Although the word Wannacry may feel overused by now, one of the most important things going forward is going to be reviewing legal liability in information security arising out of a ransomware attack. Although incorporating a cyber insurance program into a company’s risk profile can help, clearly outlining the legal risk may feel daunting. These new areas of legal liability in information security continue to evolve meaning that risk management of these risks will continue to evolve.
Legal Liability in Information Security Changes with Technology
The Foundations of Legal Liability in Information Security
Legal liability in information security comes from several places. In the European Union, the EU Data Protection Directive established an overall obligation to protect the personal information of EU residents. In addition, some countries later implemented their own individual requirements.
In the US, the obligation to protect information comes in a more piecemeal manner. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and then the 1999 Gramm-Leach-Bliley Act (GLBA) regulated the healthcare and financial areas respectively. In 2002, the FTC and several state attorneys incorporated Section 5 of the FTC Act to address privacy of non-regulated industries.
The Fair Credit Reporting Act incorporated privacy over consumer reports. The Control the Assault of Non-Solicited Pornography and Marketing Act regulated the the collection and use of emails and telephone numbers. With the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, interception of electronic communications and computer tampering became regulated.
However, the majority of legal liability comes from case law and legal precedent that argue a common law duty to protect information. Bell v. Michigan Council in 2005 determined that the defendant owed a duty by providing safeguards.
This was followed by the US District Court in 2006 arguing in Guin v. Brazos Education that a duty of care may be established statute, such as GLBA. The 2007 case, Wolfe v. MBNA America Bank creates a foreseeable and preventable standard.
2011’s Experi-Metal, Inc. v. Comerica Bank the court argued that having strong cybersecurity safeguards and security procedures was not enough to protect the financial institution from liability, thus incorporating the Uniform Commercial Code’s definition of “good faith.” As Roland Trope noted a 2012 issue of The Business Lawyer,
Comerica Bank therefore appears to offer as a lesson to financial institutions and their counsel that cyber-security policies and procedures need to focus not only on averting and mitigating the damage that could be done to the enterprise from a cyber-attack but also on early detection, quick intervention, and complete interdiction of cyber-fraud or other cyber exploits that have as their ultimate target and result the property of their customers. Comerica Bank suggests that it would be prudent for financial institutions and other enterprises that provide their customers online financial or commercial services to review their cyber-security precautions and consider enhancing them to improve the chances that the precautions could meet the standard set in Comerica Bank. Other federal courts may find Comerica Bank’s reasoning instructive if faced with cases that present similarly slow detection and slow and initially ineffectual responses to cyber-frauds that threaten to cause their customers significant financial damage.
In other words, as the law has evolved, companies not only have a legal obligation to protect information, but they have a legal responsibility to respond quickly.
Hacking and Legal Liability in Information Security
With all of the hubbub around the Wannacry ransomware attack in early May, most people may assume that the main liability arises out of Microsoft’s flaws that created the opening to be exploited. The legal liabilities reach further than just the exploited company.
The problem with trying to protect your organization from legal liability lies in the constantly moving target that is the judicial standard. For example, in January of 2017, the Superior Court of Pennsylvania answered questions about whether an employer has a legal duty to act reasonably to protect employee information, can a tort claim for negligence be maintained and a duty recognized by common law, and is there an implied agreement for an employer to safeguard systems to protect employee information.
Although in this instance, the court found that no duty existed, the concurrence is important to note. While a concurrence means nothing in establishing precedent, Justice Stabile stated,
I join the Majority’s opinion today, but write merely to express my view that in this constantly developing area of law and technology we must proceed to establish precedent slowly and with caution. Today’s decision should stand for no more than the conclusion that a legal duty was not found to exist under the facts as pled in this case.
Of note here is that the court held that the company had no duty to its employees. The law is always slower to react than reality. Important to note in the Pennsylvania case is the court not wanting to set this as a clear legal precedent.
With little regulation guiding information security, precedent weighs more heavily. One of the problems in information security will likely be that the old adage, “bad facts make bad law” will hold true.
Compliance and Legal Liability in Information Security
The death knell to most companies is losing a large, public, class action lawsuit. Protecting the organization from these kinds of lawsuits means thinking strategically about the compliance posture. Simon Isgar and Bernadette Pinto of Kennedys Law note in their article that aside from purchasing cyberinsurance companies have increased their,
investment in cyber security technology, the introduction of employee training and awareness programmes and different governance functions within an organisation, better processes related to cyber detection, including detailed scenario planning, board level reporting and management of cyber risks as part of business continuity and compliance requirements. Companies that have understood and adapted their mitigation processes to be more holistic are more successful in protecting and dealing with cyber security and data breaches.
Compliance may be peer driven in many ways. However, those pressures provide a set of “best practices” that can help mitigate the legal liability in information security lawsuits. While compliance is not a get out of jail, literally, free card, it does provide a set of protocols that lead to both detection and prompt response.
Compliance plays several roles when protecting your organization. The ability to prove due diligence in keeping the information safe is only one. In a court of law, a company may need to prove that its protocols smoothly allowed for the detection and remediation of a breach.
This is where an automated platform can help most. Showing how well coordinated the responses are and how well documented the protocols are may help prove a lack of negligence. Being able to rapidly provide clear information showing how well your company protected itself, and its customers, can help keep the organization safe in the event of a law suit.
How To Protect Legal Documentation in the Event of Breach
When thinking about documentation required during a lawsuit, the information is not always just the processes and procedures. Once a major breach occurs, the first thought may be hiring a forensic team to research the cause.
However, the way in which that forensic team is hired needs to be thoughtful. In order to protect information that may be discoverable later, the company needs to keep in mind how its post breach actions can impact a class action lawsuit. This also means that despite having a platform where all the information is stored, it may be important to segregate the forensic documentation to protect privilege.
Al Saikali of Shook, Hardy & Bacon, LLC makes several suggestions for his article in Data Security Law Journal based on recent holdings. Saikali notes that a forensic firm should be hired by outside counsel as opposed the the incident response team or the information security department.
Any work that a forensic firm does prior to the involvement of outside counsel is not protected. By starting the process of data collection under the umbrella of outside counsel, the information more clearly falls under attorney-client privilege. In addition, as with anything else, document, document, document. Think about the importance of privilege at all steps in your post-breach activities. Saikali suggests the following
- ensuring that the engagement letter between the breached entity and outside counsel envisions that outside counsel may need to retain a forensic firm to help counsel provide legal advice;
- the MSA and/or SOW between outside counsel and the forensic firm makes clear that the forensic firm is being hired for the purpose of helping counsel provide legal advice to the client;
- limit the scope of the forensic firm’s work to those issues relevant to and necessary for counsel to render legal advice;
- ensure that the forensic firm communicates directly (and only) with counsel in a secure and confidential manner;
- not sharing the forensic firm’s full report with anyone other than in house counsel; and
- incorporate the forensic firm’s report into a written legal memorandum to demonstrate how the forensic firm’s findings were used to help counsel provide legal advice to the client.
Protecting your organization from legal liability in information security means protecting your documentation. While it may feel counterintuitive to have someone disconnected from the information technology department or incident response team hiring the forensic expert, the first call after the breach should be outside counsel to protect any continued information.
To read more about how ZenGRC can help you organize your data , read our eBook “Compliance Management Best Practices: When Will Excel Crust You?”collection