FMG Law Blog Line


The Wrong Way to Respond to a Data Breach

Posted on: November 5th, 2015

By: Dave Cole

In a recent interview with Entrepreneur Magazine, the former general counsel for the National Security Agency shared his top three mistakes that businesses make when responding to a data breach.  You can read the complete article here, but these are the highlights:

1. Treating cybersecurity like it is only a “tech department” issue.  In reality, it should be a core value in every organization, which means it must originate from the top, have buy-in from everyone in the organization, and be a consideration in every facet of your business.

2. Failing to share the right amount of information at the right time.  You need to find a balance between rushing to notify people before you know all of the details, and going in the opposite direction and losing credibility by not sharing enough or sharing it too late.  It is important to work with counsel who is experienced in data breach responses to help you make these decisions and find the right balance.

3. Not having all of the relevant players in the loop ASAP.  Having your response team established ahead of time is critical to ensuring that everyone is on the same page and able to contribute to the response process and communicate effectively and cohesively.

These are good tips and echo many of the points we have discussed before in this blog and in our seminars.  They underscore the importance of having a data breach response plan in place and taking the time to prepare in advance for the potential of a data breach.  The FMG Cyber Toolkit is designed for just that reason and provides everything your organization needs from a document standpoint to be prepared. To discuss the toolkit for your organization, as well as training that is available for your workplace, please contact one of our Data Security, Privacy & Cyber Liability practice team attorneys.


Data Breaches Expected to Fuel D&O Claims Premised on Inadequate Board Oversight Over Cyber Security Risks

Posted on: October 30th, 2015

By: John Goselin and Mike Wolak

With the recent filing of a shareholder derivative action against several directors and officers of The Home Depot following the company’s severe data breach in 2014, questions concerning the adequacy of board oversight over cybersecurity risks will be at the forefront of derivative claims that are expected to increase in frequency following data breaches at publicly-traded companies.  Indeed, with cyber-attacks growing in number and strength, directors and officers must incorporate cybersecurity management into their risk oversight functions to ensure they are adequately discharging their fiduciary duties to the corporation and its shareholders.

The derivative complaint, filed in federal court in Atlanta in August 2015, alleges that eleven current and former directors and officers of The Home Depot breached their fiduciary duties of loyalty and good faith by failing to adequately oversee the company’s cybersecurity functions and ensure that information concerning more than 50 million customers was protected.  The complaint alleges, among other examples, failure to ensure the use of sufficient firewalls and antivirus software, failure to ensure that network access was monitored, and failure to ensure that customer information was encrypted.  The complaint claims the data breach damaged the company by exposing it to massive consumer litigation, regulatory investigations, and millions of dollars in related fees and costs.

While state corporation law, such as Delaware’s which governs the Home Depot litigation, is careful not to permit shareholders to use the duty of oversight to second-guess every well-informed business decision adopted by the board of directors, inadequate oversight over corporate risk can serve as a basis for individual board member liability where (i) the directors consciously failed to implement any reporting or information system or controls; or (ii) the directors, having implemented such system or controls, consciously failed to oversee its operations and thus failed to be informed of risks.  The seminal Delaware case defining the scope of the board’s duty of oversight is In re Caremark International Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).

The Home Depot litigation, like the derivative lawsuit filed by shareholders following the Target data breach, is premised on the “inadequate oversight” theory of liability first articulated in Caremark.  Experts expect this trend to continue as derivative actions become more common following data breaches.  In the wake of this trend, boards must proactively manage cybersecurity risks by implementing and adequately documenting procedures to prevent and prepare for data breaches.  With this in mind, companies should consider the following:

  • Educate the company’s directors and officers on cybersecurity risks, including the use of outside consultants and experts to keep the board informed and updated regularly as to new cybersecurity threats and control measures.
  • Establish a committee of directors and officers, or appoint one director, to assume responsibility for cybersecurity oversight.
  • Ensure that all activity related to cybersecurity oversight is documented and retained, including minutes of board and committee meetings.
  • Perform a cybersecurity risk assessment to evaluate the company’s current monitoring and controls regarding the security and protection of its electronic information and data, including using outside consultants and experts to assess where the current controls may be vulnerable to cyber-attacks.
  • Establish a cybersecurity management plan consisting of policies and procedures designed to prevent data breaches.
  • Establish a response plan for an actual breach that is consistent with the best practices for companies in the same industry.  FMG’s new Data Breach Toolkit is available to provide your organization with everything it needs from a document standpoint to help prevent a data breach from occurring and to respond effectively if one happens.
  • Ensure that the company has adequate cybersecurity insurance coverage, including coverage for directors and officers alleged to have breached their fiduciary duties in connection with a data breach.

With public companies facing a growing threat of cyber-attacks and resulting data breaches, directors and officers will be exposed to an increasing number of claims by shareholders alleging that the board failed to adequately oversee its cybersecurity functions.  It is thus critical that boards minimize their liability exposure by incorporating cybersecurity management into their oversight functions and document all aspects of cybersecurity oversight to help ensure that they properly discharge their fiduciary duties.

Third Circuit Affirms FTC’s Authority Over Data Security: Decision Underscores Need for Cyber Policies and Procedures

Posted on: August 27th, 2015

By: David Cole

This week, the U.S. Court of Appeals for the Third Circuit released its much-anticipated decision in Federal Trade Commission v. Wyndham Worldwide Corporation, unanimously upholding the FTC’s authority to regulate businesses’ data security practices under Section 5 of the Federal Trade Commission Act (FTC Act).  As a result, businesses can expect increased enforcement by the FTC and greater scrutiny of their data security practices.

Section 5 of the FTC Act declares it unlawful for a business to engage in any “unfair or deceptive acts or practices in or affecting commerce,” and it empowers the FTC to enforce this provision through administrative actions and civil actions in federal court.  In recent years, the FTC has taken the position that businesses with inadequate data security practices, and businesses that do not adhere to their published data security and privacy policies, engage in unfair and deceptive practices.  This has caught by surprise many who had not thought of inadequate data security as a potential unfair or deceptive practice.

The Third Circuit’s decision originated from a lawsuit that the FTC filed in federal court alleging that Wyndham engaged in unfair and deceptive practices surrounding three data breaches that occurred in 2008 and 2009.  It alleged that Wyndham’s data security was insufficient in a number of ways, including that:

  • payment card information was stored in clear readable text (instead of encrypted);
  • simple, easily guessed passwords were used (instead of complex passwords and multi-factor authentication);
  • readily available security measures were not used to limit access between systems (like firewalls);
  • adequate information policies and procedures were not implemented;
  • measures to detect and prevent unauthorized access were not used (like intrusion detection systems); and
  • proper incident response procedures were not followed.

Wyndham moved to dismiss the lawsuit, arguing that the FTC is not empowered to regulate businesses’ data security practices under section 5 of the FTC Act.  Alternatively, it argued that the FTC had not given “fair notice” of the data security standards it would enforce, and which businesses needed to satisfy in order to comply with the FTC Act.  The district court denied Wyndham’s motion to dismiss, but allowed it to appeal to the Third Circuit.  Many had hoped that the Third Circuit would rein in the FTC’s efforts to extend itself into the field of data security, but instead got the opposite result.

The Third Circuit unanimously agreed with the FTC and rejected Wyndham’s arguments, holding that the FTC does have authority under the FTC Act’s “unfairness” prong to bring enforcement actions against businesses for having inadequate data security.  The court cited language in the FTC Act, which authorizes the FTC to declare an act or practice unfair, in violation of section 5, if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”  In Wyndham’s case, the court decided that consumers could not have reasonably avoided their injury because Wyndham’s published privacy policy misled them by suggesting that it took steps to safeguard confidential information, when, in fact, it actually did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.

The Third Circuit also rejected Wyndham’s fair notice argument, stating that it was not entitled to know with “ascertainable certainty” what cybersecurity standards the FTC would require.  Instead, it held that the requirement of fair notice is met so long as a business can “reasonably foresee that a court could construe [its] conduct as falling within the meaning of the statute.”  Since Wyndham allegedly lacked “any” firewalls, encryption for certain customer files, and password requirements, among other things, the court held that Wyndham should have been on notice of the possibility that a court could find that its data security practices were unreasonable.

It is not yet known whether Wyndham will seek further review of the decision.  In the meantime, the Third Circuit’s decision establishes precedent that may be followed by other courts and, unless and until there is further appellate review or a challenge in another circuit that is decided against the FTC, it seems that the question of the FTC’s authority to regulate the data security field is now established.  As a result, businesses can expect more enforcement by the FTC and greater scrutiny of their data security practices.

This underscores the importance that businesses must place on their data security practices.  As we have written before, it is critical that businesses implement policies regarding their data security practices and their procedures for responding to a data breach if one occurs.  To help our clients accomplish this, FMG has developed a Data Breach Toolkit, which consists of policy and form documents intended to provide your organization with everything it needs from a document standpoint to help prevent a data breach from occurring and respond effectively if one happens.  To discuss the toolkit for your organization, as well as training that is available for your workplace, please contact one of our Data Security, Privacy and Cyber Liability Practice Team attorneys.

FMG Data Breach Response Team

To best serve our clients, you have 24/7 access to our Data Breach Response Team. Our attorneys provide you with a single point of contact for an immediate determination of the appropriate response to the breach and, where warranted, they will dispatch appropriate support service providers to your location to begin any investigation or resolution work that is needed. The lead members of our Data Breach Response Team are:

David Cole – Cyber Team Chair
(770) 818-1287 (o)
(404) 805-6558 (c)
[email protected]

John Goselin (Atlanta office)
(770) 818-1423 (o)
(678) 478-3570 (c)
[email protected]

Jonathan Romvary (Philadelphia office)
(267) 758-6009 (o)
(609) 304-2883 (c)
[email protected]

Behnam Salehi (Philadelphia office)
(267) 758-6013 (o)
(949) 294-9230 (c)
[email protected]

Kacie Manisco (San Francisco office)
(415) 689-1215 (o)
(909) 969-3757 (c)
[email protected]

FMG Cyber Toolkit Now Available to Help Prevent Data Breaches and Reduce Costs

Posted on: July 31st, 2015

By: David Cole

FMG is pleased to announce the availability of a new FMG Data Breach Toolkit.  The toolkit consists of policy and form documents intended to provide your organization with everything it needs from a document standpoint to help prevent a data breach from occurring and respond effectively if one happens.

Included in the Toolkit are:

  1. Data Security Plan for maintaining the security of sensitive information that employees may access during their employment;
  2. Data Breach Response Plan with procedures to be followed in the event of a data breach, such as the creation of a data breach response team, steps for identification and assessment of the breach, containment and recovery from the breach, and notification to affected individuals, employees, and the public;
  3. Multiple form documents to be used during execution of the Data Breach Response Plan, including a data breach incident reporting form, data breach response checklist, chronology of events to document steps taken, chain of custody forms, and sample breach notification letters and website provisions; and
  4. Access to our firm’s Cyber Emergency Response Team (see here).

Studies consistently have shown that organizations that implement these preventive policies are less vulnerable to attacks and save a lot of money when responding to a breach.  For instance, the 2015 Ponemon Cost of Data Breach Study, released in June, reported that some of the best preventative and cost-reducing measures for any organization are to adopt a data breach response plan and train employees on it and on data security in general.  As the report stated, “[t]he most profitable investments companies can make seem to be an incident response plan . . . employee training, [and] board-level involvement[.]”  The Ponemon report found a per-record cost of response in the United States of $217.  However, implementing an incident response plan ahead of time dropped the per-record cost by $12.60, conducting employee training on information security practices reduced costs by $8 per record, and having board involvement in cyber security policy development lowered costs by $5.50 per record.

If you have been reading our blog (see here and here) or attending our seminars, then you know this issue has been a point of emphasis and concern for clients.  It is essential that every organization not relegate data security and privacy to the IT department, but instead make it a “board room issue.”  In addition, just like every organization should have an employee handbook that sets forth your personnel policies, every organization should have in place a data breach response plan that is part of your training to employees.

To discuss the toolkit for your organization, as well as training that is available for your workplace, please contact one of our Data Security, Privacy and Cyber Liability Practice Team attorneys:

David Cole – Partner in Charge (Atlanta office)
(770) 818-1287 (o)
(404) 805-6558 (c)
[email protected]

John Goselin – (Atlanta office)
(770) 818-1423 (o)
(678) 478-3570 (c)
[email protected]

Joshua Lott – (Atlanta office)
(770) 818-1283 (o)
(706) 248-6132 (c)
[email protected]

Jonathan Romvary – (Philadelphia office)
(267) 758-6009 (o)
(609) 304-2883 (c)
[email protected]

Behnam Salehi – (Philadelphia office)
(267) 758-6013 (o)
(949) 294-9230 (c)
[email protected]

Kacie Manisco – (San Francisco office)
(415) 689-1215 (o)
(909) 969-3757 (c)
[email protected]

DOJ Issues Guidance for Best Practices Before, During, and After a Data Breach

Posted on: May 19th, 2015

By David Cole

In response to the increasing number of data breaches around the country, and the public attention being given to them, the Department of Justice (DOJ) recently issued a guidance document intended to help organizations prepare for and respond to data breaches. The document, titled “Best Practices for Victim Response and Reporting of Cyber Incidents,” is based on the DOJ’s experience investigating and prosecuting cybercriminals. The guidelines focus primarily on the proactive and reactive measures an organization should take with respect to data breaches.

Consistent with the NIST Cybersecurity Framework, the DOJ guidance recommends that, before any data breach occurs, organizations should conduct a risk assessment to identify and prioritize critical assets, data, and services.  In addition, the guidance recommends that organizations develop a data breach response plan that has specific, concrete procedures to follow in the event of a data breach.  Once a plan is developed, organizations should test the plan with “table top” exercises, and continually update the plan to reflect changes in personnel and structure. Organizations should also ensure that they maintain necessary technology to detect and respond to data breaches.

In the event of a data breach, the guidance recommends a number of basic steps.  It advises organizations to not use compromised systems to communicate once they become aware of a potential data breach.  After making an initial assessment of the nature and scope of the incident, the guidelines also suggest that an organization minimize continuing damage to its system by taking steps such as rerouting network traffic, blocking a denial of service attack, or isolating all or part of a compromised network. The organization also should record and collect all evidence and information that it can about the unauthorized access that occurred, which may involve imaging the affected computer and retaining all logs and records of the data underlying the incident.  Finally, the guidelines suggest that an organization notify its employees, management, law enforcement (including the Department of Homeland Security), and any potential victims.

The guidelines also warn that, in the event of a cyber-attack, organizations should not “hack back” or intrude upon the suspect’s network.  “Hacking back” may violate a number of laws, and since many intrusions are launched from compromised systems, “hacking back” can damage or impair another victim’s system. The guidance also recommends that victim organizations continue monitoring their networks after a cyber-attack for any unusual activity to make sure that any unauthorized users are really gone.  After an incident is over, the DOJ recommends a post-incident review to identify deficiencies in the planning and execution of the incident response plan.

Lastly, the DOJ suggests that before, during, and after a data breach, organizations work closely with legal counsel who is experienced in handling data breaches. The use of experienced counsel ensures that an organization will receive accurate advice from counsel who is comfortable with addressing the unique and varied issues that arise from a data breach.  To review your organization’s data breach preparedness and evaluate the best ways to implement these guidelines in your organization, please contact David Cole at (770) 818-1287 or [email protected].