In recent weeks, massive data breaches have dominated the headlines. The mid-December revelation that approximately 140 million customer accounts were compromised at Target was followed by similar news from Nieman Marcus. January brought new information about a data breach of customer accounts at Michaels Stores. Most recently, reports surfaced that White Lodging (which manages many Hilton, Marriott, Sheraton, and Westin hotels) suffered a breach that exposed the credit and debit card data of hotel customers.
Data breaches like these follow a broader trend of proliferating malware, cybercrime and other malicious cyberattacks over the past several years. In fact, recent reports estimate that over 95 percent of Fortune 500 companies have been infiltrated—but often don’t even realize it until they are contacted by authorities.
Intruders steal data for a variety of reasons. The most obvious is to further other criminal activity, like credit card fraud. But the motive can be more sophisticated—like stealing intellectual property or other competitive business information, or even to modify or to falsify business records or data.
What should a company do to protect itself?
In light of these developments, we recommend the following:
-
Make sure your IT solutions and procedures are updated and followed. In the first instance, cybersecurity is an information technology issue. The IT personnel at your company must take adequate steps to ensure that your business is secure from cyberthreats. If necessary, this may include retaining outside cybersecurity consultants to ensure the confidentiality, integrity, availability and resiliency of your systems. Just as important, your organization's leadership must create a culture of security by requiring and verifying that your employees follow basic security procedures, such as creating unique and strong passwords and updating them periodically. And don’t forget about your vendors and service providers; if they have access to your network, they also must adhere to stringent security procedures.
-
Formulate an incident response plan. Have a plan to respond to any data or network breaches. In formulating the plan, make sure to involve all stakeholders—including senior management, IT and IS personnel, the legal department, compliance officers, human resources and other key departments. Centralize reporting of all data and information security breaches to a single point of contact within your organization. Test your security and your plan by practicing responses to threats and engaging third-party providers to perform an assessment of your security.
-
Obtain adequate insurance coverage. Businesses should ensure that they have an appropriate cyberinsurance policy to protect against losses caused by cyberthreats. This coverage can insure against damages, statutory penalties, and other unforeseen costs—such as the costs of providing notice and credit monitoring to affected customers. According to media reports, Target has $100 million in cyberinsurance and an additional $65 million in directors and officers liability coverage. Yet some estimates of the ultimate cost to Target from the data breach range as high as $400 million. With few carriers writing policies greater than $10 to $15 million, a company might have to contact multiple carriers to assemble adequate coverage.
-
Know your local law. Companies must keep up to date on the evolving state and federal legal requirements relating to cybersecurity. State laws vary. Statutes and regulations alike are rapidly developing, and a company should keep abreast of developments that affect its business sector.
-
Act immediately if you suspect a breach. If you suspect any form of data theft or a security breach, contact a member of our White Collar Defense and Investigations Practice Group. We can help coordinate a response that integrates IT personnel, legal advisors, outside security experts, public relations consultants and law enforcement.
What legal developments lie ahead?
Companies are spending millions of dollars on cybersecurity. And yet, despite the rapidly escalating resources spent by companies on cyberthreats, and the growing impact of cybercrime on the U.S. economy, Congress has not passed any major federal cybersecurity legislation in over a decade.
The last flurry of legislative activity occurred in 2002, when Congress enacted the Homeland Security Act of 2002 ("HSA"), the Cyber Security Research and Development Act, the E-Government Act of 2002, and the Federal Information Security Management Act of 2002 ("FISMA"). Even with these statutes, which are part of a patchwork of more than 50 federal statutes that address cybersecurity issues either directly or indirectly, there still is no overarching framework cybersecurity legislation in place. In 2014, however, the legislative scheme is poised to change in dramatic and important ways.
First, it appears that Congress is finally ready to act on cybersecurity in a more comprehensive way. A bill to amend the HSA has been introduced in the U.S. House of Representatives with bi-partisan support. Coined the "National Cybersecurity and Critical Infrastructure Protection Act of 2013," or "NCCIP," among other things the bill would provide for greater sharing of information and public-private collaboration and require the development of voluntary, industry-led standards and guidelines to reduce cyber risks. The bill passed the House Homeland Security Committee on February 5.
Second, Congress is not the only branch of federal government aggressively promoting cybersecurity as a national priority. On February 12, 2013, President Obama issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity." The Order noted that the cybersecurity threat "continues to grow and represents one of the most serious national security challenges we must confront." In a policy directive released the same day, the President identified 16 "Critical Infrastructure" sectors, spanning almost every aspect of the U.S. economy. In response to these directives, last fall the National Institute of Standards and Technology ("NIST") published a preliminary framework to align policy, business and technological approaches to cyber risks. The comment period closed on December 13. NIST is scheduled to publish its final framework this month.
Third, although most of the recent legislative activity has been at the federal level, the individual states are not standing still. Currently, 46 states have statutes that require disclosure or notification when a data breach has occurred. In states without such statutes, proposed legislation is working its way toward passage. State laws vary, however, in their criteria for what triggers a notice requirement and what notice must be provided. (Wisconsin’s law may be found at Wis. Stat. § 134.98.) In addition, many state laws allow private lawsuits based on state common law. Such lawsuits pose real economic risks—as evidenced by the filing of class-action lawsuits against Target by customers whose data was stolen, and a lawsuit filed by a credit union seeking to recover from Target for the cost of reissuing cancelled debit cards.