Leading up to DLA Piper's Global Technology Summit on October 9 – 10, 2018, Jim Halpert, Global Co-Chair of DLA Piper's Data Protection, Privacy and Security group, and Brett Ingerman, Global Co-Chairman of DLA Piper's Compliance and Governance group, spoke about best practices for a comprehensive, collaborative and fast cyberattack response.

Against the backdrop of increasingly sophisticated security breaches and emerging regulations such as the GDPR and the California Consumer Privacy Act (CCPA), Halpert and Ingerman share their thoughts on how organizations can protect themselves and their partners from liability and threat.

At the highest level, when a business experiences a cyberattack, what steps need to occur?

First and foremost, we would hope that businesses already have an incident response plan in place that has been developed with the specific needs and concerns of the organization in mind. The first 48 hours after a breach are the most critical, so the plan should lay out the immediate next steps that address those needs and concerns. At a high level, you need to identify and contain the threat, establish a response plan if you haven't already and identify a core incident response team.

You also need to determine the significance and degree of risk that results from the cyberattack for external stakeholders. If it's client data that's affected, you need to know what you're obligated by contract to tell your clients or customers.

Who are the actors inside a business who need to take part in incident response?

Internally, before an incident takes place, the response team needs to meet on an ongoing basis and engage with other key stakeholders – IT, legal, a risk officer, internal communications and even the COO if the incident is serious. The team needs to cut across the organization, report to senior leadership and keep employees and internal stakeholders notified of what is happening.

Once an incident occurs, all these actors need to mobilize. If the business has cyber insurance, it will also need to contact the carrier to claim insurance, which is important to do quickly.

It's crucial to mobilize on this in the first 48 hours. An organization does not want different people going off in different directions, resulting in confusion and chaos. By having an incident response plan prepared and practiced beforehand, it is much less likely mistakes and splintering will occur following a cybersecurity incident.

How should external legal counsel and partners be engaged?

You typically need to engage three functions – legal, public relations and computer forensics.

One of your first steps will be to get internal stakeholders together and determine if you want to assert attorney/client privilege if the breach might pose legal risk to the company. If it does, the organization should be engaging outside legal counsel to conduct an official investigation into the breach, even though IT will be doing much of the work.

A third-party computer forensics firm might be necessary to contain the incident and report on its findings. You do not want to investigate a potentially dangerous breach yourself because of your own team's potential bias. Having a respected third-party forensics firm validate conclusions about the scope of the breach is important.

Finally, depending on the severity of the breach, hiring a crisis communications firm that understands cyber breaches might be necessary. It is very important to be monitoring the news about the breach as well as public sentiment online, so that the company has time to respond and formulate public messages about the incident.

How will the CCPA class action provision change things?

This summer, California passed the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020 and creates large statutory damage risk – a minimum of $100 and maximum of $750 per affected individual – for data breaches in which the business did not have reasonable security, encryption or redaction of personal data.

Litigating whether you have reasonable security is incredibly expensive. Even nuisance lawsuits can lead to millions of dollars in costs. This places a real premium on enhancing security, encrypting data and redacting personal information used by third-party services. Companies need to make sure they are protected and have the ability to file a cross-claim against a third party that may have been negligent in the event of a breach. All of this also makes having cyber insurance even more important.

This will likely drive a lot of settlements in California class action lawsuits because the amount of damages a company could incur would be huge.

Finally, how effective is our existing legal system of dealing with modern-day cyberattacks on businesses?

Not very. If an organization has reasonable cybersecurity measures in place, the cost to take those into civil litigation is extremely high, due to the passage of laws like the CCPA. We do not think this is an effective way to enhance cybersecurity.

The more effective route is through regulation and legislation, as opposed to litigation. One option is – for example – for California to incentivize businesses to enhance their security in encryption by undergoing regular comprehensive assessments. If a business discovers weaknesses in light of the assessment findings and works to address them, it ought to be able to dismiss future class-action claims. Currently, in the legal system, we do not have laws proactively incentivizing this. It is important that we see the law evolve to drive people toward good cyber hygiene instead of scrambling retroactively to address flaws.