The threat of litigation is enough to keep any business leader up at night, and the growing prevalence of information security, privacy, and cybersecurity laws and regulations is piling on the pressure for CISOs.
According to Norton Rose Fulbright’s latest Annual Litigation Trends Survey of more than 250 general counsel and in-house litigation practitioners, cybersecurity and data protection will be among the top drivers of new legal disputes for the next several years. Two-thirds of survey respondents said they felt more exposed to these types of disputes in 2021, up from less than half in 2020, while more sophisticated attacks, less oversight of employees/contractors in remote environments, and concerns about the amount of customer data were all cited as contributing factors.
Clearly, the risks of litigation are very real for CISOs and their organizations, but what are the biggest areas of concern and what can they do about it?
Data breaches draw lawsuits
In the last 18 months to two years, the chances of an organization facing litigation following a data breach have increased significantly, particularly when a company is perceived not to have handled a breach well, says lawyer and Cordery partner Jonathan Armstrong, who specializes in technology and compliance legal matters. “With a big data breach now, litigation is a probability, not a possibility,” he adds.
While the propensity for legal action varies by geography, the continuing scale of cyberattacks has resulted in more explicit assertions from government, industry, and regulatory bodies on what constitutes poor security, opening the door to more legal action, Alex Jinivizian, VP strategy and corporate development at eSentire, tells CSO. “Some of the most high-profile data breaches—Equifax, Marriott, Target, the U.S. Office of Personnel Management—resulted in significant lawsuits against those companies related to losses of confidential employee or customer data caused by poor standards around security hygiene,” he says.
The implications can be considerable for businesses, Armstrong warns. “Damages sought in different cases are high at the moment. As just one example, TikTok is facing an action in the Netherlands for €1.5bn, and there are similarly high value claims in other countries, too, including the UK and Germany. Data related litigation has been a feature of U.S. corporate life for many years as well.”
CISOs under fire
The risk of litigation is not limited to companies. CISOs themselves face being subject to legal action for breach of duty where insufficient steps were taken to prevent a breach, or the aftermath of the breach was handled badly, says Simon Fawell, partner at Signature Litigation LLP.
Jinivizian agrees: “The role of the CISO has never been more critical for mid/large enterprises, and potentially more in the crosshairs and held accountable for security incidents and data breaches, as illustrated by the ongoing class action against SolarWinds’ CISO and other executives following the devastating supply chain attack in 2020,” he states.
This is also evidenced by the charges against Uber’s CSO for allegedly trying to cover up a ransomware payment relating to the 2016 attack that compromised data of hundreds of thousands of users and drivers, Armstrong adds.
If a CISO acts as a company director, then they may face shareholder actions for breach of duty following data and privacy breaches based on damage to company value, says Fawell. “Shareholder actions against directors have been on the rise in the UK and, where a data breach has led to a drop in value for shareholders, claims against directors are increasingly being considered. This mirrors the trend in other jurisdictions such as the U.S. where CISOs have already been the subject of high-profile claims for breach of duty.”
Loss of trade secrets and reputational damage
The potential fallout from data breach or privacy litigation includes significant fines, civil and criminal penalties, reputational damage, and adversely affected stock value. All can impact organizations and CISOs individually and collectively. Where critical data is lost, the damage can be extremely high, adds Alasdair Marshall, associate at Signature Litigation LLP. “For example, were an intermediary or agent to have a breach incident and lose trade secrets or information that is potentially very damaging to another company’s reputation, that could lead to major litigation. In recent years, the Panama Papers and Credit Suisse incidents have highlighted a growing number of individuals seeking to obtain sensitive information and publish it to the market.”
What’s more, defending litigation can be both costly and time-consuming, Marshall says. “While the English system allows for the winning party to recover legal costs from the loser, it is rare that the amount spent on legal fees and ancillary costs are clawed back in full. Litigation also requires significant CISO and board level attention which would be more productively focused on growing and protecting the business for the future.”
Litigation can have direct implications for cyber insurance matters, too, affecting things like coverage exceptions, renewals, and new business. The companies and CISOs that bounce back the fastest are those that put their customers first by being transparent, doing whatever it takes to help impacted customers minimize the impact, and sharing the steps they plan to take to ensure it doesn’t happen again, says Russ Kirby, CISO at ForgeRock.
Regulations and requirements
Geographical factors are particularly important in relation to the litigation risks CISOs and their organizations face, experts agree. For example, the threat of mass class actions for large-scale breaches has diminished significantly in the UK following the Supreme Court decision in Lloyd vs Google, which halted an “opt-out” class action under the current procedural frameworks and highlighted the difficulties in bringing mass data claims under the English rules, says Fawell. “Whilst the decision hasn’t completely blocked the possibility for class actions in data privacy cases and there remain a number of claims running through the English courts that are framed differently and could yet have success, it is a fairly major set-back for claimants,” he adds.
That said, the pressure for individuals affected by data breaches to be compensated is growing, and it would not be surprising to see some form of opt-out class action regime being introduced for data privacy cases in the relatively near future, Fawell says. “An opt-out regime has already been introduced in the UK for competition claims and data privacy would be the next logical area for a similar approach.” Although the threat of mass class actions has diminished in the UK for the time being, the threat of individual litigation remains very apparent, particularly where high-value corporate data is potentially compromised, he continues. “The GDPR (and related UK legislation) has led to a much greater awareness of data privacy issues and increased focus on contractual clauses in commercial deals.”
As for the U.S., things can get just as or even more convoluted, says former CISO Jack O’Meara, who leads litigation support services at consultancy Guidehouse. “For example, a CISO working at a U.S. Defense Industrial Base Contractor needs to comply with Defense Federal Acquisition Regulations (DFARS) 252.204-7012 safeguarding covered defense information and cyber incident reporting, while a CISO working for a financial institution in New York needs to comply with New York State Department of Financial Services 23 NYCRR 500 cybersecurity requirements for financial services companies.”
Meanwhile, a judge recently approved a $17.6 million class settlement brought by plaintiffs against Kemper Insurance, who alleged violations of California’s Consumer Privacy Act, while the Securities and Exchange Commission (SEC) has proposed new mandatory cybersecurity disclosure rules for publicly traded companies, including written cyber policies and procedures, enhanced reporting, and records management for private equity and investment firms.
Ultimately, U.S. CISOs need to know the specific cybersecurity requirements contained within the contracts their companies hold, O’Meara adds. “There are too many regulations and requirements to mention in this article, but a CISO needs to be knowledgeable of the ones applicable to their industry and geographic regions.”
Mitigating the risks of litigation
To mitigate and reduce the risks of litigation, CISOs must first examine whether their security program is “defensible” under harsh scrutiny and able to change and adapt to new threats, Kirby says. “For example, if it can’t stand up to questions about whether your protocols follow local laws and industry standards, you need to act fast to address those gaps.”
Fawell cites five questions that are useful in gauging the effectiveness of a breach response plan from a litigation perspective:
- Who are the key service providers to call?
- What are the internal lines of communication? Who makes the decision on instructing lawyers and other key advisors? Is it the CISO or does it require other approvals?
- If the system is down, how do key personnel handling the breach communicate securely?
- What type of breach is most likely to impact the company and who are the counterparties most likely to be affected?
- What do the data privacy clauses in contracts with counterparties require? Are there notification requirements in those contracts?
“Planning can range from, at a minimum, ensuring the answers to the questions above and others have been considered and the answers are known to the key individuals who will be handling a breach, to having a full simulated breach to stress test processes,” Fawell adds.
O’Meara says CISOs should be able to provide documented policies and procedures along with artifacts of compliance, screenshots of security configuration settings, firewall logs, access audit logs, user computer system and application access request forms, and employee security training records, when requested.
Armstrong recommends that CISOs engage with lawyers who are used to dealing with these types of risks and litigation before an incident occurs. “When you do have an incident, it is important not to try and deal with it as a lone cowboy,” he says.
In the same vein, O’Meara suggests U.S. companies partner with in-house counsel to understand litigation risks and the associated impacts and ramifications.
It is also essential that CISOs are familiar with the terms of a company’s cyber insurance policies: chiefly what is and is not covered, and the notification requirements in the event of a breach, Fawell says. “Insurers should generally be one of the first ports of call. Not only is it important to ensure that the cover bites, insurers are often also a good source of information and advice on how to handle certain aspects of a breach.”
Furthermore, security leaders need to be careful about what information is (and isn’t) recorded in the immediate aftermath of a breach, Fawell continues. “It is important to keep a clear audit trail of the decisions taken and why. However, while dealing with an immediately challenging situation, it is not unusual for ill-judged comments (often from high level personnel) to be recorded in writing, which can be unhelpful in later legal proceedings. It is particularly important that everyone understands which communications are likely to have the protection of legal privilege in relevant jurisdictions and which will not.”
Armstrong has seen this play out. “Privilege is critical. Commonly, litigants are making very early requests to see internal memos, communications, and forensic reports. If you don’t set up privilege properly, you are likely to have to disclose all materials.”
It makes sense, where possible, to hold an in-person meeting among key personnel to establish clear lines of communication and ensure that the audit trail accurately and clearly documents the response process, Fawell advises.
Copyright © 2022 IDG Communications, Inc.