Global cybercrime damages are expected to exceed $6 trillion annually by 2021. From hacks of mobile payment and other non-traditional payment systems to data manipulation and sabotage, the external threats to operations and customer and investor perception seem to increase daily. We recently sat down with cybersecurity expert William S. Rogers Jr. of Prince Lobel Tye LLP, a Boston law firm whose attorneys handle matters of local, regional, national and international reach. Rogers, who is chair of the firm’s Data Privacy and Security Practice Group, discussed cybersecurity regulation and its impact on public and private companies.
Q: Thanks for speaking with us today, Bill. Tell us a bit about the major problems you see with data security and what you would like to improve.
A: The primary goal for our data security practice is to improve compliance overall. Improved compliance reduces the risks of a data breach. Compliance is woefully inadequate, especially in small to mid-sized companies. I’ve been in this field since 2009, and the relative compliance picture hasn’t really improved much in that time – the lack of education, training and regulatory compliance is still a major problem in the marketplace. There also is a lack of security and privacy compliance audit functionality – companies don’t have the systems to determine whether their security tools and procedures are actually working and if they need to make adjustments.
When companies provide data security training to their employees, they should thoroughly describe the current risks or threats and provide education about how to avoid them. One of the most common security vulnerabilities is people, so how do you deal with that? You train. That takes time, planning, energy and money. You have to take people out of their work day, put them in a room and tell them what’s going on in the world, how to spot potential problems and how to deal with them properly. Time goes by, the threats change, and you must repeat the training. It is never a one-and-done scenario. Compliance requirements may vary from business to business, and they will vary across certain types of more highly regulated industries.
Security and privacy compliance is, unfortunately, a moving target for all companies. This is why I believe relative compliance has not improved much over the last decade. There are so many different legal and regulatory regimes in play for interstate commerce businesses. When you add international commerce businesses and international regulatory regimes to the equation, it becomes much more complicated.
Q: There are both business and legal implications around data breaches and data security. What are some of the more pressing issues?
A: Yes, there are indeed business and legal implications to a breach. Business implications include: damage to the company brand; loss of customer loyalty; lost revenue; the actual cost of the breach in terms of remediation expense, compliance expense and legal expense; and loss or damage to third-party relationships. If there is a breach at a public company, there will often be an immediate drop in stock price, loss of enterprise value and market capitalization, management / leadership changes and potentially the loss of key institutional shareholders. If the company lost intellectual property, that will hurt the company’s future business prospects. The legal implications include: state and federal regulatory scrutiny (including SEC scrutiny for a public company); regulatory enforcement actions, potentially involving fines, sanctions, and criminal and civil penalties; and civil litigation exposure, including exposure to putative consumer class action liability.
Q: We all see the headlines created by breaches at large companies such as Equifax, Yahoo and dozens of others. Are the bad guys focused on the largest companies, or are smaller companies just as vulnerable?
A: The very large breaches make the headlines, primarily because of their scope and name recognition. However, the real problem is the hundreds of breaches happening in smaller businesses, where people just have not placed a sufficient priority on this issue. They’re not putting the necessary resources into data security, and they’re basically saying, “I’m small. No one is going to come after me and my little business.” There are hundreds of breaches reported by statute in Massachusetts alone, but you don’t see those on the front page of The Boston Globe.
Q: What proportion of data breaches is the result of negligence or human error vs. elaborate criminal planning?
A: There are a variety of ways in which human frailty or error can create a breach scenario. Such breaches typically involve employees being duped into handing over confidential or protected information in response to phishing attacks. For example, a perpetrator will request employee tax information from the accounting department using an email address that mimics a valid superior’s email address. The accounting department clerk responds to the request by providing the requested information, believing they are obeying an instruction from a superior, when in fact a breach of security has occurred. The reality is, nothing is impenetrable. That’s really the first rule that every chief information security officer has to face up to, i.e., that nothing is totally secure. Even if you’ve done everything you can, hackers can find a way into any network, and people can still make mistakes.
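The W-2 scenario Rogers describes above turns on a sender address that merely resembles an executive’s real address. The following is an added example, not part of the interview and not anyone’s production tooling, of the kind of inbound-mail check a mail gateway or SOC script can run before a request like that reaches payroll. It parses the From and Reply-To headers, flags a display name that matches a known executive but an address that does not, flags domains that are lookalikes of the company domain (confusable characters, one-character edits, or the company domain used as a leading label of another domain), and flags a Reply-To that points somewhere other than the From domain. The company domain, the executive directory, and the two sample messages are all constructed for the example.

```python
"""Flag executive-impersonation and lookalike-domain emails (added example).

The company domain, the executive directory and the sample messages below are
assumptions made for illustration; they are not from the interview.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "example-corp.com"  # assumption: the defender's own domain
# Assumption: a small directory of people attackers like to impersonate,
# keyed by normalised display name.
EXECUTIVE_DIRECTORY = {
    "jane doe": "jane.doe@example-corp.com",
}
# Character sequences that render almost identically in many fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def fold_confusables(domain: str) -> str:
    """Map visually confusable sequences to their plain counterparts."""
    folded = domain.lower()
    for src, dst in CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if `domain` is not the company domain but is built to resemble it."""
    domain = domain.lower()
    if domain == COMPANY_DOMAIN:
        return False
    # e.g. example-corp.com.evil.net: our domain used as a leading label
    if domain.startswith(COMPANY_DOMAIN + "."):
        return True
    # e.g. examp1e-corp.com: confusable characters
    if fold_confusables(domain) == fold_confusables(COMPANY_DOMAIN):
        return True
    # e.g. example-corp.co or exemple-corp.com: one edit away in the registrable label
    base = domain.rsplit(".", 1)[0]
    company_base = COMPANY_DOMAIN.rsplit(".", 1)[0]
    return edit_distance(base, company_base) <= 1


def classify_message(raw: bytes) -> List[str]:
    """Return a list of findings for one RFC 5322 message; empty means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    key = " ".join(name.lower().split())

    # Display name claims to be an executive, but the address is not theirs.
    if key in EXECUTIVE_DIRECTORY and addr != EXECUTIVE_DIRECTORY[key]:
        findings.append(f"display name impersonates {key!r}; address is {addr}")

    if domain and is_lookalike(domain):
        findings.append(f"lookalike of {COMPANY_DOMAIN}: {domain}")

    # Replies silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr:
        reply_domain = reply_addr.lower().rsplit("@", 1)[-1]
        if reply_domain != domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_W2_REQUEST = b"""From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <ceo-desk@mail-relay.example.net>
To: payroll@example-corp.com
Subject: W-2s for all employees

Please send me the W-2s for all staff as a single PDF today. Thanks, Jane
"""

SAMPLE_LEGIT = b"""From: Jane Doe <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Board deck

Attached.
"""

if __name__ == "__main__":
    for label, raw in (("W-2 request", SAMPLE_W2_REQUEST), ("legit", SAMPLE_LEGIT)):
        print(label, "->", classify_message(raw) or ["clean"])
```

The three checks are independent on purpose: a real attacker often trips only one of them (a plain Gmail address with the executive’s display name, for instance), and a gateway rule that requires all three would miss most of the W-2 fraud the interview describes. Any finding on a message that asks for tax, payroll or banking data is a reasonable trigger for an out-of-band confirmation step before anyone replies.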
Q: Is there enforcement of perpetrators, or is it more enforcement of compliance?
A: The answer is multifaceted. If the perpetrators are members of an Eastern European criminal syndicate, then almost invariably, no. Unless they’re identified and somehow the government connects the dots, the reality is there are many unsolved hacker breach scenarios. There are so many barriers to attribution and actually punishing someone outside the U.S. that it doesn’t happen very often. By contrast, if the breach was caused by a vendor who left your data storage back-up tapes unprotected on a loading dock in Boston and then walked away, then there could be enforcement. It really depends.
Q: Several management teams have been criticized for delaying announcements of large, public data breaches. Are these legitimate criticisms? What are reasons such delays should occur?
A: There can be legitimate reasons for delaying, especially if you’re in the midst of an ongoing breach investigation. Some breaches can be done in a day, but some can go on for years and years – and may never be found. Still others can be caught days, weeks, months or years in, but you still have to determine what the exact nature of the breach point is and how to stop it. That can all take time. Sometimes, if you’ve notified the authorities to request assistance, they might ask you not to publicize the breach, because they’re trying to investigate in order to catch the perpetrators.
The problem is, if you don’t have those kinds of legitimate reasons, and you still delay for an unreasonable period of time, you might be violating your obligations under various breach reporting statutes. More importantly, you will get hammered in the court of public opinion, because that delay is immediately perceived as self-serving. Equifax was a good example of that – you not only had a protracted delay, but you had some insiders selling shares before notifying the public. That just killed the company in the eyes of the public. And people paid with their careers.
Legislators also have noted these protracted breach reporting delays. Following the recent Facebook scandal surrounding the sharing of personal data with the British firm Cambridge Analytica, and the subsequent congressional testimony of CEO Mark Zuckerberg, Sen. John Kennedy from Louisiana and Sen. Amy Klobuchar of Minnesota introduced a Senate bill in April authorizing consumers to disable data tracking and collection by online platforms, and it would also require that online companies notify users within 72 hours of any data breach.
Q: We know statistically there is an economic motivation for some of these attacks. How valuable is the data cyberhackers obtain?
A: It depends on the kind of data that was breached. The black market has different values for these things, and these values change over time. For example, health or medical records are worth a lot more than Social Security numbers. For Social Security numbers, it’s a matter of supply and demand. There is tremendous supply of this data after so many large breaches, so there’s no real value in it any longer. But if someone can purchase and assume your medical identity, that might enable a hacker’s customer to have a $10,000 surgery at no charge. There’s tremendous value in that, and a huge cost to the healthcare system.
In addition to the initial financial cost, there are other potential societal health issues associated with medical data breaches. Now, in my previous hypothetical, let’s assume it’s your medical identity that has been sold. If you subsequently go to another doctor, the record of this surgery on the imposter (the hacker’s customer) is now in your medical record. If the doctor takes a careful history, maybe the problem is discovered. But what if you are unconscious, and rushed to the hospital by ambulance? It might go undetected and conceivably change a diagnosis or change the way the physician decides to treat you in that subsequent encounter. It could adversely change the outcome of your treatment and perhaps even cost you your life. So, there are tremendous societal costs. That’s why there are penalties for noncompliance.
In addition, it is seldom publicized, but one of the principal targets of hackers is the intellectual property or trade secret information of businesses. This information could be the result of years of manpower effort, and the expenditure of millions of dollars of research and development. Suddenly, you find that it has been exfiltrated through an undetected breach over the past several months. Clearly, something of tremendous value has been lost. It could alter the course and even the future of the business. Do you want to admit that to the public? To your shareholders? Unfortunately, this sort of thing happens frequently.
Q: With cyberbreaches so prevalent, it seems like insurance coverage against an attack would be wise. What types of cybersecurity insurance policies are there?
A: Cyber insurance is a relatively new product with increasing acceptance in the marketplace. It’s available as a standalone policy or as a rider to other types of coverages, such as general commercial insurance. In other types of policies, such as a crime policy, there might have been small amounts of cyber coverage included. But in the interest of increasing the market for cyber insurance, insurers are reducing those coverages or removing them from other policies, so that they can drive the market for cyber policies. As recently as 2016, 30 percent of businesses maintained cyber coverages. In 2017, that figure increased to 50 percent. That said, there is a wide disparity in pricing and types of coverage, so customers need to compare policies from different providers before making a purchase.
In terms of types of coverage, most policies offer two components. The first is a third-party liability coverage, which provides a company with indemnity from third-party claims or regulatory enforcement claims. The second component is first-party coverage, which reimburses a company for the costs of its breach response or any remediation it may need to offer customers or employees. In some cases, the need to pay cyber extortion costs is also covered.
Q: What laws govern cybersecurity?
A: The reality is that in the U.S. alone, there are now 50 different state data breach notification laws, plus those of four U.S. territories. Think about the implications of that for companies that do business in all 50 states and U.S. territories, and could have to provide more than 50 different breach notifications. Massachusetts has one of the most robust regulatory schemes in the country, but states like New York and California are becoming more stringent and expansive in their reach. It used to be that if a company complied with Massachusetts law, it went a long way toward complying with all of the state and territorial laws. But now, depending on industry, they may need to look to New York or California for more industry-specific compliance.
There also is a new European regulation, the General Data Protection Regulation (GDPR), which went into effect on May 25, which may implicate U.S. companies, as well. The aim of the GDPR is to protect all European Union residents from privacy and data breaches in an increasingly data-driven world. Theoretically, all companies must comply with this law globally if they possess a broad category of information on at least one European Union resident. The monetary penalties for noncompliance are as draconian as anything you’ve ever seen – including 4 percent of global revenue up to 20 million euros. The reason for these penalties is that regulators recognize most companies have not been complying with these types of laws. GDPR also has a 72-hour breach notification requirement. We are doing extensive work now for domestic businesses and organizations with exposure to GDPR who are playing catch-up but are committed to making compliance efforts. These include both for-profit and not-for-profit entities.
Q: What final piece of advice would you offer to companies seeking to protect themselves?
A: My advice is that it is never too late to implement an information security and privacy protection plan, or to take immediate steps necessary to improve the plan you may already have in place. Company management at the highest levels must have awareness of the risks and make a commitment to information security as a mandatory cost of doing business. Management must make the necessary budgetary and manpower resource commitments, commensurate with their business, the types of protected data gathered and maintained, and the regulatory obligations facing their businesses, whether foreign, domestic or global. If you are in a regulated industry or have contractual information security requirements, you want to meet your regulatory and contract obligations, just as you want to be sure that your third-party vendors are meeting their contractual and legal obligations to your business. At a minimum, you always want to anticipate a data breach in your business. You want to have a data breach team pre-designated and a written data breach response plan in place, which identifies qualified expert contacts for any breach crisis, such as physical and information security, IT, HR, legal, computer forensics, law enforcement liaisons, public relations, call center vendors and other crisis management responders, all set and ready to be mobilized. All you want left are plan execution, reporting and communications, as the only dynamic variables based on the nature and extent of the breach. Once you have these things in place, perform periodic audits to verify your ongoing compliance, and make any necessary changes or upgrades to your plan over time. If you do these things, you will enhance the company’s level of protection and reduce its risk and exposure.
Sharon Merrill Associates helps private and public companies enlist the support of their stakeholders in both routine and critical situations, and has successfully managed virtually every strategic challenge an organization might face. Our senior team is known for building long-term client relationships based on a passion for service excellence and a record of delivering desired results. To learn more about how to build a cybersecurity plan, contact us at (617) 542-5300.