WilmerHale partner Jason Chipman advises companies on complex regulatory matters associated with data security, cyber incident response, the Committee on Foreign Investment in the United States (CFIUS) and related export controls.
He has assisted companies in nearly every sector of the economy on data security best practices and incident response, and because of his experience he is frequently asked to assist with corporate due diligence for transactions involving complex data security and privacy issues. Mr Chipman currently serves as a non-resident fellow at the National Security Institute.
WilmerHale partner Benjamin Powell has advised companies on major cybersecurity incidents and incident preparedness across virtually every sector of the economy, including the banking, investment management, software, retail, energy, defence and intelligence, media and entertainment, pharmaceutical, cloud services, government contracting, aerospace, information technology, manufacturing and travel sectors. He is recognised as a leading attorney in handling complex regulatory matters relating to international investment and mergers, including matters involving the Committee on Foreign Investment in the United States and the Defense Security Service.
WilmerHale senior associate Leah Schloss advises clients on cybersecurity, government contracts and export control investigative, regulatory and compliance issues. Leah has extensive experience coordinating data breach investigations for clients, particularly in the retail, professional services, government contracts and technology industries.
She also counsels clients ranging from financial services companies to clients in the healthcare, government contracts and defence sectors on cybersecurity legislative, compliance and governance matters.
GTDT: What are the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?
Jason Chipman, Benjamin Powell and Leah Schloss: Although many economic sectors in the United States have little or no cybersecurity standards, there is a growing trend toward more proscriptive requirements in economic sectors perceived as playing a critical role in the US economy or for US security.
For companies handling consumer data, the Federal Trade Commission (FTC), the main federal consumer protection agency responsible for enforcing the prohibition on ‘unfair and deceptive acts or practices,’ frequently enforces minimum security requirements with respect to entities collecting, maintaining or storing personal information. The scope of the FTC’s authority, however, has recently been called into question. On 6 June 2018, the Court of Appeals for the Eleventh Circuit vacated a cease-and-desist order against LabMD, Inc, rejecting the FTC’s typical ‘reasonableness’ standard. While the case left the door open for the FTC to continue bringing data security enforcement actions under its authority to enforce the ban on ‘unfair’ practices, the FTC may have to more precisely define the practices it alleges are unfair and their connection to consumer injury.
Over time, we anticipate pressure will continue to grow to establish more uniform and clear cybersecurity standards, but a consensus on how to craft such standards is likely to remain elusive. Federal agencies in the United States are likely to continue efforts to craft more aggressive cybersecurity regulatory requirements applicable to particular economic sectors, or impose general requirements on companies responding to breaches. For example, on 21 February 2018, the Securities and Exchange Commission (SEC) approved an interpretive release updating guidance on public company disclosure and other obligations concerning cybersecurity matters. While much of the Guidance reiterates and expands upon 2011 SEC staff guidance, the new Guidance further illustrates potential disclosures that companies should consider, stresses the importance of cybersecurity policies and procedures, and discusses the application of disclosure controls and procedures, insider trading prohibitions and selective disclosure prohibitions in the wake of a data breach.
GTDT: When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?
JC, BP & LS: The US does not have a uniform data breach notification law. Rather, all 50 US states, as well as DC, and a number of territories, have individual data breach notification laws. At the federal level, sector-specific laws for government contractors, certain financial institutions and certain businesses handling health records also impose special breach notification rules. In general, data breach laws mandate notification to regulators and consumers when specific categories of sensitive personally identifying information are compromised through a cyber intrusion, inadvertent disclosure or other loss of data. For example, in many jurisdictions, the unauthorised acquisition of, or access to, data that includes a name combined with a Social Security Number, financial account number, driver’s licence number, health record or passport number would be likely to trigger a mandatory breach notification obligation to the consumer and may also trigger regulator notification obligations. States are continuing to expand their definitions of covered information, with username or email address in combination with a password or security questions and answers becoming increasingly subject to breach notification requirements.
GTDT: What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?
JC, BP & LS: Data security incidents, particularly cyber intrusions, may trigger several different significant challenges. For companies handling substantial amounts of sensitive personal information, such incidents may trigger:
- communications challenges for companies that want to provide consumers or other customers with reassurance while also investigating the scope of a particular incident;
- remediation challenges in taking steps to further safeguard sensitive data to both stop a cyber intrusion and to help bolster existing security; and
- investigative challenges to determine the scope of the intrusion, what data was taken and whether the attacker has been removed from the company networks.
Managing these sorts of challenges, often while also coordinating with law enforcement authorities or other regulators, requires all components of a business to work together. Such incidents are not just the province of the information technology team. They are, rather, problems that require senior attention to manage and address.
GTDT: What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?
JC, BP & LS: Incident response requires an immediate, coordinated effort to gather the facts through forensic analysis and to execute an incident response plan that enables the company to address multiple work streams simultaneously in a coordinated fashion. The response generally prioritises remediation, reputational harm, communication with all the relevant constituencies (including, critically, customers) and preparing for the range of potential regulatory inquiries and litigation that may follow.
Companies can take several steps to best prepare for improving their ability to respond to such issues, such as:
- benchmarking against industry best practices, reviewing existing incident response plans and proposing changes;
- developing and participating in tabletop exercises to help those with implementation responsibilities understand how the incident response plan would work in practice;
- engaging third-party firms in advance, through counsel, to ensure that the right resources are available to address critical issues in a time sensitive manner and under attorney–client privilege;
- reviewing incident response plans on an annual basis to determine if revisions are warranted. Plans should also be reviewed after any serious incident to incorporate lessons learned from the company’s response to that incident; and
- providing regular updates on, and analysis of, legal and regulatory developments that would influence response plans and practices.
GTDT: Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud-hosting environment?
JC, BP & LS: Cloud services trigger a variety of risks that should be carefully balanced as part of the decision to outsource data storage or other information technology functionality. Although cloud computing is somewhat new for many organisations, the risks associated with it are similar to other types of IT outsourcing. Those risks include:
- Third-party access to data – When company information is outsourced for storage or other processing by third parties, that information may no longer be solely within the control of the information owner. The cloud provider may be compelled to release it to third parties in litigation or to government agencies inside or outside the United States. Moreover, absent appropriate prohibitions in the parties’ agreement, a cloud provider may be entitled to share customer data (or data derived from customer data) with third parties for the cloud provider’s own business purposes.
- Data security – Evaluating the security of data in a cloud environment and ensuring the use of appropriate safeguards can be very challenging. Many cloud providers will not provide full visibility into their own network security posture.
- Location of data – Data entrusted to a third party may be stored or otherwise processed in a jurisdiction that gives rise to unique legal or regulatory concerns. Moreover, some cloud providers do not provide transparency or assurances concerning where the data will be located.
- Privacy and consumer notice – Processing of consumer data by a third-party cloud provider may necessitate special notices to consumers or employees, and it may trigger a number of privacy and data protection obligations with respect to how their data will be handled, retained and distributed.
- Business continuity/provider lock-in – Cloud providers and sub-processors may go out of business or otherwise experience a disaster or other incident that results in the loss, corruption or temporary inaccessibility of their customers’ data. Further, it may be difficult to extricate data from a Software as a Service (SaaS) solution at the end of the parties’ engagement, at least in a format that does not require substantial processing before the data can be ingested into a competitor’s SaaS product.
There is a wide range of different regulatory regimes that impact cloud outsourcing. Some regulations that are agnostic about whether data is outsourced in a cloud environment or remains within a company’s firewall impose general obligations that have the effect of imposing rules that data owners must satisfy in a cloud scenario (such as National Institute of Standards and Technology requirements to track and specially secure sensitive data). And other regulations are cloud-specific, such as ISO 27017, an independent security standard that provides guidance on the information security aspects of cloud computing and is often used by organisations to judge their ability to manage data in a cloud environment. Certain sectors, particularly the financial services and government contracting sectors, are subject to more stringent requirements on their use of cloud services to host consumer or government data.
GTDT: How are governments in your jurisdiction addressing serious cybersecurity threats and criminal activity?
JC, BP & LS: Cybersecurity is increasingly a substantial focus of federal and state law enforcement efforts in the United States. The Federal Bureau of Investigation has grown its cyber capabilities substantially over the past several years and the US Congress is increasingly focused on resources needed to combat cyber espionage, cyber crime and other forms of improper cyber activity. In February 2018, the Department of Justice (DOJ) established a Cyber-Digital Task Force to assess how the DOJ is responding to global cyber threats and how federal law enforcement can more effectively accomplish its cyber mission.
Specific laws that address criminal activity in the cyber context include the Computer Fraud and Abuse Act, which outlaws intrusions into or interference with the security of a government computer network or other computers connected to the internet. In addition, several federal surveillance laws prohibit unauthorised eavesdropping on electronic communications, which can limit a variety of cybersecurity activities. For example, the Electronic Communications and Privacy Act prohibits unauthorised electronic eavesdropping. The Wiretap Act prevents the intentional interception, use or disclosure of wire, oral or electronic communication, unless an exception applies. The Stored Communications Act precludes intentionally accessing, without authorisation, a facility through which an electronic communication service is provided and thereby obtaining, altering or preventing authorised access to a wire or electronic communication while it is in electronic storage.
GTDT: When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?
JC, BP & LS: Cybersecurity and privacy are increasingly significant topics for M&A due diligence because of potential regulatory or litigation exposure that a company may acquire through an acquisition. Acquirers often seek special assistance today to evaluate the scope of exposure by examining the nature of the target business; the type of data it collects, maintains and shares about customers or third parties; the regulatory environment in which it operates; and the types of controls the company has in place to protect its systems, limit data sharing to permissible means and otherwise ensure compliance with regulatory requirements.
The Inside Track
When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?
Legal advice around cybersecurity issues requires counsel that is experienced at addressing and managing the wide range of issues that cybersecurity incidents and related preparation activities may trigger.
What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?
Cybersecurity is an evolving and changing field that requires lawyers to provide a mix of legal, policy and business guidance to clients navigating new and often challenging issues. An increasingly large number of federal and state regulatory agencies, categories of litigation plaintiffs and business partners are interested in understanding how companies are protecting their data, resulting in an increasingly complex web of risks.
How is the privacy landscape changing in your jurisdiction?
Privacy is becoming a critical part of contracting arrangements between parties, with greater focus on compliance with state, national and international laws. Greater regulation of the handling, securing and transfer of data is resulting in an increasing focus by companies on privacy issues, particularly on specifying the obligations that must be met in the handling of data between parties. On 28 June 2018, California enacted the California Consumer Privacy Act of 2018 (CCPA), a sweeping privacy law that provides consumers with broad notice, access and deletion rights concerning many types of personal information and permits consumers to opt out of the sale of their personal information. The law, which takes effect on 1 January 2020, may prompt similar laws in other states.
What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?
Understanding of cyber threats is generally increasing in the United States. High-profile incidents involving espionage and criminal actors receive frequent public attention. But companies need to be constantly on guard for the latest threats. In the recent past, incidents involving tax fraud were on the rise, and today ransom and extortion demands associated with cyber intrusions are becoming more common.
Jason Chipman, Benjamin Powell and Leah Schloss