforcement if criminal activity is involved. In addition, there are legal obligations to promptly notify the individuals whose information was obtained within the time required by law. Finally, from a PR perspective, companies’ reputations suffer if they react so slowly that there is the perception that their security was insufficient, that they were unprepared, or that they did not respond quickly enough to be able to address the problem.
Editor: Is it possible to contain a breach while it’s happening?
Sumner: It is possible, but that is very technical and depends on the scenario. Oftentimes, when a company discovers that there has been a breach, that breach may be ongoing. So not only is it trying to determine how much information it has lost, but it is also trying to close the door in order to keep information from continuing to be exfiltrated outside of the company. The difficulty sometimes in securing that information is that evidence can be lost that may be needed in order to later determine how much information was actually accessed or stolen. It is important in trying to stop a breach to preserve evidence that could later assist the company or law enforcement.
Editor: Do cyber attacks target particular industries or organizations?
Sumner: I would say they target industries with particular types of information. As a result of that, financial companies or companies that have significant financial information about consumers or hold credit card or debit card data are possible targets in order to obtain information that can be sold on the black market. Companies with significant trade secrets or assets can easily become targets. Part of the responsibility of the company is to identify what information they have that is valuable to them or their customers and potentially valuable to others and to ensure that it is appropriately protected.
Editor: I know that your firm has a very active group that helps with e-discovery. If sensitive information is swept up in the course of e-discovery, can it be protected?
Sumner: Yes, we would most likely seek a protective order to ensure use of that information would be very limited. If it is, for example, personally identifiable information of individuals, then we would also be concerned about how that information is transmitted to assure that it’s done in a protected manner so that it would not be subject to a security incident in its transmission. We would want to have protections around how that kind of information is used as well. Information such as Social Security numbers and other sensitive information about individuals should be redacted unless it is necessary for purposes of the litigation.
Editor: Is a company exposed to liability if it fails to discover an intrusion in a timely manner and notify those affected?
Sumner: If a security breach has occurred and a company fails to provide appropriate notification, then it could at a minimum be subject to a government investigation. For example, a state AG’s office may investigate and potentially file an action against a company if it suffered a loss of consumer information relating to consumers residing in that state and either the company did not provide a notification or the notification was inadequate. The FTC is also active in this area.
A recent case that continues to get a good bit of coverage is the Wyndham Worldwide Corporation case in which the FTC brought an action against Wyndham in part because of inadequate security. It suffered hacking on several occasions by Russian hackers. Wyndham challenged the FTC’s authority to file an action under those circumstances. An opinion in that case was just issued out of the District Court of New Jersey in April that basically rejected Wyndham’s argument that the FTC did not have jurisdiction to bring an action under those circumstances. I think we will continue to see the FTC involved in enforcement actions when it comes to security issues as well as privacy issues.
Editor: Is insurance available to cover losses a company may incur as a result of a data breach?
Sumner: Insurance is available, although cybersecurity insurance has not been around long enough for us to fully understand how those policies will play out. There are exclusions in cyber policies and there are limits on various costs that can be covered under the policies. I think more and more companies are considering cybersecurity insurance, but I don’t think that we have seen enough policies play out to fully understand how effective they will be.
Editor: The chairman of a well-known company involved in a security breach just resigned. Would he be protected by a D&O policy?
Sumner: Although we have experts in this area, I’m not an expert in insurance. Just from my experience in this particular area it’s my understanding that D&O policies typically would exclude coverage for that type of data breach.
Editor: Are there laws and regulations governing what must be done in the event of a data breach?
Sumner: In addition to the role of the FTC, many states have laws relating to actions that must be taken in the wake of a data breach. Most recently, Kentucky came into the fold with a data breach notification law making it the 47th state to act.
This issue also is receiving attention at the executive level. President Obama issued an executive order a little over a year ago requiring NIST to develop a cybersecurity framework. It came out in February of this year. It will provide opportunities for companies to demonstrate that they have put a great deal of thought into protecting against cybercrime. In addition, it may provide a platform for enforcement. For example, if a company represented that it was using the NIST cybersecurity framework when in fact it was not, then that could provide some opportunity for the FTC to come in from an enforcement perspective.
Editor: What is the situation with respect to, say, consumer class actions brought in situations involving a breach of security?
Sumner: We probably will continue to see additional consumer class actions based on data breaches. Just recently, a putative class action was filed in Pennsylvania federal court alleging a data breach put thousands of employees at risk of identity theft. The difficulty is determining when a consumer has actually suffered harm by a data breach. Most courts have agreed that mere loss of data does not constitute a sufficient injury. That theory will continue to be tested and will likely play out in the many class actions filed against Target in the wake of that high-profile breach.