Complacency in the Face of Evolving Cybersecurity Norms is Hazardous (Part 2)

Cybersecurity presents new challenges for the C-suite and those individuals directly responsible for corporate cybersecurity, IT and personnel.

Ethan S. Burger and Thomas Welch, Legaltech News

March 29, 2016

The following is part two of a two-part series. Part one explored the argument that the threat demands action and policies consistent with the corporation’s profile and its sector’s norms.

Some Motivations for Strengthening Cyberdefenses and Procuring Cyber-Insurance

If corporations do not take steps to strengthen their cyberdefenses, there may be several undesirable and unforeseen consequences. For example, it may become difficult to recruit officers, directors, and other personnel if a corporation knowingly does not take appropriate steps to avoid being attacked. Companies may feel that they cannot afford basic cybersecurity tools or the personnel needed to develop and implement appropriate policies, but future clients or supply chain contracts will soon require them.

Businesses must learn to appreciate that while outlays for improved cybersecurity will not generate revenue, prudent, preventative measures may avoid potentially significant future fines or disqualifications, damage to the business’s reputation, or becoming a defendant in a lawsuit. If acquiring cyber-insurance becomes the norm, businesses that choose to remain uninsured may be viewed as unreliable business partners.

Novel Cyber-Litigation (Including Mandatory Discovery) Is Growing Rapidly

The volume of lawsuits involving allegations of fraud and misrepresentation, the liabilities of vendors of goods and services acquired by businesses that suffered cyber-attacks, insurance coverage disputes, and liability to the victims of cyberattacks for the release of private or other confidential information appears to be increasing. The desire of those who suffered harm to shift costs is understandable.

Defendants and plaintiffs must anticipate having to produce non-privileged correspondence and other documents concerning preventative and remedial measures. This makes privileged advice particularly valuable. Confidential attorney-client communications and attorney work product, if deemed privileged, do not have to be revealed to the opposing party or the jury except under certain limited circumstances.

Consequently, it is often advisable for businesses to retain outside counsel to perform specific tasks such as conducting an internal investigation or performing case evaluations. Outside counsel can retain cybersecurity defense specialists to work at their direction. Materials produced for the benefit of counsel’s work or in connection with communications to the client can qualify as privileged.

The number of reported cases involving cyber-related issues is limited, particularly cases involving contract disputes between companies seeking to enhance their cyberdefenses and their vendors. Many disputes are resolved through negotiations in which the settlement terms include non-disclosure provisions. This makes business decision-making difficult because of the lack of publicly available information.

Increasing One’s Cybersecurity Prudently and Effectively

Acquiring effective cyber-defenses can be costly. Frequently, purchasers base their decisions on limited data. Often, companies feel pressured to make hasty expenditures recommended by government officials, insurance companies, financial auditors or other outside consultants with an inherent conflict of interest. Corporate executives and board members may feel that they require expertise about cybersecurity matters that is not available within their organization. They may be apprehensive about the possible consequences if such expert advice were subject to mandatory disclosure in the event of litigation. There will be situations where it is desirable that such advice be privileged and confidential.

Recovery Planning, Continuous Monitoring, and Audits Are Essential

Entities must design, test and refine their responses to both external and insider attacks. They should also consider what is needed to facilitate the organization’s operational recovery. Realistically, given the large number of variables involved, cybersecurity expenditures may be of limited value, particularly if massive attacks are undertaken by parties using unanticipated techniques.

Qualified personnel should assess, and where possible test, whether the claims made by vendors of goods and services are valid. Often the actual level of performance is not consistent with the vendors’ representations made before any agreement to purchase defensive tools and services was entered into.

What Is the Standard of Care?

Officers and directors will understandably be concerned not only about what is best for their corporations, but also about their own potential individual liability. If some competitors invest in certain defensive measures, does this mean that corporate officers and directors who fail to adopt similar policies are not meeting their standard of care? The costs of corporate management being wrong are huge, and the benefits of correctly adopting limited cybersecurity measures may be small.

Some Other Legal Issues

The effects of cyberattacks are giving rise to novel legal questions that are not readily answered or answerable. To date, there has been a large focus on issues relating to the release of personal and private information by the victims of cyberattacks. These cases are often complex. They may require familiarity with state, U.S. and foreign legislation, regulations and “guidance,” corporate governance and other standards, conflict of laws rules (such as determining whether a matter is governed by comparative or contributory negligence), evidentiary privileges and jurisdictional matters. Since plaintiffs may be from different locales, deciding what law governs a case may play a major role in resolving the matter. This makes estimating the value of a breach claim difficult.

Undoubtedly, there are or will be numerous lawsuits involving:

- Allegations of fraud or constructive fraud against the vendors of cybersecurity tools for exaggerating their effectiveness;

- Disputes over insurance coverage: how will insurance providers and courts interpret the word “liability” when dealing with events that arose after an initial cyber-attack, how are different companies interpreting the term “operational” in instances when the insured suffers large losses to its assets, and what constitutes the same “act or occurrence” when there is a series of actions following the initial breach of an insured?

- Differing views about whether the corporation’s cybersecurity practices were reasonable and complied with relevant statutes, regulations, administrative and other compliance rules and “guidance”;

- Assessing whether the corporation’s human resources practices complied with labor and civil rights norms while yielding a competent work force; and

- Addressing competing concepts of personal information and privacy as they relate to corporate personnel, job applicants and others (it should be examined whether U.S. law or foreign law is to be applied).

It is important that corporations closely monitor the fees of outside counsel. It may be difficult to determine whether such fees are reasonable under the relevant circumstances.

Conclusion

Cybersecurity presents new challenges for the C-suite and those individuals directly responsible for corporate cybersecurity, IT and personnel. Governmental regulation and cybersecurity technology are, and will continue to be, highly dynamic and unpredictable.

Corporations’ past practices when dealing with their customers, employees, suppliers, providers of cybersecurity tools and advice, and cyber-insurance partners will have to be adjusted to take into account the new cyber-environment. It may be valuable to seek the insights of disinterested attorneys and experts with specialized knowledge of the cyber-area for advice and counselling. Since the learning curve is steep, generalists may have limited value in many matters that will affect the outcome of a particular dispute or the best course of action to follow when dealing with government officials, suppliers, customers, employees and others.

Part one of this article explored the argument that the threat demands action and policies consistent with the corporation’s profile and its sector’s norms.

Ethan S. Burger is a Washington-based international attorney and academic. He is an adjunct professor at Washington College of Law.

Thomas Welch is an attorney, managing director of the American International Regulatory Coherence Institute and a former associate director with the U.S. Food and Drug Administration.

Read more: http://www.legaltechnews.com/id=1202753540380/Complacency-in-the-Face-of-Evolving-Cybersecurity-Norms-is-Hazardous-Part-2#ixzz45AFz501y