CYBERSECURITY AND DATA BREACH RESPONSE FOR LAWYERS: THREATS, PREVENTION TIPS, AND MITIGATION STRATEGIES FOR LESSENING THE RISK OF A CYBERATTACK

CLE Credit: 1.0
Wednesday, June 12, 2019
3:35 – 4:35 p.m.
Jones, Galt House Hotel
Louisville, Kentucky



A NOTE CONCERNING THE PROGRAM MATERIALS

The materials included in this Kentucky Bar Association Continuing Legal Education handbook are intended to provide current and accurate information about the subject matter covered. No representation or warranty is made concerning the application of the legal or other principles discussed by the instructors to any specific fact situation, nor is any prediction made concerning how any particular judge or jury will interpret or apply such principles. The proper interpretation or application of the principles discussed is a matter for the considered judgment of the individual legal practitioner. The faculty and staff of this Kentucky Bar Association CLE program disclaim liability therefor. Attorneys using these materials, or information otherwise conveyed during the program, in dealing with a specific legal matter have a duty to research the original and current sources of authority.

Printed by: Evolution Creative Solutions 7107 Shona Drive

Cincinnati, Ohio 45237

Kentucky Bar Association


TABLE OF CONTENTS

The Presenters ........................................ i

Cybersecurity and Data Breach Response for Lawyers: Threats, Prevention Tips, and Mitigation Strategies for Lessening the Risk of a Cyberattack ........................................ 1



THE PRESENTERS

Earl Rose IV Department of Homeland Security

EARL ROSE currently works for the Department of Homeland Security where he is responsible for supporting the homeland security information needs of Kentucky. Mr. Rose has worked in a number of capacities over his twenty-year career as an intelligence professional. In his current capacity he is responsible for facilitating the flow of homeland security information between federal, state, local and private sector partners in the Commonwealth. Mr. Rose participates in Homeland Security’s efforts to keep pace with the evolving cyber risk landscape, which include: reducing vulnerabilities and building resilience; countering malicious actors in cyberspace; responding to incidents; and making the cyber ecosystem more secure and resilient.

Sarah Cronan Spurlock Stites & Harbison PLLC

Louisville, Kentucky (502) 681-0461

[email protected]

SARAH SPURLOCK is a member of the Stites & Harbison Health Care Service Group and is Co-Chair of the firm’s Privacy & Data Security Group. Ms. Spurlock regularly advises clients on a wide range of health care and privacy matters, including fraud and abuse laws, physician and hospital contracting, information privacy and security laws, and data breach prevention and response. Her practice includes regulatory and transactional matters and health care litigation. Sarah is a Certified Information Privacy Professional (CIPP/US) and serves as the firm’s Chief Privacy Officer. She earned her B.A. from Indiana University and her J.D., magna cum laude, from the University of Kentucky College of Law.



CYBERSECURITY AND DATA BREACH RESPONSE FOR LAWYERS: THREATS, PREVENTION TIPS, AND MITIGATION STRATEGIES FOR LESSENING THE RISKS OF A CYBERATTACK

Sarah Cronan Spurlock

Cyber threats to the United States and across the globe are reaching unprecedented levels.1 Businesses face increasing pressures from customers and state and federal regulatory authorities to protect sensitive information from theft, loss, and manipulation in a cyberattack. Lawyers and law firms are no exception. While certain industries, such as health care, finance, and retail, have garnered significant media attention in recent years due to widely publicized data breaches, lawyers and law firms may be targeted because of the significant amounts of confidential and valuable data lawyers handle in representing clients.

Businesses that experience data breaches face a long list of issues and considerations, including threat eradication and remediation, legal reporting obligations, potential business interruption, revenue losses, and the potential for reputational harm. Lawyers also have professional responsibilities to protect confidential client information and, as such, must also consider how ethical obligations may inform efforts to safeguard client information when using technology and steps lawyers should take in response to a cyberattack.

The term “cybersecurity” means “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.”2 Cybersecurity concerns have been elevated from technology departments to “C” suites in recent years as businesses realize the potential for operational and financial impact from cyberattacks. One threat that has captured significant attention from federal agencies, regulators, and businesses alike is known as “ransomware.” “Ransomware” is a type of malicious software used to deny access to systems or data by encrypting data and holding it hostage until a ransom is paid.

In March 2016, the U.S. Department of Homeland Security, United States Computer Emergency Readiness Team (US-CERT) issued an alert to provide further information on destructive ransomware, which had been observed infecting computers worldwide.3 The Federal Bureau of Investigation (FBI) and other federal agencies, including the Department of Homeland Security, have issued information and guidance on the ransomware threat that has continued to persist. The FBI developed a one-page information sheet on ransomware, which includes prevention tips and risks to consider when evaluating whether to pay a ransom.4 Additional interagency technical guidance on protecting networks from ransomware is available on the FBI’s website at www.fbi.gov.

Threats such as ransomware underscore the critical importance of implementing a defense strategy to combat cyberattacks. There are many possible sources to consider

1 Addressing the Cyber Threat, Director Discusses FBI Approach at Cybersecurity Conference, https://www.fbi.gov/news/stories/director-wray-speaks-at-rsa-cybersecurity-conference-030619 (March 6, 2019).

2 Merriam-Webster Online Dictionary, https://www.merriam-webster.com/dictionary/cybersecurity (last visited March 12, 2019).

3 US-CERT Alert TA16-091A Ransomware and Recent Variants (March 31, 2016), https://www.us-cert.gov/ncas/alerts/TA16-091A.

4 https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-ceos.pdf/view.


when developing a defense strategy. The United States lacks a comprehensive federal privacy and data security law. No single set of rules applies to protecting confidential client data. In many cases, the standards that apply to a lawyer will be driven by a client’s industry regulations and client expectations. Whether working in-house for one client, or working in private practice counseling many clients, potential sources of data security obligations exist in a patchwork of sector-specific federal laws and regulations, varied and sometimes contradictory state laws, contractual obligations, and ethical obligations. In some areas of practice, particularly a practice involving corporate transactions and mergers and acquisitions, a lawyer may need a more substantive understanding of information security risks and requirements to effectively represent a client’s interests in a transaction and in conducting related due diligence.

Section I below includes a summary of considerations for safeguarding confidential information and highlights common features of a written information security plan. Section II provides an overview of ethical considerations in the context of two American Bar Association opinions regarding use of technology and responding to a data breach. Section III outlines cybersecurity considerations for corporate transactions. Finally, the material concludes with a listing of additional resources.5

I. SAFEGUARDING CONFIDENTIAL INFORMATION

Adopting a written information security plan is one step lawyers can take to safeguard client data and minimize risks of unauthorized use, acquisition, and disclosure of confidential information. When selecting a security framework appropriate for a particular lawyer or law firm, some relevant factors for consideration include the nature of the information maintained, the industries from which clients are drawn, and resources available to address data security. Examples of information security frameworks an organization can look to in developing an information security plan include NIST Cybersecurity Framework, ISO 27002, NIST 800-53, the Secure Controls Framework, and the HIPAA Security Rule.6 While not a substitute for identifying the specific obligations and framework suitable for your practice and operational environment, some common information security program features to consider when creating or evaluating an information security plan include:

A. Selecting and Implementing Safeguards

Implement and maintain appropriate administrative, physical, and technical safeguards to protect the security, confidentiality, and integrity of client information. Selected safeguards should be appropriate to the organization’s size, scope, and business, its available resources, and the amount and nature of the information it maintains.

5 Special thanks to Jennifer Jackson and Dwight Young for their assistance in preparing these materials.

6 NIST or National Institute of Standards and Technology publications are available at https://www.nist.gov/. HIPAA Security Rule regulations are located at 45 C.F.R. Part 160 and Subparts A and C of Part 164. Information about ISO frameworks can be found on the International Organization for Standardization’s website at https://www.iso.org/home.html.


1. Examples of appropriate administrative measures may include:

a. Designating one or more employees to coordinate the information security plan;

b. Identifying reasonably foreseeable internal and external risks, and assessing whether existing safeguards adequately control the identified risks;

c. Training employees in security practices and procedures;

d. Adjusting the information security plan in light of business changes or new circumstances;

e. Restricting authority to access information on a need-to-know basis;

f. Implementing a patch management process to address unpatched vulnerabilities and minimize opportunities for criminal actors to exploit system weaknesses that may lead to unauthorized intrusion; and

g. Requiring service providers that may have access to or maintain client information to implement and maintain reasonable security measures, consistent with the lawyer or law firm’s practices, applicable regulatory frameworks, and/or contractual obligations.

2. Examples of appropriate technical measures may include:

a. Controlling user identification and authentication with a reasonably secure method of assigning and selecting passwords, requiring that passwords are “strong” (i.e. setting a minimum length and requiring a combination of characters, numbers, and symbols), unique, and kept in a location or format that does not compromise security;

b. Secure authentication protocols, such as utilizing two-factor authentication when feasible;

c. Restricting access to active users and active user accounts only and preventing terminated employees from accessing systems or records;

d. Blocking a particular user’s access after multiple unsuccessful attempts to gain access or placing limitations on access for particular systems or network locations;

e. Using enhanced security measures for information traveling wirelessly or across public networks as appropriate to the sensitivity of the information being transmitted (e.g. encryption);

f. Monitoring for, detecting, and responding to unauthorized access or other attacks or system failures;

g. Maintaining firewall protection and system security software that includes malware protection with reasonably current patches and malware definitions;

h. Comprehensive backup and data recovery procedures with offsite or offline redundancy (e.g. non-networked backups); and

i. Assigning users appropriate access required for job performance.
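As an added illustration of how three of the technical measures above (a strong-password requirement, blocking access after repeated failed attempts, and monitoring for unauthorized access) can be made concrete, the following Python script is example code written for these materials and is not part of the handout or of any product it cites. It checks a candidate password against a minimum-length-plus-character-class policy, then scans a constructed set of authentication log lines for accounts that reached the failure threshold and flags any login that succeeds after the account should already have been blocked. The log format, the threshold of five failures within ten minutes, and the twelve-character minimum are assumptions chosen for the example, not figures from the materials.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not taken from the handout).
# Each line: ISO timestamp, outcome (OK/FAIL), username, source address.
SAMPLE_AUTH_LOG = """\
2019-06-12T09:00:01 FAIL jsmith 203.0.113.7
2019-06-12T09:00:04 FAIL jsmith 203.0.113.7
2019-06-12T09:00:08 FAIL jsmith 203.0.113.7
2019-06-12T09:00:11 FAIL jsmith 203.0.113.7
2019-06-12T09:00:15 FAIL jsmith 203.0.113.7
2019-06-12T09:00:20 OK   jsmith 203.0.113.7
2019-06-12T09:30:00 FAIL aadams 198.51.100.4
2019-06-12T11:45:00 FAIL aadams 198.51.100.4
2019-06-12T11:46:00 OK   aadams 198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+(\S+)\s+(\S+)$")

# Assumed policy values for this example; a firm would set its own.
MIN_PASSWORD_LENGTH = 12
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=10)


def password_meets_policy(password, min_length=MIN_PASSWORD_LENGTH):
    """Measure 2.a: minimum length plus a mix of letters, digits and symbols."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in password)
    return len(password) >= min_length and has_letter and has_digit and has_symbol


def parse_events(text):
    """Turn log lines into (timestamp, outcome, user, source) tuples."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, outcome, user, source = match.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, source))
    return events


def detect_lockouts(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Measures 2.d and 2.f: find accounts that reached `threshold` failed
    attempts within `window`, and report any login that succeeded after the
    account should already have been blocked (a sign that the lockout was not
    enforced, or that the credential was eventually guessed)."""
    recent_failures = defaultdict(deque)   # user -> timestamps of recent failures
    lockouts = {}                          # user -> time the threshold was hit
    successes_after_lockout = []           # (user, time, source) needing review
    for ts, outcome, user, source in sorted(events):
        if user in lockouts:
            if outcome == "OK":
                successes_after_lockout.append((user, ts, source))
            continue
        if outcome == "FAIL":
            failures = recent_failures[user]
            failures.append(ts)
            # Drop failures older than the sliding window before counting.
            while failures and ts - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold:
                lockouts[user] = ts
        else:
            # A successful login resets the failure count for that account.
            recent_failures[user].clear()
    return lockouts, successes_after_lockout


if __name__ == "__main__":
    locked, late_successes = detect_lockouts(parse_events(SAMPLE_AUTH_LOG))
    for user, when in locked.items():
        print(f"lock {user}: {LOCKOUT_THRESHOLD} failures by {when.isoformat()}")
    for user, when, source in late_successes:
        print(f"ALERT {user}: login from {source} at {when.isoformat()} after lockout threshold")
```

Run as a script, it reports that the account jsmith hit the threshold and then logged in successfully five seconds later, which is exactly the event an administrator would want to review; aadams' two failures are hours apart and fall outside the window, so no lockout is triggered.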

3. Examples of appropriate physical measures may include:

a. Defining and implementing reasonable physical security barriers to protect areas where client information may be accessed, including reasonably restricting physical access (e.g. using locks or badge access), and storing confidential records in secure facilities or locked areas;

b. Preventing, detecting, and responding to physical intrusions or unauthorized access to client information and restricted areas; and

c. Implementing secure disposal or destruction of client information, whether in paper or electronic form, when it is no longer required to be retained in accordance with data retention policies, applicable laws, or contractual obligations.7

B. Conducting Security Awareness Training

While technical security safeguards are important, they represent only one aspect of an effective cyber defense strategy. In addition to implementing technical controls and safeguards, an organization must also account for the human component that makes many cyberattacks possible. Clear communication and training on information security policies and practices, threats to an organization and how to spot them, and when and how to report suspicious activity is an important part of an organization’s information security plan.

7 KRS 365.725 requires businesses to take reasonable steps to destroy, or arrange for the destruction of, portions of a customer’s records containing personally identifiable information by “shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable through any means.”


The proliferation and increased sophistication of ransomware attacks underscores the importance of having both robust technical controls and employee education.8 Ransomware, and other forms of malicious software, are often delivered via email. Over time, as users and email systems have become more adept at recognizing problematic spam emails, criminals too have developed new and innovative ways to deliver malicious software or “malware.”9 For example, email “spoofing” is a technique to make it appear to the recipient that an email is originating from someone known to them, often a supervisor or someone else in a position of authority. Email spoofing may be used to deliver a malicious link or attachment, increasing the chance the user will access the link or attachment because it appears to be from a legitimate source. Spoofing may also be used to solicit information that can be used for another type of intrusion, such as by obtaining access credentials or other personal information to provide clues to an individual’s password. The recipient may think they are providing the information to a trusted source, like an internal IT department or system administrator, when it is actually going to a criminal. This type of social engineering to facilitate cyberattacks is becoming more common. Employees who are mindful of these risks will be in a better position to identify suspicious emails and avoid the bait.
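The two spoofing patterns described above (a familiar display name on an external address, and a reply address that differs from the visible sender) can be checked mechanically. The following Python script is an added example written for these materials, not code from the handout or from any product it mentions; it parses three constructed messages with the standard library and reports which indicators each one trips. The firm domain examplefirm.test and the directory of internal names are placeholders assumed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed: the firm's own mail domain and a directory of internal display
# names. Both are placeholders for this example, not values from the handout.
INTERNAL_DOMAIN = "examplefirm.test"
INTERNAL_DIRECTORY = {"Jane Partner", "IT Helpdesk"}

# Constructed sample messages (not from the handout).
SAMPLE_MESSAGES = {
    "legit": """From: Jane Partner <jpartner@examplefirm.test>
To: associate@examplefirm.test
Subject: Draft agreement

Attached is the redline.
""",
    "display_name_spoof": """From: Jane Partner <jane.partner.firm@mail.example.net>
To: associate@examplefirm.test
Subject: Urgent wire instructions

Please handle this today.
""",
    "reply_to_mismatch": """From: IT Helpdesk <helpdesk@examplefirm.test>
Reply-To: helpdesk-support@example.org
To: associate@examplefirm.test
Subject: Password expiring

Confirm your credentials at the link.
""",
}


def _domain(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def spoofing_indicators(raw_message, internal_domain=INTERNAL_DOMAIN,
                        directory=INTERNAL_DIRECTORY):
    """Return the list of spoofing indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    indicators = []

    # A display name that matches a colleague while the address is external:
    # the recipient sees a trusted name, but the mail did not come from the firm.
    if from_name in directory and from_domain != internal_domain.lower():
        indicators.append("internal-name-external-address")

    # Replies silently routed to a different domain than the visible sender:
    # typical of credential-harvesting requests posing as IT or a supervisor.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        indicators.append("reply-to-domain-differs")

    return indicators


def scan_mailbox(messages, **policy):
    """Apply the indicator checks to a mapping of message id -> raw message."""
    return {key: spoofing_indicators(raw, **policy) for key, raw in messages.items()}


if __name__ == "__main__":
    for key, found in scan_mailbox(SAMPLE_MESSAGES).items():
        print(f"{key}: {', '.join(found) if found else 'no indicators'}")
```

Checks of this kind are a triage and training aid for the recipient's side; they complement, rather than replace, the domain-level sender authentication (SPF, DKIM, DMARC) that the firm's mail system should enforce.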

C. Conducting Ongoing Risk Management

Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.10 Risk management involves evaluating recommended security measures to combat identified threats and vulnerabilities, and prioritizing, modifying, and implementing security measures appropriate to the organization. Considering potential risks presented by vendors providing services to lawyers is also important to risk management. In a 2014 Formal Ethics Opinion on the Use of Cloud Computing,11 the Kentucky Bar Association addressed lawyers’ use of cloud computing with clients’ confidential information. The opinion lists questions a lawyer should consider in evaluating a cloud service provider arrangement for online storage of client confidential information, including what protections the provider has in place to prevent disclosure of confidential client information, whether the service provider is contractually obligated to protect the security and confidentiality of information stored with it, what a service agreement states with respect to who “owns” the data stored by the provider, and what procedures, including notice

8 FBI, Incidents of Ransomware on the Rise, Protect Yourself and Your Organization, April 29, 2016, available at https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise.

9 Id.

10 National Institute of Standards and Technology (NIST) Special Publication 800-30 Rev. 1, Guide for Conducting Risk Assessments, https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final (last visited March 14, 2019).

11 The KBA Board of Governors adopted Formal Ethics Opinion KBA E-347 under Kentucky Supreme Court Rule 3.530. The opinion notes that pursuant to such Rule, the opinion is advisory only.


procedures to the lawyer, does a provider use when responding to government or judicial attempts to obtain client information.12 Although KBA Opinion E-347 specifically addresses arrangements with cloud service providers, the questions may be relevant when evaluating other types of arrangements as well.

D. Security Incident Response and Reporting

Outlining a plan for responding to suspected cyber incidents that may compromise data security can help mitigate the effects of an attack. Security incident response planning includes identifying individuals (internally and externally where appropriate) who will be called on to respond to an incident and designating the role individuals will serve in the response. Containing and eradicating ongoing threats will be the initial priority. Preserving evidence relating to an incident is also important as it may provide insight into its cause and inform remediation steps to prevent similar future occurrences.

Identifying the types of incidents that will trigger the incident response process is also important. Examples may include: a suspected or confirmed unauthorized system intrusion; lost or stolen computer assets; unauthorized software infecting a computer or computer network; unauthorized changes to security permissions, access credentials, or system configurations; and data loss or corruption.

In responding to a security incident, an organization must also evaluate legal obligations. For instance, did the incident result in a breach of confidential information? Is the organization under a legal or contractual obligation to report the incident or breach to a client or other third parties? In the process of responding to and gathering information relative to a security incident, the incident response team should be able to supply information necessary to analyze whether an actual data breach occurred and, in turn, what reporting obligations exist as a result.13

II. ETHICAL CONSIDERATIONS AND CYBERSECURITY

In Formal Ethics Opinion KBA E-347, the Kentucky Bar Association addressed lawyers’ use of cloud computing with clients’ confidential information. The opinion provides that use of cloud computing is permitted, provided lawyers take certain actions in so doing, including, among others, following the Rules of Professional Conduct with regard to safeguarding client confidential information. The opinion provides guidance in the exercise of reasonable judgment but declines to mandate specific practices in the world of cloud computing, citing the fact that technology evolves every day. As such, while the opinion reiterates a lawyer’s ethical obligation to safeguard client confidential information, it also confirms that the manner in which lawyers undertake that obligation in the context of technology use, and the safeguards lawyers select, may vary. Additional ethical considerations relevant to a lawyer’s use of technology and safeguarding against

12 Id.

13 See additional discussion under Section II(B) below.


cyber threats are found in two Formal Opinions from the American Bar Association, discussed below.14

A. ABA Formal Opinion 477R (2017) “Securing Communication of Protected Client Information”

The ABA Committee on Ethics and Professional Responsibility issued Formal Opinion 477R, titled “Securing Communication of Protected Client Information,” in May 2017. Recognizing the ways in which use of technology has evolved in the legal profession, the Committee issued this opinion explaining a lawyer’s ethical responsibility when communicating client confidential information using the Internet. Formal Opinion 477R updates Formal Opinion 99-413, which addressed a lawyer’s confidentiality obligations for email communications with clients. Formal Opinion 99-413 concluded that “[l]awyers have a reasonable expectation of privacy in communications made by all forms of e-mail, including unencrypted e-mail sent on the Internet, despite some risk of interception and disclosure. It therefore follows that its use is consistent with the duty under Rule 1.6 to use reasonable means to maintain the confidentiality of information relating to a client’s representation.”15

In the more recent Formal Opinion 477R, the Committee notes that “[t]he Model Rules do not impose greater or different duties of confidentiality based upon the method by which a lawyer communicates with a client. . . [b]ut how a lawyer should comply with the core duty of confidentiality in an ever-changing technological world requires some reflection.”16 The Committee acknowledges that those providing legal services today use a number of devices – such as computers, tablets, smartphones, and cloud resource and storage locations – to create, transmit, and store confidential communications. Each location where confidential communications are stored represents a risk for the inadvertent and unauthorized disclosure of information related to the attorney’s representation of the client, implicating the attorney’s ethical duties. In light of these newly prevalent risks, the ABA adopted “technology amendments” to the Model Rules in 2012. The “technology amendments” include updates to the Comments on Rule 1.1 related to a lawyer’s technological competency, as well as the addition of paragraph (c) and a new Comment to Rule 1.6, which addresses a lawyer’s obligation to take reasonable measures to prevent inadvertent or unauthorized disclosure of information relating to the representation of a client. The Committee cites two general reasons why law firms are targets for cyberattacks. First, law firms obtain and store highly sensitive information

14 ABA Formal Opinions are based on the Model Rules of Professional Conduct. While these ABA Opinions are instructive, the laws, opinions, and rules of professional conduct in individual jurisdictions are controlling.

15 ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 99-413 (1999).

16 ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 477R (2017).


about their clients, while potentially “utilizing safeguards to shield that information that may be inferior to those deployed by the client.” Second, the information law firms possess regarding their clients is likely to be of interest to a hacker, while also likely conveniently less voluminous than the information held by the client.

With respect to the lawyer’s duty of competence, outlined in Model Rule 1.1, Comment [8] was modified in 2012 in light of the increasing impact of technology to read as follows:

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.17

The 2012 amendment to Rule 1.6 and its accompanying commentary address efforts required to preserve the confidentiality of information related to the representation of a client. Paragraph (c) was added to Rule 1.6, providing that: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information related to the representation of a client.”18 Amended Comment 18 explains that lawyers must “act competently to safeguard information relating to the representation of a client against unauthorized access by third parties,” and also states that such unauthorized access to, or inadvertent disclosure of, such information “does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”19

The Committee emphasizes that “lawyers must use reasonable efforts when communicating about client matters,” and explains that the reasonable efforts standard rejects a one-size-fits-all approach to security matters, and instead adopts a fact-specific, process-oriented approach to “assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”20 To that end, Comment 18 to Model Rule 1.6(c) sets forth the following list of nonexclusive factors to guide lawyers in making a “reasonable efforts” determination:

17 Model Rules of Prof’l Conduct R. 1.1 cmt. [8] (2016) (emphasis added). Notably, Kentucky Rule of Professional Conduct SCR 3.130(1.1) now includes this same language under maintaining competence at Comment 6.

18 Id. at R. 1.6(c).

19 Id. at R. 1.6(c) cmt. [18].

20 ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 477R, at 4 (2017).


• The sensitivity of the information;

• The likelihood of disclosure if additional safeguards are not employed;

• The cost of employing additional safeguards;

• The difficulty of implementing the safeguards; and

• The extent to which the safeguards adversely affect the lawyer’s ability to represent clients.21

Formal Op. 477R further provides that reasonable efforts, as it pertains to highly sensitive information, may require stronger protective measures, like encryption, while for matters of low sensitivity standard security methods may be sufficient. The Committee concludes that the use of unencrypted routine email generally remains an acceptable method by which a lawyer can communicate with a client; noting, however, that lawyers are tasked with constantly re-evaluating how they communicate electronically about client matters, and recommending a case-by-case determination for electronic communications about what effort is reasonable. Formal Op. 477R sets forth a number of additional useful guidelines aimed at helping attorneys mitigate the risks associated with the growing use of technology in the legal field, as summarized below.22

First, lawyers must understand the nature of the threat. This means that lawyers must consider the sensitivity of a client’s information, and whether such information is a high risk for cyberattacks. Industries that present a higher risk of data theft include those related to trade secrets, mergers and acquisitions, banking, defense, and health care, among others.

Second, it is essential that lawyers understand how their clients’ confidential information is transmitted and where it is stored. This means that lawyers should undertake to understand (1) how their firm’s electronic communications are created; (2) where client data is stored; and (3) what avenues exist to access client data and confidential communications. The Committee explains that “[e]ach access point, and each device, should be evaluated for security compliance.”

Next, lawyers should understand and use reasonable electronic security measures, as required by Model Rule 1.6(c). The Committee cites a number of options for lawyers to safeguard communications, including: the use of a Virtual Private Network (VPN) to securely access the Internet, the use of unique complex passwords that are changed periodically, the implementation of firewalls and anti-malware software on firm devices, the encryption of data, and the use of multi-factor authentication to access firm networks.

21 Model Rules of Prof’l Conduct R. 1.6(c) cmt. [18].

22 The guidelines summarized here appear in ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 477R (2017) at 6-11.


The Committee next urges lawyers to determine how electronic communications about client matters should be protected, as different communications require different levels of protection. For example, the Committee states that the attorney and client should discuss the levels of security that will be necessary for electronic communication about client matters at the beginning of the engagement. Where client information is particularly sensitive, the Committee indicates a lawyer should encrypt the transmission, and consider using password protection for attachments. A lawyer should also use caution if the client uses electronic devices subject to the access or control of a third party. And, in certain situations, the Committee notes it may even be prudent to warn the client of the risks associated with a method of communication. The Committee also discusses labeling confidential information as “privileged and confidential,” indicating that such a practice serves to alert anyone to whom the communication was inadvertently disclosed that the communication is intended to be privileged and confidential, and points out that Model Rule 4.4(b) requires a lawyer who “knows or reasonably should know” that he or she has received an inadvertently sent document to promptly notify the sending lawyer.23 The Committee also addresses the application of Model Rule 5.1 in the context of electronic communications, discussing the duty of lawyers exercising managerial authority in law firms to “make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct.” The Committee notes that lawyers are tasked with establishing procedures, and with training employees who assist in the delivery of legal services in the use of reasonably secure methods of communicating electronically with clients; and supervising lawyers must follow up periodically to ensure cybersecurity policies are being followed.
Finally, the Committee encourages lawyers to conduct due diligence on vendors providing communication technology, consistent with both Model Rule 1.6(c) and Model Rule 5.3, which imposes a duty on lawyers with direct supervisory authority over non-lawyers to make “reasonable efforts to ensure that” the non-lawyer’s “conduct is compatible with the professional obligations of the lawyer.”24 Echoing ABA Formal Opinion 08-451, which explained a lawyer’s obligation when outsourcing legal and nonlegal services, the Committee recommends that lawyers consider the following factors when selecting vendors for services involving electronic communications:25

• Reference checks and vendor credentials;

• The vendor’s security policies and protocols;

• The vendor’s hiring practices;

• The use of confidentiality agreements;

• Vendor’s conflicts check system to screen for adversity; and

• The availability and accessibility of legal redress in the event of violations of the vendor agreement.26

23 Model Rules of Prof’l Conduct at R. 4.4(b).
24 Id. at R. 5.3.
25 See also the discussion of KBA Formal Opinion E-347 on vendor evaluation in the context of cloud computing at Section I.

Comment 3 to Model Rule 5.3 addresses a lawyer’s outsourcing of legal and nonlegal services, including “using an Internet-based service to store client information.”27 The Comment sets out factors lawyers should consider when hiring an outside vendor, such as: the education, reputation, and experience of the non-lawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and, the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with respect to confidentiality.

B. ABA Formal Opinion 483 (2018) “Lawyers’ Obligations after an Electronic Data Breach or Cyberattack”

Picking up where Formal Opinion 477R left off, the ABA Committee on Ethics and Professional Responsibility issued Formal Opinion 483, titled “Lawyers’ Obligations after an Electronic Data Breach or Cyberattack,” in October 2018. In Formal Opinion 483, the Committee explains that “[w]hen a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under these Model Rules.”28 Formal Opinion 483 is focused only on a lawyer’s ethical obligations in the event of a data breach. The Committee notes that HIPAA and other federal or state breach notification laws may also be implicated, emphasizing that compliance with such laws does not necessarily equate to compliance with ethical obligations, and concluding that lawyers should analyze compliance separately under each applicable law or rule as a matter of best practices.29 The Committee clarifies that it defines a data breach as an event “where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.” A cyber event that does not result in actual compromise of confidential client information is not within the scope of the opinion. The Committee states that lawyers “must make reasonable efforts to monitor their technology resources to detect a breach,” including “reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.” Recognizing the lengths to which nefarious cyber criminals often go to hide their intrusions, the Committee offers reassurance that a lawyer’s responsibility to make reasonable efforts to monitor for a data breach does not mean that the failure to immediately detect a cyberattack is an ethical violation. Instead, the potential for an ethical violation arises if he or she did not undertake reasonable efforts to avoid data loss or detect cyber-intrusion, and the lack of reasonable effort is the cause of the breach.30

26 ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 08-451 (2008).
27 Model Rules of Prof’l Conduct R. 5.3 cmt. [3] (2016).
28 See Model Rules 1.1, 1.6, 5.1, and 5.3, as modified by the ABA’s “technology amendments,” adopted in 2012.
29 For example, Kentucky’s breach notification laws are found at KRS § 365.732 and KRS §§ 61.931-61.934. Requirements for notification under HIPAA regulations, including for “business associates,” are found at 45 C.F.R. §§164.400-414.

In responding to a breach, Model Rule 1.1 requires that a lawyer act reasonably and promptly to stop the breach or mitigate resulting damages as soon as a potential cyber intrusion is detected. The Committee explains that how a lawyer goes about doing so is not within the scope of Formal Opinion 483 but recommends that lawyers develop an incident response plan as a matter of best practice. The Committee cites a number of general, common features incident response plans share:

The incident response process should promptly: identify and evaluate any potential network anomaly or intrusion; assess its nature and scope; determine if any data or information may have been accessed or compromised; quarantine the threat or malware; prevent the exfiltration of information from the firm; eradicate the malware, and restore the integrity of the firm’s network. Incident response plans should identify team members and their backups; provide the means to reach team members at any time an intrusion is reported, and define the roles of each team member. The plan should outline the steps to be taken at each stage of the process, designate the team member(s) responsible for each of those steps, as well as the team member charged with overall responsibility for the response.31

Model Rule 1.6(c) requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information related to the representation of the client.” In the context of responding to a breach, the Committee explains that such “reasonable efforts” will depend on the circumstances and may require: (1) the restoration of the technology systems as practical; (2) implementation of new technology or new systems; or, (3) use of no technology at all if the task does not require it. The Committee emphasizes that a competent attorney must also make reasonable efforts to determine what occurred during the data breach. During a post-breach investigation, the lawyer should gather sufficient information to “ensure the intrusion has been stopped and then, to the extent reasonably possible, evaluate the data lost or accessed.”32 The Committee points out that the information a lawyer obtains through a post-breach investigation is necessary to understand the scope of an intrusion and allow for disclosure to the client consistent with a lawyer’s duty of communication and honesty under Model Rules 1.4 and 8.4(c).33 The Committee also discusses how the Model Rules inform a lawyer’s duties with respect to communications following a breach, whether to law enforcement, current clients, or former clients. For instance, Model Rule 1.6 should be considered when determining whether to report a cyberattack to law enforcement as it permits a lawyer to reveal information relating to the representation of a client if the disclosure is impliedly authorized in order to carry out the representation. The Committee explains that when a lawyer is exercising this discretion to disclose information to law enforcement in the aftermath of a data breach, the lawyer must consider: (1) whether the client would object to the disclosure; and, (2) whether reporting the breach would benefit the client (i.e. reporting may end the breach or lead to the recovery of stolen information).

30 ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 483, at 5-6 (2018).
31 Id. at 6-7.
In light of Model Rule 1.4(a)(3), which requires a lawyer to “keep the client reasonably informed about the status of the matter,” and Model Rule 1.4(b), which requires that a lawyer “explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation,” when a lawyer knows or suspects that a data breach has occurred, he or she must evaluate notice obligations to current clients.34 In describing post-breach notice requirements, the Committee took a position consistent with that described in ABA Formal Ethics Opinion 95-398, which advised:

Where the unauthorized release of confidential information could reasonably be viewed as a significant factor in the representation, for example where it is likely to affect the position of the client or the outcome of the client’s legal matter, disclosure of the breach would be required under Rule 1.4(b).35

32 Id. at 7.
33 Id. at 8.
34 See Model Rules of Prof’l Conduct at R. 1.4.

Model Rule 1.9(c) governs a lawyer’s duty of confidentiality as applied to former clients.36 The Committee concedes that the Model Rules provide no direct guidance on a lawyer’s duty to notify a former client when electronic “information relating to the representation” of a former client is compromised in a data breach, and expresses an unwillingness to “require notice to a former client as a matter of legal ethics in the absence of a black letter provision requiring such notice.” Considering Model Rule 1.16(d), which directs lawyers to return “papers and property” to the client at the conclusion of the representation, the Committee encourages lawyers to reach an agreement with clients as to how to handle the client’s electronic information in the lawyer’s possession before terminating representation.37 Lastly, Formal Opinion 483 addresses the substance of breach notification communications, stating that “the nature and extent of the lawyer’s communications will depend on the type of breach that occurs and the nature of the data compromised by the breach.” The Committee reiterates that disclosure is only required if material client information “was actually, or reasonably suspected to have been accessed, disclosed or lost in a breach.” When notifying clients of a breach, lawyers must provide enough information to allow the client to make an “informed decision” about how to proceed.38 The Committee indicates that lawyers must advise clients of the extent to which client information was accessed or disclosed (as reasonably ascertainable under the circumstances). The lawyer must also advise clients if the lawyer has attempted to determine the extent of the client information affected by the breach but is unable to do so. 
And, as a matter of best practices, the Committee indicates the lawyer should advise the client of the lawyer’s plan to respond to the breach, from efforts to recover compromised information (if possible), to steps being taken to implement more rigorous cybersecurity protections. If personally identifiable information is compromised during a data breach, lawyers must also evaluate attendant breach notification obligations under applicable state and federal law.39 In closing, the Committee explains that even lawyers who make “reasonable efforts” to safeguard confidential client information, stay abreast of changes in technology, and properly supervise other lawyers and third-party data storage vendors may suffer a data breach. The Committee echoes the language of Formal Opinion 477R, reiterating that an attorney’s competence in preserving a client’s confidentiality “is not a strict liability standard and does not require the lawyer to be invulnerable or impenetrable.”40 Instead, the standard is reasonable efforts, both in efforts to prevent loss or access and in monitoring for breaches.41 In the event of a breach, lawyers should consider whether notification to a client is necessary to comply with a lawyer’s ethical obligations, and whether any other notification obligations exist under applicable federal or state laws.42

35 ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 95-398 (1995).
36 Model Rules of Prof’l Conduct at R. 1.9(c).
37 See id. at R. 1.16(d).
38 ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 483, at 14 (2018).
39 All fifty states and the District of Columbia now have security breach notification laws. National Conference of State Legislatures, www.ncsl.org (last visited March 15, 2019).

III. CYBERSECURITY CONSIDERATIONS FOR CORPORATE TRANSACTIONS

In today’s environment, information technology (IT) assets and data are integral to every company’s operations. However, they can also be a significant source of legal, business, and reputational risk. Within the context of corporate transactions, specifically mergers and acquisitions (M&A), privacy and information security matters are now a primary concern. Counsel should prioritize privacy and information security considerations from the outset of an M&A transaction, beginning with the initial evaluation of the target and extending beyond post-acquisition integration. Potential buyers should look carefully at a broad range of data privacy and information security issues when evaluating an M&A target, particularly if personal information of individuals such as employees or customers or other sensitive or confidential data is integral to the deal. These issues often require the consideration of legal, technical, and operational perspectives, while implicating multiple regulatory regimes and numerous stakeholders throughout an organization. A thorough assessment of the privacy and data security issues involved in a deal helps buyers manage and mitigate potential risk, liability, and exposure, both during and after integration. These due diligence findings may affect not only the purchaser’s valuation of the target company but also the contents of the purchase agreement itself, which must adequately address the target’s privacy and data security policies, practices, and obligations.

A. Due Diligence Preparation and Evaluation

In evaluating a proposed acquisition, a buyer must gain a thorough understanding of the privacy and information security posture of the target from the beginning. In order to gain this understanding, the buyer and the buyer’s attorney should:

1. Identify the data the target creates, collects, processes, or maintains in the course of its business, particularly any personal information or other sensitive or confidential data.

2. Identify the IT assets the target uses to maintain, process, and safeguard that data.

3. Determine the applicable privacy and information security obligations of the target, and whether those obligations are statutory, regulatory, or contractual.

4. Understand how the target manages its data and IT assets, including an evaluation of the target’s (i) governance model, (ii) technical information security safeguards, and (iii) enterprise cyber risk management.

40 ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 483, at 9 (2018).
41 Id.
42 Model Rules of Prof’l Conduct at R. 1.4.

From a technical due diligence perspective, the buyer should also seek to assess the value and complexity of integrating the target’s assets. This includes the desirability and risks of merging both companies’ data, and the potential incompatibilities in IT systems, governance models, and privacy policies between both companies. Before the due diligence phase, both the buyer and the target should conduct initial evaluations on each of these issues to understand the general business model of the target and to identify the various privacy and information security risks and liabilities associated with a particular transaction.

B. Sources of Information and Information Sharing

The buyer typically begins the due diligence process by submitting a written due diligence questionnaire to the target consisting of a list of questions and requests for information and documents. It may also be necessary to conduct interviews with members of the target’s management, legal, or operations teams responsible for privacy and information security matters (for example, information security, information technology, or technology risk management). Before sharing any personal information, the parties should consider whether sharing the information is actually necessary for the level of due diligence being carried out. Personal information is often unnecessarily shared without consideration for the exposure and risks that can be avoided when the same level of due diligence can be completed with aggregated or anonymized data. If personal information must be shared in due diligence, the buyer and the target should develop mechanisms for ensuring clear and secure information sharing. In transactions with a large volume of shared data, electronic data rooms are often provided by the target or a third party. At a minimum, the parties should execute a standard non-disclosure agreement to protect against unauthorized use or disclosure of confidential or competitively sensitive information or personal information. Depending on the level of sensitivity of the information, before transferring data, the target may also need to:

1. Confirm that any pre-closing disclosures of personal information to the buyer comply with applicable legal obligations, including any commitments the target makes in its own privacy notices, privacy policies, or other public statements.

2. Consider the applicability of local laws or regulations, including cross-border data transfer rules, if the target operates in non-U.S. jurisdictions.

3. Where possible, aggregate and anonymize personal information.

C. Identifying the Target’s Data and IT Assets

Organizations often maintain an IT asset and data inventory, or data mapping, and data asset, application, and system classifications as part of their overall information security program. The buyer should verify whether the target maintains these inventories and uses them for ongoing information security risk assessment and vulnerability management. If the target does not maintain these inventories, depending on the scope of due diligence, transaction timing, or other process constraints, the buyer should consider conducting or requiring the target to conduct an inventory for the buyer’s review as part of the due diligence process. The data inventory process involves identifying:

1. The types and volume of data the target collects, creates, uses, and maintains.

2. The source of any data the target collects (for example, employees, consumers, customers, vendors, etc.) and any obligations imposed by the data source.

3. The location where data is collected, stored, and further processed.

4. When and with whom the data is shared.

5. How the data is disposed of.

6. Data retention policies.

Knowing the details of the data processed by a target defines the scope of a company’s privacy and data security obligations and helps identify any gaps in compliance. For example, federal and state laws require organizations that collect and maintain personal information to maintain reasonable data security practices and perform risk assessments. In addition to data inventory, a buyer should also take inventory of the target’s IT assets used in collecting, using, processing, and storing data. These IT assets typically include (i) computer hardware; (ii) network hardware and systems; (iii) computer platforms; (iv) laptops, portable storage media, and other mobile devices; (v) software operating systems and applications; and (vi) significant third-party cloud service platforms.


D. Determining Applicable Obligations

To identify potential information security-related liabilities that could affect the buyer’s valuation of the target company, buyer’s counsel must have an understanding of the legal and contractual obligations, regulatory guidelines, and industry standards applicable to the target’s data and the specific market in which the target operates. The U.S. has no single comprehensive federal privacy and data security law. There is instead a fragmented and dynamic patchwork of: (i) federal laws and regulations; (ii) state laws; (iii) government agency guidelines, which while not legally binding, are considered best practices; and (iv) industry self-regulatory group guidelines, which may be contractual obligations or, even if not legally binding, industry standards. The Federal Trade Commission (“FTC”), under the authority of the Federal Trade Commission Act (FTC Act), is an active regulator of privacy practices related to the collection and use of personal information. The FTC Act is a federal consumer protection law that prohibits unfair or deceptive commercial practices and has been broadly applied to business practices that affect consumer privacy and data security. Numerous sector-specific federal laws regulate the processing of personal information, most notably:

1. The Gramm-Leach-Bliley Act (“GLBA”) applies to financial institutions.

2. The Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act, regulates the privacy of consumer report information, including credit information.

3. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which applies to health plans, health care clearinghouses, most health care providers, and their business associates, sets out privacy and data security obligations with respect to health information.

4. The Family Educational Rights and Privacy Act protects student education records and student personal information.

5. The Americans with Disabilities Act of 1990 governs an employer’s use of medical and disability information for employment decisions.

6. The Genetic Information Nondiscrimination Act of 2008 regulates the use of genetic information in employment decisions.

7. The Sarbanes-Oxley Act of 2002 regulates the accuracy of financial reporting by public companies, including companies’ assessments of information security risks and incidents in disclosures to investors. Public companies must also establish internal controls and assess and report on the adequacy of these controls.

8. The Telephone Consumer Protection Act and Telemarketing Sales Rule both regulate telemarketing activities.


9. The Controlling the Assault of Non-Solicited Pornography and Marketing Act regulates unsolicited commercial email.

10. The Children’s Online Privacy Protection Act requires that companies implement security standards when collecting the personal information of children under the age of 13 online.

Depending on the states where affected individuals reside, or the target performs business operations or processes personal information, numerous U.S. state laws that implicate privacy and information security issues may also apply to the deal. Notably, California and Massachusetts have both passed laws that require organizations to implement a minimum level of data security safeguards. In addition to applicable legal regimes, a buyer must investigate a target’s compliance with applicable industry standards and participation in self-regulatory regimes. The Payment Card Industry Data Security Standard, for example, imposes comprehensive security standards for payment card data on any organization or merchant that accepts, transmits, or stores any cardholder data. If a target operates or processes data in jurisdictions outside the U.S., the buyer must carry out a more complex due diligence review that accounts for different privacy and data security laws that are often incongruous and dynamic. At the outset, the buyer should identify the countries where the target: (i) conducts business operations; (ii) collects data, including personal information; (iii) makes data, particularly personal information, accessible to third parties; and (iv) further processes, uses, transfers, retains, or disposes of data. Privacy and data security laws of certain jurisdictions, including the European Union (“EU”) and its member states, are much broader in scope and generally more restrictive than U.S. laws. The EU General Data Protection Regulation imposes stringent data protection requirements on the collection and processing of personal data in EU member states and the European Economic Area. Transfers of personal data, including information relating to customers, vendors, and employees, from Europe to affiliates or service providers in the U.S. or other countries that lack adequate protections must either (a) comply with a European-approved transfer mechanism, such as the EU-US Privacy Shield, or (b) qualify for a statutory exception. Even if personal information remains localized within the host country, if others outside the host country have access to that personal information, many countries’ local data protection laws treat this foreign access as a data transfer covered within the scope of those laws.


E. Understanding Target’s Management of Data and IT Assets

Understanding the target’s data and IT asset management practices is key to identifying any information security compliance gaps and security vulnerabilities that may present risk to the buyer and affect the value of the transaction. A buyer should seek complete information concerning the target’s policies and practices in:

1. Privacy and handling of personal information.

2. Information security.

3. Data retention and disposal.

4. Employee use of mobile devices to access or store sensitive data or personal information.

5. Data breach response.

6. Internal controls and governance structure for policy implementation and enforcement.

7. Third-party service provider access to data or IT assets.

Due diligence should always include a request for a target’s internal and public-facing privacy policies, notices, and statements relating to the target’s employees, consumers, customers, clients, and vendors, and any other relevant individuals. A privacy policy is generally an internal statement that controls an organization’s approach to processing personal information in any media. It is directed at potential users of that personal information and instructs employees, for example, on their data processing obligations as well as the particular rights of data subjects, each of which are informed by applicable laws and regulations. A privacy statement or notice is an external or public-facing statement made to affected individuals or data subjects that explains how the organization in question processes personal information, in addition to the rights of the data subject concerning that processing. A target’s lack of documented privacy policies, privacy statements, and other policies governing acceptable employee use of company data signals potential risk for the buyer. A buyer therefore should perform a comprehensive survey of all policies and statements that govern the target’s data privacy practices. Implementing a written information security program (“WISP”) is considered a best practice for organizations handling sensitive data and is increasingly becoming a legal requirement, most notably under (i) the Massachusetts Data Security Regulation and other state laws, and (ii) the GLBA Safeguards Rule. Buyer should consult with subject matter experts to examine the adequacy of each element of a target’s WISP.


F. Data Retention and Disposal

The buyer must assess whether the target’s information security program accounts for the full life cycle of IT assets and data. A target’s lack of sound data retention and disposal policies presents another red flag for a potential buyer. Organizations that retain data longer than necessary inevitably expose themselves to more significant risk in the event of a data breach. Organizations in specific industries may be legally required to abide by specific retention and disposal requirements, such as the Fair and Accurate Credit Transactions Act’s Disposal Rule (16 C.F.R. §§682.1 to 682.5). More than half of the states in the U.S. have their own laws that require organizations to implement certain reasonable measures to render personal information unreadable or indecipherable in connection with destruction and disposal.43 Even if a target is not subject to specific retention requirements by law or contract, the FTC has made clear through publications and enforcement proceedings that companies should have formal data schedules that mandate the disposal of personal information when there is no longer a legitimate business need for it. The FTC has specifically pursued enforcement actions against companies with inadequate policies and procedures in this area. Therefore, a due diligence inquiry should assess a target’s policies and procedures for:

1. Continuous testing, review, monitoring, and updating of the target’s information security controls.

2. Disaster recovery and business continuity, to protect and recover the target’s data and IT assets from unforeseen events, such as catastrophes, acts of nature, and digital outages.

3. Data backups and whether the backups are held in a separate and secure location.

4. Secure and permanent disposal or destruction of data in electronic or paper form.

If the target stores or allows access to sensitive organizational data or personal information about consumers, employees, or other individuals on personal mobile devices that are not owned by the target, such as laptops and smart phones, the buyer should inquire into the target’s Bring Your Own Device (“BYOD”) policies and procedures. A target’s security controls, including the use of encryption, as well as its retention and disposal policies, should all apply to use of BYODs. As such, the buyer should inquire about the use of mobile device management programs and tools used by the target to manage data risks associated with personal devices capable of accessing the target’s systems.

43 See, e.g., KRS § 365.725.


G. Incident Management and Response

With the increasing cost and frequency of data breaches and the growing sophistication of hackers, an enterprise-wide incident management and response plan is crucial for businesses that handle any kind of sensitive data or depend significantly on information systems. A strong incident management and response plan signals that an organization is well-equipped to cope with a security breach. A buyer should inquire into all policies and procedures regarding how the target plans its response to data security incidents. A target that operates in a specific sector, such as the health care or financial industries, or in a specific state may need to have explicit guidelines in place for incident management and response. Each state’s data breach notification laws differ in scope and requirements, including the types of information protected, the circumstances that trigger notification of affected individuals, whether notice to regulators or other entities is required, and enforcement mechanisms. As with each element of a target’s WISP, buyer’s counsel should consult with subject matter experts to examine the adequacy of a target’s incident management and response plan.

H. Assessments and Audits

To gauge a target’s actual privacy and data security practices, a buyer should ask for any:

1. Privacy impact assessments.

2. Information security risk assessments.

3. Internal or third-party privacy compliance audits.

4. Internal or third-party audits relating to IT systems and information security controls.

5. Network diagrams and an outline of the target’s IT infrastructure.

6. Checklists, tools, or other records used to evaluate privacy risks and privacy protection measures.

7. Data classification schemes and flow maps.

A target’s lack of assessments or audits is a red flag that requires further investigation by the buyer. Various data security laws, regulations, and industry standards require companies to conduct privacy and information security risk assessments. Even if not legally required, privacy impact and information security risk assessments have become industry standard best practices. A target’s lack of these assessments may indicate the presence of greater organizational privacy and information security compliance and liability risks and should signal to the buyer that a more painstaking due diligence process is necessary in these areas.

I. Organization History

Part of understanding the target’s management of data and information systems is understanding its history. A buyer should request complete information from the target regarding any:

1. Past, present, or threatened breaches or security incidents, as well as any related notices provided and responses received.

2. Past, pending, or threatened litigation, complaints, regulatory enforcement investigations or actions, notices of inquiry, settlements, consent decrees, and administrative fines or penalties relating to privacy and data security issues.

3. Any of the above issues regarding any companies the target has acquired or any service providers the target uses.

If a buyer is performing due diligence on a reporting company, it should examine all disclosures on file with the Securities and Exchange Commission (“SEC”). The SEC’s 2011 guidance and February 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures, which expands and reinforces the 2011 guidance, confirm that reporting companies are required under federal securities laws to include assessments of information security risks and incidents in certain disclosures to investors, for example, corporate filings on Form 10-K or Form 8-K, if deemed to be material information.

J. Third-Party Service Providers

One of the most common sources of data breaches is mistake or negligence by third-party service providers with access to an organization’s data or IT systems. These may include providers of cloud services, telecommunications services, or outsourcing services for IT or administrative functions. In the U.S., organizations are generally legally responsible for the actions of companies or individuals that process data on their behalf. A target’s privacy and information security obligations, as well as any public-facing claims it makes regarding its privacy and information security practices, apply equally to any third parties that have access to a target’s data and IT assets. Understanding the role that third-party service providers have in the management of the target’s data and IT assets therefore can be one of the most significant components of a due diligence investigation. The overall privacy and information security due diligence framework outlined above should be extended to any of the target’s third-party service providers that can access the target’s IT systems or its sensitive data. A buyer should collect and review the target’s current contracts with those service providers as well as its policies concerning service provider oversight. The buyer’s inquiry should include:

• Identifying the third-party service providers used by the target and assessing each service provider’s reputation, financial stability, and data security history.

• Classifying the type of data that is disclosed to or otherwise accessible by each provider.

• If the data involves personal information, identifying the jurisdiction in which the data originated and the third-party service provider operates.

• Identifying any legal obligations that apply to the third-party service provider’s data processing and confirming the target’s compliance with these obligations.

• Identifying the mechanisms used for transferring data from the target to the third-party service provider, including any potential security vulnerabilities.

In addition to performing due diligence on relevant third-party service providers, the buyer must also evaluate the target’s approach to managing these third parties and the associated risks. Certain state laws as well as sector-specific laws, including HIPAA and the GLBA Safeguards Rule, include service provider oversight obligations. The buyer should confirm that all contracts between the target and its third-party service providers include standard terms addressing:

• Confidentiality. Confidentiality provisions should require the service provider to treat the target’s data as confidential, including any personal information disclosed to the service provider.

• Further Use of Data. The contract should specify the purpose for which the service provider is authorized to process the target’s data and prohibit the service provider from performing data processing activities that are outside the scope of the specified purpose.

• Oversight. The target should have the right to monitor the service provider’s compliance with privacy and information security obligations.

• Information Security. The contract should require the service provider to comply with all relevant information security laws and implement specific minimum security controls.

• Security Breaches. The contract should have specific provisions in place outlining each party’s roles and responsibilities in the event of a data or security breach affecting the target’s or service provider’s IT systems, including steps to detect, contain, analyze, and eradicate the breach. The contract should also require the service provider to immediately notify the target of the details of any security breach or any breach of its contractual obligations concerning information security.

• Subcontractors. If the service provider hires any subcontractors to help it fulfill its obligations under its contract with the target, the contract should require all subcontractors to follow the privacy and data security terms of the service provider’s contract.

• Indemnification and Expense Reimbursement. The contract should provide for indemnification of the target for any failure of the service provider to comply with its information security obligations. The contract should also require the service provider to reimburse the target for any costs it suffers in the event of a data breach or other security incident affecting the service provider.

A target that does not contractually mandate the above controls and protections but nonetheless makes significant use of third-party data processors is at a significant risk of both a security breach and a regulatory compliance violation.

K. Negotiation of Transaction Agreement

Depending on the extent of privacy and information security-related risks identified during due diligence, as well as the relative value of the target’s data and IT assets, the buyer may seek to address these issues in the transaction agreement. At a minimum, the transaction agreement should include representations and warranties from the target concerning:

• The target’s compliance with all of its privacy and information security policies, statements, and representations.

• The target’s compliance with all applicable privacy and information security laws.

• The target’s compliance with all privacy and information security-related contractual obligations.

• Past security breaches suffered by the target.

• Past privacy and information security-related disputes, claims, complaints, investigations, or enforcement actions.

• Whether execution or performance of the agreement will result in any violation of any privacy or information security policy, statement, or representation, or any applicable privacy or information security laws.

If the buyer identifies specific material issues with the target’s privacy and information security practices during due diligence, there are several steps the buyer can take to resolve, mitigate, or allocate the risk, including:


• Pre-closing conditions or covenants for issues that are readily addressable by the target.

• Adjustments to the price of the transaction due to remediation costs.

• A requirement that a portion of the merger consideration be set aside for remediation costs.

• Post-closing indemnification provisions.

• Post-closing monitoring and management.

• A post-closing transition services agreement before integration, particularly if the buyer is acquiring a division of a larger entity.

IV. ADDITIONAL RESOURCES

• FBI Internet Crime Complaint Center, www.ic3.gov

• Ransomware prevention and response guidance for CISOs https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view

• Federal Trade Commission resources on recovering from identity theft for consumers, businesses, and attorneys and advocates assisting victims https://www.consumer.ftc.gov/features/feature-0014-identity-theft

• Kentucky Attorney General’s Office of Consumer Protection http://ag.ky.gov/family/consumerprotection/Pages/default.aspx

• Start With Security, an FTC Guide for Businesses https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business

• U.S. Department of Health and Human Services, Office for Civil Rights, HIPAA Security Rule resource page http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

• Intrusion “Kill Chain” information https://en.wikipedia.org/wiki/Kill_chain

• Kentucky security breach notification statutes

o KRS 365.732: General data breach statute requiring notification to affected persons of computer security breach involving their unencrypted personally identifiable information.


o KRS 61.931-61.934: Public agency data breach statutes addressing personal information security and breach investigation and notice procedures for certain public agencies and nonaffiliated third parties.

• Ransomware and Recent Variants, US-CERT Alert TA16-091A (March 31, 2016) https://www.us-cert.gov/ncas/alerts/TA16-091A
