Complacency in the Face of Evolving Cybersecurity Norms is Hazardous (Part 2)
Cybersecurity presents new challenges for the C-suite and those individuals directly responsible for corporate cybersecurity, IT and personnel.
Ethan S. Burger and Thomas Welch, Legaltech News
March 29, 2016
The following is part two of a two-part series. Part one explored the argument that the threat demands action and policies consistent with the corporation’s profile and its sector’s norms.
Some Motivations for Strengthening Cyberdefenses and Procuring Cyber-Insurance
If corporations do not take steps to strengthen their cyberdefenses, there may be several undesirable and unforeseen consequences. For example, it may become difficult to recruit officers, directors, and other personnel if a corporation knowingly does not take appropriate steps to avoid being attacked. Companies may feel that they cannot afford basic cybersecurity tools or to hire the personnel necessary to develop and implement appropriate policies, but future clients or supply chain contracts will soon require it.
Businesses must learn to appreciate that while outlays for improved cybersecurity will not generate revenue, prudent, preventative measures may avoid potentially significant future fines or disqualifications, negative impacts on business reputation, or becoming a defendant in a lawsuit. If acquiring cyber-insurance becomes the norm, businesses that choose to remain uninsured may be viewed as unreliable business partners.
Novel Cyber-Litigation (Including Mandatory Discovery) Is Growing Rapidly
The volume of lawsuits involving allegations of fraud and misrepresentation, liabilities of vendors of the goods and services acquired by businesses that suffered cyber-attacks, insurance coverage disputes, and liability to victims of cyberattacks arising from the release of private or other confidential information seems to be increasing. The desire of those that suffered harm to shift costs is understandable.
Defendants and plaintiffs must anticipate the necessity of producing non-privileged correspondence and other documents concerning preventative and remedial measures. This makes privileged advice particularly valuable. Confidential attorney-client communications or attorney work product, if deemed privileged, do not have to be revealed to the opposing party or the jury, except under certain limited circumstances. Consequently, it is often advisable for businesses to retain outside counsel to perform certain specific tasks such as conducting an internal investigation or performing case evaluations. Outside counsel can retain cybersecurity defense specialists to work at their direction. Materials produced for the benefit of counsel’s work or in connection with communications to the client can qualify as privileged.
The number of reported cases involving cyber-related issues is limited, particularly cases involving contract disputes between companies seeking to enhance their cyberdefenses and their vendors. Many disputes are resolved through negotiations where the terms of the settlement include non-disclosure provisions. This makes business decision-making difficult because of the lack of publicly available information.
Increasing One’s Cybersecurity Prudently and Effectively
Acquiring effective cyber-defenses can be costly. Frequently, purchasers are basing their decisions on limited data. Often, companies feel pressured to make hasty expenditures recommended by government officials, insurance companies, financial auditors or other outside consultants with an inherent conflict of interest. Corporate executives and board members may feel that they require expertise about cybersecurity matters not available within their organization. They may be apprehensive about the possible consequences if such expert advice were subject to mandatory disclosure in the event of litigation. There will be situations where it would be desirable for such advice to be privileged and confidential.
Recovery Planning, Continuous Monitoring, and Audits Are Essential
Entities must design, test and refine their responses to both external and insider attacks. They should also consider what is needed to facilitate the organization’s operational recovery. Realistically, given the large number of variables involved, cybersecurity expenditures may be of limited value, particularly if massive attacks are undertaken by parties using unanticipated techniques.
Qualified personnel should assess, and possibly test, whether the claims made by the vendor of goods and services are valid. Often the actual level of performance is not consistent with vendors’ representations made prior to entering into any agreements to purchase defensive tools and services.
What Is the Standard of Care?
Officers and directors will understandably be concerned not only about what is best for their corporations, but also about their own potential individual liability. If some competitors invest in certain defensive measures, does this mean that corporate officers and directors who fail to adopt similar policies are not meeting their standard of care? The costs of corporate management being wrong are huge, while the benefits of correctly judging that limited cybersecurity measures suffice may be small.
Some Other Legal Issues
The effects of cyberattacks are giving rise to novel legal questions, which are not readily answered or answerable. To date, there has been a large focus on issues relating to the release of personal and private information by the victims of cyberattacks. These cases are often complex. They may require a familiarity with state, U.S. and foreign legislation, regulations and “guidance,” corporate governance and other standards, conflicts of law rules (such as determining whether a matter is governed by comparative or contributory negligence), evidentiary privileges and jurisdictional matters. Since plaintiffs may be from different locales, deciding what law governs a case may prove to play a major role in resolving the matter. This makes estimating the value of a breach claim difficult.
Undoubtedly, there are or will be numerous lawsuits involving:
- Allegations of fraud or constructive fraud against the vendors of cybersecurity tools for exaggerating their effectiveness;
- Disputes over insurance coverage: How will insurance providers and courts interpret the word “liability” when dealing with events that arose after an initial cyber-attack, and how are different companies interpreting the meaning of the term “operational” in instances when the insured suffers large losses to their assets? What constitutes the same “act or occurrence” when there is a series of actions following the initial breach of an insured?
- Differing views about whether the corporation’s cybersecurity practices were reasonable and complied with relevant statutes, regulations, administrative and other compliance rules and “guidance;”
- Assessing whether the corporation’s human resources practices complied with labor and civil rights norms, while yielding a competent work force; and
- Addressing competing concepts of personal information and privacy as they relate to corporate personnel, job applicants and others (it should be examined whether U.S. law or foreign law is to be applied).
It is important that corporations closely monitor the fees of outside counsel. It may be difficult to determine whether such fees are reasonable under the relevant circumstances.
Conclusion
Cybersecurity presents new challenges for the C-suite and those individuals directly responsible for corporate cybersecurity, IT and personnel. Governmental regulation and cybersecurity technology are, and will continue to be, highly dynamic and unpredictable.
Corporations’ past practices when dealing with their customers, employees, suppliers, the providers of cybersecurity tools and advice, and cyber-insurance partners will have to be adjusted to take into account the new cyber-environment. It may be valuable to seek the insights of disinterested attorneys and experts with specialized knowledge of the cyber-area for advice and counselling. Since the learning curve is steep, generalists may have limited value in many matters that will affect the outcome of a particular dispute or the best course of action to follow when dealing with government officials, suppliers, customers, employees and others.
Part one of this article explored the argument that the threat demands action and policies consistent with the corporation’s profile and its sector’s norms.
Ethan S. Burger is a Washington-based international attorney and academic. He is an adjunct professor at Washington College of Law.
Thomas Welch is an attorney, managing director of the American International Regulatory Coherence Institute and a former associate director with the U.S. Food and Drug Administration.
Read more: http://www.legaltechnews.com/id=1202753540380/Complacency-in-the-Face-of-Evolving-Cybersecurity-Norms-is-Hazardous-Part-2#ixzz45AFz501y