
Oklahoma Bar Journal

A Cyber Primer: 6 Practical Lookouts for Advising Companies in the 21st Century

By Collin R. Walke


The future of commerce is no longer coming; it has arrived. Every single industry is driven by the internet and data, even industries like pipeline[1] and railroad[2] operations. In common parlance, “Data is the new oil.” As a result, attorneys and companies no longer have a choice in adopting and adapting to new technologies. They either do, or they go extinct. Technology, however, is something many people, including industry leaders and attorneys, loathe. Has anyone ever purchased a printer and been able to get it to work without troubleshooting it first? I doubt it.

But the practical frustrations that stem from technological implementation pale in comparison to the legal liabilities. Given that virtually every single business touches data, attorneys counseling companies on … well, really anything, need to appreciate that there is a labyrinthine set of regulations and laws governing the cyber realm. The aim of this article is to provide six practical lookouts that corporate attorneys need to consider when advising their clients from the inception of a business to a data breach. Obviously, an entire volume of books can be written about these topics, but this primer provides, in general, the common issues attorneys come across in 21st-century commerce. Hopefully, each lookout will at least provide a general direction from which attorneys can begin their own research.

LOOKOUT NO. 1: TRADITIONAL THEORIES OF LIABILITY STILL EXIST

Even though cyber issues may be “unique” in some aspects, at the end of the day, many legal claims are simply new spins on already existing theories of recovery. For example, in Oklahoma, simple negligence may be sufficient to state a viable claim for damages resulting from a data breach.

In Cook v. McGraw Davisson Stewart,[3] a real estate client sued his former real estate broker for negligence. Allegedly, a hacker accessed the broker’s email and used it to cause the client to send a fraudulent wire transfer to the hacker, with the client believing he was sending it to the broker for closing. The client claimed the broker “failed to maintain proper security” on their email. The broker in Cook got lucky because the client did not present evidence sufficient to demonstrate a question of fact on his negligence claim because “he could not present evidence that [the broker’s] email had been hacked, as opposed to his own.”[4]

Similarly, in In re McDonald’s Corporation Stockholder Derivative Litigation,[5] the Delaware Court of Chancery extended the duty of oversight found in In re Caremark International, Inc., Derivative Litigation[6] to officers of companies. The extension of the Caremark duty to officers now means that officers, such as chief privacy officers, chief information security officers or others, may be held liable if they fail to oversee proper implementation and operation of cyber-security protocols.[7]

Both Cook and McDonald’s show that simply because data is involved does not mean the rules of general liability have changed. As a result, just as an attorney would make sure that their client has adequate general liability insurance, attorneys advising corporate clients need to ensure that adequate cyber insurance is in place as well.

LOOKOUT NO. 2: CYBER INSURANCE IS NO LONGER OPTIONAL

Generally speaking, general liability policies do not cover damages arising from cyber incidents.[8] Nor do errors and omissions or directors and officers coverage.[9] That is why cyber coverage is a must-have. For example, while the figures vary, the average cost of a ransom for a ransomware attack can easily reach hundreds of thousands of dollars, and that does not account for ancillary damages, such as business interruption, reputational damage or costs of remedies. Could your client afford a six-figure hit today?[10]

Cyber applications and coverages vary widely. Some cyber insurance applications ask for very minimal information from the applicant, choosing instead to simply determine – as a potential hacker would – how many external vulnerabilities are publicly detectable and approximating risk from that. Other applications are fairly detailed and may require governance and/or technical controls.

For example, some applications require specific company positions, such as data privacy officers or chief information security officers. Others require certain internal policies and procedures, including business interruption plans, cyber incident response plans, data privacy notices, etc. Almost all applications require at least annual training on cyber incident response plans and data privacy policies. Some even require penetration testing (pen-testing), where private companies are hired to attempt to hack into the client’s system.

Common examples of technical controls required by insurance applications are backup systems,[11] firewalls,[12] multi-factor authentication[13] and endpoint detection and response.[14] Knowing a good technical team that can help implement these and other technical controls is extremely important.

Another common lookout where technical controls and governance play a crucial role is the use of personal devices for work. If a company permits employees to use personal devices for work, then that company should absolutely have a bring-your-own-device (BYOD) policy. A good BYOD policy ensures that employees know what they can and cannot do with their own devices while utilizing them for work and how to use them in such a way that limits exposure to potential threats (i.e., limiting what apps can be downloaded). Companies utilizing a BYOD policy should also ensure they have technical controls in place for the management of mobile devices.[15] A solid BYOD policy and mobile management program can help shield an employer from liability from a litany of angles ranging from employment to negligence claims.

LOOKOUT NO. 3: WHAT IS ADEQUATE COVERAGE FOR CYBER POLICIES?

Again, the estimates vary, but according to IBM, the average cost of a data breach worldwide is $4 million.[16] Even if one assumes that those numbers are artificially inflated as an average, the costs to a small business for a data breach can still easily exceed $100,000, especially if lawsuits follow, as they often do. And that is setting aside the very plausible six-figure cost of a ransomware ransom. At this point, one should easily see the importance of adequate coverage.

What constitutes adequate coverage for a business would be difficult to quantify in general terms because it all comes down to the type of enterprise and risk tolerance of the company. (Unless, of course, your client has entered into a contractual agreement requiring a specific coverage amount, which is not uncommon.) One of the easier items to consider and quantify under a cyber insurance policy is business interruption coverage, given that it is a function of revenue and expenses. Other considerations would include the number of unique individuals who might need to be notified in a breach, the size and complexity of the network, the number of vendors to whom the client may end up owing notification and/or indemnification obligations, etc.

In addition to understanding the amount of coverage necessary for the client, it is also important to understand what is and is not covered. For example, does the policy cover conduit risk?[17] Does the policy cover the ransom payment? Does the policy provide for a cyber incident response team?[18]

But the entire reason insurance companies ask for policies and procedures, trainings and technical controls is because, in all reality, insureds need them anyway. Here’s just one example as to why: If a company is experiencing a ransomware attack and the perpetrators are on a sanctions list, then insurance companies cannot legally pay the ransom. The point being, prevention is the best medicine because even with all the right coverage in place, the client can still be left holding the bag. Indeed, nearly 60% of small businesses fail following a cyber-attack.[19]

LOOKOUT NO. 4: POLICIES AND PROCEDURES ARE BORING BUT IMPORTANT

Policies and procedures are only as good as the paper they are written on. In order to realize their value, businesses must actually operationalize their policies and procedures. This is especially true in the cyber realm. If companies do not think through their cyber policies and procedures, they can face regulatory fines in a growing number of states and countries – and that is disregarding the fact that failing to operationalize data policies and procedures increases the risk of a cyberattack.

Standard data privacy policies and procedures inform individuals what categories of data are being collected about them, how that data is being used and with whom the information is being shared.[20] Similarly, data privacy policies and procedures also typically inform individuals that they have a right to know what personal data the company has in its possession, how to correct the data, whom the data has been shared with and, in certain cases, how to have the data deleted.[21] These are common terms and conditions, because nearly every state and international law requires these sorts of provisions.[22]

Notice the last sentence omitted “federal law.” This is because the federal government does not have a comprehensive data privacy law requiring anything. Rather, up to now, the federal government’s approach has been sectoral. For example, your data privacy rights with healthcare providers are generally governed by the Health Insurance Portability and Accountability Act (HIPAA).[23] Your data privacy rights with banks are generally governed by the Gramm-Leach-Bliley Act.[24] But if you share your health information with a general tech company, via your wristwatch, for example, that enterprise does not fall under HIPAA scrutiny; therefore, that information can be bought, sold and traded at will by the company.[25]

As a result, many states have stepped in to regulate the data privacy realm. The first state was California, but since then, a total of nine states have gone on to pass some form of comprehensive data privacy legislation.[26] While state laws vary, they generally require the information contained in the aforementioned privacy policies. To determine whether any given state or country’s data privacy law applies to a company, you generally have to ask two questions: 1) Is the client collecting data on persons within the state or country? and 2) Does the company fall within the scope of the law? For example, in California, the company must gross a certain amount of money or possess data on a certain number of households or derive a certain percentage of its revenue from the buying and selling of data before the law applies.[27] Corporations generally disapprove of this patchwork regime; as a result, there has been a sincere push to federally regulate data privacy in recent months – if for no other reason than to reduce administrative costs to companies. What the federal law will look like and to whom it will apply is unclear. As a result, attorneys may be asked how to prepare for a federal law. At this stage, compliance with California’s, Colorado’s and Virginia’s data privacy laws would likely be safe starting points for compliance with federal law. Alternatively, compliance with the European Union’s General Data Protection Regulation (GDPR)[28] would likely meet the bar of any federal law because the GDPR is considered to be one of the most, if not the most, onerous of data privacy laws.


LOOKOUT NO. 5: IT IS NOT IF YOU’LL BE HACKED BUT WHEN

Every client will want to know what they can do to ensure they will not be hacked. The answer is, “Nothing.” There are, however, best practices. For example, cyber insurance and data privacy policies often limit access to data on a “need-to-know” basis. Limiting access to data can be accomplished in a myriad of ways, ranging from passwords to tokenization.[29] By limiting who can access what data, companies are able to lower the risk of unauthorized access.

Technical controls, such as tokenization or encryption,[30] achieve both data privacy goals and cybersecurity goals. If data privacy policies are done well and actually operationalized, then if a breach occurs, the amount of data that could be gathered is ostensibly lowered as well. Other common technical cybersecurity controls that decrease risk and can limit damage in the event of a breach include multi-factor authentication, firewalls and endpoint detection and response (EDR). Quality EDR programs utilize artificial intelligence to monitor networks and detect odd patterns that could indicate an infection within the system. This type of monitoring is crucial because viruses can live on networks for months before being detected or deployed.

Still, no system is perfect, and a breach of some type may occur even with the most rigorous of cybersecurity programs. As a result, attorneys advising corporations on cyber-related events need to bear in mind two overarching concepts: First, the scope of attorney-client privilege during a cyber event is currently in debate.[31] Streamlining communications and controlling communications during a cyber event is therefore critical to provide the best shot at retaining the privilege in the event of litigation. Second, simply because a computer has been “hacked” does not necessarily mean there has been a breach. For example, Oklahoma’s data breach notification statutes state that a breach occurs if there is unauthorized access to “unencrypted and unredacted” data.[32] Thus, if the data is encrypted and redacted, even though it has been extracted, there is no “breach” for the purposes of Oklahoma’s reporting statute. Therefore, understanding a particular state or federal law’s definition of “breach” is critical because it may trigger certain reporting requirements and other obligations.

Finally, cyberattacks come in a variety of forms and accomplish different goals.[33] However, common approaches and attacks can be linked to various organizations. As a result, certain cyberattacks may require you to work with a computer forensics team and/or the FBI. Working with experienced professionals in these areas can help to ensure that your client does not pay a ransomware ransom to an organization that will not actually send the decryption key, thereby resulting in more damage to your client.

LOOKOUT NO. 6: DIRECT LEGAL LIABILITIES

Failure to abide by state data privacy laws or federal privacy laws (such as HIPAA) can result in regulatory action.[34] But even if your client is exempt from these laws because they operate in states without data privacy laws and are unregulated by federal law, simply using policies that do not accurately reflect the company’s collection, protection and use of data can also result in actions by the Federal Trade Commission.[35]

Since many data privacy laws and cybersecurity laws do not provide private rights of action, cyber litigation is usually pursued under traditional theories of liability, such as negligence, and can be ripe for class certification. Similarly, traditional defenses, like standing, often serve as the basis for dismissal of private cyber claims.[36] This is because it can often be hard to determine whether the breach actually resulted in harm.

Important pre-litigation attention should be paid to contractual agreements that contain cyber-related provisions. Standard provisions found in data sharing agreements (and other cyber-related agreements) include indemnification requirements, cyber insurance coverage, compliance with state and/or federal laws and ownership/usage rights. While these concepts may be generally familiar, the technical side of cyber law is where the problems creep in.

For example, suppose you have a client who has a data privacy policy that states the data it holds is kept in an “anonymized” fashion. The term “anonymized” is a technical term of art that means the data being held cannot, under any circumstances, be linked back to the original provider of the data. However, given the amount of data that is available through the internet and/or data brokers, it can often be very easy to relink an individual’s data through the use of multiple data sets. As a result, it is extremely difficult for many companies to claim that they use only “anonymized” data, as opposed to “pseudonymized” data. But it is just this sort of technical difference that could result in the FTC coming down on your client.[37]
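The re-linking this paragraph warns about, and the check a privacy engineer would run before a policy calls a data set “anonymized,” as an added Python example that is not part of the article. Both data sets are constructed for the example and every name and value in them is made up; the column names and the generalization rules are assumptions, not any regulator’s standard.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed sample: a release with direct identifiers (name, SSN) stripped but
# quasi-identifiers left intact. Every value below is made up for this example.
RELEASE = [
    {"zip": "73102", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "73102", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "73103", "birth_year": 1979, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "73105", "birth_year": 1975, "sex": "M", "diagnosis": "migraine"},
]

# Constructed stand-in for a public or brokered data set that still carries names.
PUBLIC = [
    {"name": "A. Example", "zip": "73102", "birth_year": 1984, "sex": "F"},
    {"name": "B. Example", "zip": "73102", "birth_year": 1984, "sex": "F"},
    {"name": "C. Example", "zip": "73103", "birth_year": 1979, "sex": "M"},
    {"name": "D. Example", "zip": "73105", "birth_year": 1975, "sex": "M"},
    {"name": "E. Example", "zip": "73103", "birth_year": 1979, "sex": "F"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")
Row = Dict[str, object]


def qi_key(row: Row, fields: Sequence[str] = QUASI_IDENTIFIERS) -> Tuple:
    """The combination of quasi-identifier values that a linkage would join on."""
    return tuple(row[f] for f in fields)


def k_anonymity(rows: List[Row], fields: Sequence[str] = QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group of records sharing the same quasi-identifiers.
    k == 1 means at least one record is unique, i.e. pseudonymized at best."""
    return min(Counter(qi_key(r, fields) for r in rows).values())


def linkage_risk(release: List[Row], public: List[Row],
                 fields: Sequence[str] = QUASI_IDENTIFIERS) -> List[Tuple[str, str]]:
    """Return (name, diagnosis) for each release record whose quasi-identifiers
    match exactly one named record in the public set: those are re-identified."""
    names_by_key: Dict[Tuple, List[str]] = defaultdict(list)
    for p in public:
        names_by_key[qi_key(p, fields)].append(str(p["name"]))
    relinked = []
    for r in release:
        candidates = names_by_key.get(qi_key(r, fields), [])
        if len(candidates) == 1:
            relinked.append((candidates[0], str(r["diagnosis"])))
    return relinked


def generalize(rows: List[Row]) -> List[Row]:
    """One mitigation (assumed rules): coarsen quasi-identifiers to a 3-digit ZIP
    prefix and a 10-year birth band and suppress sex, so records fall into
    larger groups that a join can no longer single out."""
    out = []
    for r in rows:
        g = dict(r)
        g["zip"] = str(r["zip"])[:3] + "**"
        g["birth_year"] = (int(r["birth_year"]) // 10) * 10
        g["sex"] = "*"
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before:", k_anonymity(RELEASE), "relinked:", linkage_risk(RELEASE, PUBLIC))
    safer = generalize(RELEASE)
    print("k after:", k_anonymity(safer), "relinked:", linkage_risk(safer, generalize(PUBLIC)))
```

On the raw release k is 1 and two of four records join to a single named person; after generalization k is 2 and the same join links nothing.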

THE VIEW FROM THE TOP

Hopefully, these lookouts show the interrelated nature of corporate liability in relation to cyber events, ranging from HR law to simple negligence claims for a data breach. Further, one should be able to see how each of these areas is interrelated with the other. Data privacy minimizes damages from a cybersecurity breach, and with good cyber insurance, many of the out-of-pocket costs can be recouped. But a company cannot get good cyber insurance without good data privacy and cybersecurity protocols in place.

Hacking is becoming democratized. For example, just as customers can buy software as a service (SaaS), where you simply pay a monthly subscription fee for software (versus installing it with a disk), people can now buy ransomware as a service (RaaS) off the dark web, meaning even people with no technical skills can now become hackers through the use of RaaS.

The flattening of the hacker realm means more hacks are coming. It is, therefore, more critical than ever that companies get ahead of the curve now. Otherwise, technical debt[38] and administrative inertia will make it more difficult to properly implement cybersecurity and data privacy protocols after the fact. The time to act is not tomorrow, it’s today.


ABOUT THE AUTHOR
Collin R. Walke leads Hall Estill’s Cybersecurity and Data Privacy Practice Group. He earned his J.D., magna cum laude, from the OCU School of Law and is a graduate of Harvard’s Business Analytics program, where he was nominated for distinction in programming and data systems.

ENDNOTES

[1] See, e.g., “The Attack on Colonial Pipeline: What We’ve Learned & What We’ve Done Over the Past Two Years,” https://bit.ly/3rCZkal (last visited May 19, 2023).

[2] See, e.g., Rogers v. BNSF Railway Company, https://bit.ly/3K75t5a (wherein BNSF was ordered to pay $228,000 for violation of the Illinois Biometric Information Privacy Act) (last visited May 19, 2023).

[3] Cook v. McGraw Davisson Stewart, L.L.C., 2021 OK CIV APP 32, 496 P.3d 1006 (2021).

[4] Id., at ¶18, 1011.

[5] In re McDonald’s Corporation Stockholder Derivative Litigation, 289 A.3d 343 (Del.Ch.2023).

[6] In re Caremark International, Inc., Derivative Litigation, 698 A.2d 959 (Del.Ch.1996).

[7] Aside from civil liabilities, officers can also face criminal liability if they fail to disclose a data breach. See, e.g., “Former Chief Security Officer of Uber Convicted of Federal Charges for Covering Up Data Breach Involving Millions of Uber User Records,” https://bit.ly/3O2t205 (last visited May 19, 2023).

[8] See, e.g., “What is Cyber Liability Insurance and Why is it Important?” https://bit.ly/3Y9818G (last visited May 19, 2023).

[9] See, e.g., “What Does D&O Insurance Not Cover?” https://bit.ly/3q02btq (last visited May 19, 2023).

[10] The reason we ask if the business is prepared for an attack today is because all code has some form of an undiscovered exploit. As a result, software is inherently subject to what is called a “zero-day attack,” meaning there are zero days between the discovery of the exploit and the ability to patch it.

[11] Backup systems exist in order to allow clients to immediately restore any data that was lost during an attack. Companies should consider whether on-site, off-site or cloud backup systems are the best route for the company. Each has its benefits and drawbacks. For example, an on-site backup system has the benefit of being within immediate reach and control, but an on-site backup system also means that if a tornado comes through, the company could lose its backup data.

[12] A firewall is a network security device that monitors traffic to or from your network and allows or blocks traffic depending on the security rules in place. In other words, it’s a fence that tries to keep the bad stuff out.

[13] Multi-factor authentication requires a user to provide at least two verification factors to gain access to data. For example, it may require the user to respond with a specific code from the user’s phone in order to access an account, in addition to the user’s password.

[14] Endpoint detection and response (EDR) monitors network endpoints to determine if there is a potential security threat. For example, an EDR program will know if a particular employee is on their computer at 3 a.m. If that is an atypical time for that employee to be on the system, the EDR might notify the IT department of suspicious activity so that further investigation can ensue. This is similar to receiving a phone call to confirm a charge after using your credit card in an unusual place.
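The 3 a.m. logon check this note describes, as an added Python example that is not from the article or from any EDR product: it builds a per-user baseline of usual hours from constructed logon history and flags new events that fall outside it. The usernames, timestamps, the one-hour tolerance and the minimum-history threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed logon history: (user, ISO-8601 timestamp). Not real telemetry.
HISTORY = [
    ("alice", "2023-05-01T08:55:00"), ("alice", "2023-05-02T09:10:00"),
    ("alice", "2023-05-03T08:40:00"), ("alice", "2023-05-04T09:05:00"),
    ("alice", "2023-05-05T17:30:00"),
    ("bob", "2023-05-01T22:15:00"), ("bob", "2023-05-02T23:05:00"),
    ("bob", "2023-05-03T02:50:00"), ("bob", "2023-05-04T03:10:00"),
    ("bob", "2023-05-05T01:40:00"),
]

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    ("alice", "2023-05-08T03:02:00"),  # 3 a.m. logon by a day-shift user
    ("bob", "2023-05-08T03:02:00"),    # same hour, but bob normally works nights
    ("alice", "2023-05-08T09:00:00"),  # ordinary start of day
    ("carol", "2023-05-08T12:00:00"),  # account with no history at all
]

MIN_HISTORY = 5  # assumed: below this many events a per-user baseline is not trusted


def hour_of(ts: str) -> int:
    return datetime.fromisoformat(ts).hour


def build_baseline(history: List[Tuple[str, str]]) -> Dict[str, Set[int]]:
    """Per-user set of 'usual' hours: every hour seen in history, widened by one
    hour either side so a slightly early or late logon is not flagged. Users
    with too little history get no baseline at all."""
    counts: Dict[str, int] = defaultdict(int)
    usual: Dict[str, Set[int]] = defaultdict(set)
    for user, ts in history:
        h = hour_of(ts)
        counts[user] += 1
        usual[user].update({(h - 1) % 24, h, (h + 1) % 24})
    return {u: hrs for u, hrs in usual.items() if counts[u] >= MIN_HISTORY}


def flag_anomalies(events: List[Tuple[str, str]],
                   baseline: Dict[str, Set[int]]) -> List[Tuple[str, str, str]]:
    """Return (user, timestamp, reason) for events worth a closer look.
    An unknown account is surfaced too, since no baseline exists to judge it."""
    flagged = []
    for user, ts in events:
        usual = baseline.get(user)
        if usual is None:
            flagged.append((user, ts, "no trusted baseline for user"))
        elif hour_of(ts) not in usual:
            flagged.append((user, ts, "logon outside usual hours"))
    return flagged


if __name__ == "__main__":
    for alert in flag_anomalies(NEW_EVENTS, build_baseline(HISTORY)):
        print(*alert)
```

Alice’s 3 a.m. logon is flagged while Bob’s identical timestamp is not, which is the point of a per-user rather than a global rule.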

[15] Mobile management tools are extremely important. For example, if an employee is using their phone to access their email applications, when the employee leaves, they may retain access to the email application. However, with proper mobile management tools, the employer could remotely shut off access to the email application from the phone.

[16] “Cost of a Data Breach 2022,” https://ibm.co/43z6lWY (last visited May 22, 2023).

[17] Cowan, D., “Some Considerations in Insuring Against Cyber Loss” (2017), https://bit.ly/3QspaIH (last visited May 22, 2023).

[18] A cyber incident response team is the technical team that investigates and assists in the event of a breach.

[19] “How to Address the Top 7 Objections to Cyber Insurance,” https://bit.ly/43EO9v1 (last visited May 19, 2023).

[20] See, e.g., New York Times Privacy Policy at https://nyti.ms/46WkQHn or Google’s Privacy Policy at https://bit.ly/3Y8qH8A.

[21] See id.

[22] See, e.g., California Consumer Privacy Protection Agency FAQ, https://bit.ly/3DpNx1K; see also, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, at Articles 12-23.

[23] 42 U.S.C., §1320d et seq.

[24] 15 U.S.C., §§6801-6809, 6821-6827.

[25] See, e.g., “Smartwatch Data Act Introduced to Improve Privacy Protections for Consumer Health Data,” HIPAA Journal, https://bit.ly/3K7MrLV (2019) (last visited May 22, 2023).

[26] California, Utah, Colorado, Iowa, Indiana, Virginia, Tennessee, Connecticut and Montana.

[27] See: Cal.Civ.Code 1798.140(d).

[28] See: Note xviii, supra.

[29] Tokenization is the act of masking data. For example, you could change the word “Name” to “15&*.” Only people with authorization are then able to unmask “15&*” to reveal the word “Name.”

[30] Encryption is similar to tokenization in that a password or key is necessary to decrypt information. A major point of concern is that the market is currently developing quantum computing. At this stage, there is no quantum-proof encryption technology – meaning, if quantum computing develops faster than encryption technology, we may reach a point where no one is protected via encryption (or anything else for that matter).

[31] See, e.g., Yannella, P., Dickens, T., “Attorney-Client Privilege in Data Breach Investigations,” https://bit.ly/3K7OzDp (2022) (last visited May 22, 2023).

[32] Okla. Stat. tit. 24, §162(1).

[33] For example, an attack may limit functionality of certain systems. Or an attack could have multiple layers of encryption, where you pay to decrypt one ransomware attack only to find another underneath it.

[34] See, e.g., $2 million fine against cosmetic company Sephora (https://bit.ly/476pNgD) and consent order against BetterHelp (https://bit.ly/3Y78JmL) (last visited May 22, 2023).

[35] See, e.g., In the Matter of Flo Health, Inc., C-4747, United States of America Before the Federal Trade Commission (https://bit.ly/3rF0WR4) (last visited May 22, 2023).

[36] See, e.g., Beck v. McDonald, 848 F.3d 262 (4th Cir.2017), Whalen v. Michaels Stores, Inc., 689 F.App’x 89 (2nd Cir.2017), and Reilly v. Ceridian Corp., 664 F.3d 38 (3rd Cir.2011).

[37] See, e.g., Gigliarolo, B., “FTC suddenly gets very stern about not-really-anonymized anonymized data,” https://bit.ly/474CRDq (last visited May 22, 2023).

[38] Technical debt is the term used to describe the costs associated with delaying or failing to keep software and cyber policies up to date. If cyber policies and technical controls are not implemented early, it creates extreme problems down the road because it is more difficult to corral data and correct problems.

Originally published in the Oklahoma Bar Journal – OBJ 95 Vol 7 (September 2023)

Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff.