Cybersecurity: Risks, Responsibilities, Corporate Governance
Ed McNicholas
eMcNicholas@Sidley.com
www.Sidley.com/Infolaw

Cybersecurity Outline
• What does cybersecurity cover?
• Recent incidents that could worry companies
• Laws, regulations, policies and US Government expectations on cybersecurity
• Data security and data breach laws regarding personal information
• Enhancing cybersecurity governance and internal controls
• What should GCs do about legal exposure?
New York Times: “Universities Face a Rising Barrage of Cyberattacks”
July 16, 2013, by Richard Pérez-Peña
• “America’s research universities, among the most open and robust centers of information exchange in the world, are increasingly coming under cyberattack, most of it thought to be from China, with millions of hacking attempts weekly. . . .”
• “University officials concede that some of the hacking attempts have succeeded. . .”
• “They acknowledge that they often do not learn of break-ins until much later, if ever, and that even after discovering the breaches they may not be able to tell what was taken. . .”
Explaining Cybersecurity
• “National security” dimension includes:
  • Defense industrial base
  • Critical infrastructure (finance, communications, power, food, supply chain transport, etc.)
  • Well-ordered functioning of society (government, police, hospitals, commuting transport, schools, etc.)
  • Economic strength and competitiveness (business)
  • Corporate IP, trade secrets and company data
  • Company websites, networks and databases
• “Data security” dimension includes:
  • Personal information of consumers, employees, etc.
  • Customer account information
  • Data breach notifications

What’s at Stake?
• Valuable IP assets, proprietary information, business, transaction and negotiating records, financial data, electronic funds, business functionality and continuity
• Account information; personal information; access to accounts
• Disruption of business; denial of service; cyber-extortion
• Derailed acquisition when deal team at law firm is hacked
• Debilitating impact on critical infrastructure and essential services
  • Communication systems
  • Supply chain management
  • SCADA (supervisory control and data acquisition): industrial control systems (ICS), i.e., computer systems that monitor and control industrial, infrastructure, or facility-based processes
What Data and Information Need Protecting?
• Students / consumers
• Employees
• Account holders
• Online advertising and e-commerce data
• Credit cards
• Company IP, secrets and networks
• Transactional, negotiations and corporate records
• Cross-border data
• Corporate reputation

Who Could Hurt You?
• Cyber-crooks
• State-sponsored actors and foreign agents
• Social hacktivists
• Faithless insiders and former employees
• Consumer activists
• Careless colleagues not complying with policies
• Colleagues bringing their own devices (BYOD)
• Careless service providers and vendors
• Competitors?

Who Wants to Hold You Accountable?
• FTC, State AGs, CFPB, HHS/OCR, Education
• SEC
• White House, DHS, FBI
• NLRB, unions, worker councils
• Congress
• Class action lawyers
• Audit committees
• Shareholders
• Media
• European regulators and “DPAs”

Cyber-attacks Continue
• March 2013: South Korean banks and broadcasters attacked (North Korea suspected)
• Feb. 2013: Facebook, Apple, Microsoft and Twitter disclose hacks; 250,000 Twitter user names/emails accessed
• Feb. 2013: Federal Reserve Board hacked by Anonymous based on vulnerability in vendor product
• Feb. 2013: New York Times, Wall Street Journal, Washington Post reveal penetration by China
• Jan. 2013: DDOS attacks by Iran against JPMorgan, Bank of America, Citigroup, etc.; Iran retaliation suspected
• August 2012: 30,000 Saudi Aramco computers wiped clean of all data by “Shamoon” virus; corporate logo replaced with burning American flag; Iran suspected
• May 2012: DHS announces ongoing, coordinated cyber attack on control systems of U.S. gas pipelines
• 2011, 2010: Flame and Stuxnet attack Iran (data extraction and SCADA)
Laws, Regulations, Policies and US Government Expectations on Cybersecurity
The President on Cybersecurity
• President Obama State of the Union (Feb. 2013):
  • “We know hackers steal people’s identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems.”
  • “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
• The “cyber threat is one of the most serious economic and national security challenges we face as a nation…America's economic prosperity in the 21st century will depend on cybersecurity”

US Perspectives on Cybersecurity
Report from the Office of National Counterintelligence Executive (NCIX), October 2011
• “Foreign collectors of sensitive economic information are able to operate in cyberspace with relatively little risk of detection by their private sector targets.”
• “Cyber tools have enhanced the economic espionage threat, and the Intelligence Community (IC) judges the use of such tools is already a larger threat than more traditional espionage methods.”
• “Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries [especially China and Russia].”

Cybersecurity Executive Order 13636 and Directive (Feb. 12, 2013)
• Congressional stalemate led to Executive Order 13636:
  • Development of NIST “Cybersecurity Framework” and programs to encourage voluntary adoption of the framework
  • DHS designation of CI companies (with right of reconsideration)
  • Creation of regulatory standards by agencies with statutory authority
  • Increased threat information sharing to CI operators
• Directive (Feb. 12, 2013) names 16 critical infrastructure areas
• CI sectors and their designated SSAs are: Chemical (DHS); Commercial Facilities (DHS); Communications (DHS); Critical Manufacturing (DHS); Dams (DHS); Defense Industrial Base (DoD); Emergency Services (DHS); Energy (Department of Energy); Financial Services (Treasury); Food and Agriculture (Department of Agriculture (USDA) and Department of Health and Human Services (HHS)); Government Facilities (DHS and General Services Administration); Healthcare and Public Health (HHS); Information Technology (DHS); Nuclear Reactors, Materials, and Waste (DHS); Transportation Systems (DHS and Department of Transportation); and Water and Wastewater Systems (Environmental Protection Agency)
Primary (Existing) Enforcement Statutes
• Computer Fraud and Abuse Act of 1984 (CFAA)
  • Prohibits certain attacks on computer systems used in interstate and foreign commerce
  • Criminal and civil penalties for unauthorized access and wrongful use of computers and networks
• Electronic Communications Privacy Act of 1986 (ECPA)
  • Prohibits interception of wire, oral, or electronic communications unless an exception applies
  • Establishes rules that law enforcement must follow to access data stored by service providers (ECS and RCS), e.g., search warrants, court orders and subpoenas

SEC Cybersecurity Guidance
• Corporation Finance guidance issued Oct. 13, 2011 (in response to Sen. Rockefeller)
• 4/9/13: New Rockefeller letter seeking formal rules
• Guidance characterizes cyber-attacks as targeting:
  • Financial assets, intellectual property, other sensitive information
  • Customer or business partner data
  • Disruption of business operations
• Disclose cyber-risks if they “are among the most significant factors that make an investment in the company speculative or risky”
  • Frequency of prior incidents; probability and potential harm of future incidents
  • Avoid generic language

SEC Guidance
• Determine cybersecurity risks based on frequency of prior incidents and probability and potential harm of future incidents
• “[A]dequately describe the nature of the material risk and specify how each risk affects the registrant,” avoiding generic language
• At least 21 Dow 30 companies discussed cybersecurity or data breaches in their 2011 Form 10-K risk factor disclosures

SEC Cyber-Comment Letters
• In 2012, following hack of Amazon’s Zappos servers (involving theft of 24 million customer names and e-mails), SEC asked Amazon to “expand [cybersecurity] risk factor to disclose that you have experienced cyber-attacks and breaches” and “to describe [risks of] third-party technology and systems”
• SEC had disagreed with Amazon’s view that hack was not significant enough to be covered by SEC Cybersecurity Guidance
• Google, AIG, Hartford Financial Services Group, Eastman Chemical, and Quest Diagnostics were also asked by SEC in 2012 to expand cybersecurity disclosures
Federal Financial Institutions Examination Council
• 2011 Supplement Guidance specifically targeting cyber security:
  • Enhanced risk assessments: banks should update risk assessments at least annually
  • Layered security controls: should not rely on static challenge questions to protect customer data. Layered security measures should be implemented based on the dollar amount and complexity of the transaction
  • Fraud detection and monitoring: fraud detection measures can be manual or electronic. People, processes or platforms can be used to detect anomalies
  • Out-of-band transaction confirmation: additional layer of security by having the authorization come from outside the channel where the transaction originated
  • Heightened education initiatives: many security breaches can be avoided simply by educating the relevant parties in how to prevent and detect security breaches. Special attention was given to customer education

Data Breach and Data Security Laws
• State data breach notification laws re: personal information
  • 46 states, DC, Puerto Rico, the Virgin Islands, and Guam have breach notification requirements
  • Some states require prompt reporting to government agencies (e.g. Puerto Rico: 10 days; VT: 14 business days)
  • Triggers vary from “risk of harm,” to “compromise,” to mere acquisition of data
• State data security laws re: personal information
  • E.g., Massachusetts requires comprehensive written information security plan with specific, detailed requirements
• Federal requirements regarding safeguarding personal information and responding to data breaches
  • Communications Act, GLBA, HIPAA
• Federal data breach legislation possible

Data Security: On the Corporate Radar?
• FTI Consulting/Corporate Board Member Survey:
  • Data security is a top legal concern in 2012 for both Directors and General Counsel
  • The percentage of Directors and GCs concerned re: data security has doubled since 2008
  • The median annualized cost of cyber-crime per company averaged $5.9 million
  • But: only 42 percent of survey participants said their company had a data crisis management plan in place

Corporate Practices on Cybersecurity: Report Suggests Lack of Board Involvement
Governance of Enterprise Security: CyLab 2012 Report
Boards of Financial Sector Companies
• 42% rarely or never review annual privacy/security budgets
• 39% rarely or never review roles and responsibilities
• 56% do not actively address computer/information security
• 52% do not review cyber insurance
Enhance Board/CEO Attention
• Review and refine information governance structure
  • Assign distinct board committee responsibility for cybersecurity, data protection and information privacy; establish expectations for management; require ongoing reporting regarding information risks and controls; review top-level policies
  • Assign C-level management responsibility, accountability and reporting obligations; provide adequate budget and operational resources; authorize involvement in industry/government information sharing
  • Consider appointing CISO (chief information security officer) and CPO (chief privacy officer)
• Develop and approve appropriate cybersecurity protocols and safeguards; increase internal awareness
• Evaluate cyber-insurance coverage

Enhance Board/CEO Attention – cont’d
• Develop cybersecurity and data protection risk assessment
  • Understand system and network vulnerabilities; plan for possible “persistent” threats
  • Understand exposure of essential or valuable information and communication assets
  • Understand exposure to third parties and service providers (includes cloud providers and law firms)
  • Consider possible counter-measures to disrupt attacks
• Monitor legislative, policy, industry, contractual, litigation, marketplace, consumer and employee developments and expectations
• Address legal compliance and reporting responsibilities
  • Consider SEC issues
• Engage IT and audit experts; test systems

Managing Cyber Risks
• Commission and review risk assessments
• Identify legal and business obligations
• Monitor legal and policy developments
• Address participation in industry and private sector initiatives
  • DHS’ US CERT Coordination Center (CERT/CC)
  • Information Sharing and Analysis Centers (ISACs)
    • Current ISACs by sector: communications, financial services, electricity, IT, surface transportation, public transit, water, multi-state
    • Goals: risk mitigation, incident response, alert and information-sharing

Managing Cyber Risks – cont’d
• Develop cooperative relationship with key regulators for optimal information sharing
• Examine incident response and notification procedures
• Prepare for involvement of law enforcement/FBI/DHS
• Inform investors of materiality of cybersecurity risks
• Prepare for technical and legal responses
• Identify resources in advance
• Ensure appropriate insurance
• Report regularly and follow up at Board and CEO level
Lawyer To-Do List For Cybersecurity
• Overall legal compliance
• Oversight and readiness for incident response
  • Have you vetted and tested your response ability?
• Analyzing and explaining the complex legal environment
• Coordination of relationships with government
• Development of standards and internal policies
  • Does your organization learn lessons?
• Managing protections and obligations in contracts, customer and vendor relationships
• Assessing insurance options and protections
• Addressing “Hack Back” options
• Managing legal/reputational issues
  • Fourth Amendment: corporate agents of the government?
  • Privilege and selective waivers
  • Securities issues

Cybersecurity Insurance
• SEC Guidance: “[d]escription of relevant insurance coverage.”
• Most commercial insurance does not cover cyber.
• Cybersecurity insurance falls into two categories:
  • First-party coverage for damages directly associated with intellectual property theft, data loss and destruction, hacking, and denial-of-service attacks, including the immediate technical and forensic expenses
  • Third-party coverage for public relations services, legal expenses arising from lawsuits brought by customers or third-party businesses, credit monitoring for affected individuals, and associated penalties and fines
• Insurers require sufficient documentation or audits demonstrating that technology solutions have been implemented.
• Discounts to those who are better secured.

Costs of Intrusion
• Investigation, forensic and audit services
• Notification costs, compliance with regulatory requirements, outside experts and analysis
• Legal response and defense costs
• Lost business and reputation
• Post-breach remediation costs, etc.
• Reputation restoration

Responding to an Incident
• Effectuate IT containment and triage
• Assess nature of attack: IP assets; trade secrets; financial; customer data; denial of service; geopolitical; hacktivists
• Determine affected systems and targeted data; gauge possible exfiltration; address persistent threats
• Involve outside counsel and forensic IT consultants?
• Identify and notify stakeholders?
• Consult government; national security; law enforcement; homeland security?
• Assess liabilities, legal compliance, contract obligations, SEC reporting, insurance, etc.
• Evaluate existing control systems, responsibility and accountability; implement lessons learned
FBI Visit on APT
• “Advanced Persistent Threat” attack on defense contractor: not detectable through normal scans
• FBI initiated contact to inform re evidence of penetration and possible exfiltration of data
  • Communications to suspected server
• State-sponsored intrusion (no nation-state attribution)
• Likely cause: spear phishing malware
  • Downloads attack tools
  • Communicates with malware repository
  • Compromise domain controllers; escalate credentials
• .exe files renamed; file headers show executable nature
• .rar files used for compression
• Forensic measures: DNS server logging; full packet capture; firewall logs
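The slide notes that the renamed .exe files were identified because their file headers still showed their executable nature, and that .rar archives were used to stage data. The following added example (not part of the presentation) shows the defender-side check behind that observation: it reads the leading bytes of each file, identifies PE executables and RAR archives by their signatures, and flags files whose extension disagrees with their content. The directory, file names and byte contents are constructed samples.

```python
"""Flag files whose content (by file header) disagrees with their extension.
Added example; the sample files below are constructed, not from any case."""
import os
import tempfile

# Leading "magic" bytes for the two formats the slide mentions.
MAGIC = {
    "pe_executable": (b"MZ",),                                        # DOS/PE header
    "rar_archive": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),   # RAR4, RAR5
}
# Extensions under which each content type would normally be expected.
EXPECTED_EXT = {
    "pe_executable": {".exe", ".dll", ".sys", ".scr"},
    "rar_archive": {".rar"},
}


def detect_type(header: bytes) -> str:
    """Classify a file by its first bytes, ignoring the name entirely."""
    for kind, signatures in MAGIC.items():
        if any(header.startswith(sig) for sig in signatures):
            return kind
    return "other"


def is_mismatch(filename: str, header: bytes) -> bool:
    """True when a known content type hides behind an unexpected extension."""
    kind = detect_type(header)
    if kind == "other":
        return False
    ext = os.path.splitext(filename)[1].lower()
    return ext not in EXPECTED_EXT[kind]


def scan_directory(root: str):
    """Return sorted (relative path, content type) pairs for mismatched files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                header = fh.read(8)  # longest signature above is 8 bytes
            if is_mismatch(name, header):
                findings.append((os.path.relpath(path, root), detect_type(header)))
    return sorted(findings)


def build_sample_dir() -> str:
    """Create a temporary directory of constructed sample files for the demo."""
    root = tempfile.mkdtemp(prefix="header_check_")
    samples = {
        "report.txt": b"MZ\x90\x00" + b"\x00" * 60,            # PE renamed to .txt
        "update.exe": b"MZ\x90\x00" + b"\x00" * 60,            # PE with honest extension
        "notes.dat": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8,    # RAR5 staged as .dat
        "readme.md": b"# plain text, nothing to flag\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel_path, kind in scan_directory(build_sample_dir()):
        print(f"{rel_path}: content is {kind}, extension disagrees")
```

A renamed file of course evades nothing once its header is inspected, which is why this check belongs alongside the DNS, packet-capture and firewall logging the slide lists rather than in place of them.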
Litigation Exposure
• Failure to safeguard could expose boards to shareholder suits alleging negligence or breach of fiduciary duty
• Delaware Caremark decision: duty of care to establish information control systems for reporting and oversight of legal compliance and ethics
• Patco Construction Co. v. People’s United Bank (1st Cir. 2012)
  • Bank sued after transferring $345,000 to cyber criminal
  • Court held that defendant’s security procedures were “commercially unreasonable”; court relied upon FFIEC standards
• Lawsuits faced by: ChoicePoint, Heartland Payment Systems, Hannaford, Amazon/Zappos, Sony, etc.

TJX (2007)
• Hackers stole 45 million customer records over 18 months
• Breach reported to cost up to $1.6 billion
• Banks and Massachusetts Bankers Association (MBA) sued ($41 million settlement)
• State AG settlement (41 states) for $9.75 million
  • Agreed to implement stringent data security program
  • CA AG Coakley: settlement “ensures that companies cannot write off the risk of a data breach as a cost of doing business”
• Consumer action settled by offering $30 cash or $60 voucher for three years of credit monitoring, plus cost of replacing driver’s license
Questions?
Edward McNicholas: 202-736-8010
eMcNicholas@sidley.com
www.Sidley.com/InfoLaw

This presentation has been prepared by Sidley Austin LLP as of July 30, 2013 for educational and informational purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice from professional advisers.

BEIJING · BRUSSELS · CHICAGO · DALLAS · FRANKFURT · GENEVA · HONG KONG · HOUSTON · LONDON · LOS ANGELES · NEW YORK · PALO ALTO · SAN FRANCISCO · SHANGHAI · SINGAPORE · SYDNEY · TOKYO · WASHINGTON, D.C.

Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, New York, Los Angeles, San Francisco, Palo Alto, Dallas, London, Hong Kong, Houston, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin (NY) LLP, a Delaware limited liability partnership (New York); Sidley Austin (CA) LLP, a Delaware limited liability partnership (Los Angeles, San Francisco, Palo Alto); Sidley Austin (TX) LLP, a Delaware limited liability partnership (Dallas, Houston); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm. For purposes of compliance with New York State Bar rules, Sidley Austin LLP’s headquarters are 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000.