Data Security And Data Breaches: What's A Lawyer To Do?
How can lawyers help their clients protect their data, and how can lawyers help in the event of a breach?
Another day, another data breach. Major data breaches at major corporations show up in the headlines on what seems like a constant basis. What can lawyers do, both to protect their clients from breaches and to respond to breaches once they occur?
At last week’s Global Privacy Summit, hosted by the International Association of Privacy Professionals (IAPP), I attended two panels relevant to this subject:
I’m A Lawyer; How Can I Advise On Data Security Issues?
- Kirk Nahra, CIPP/US, Partner, Wiley Rein
- Holly Brady, CIPM, CIPT, Senior Counsel, Governance, Compliance and Employment, Altria Client Services
- Tanya Forsheit, CIPP/US, CIPT, Partner, Chair, Privacy and Data Security Group, Frankfurt Kurnit Klein & Selz
Incident Response 3.0: Managing New (Individual) Legal Liability Issues
- Jason Smolanoff, Senior Managing Director, Global Practice Leader Cybersecurity and Investigation, Kroll
- Aravind Swaminathan, Partner, Orrick
Data security is more important than ever, as reflected in how it’s a legal requirement across industries. But it’s a very challenging issue for lawyers, as Kirk Nahra of Wiley Rein explained. Information security issues require a different mix of skills and knowledge compared to typical lawyerly work, and they also require lawyers to depend on the individuals who have the detailed technical knowledge that lawyers lack.
A law like HIPAA or the Gramm-Leach-Bliley Act might require a company to take “reasonable” or “appropriate” measures to protect data security. How can a lawyer, who is not a technologist or computer programmer or other IT professional, advise clients as to whether they’re in compliance?
Reliance on IT and cybersecurity professionals is essential, according to Holly Brady of Altria. Lawyers need to build relationships with these professionals and explain complex legal issues to them. Strong interpersonal and communication skills are essential, especially since some IT professionals might not be thrilled about lawyers getting involved in their work.
Another complication, identified by Tanya Forsheit of Frankfurt Kurnit, is the existence of multiple sources of law and multiple regulators in this space. These include, but aren’t limited to, state data security laws and the FTC’s Section 5 authority. New regulators enter the space all the time, as do new lawsuits seeking to hold companies liable for data breaches (e.g., recent shareholder litigation involving companies like Yahoo! and Home Depot).
In this challenging climate, what’s a lawyer to do? The panel offered these recommendations:
1. Educate yourself about technology.
The lawyer’s duty of competence includes a duty to be competent not only in the law and its practice but also in technology, as a growing number of states have made explicit in their ethics rules. This is especially true, of course, for lawyers who work on issues relating to information security and data breaches.
Lawyers need to know enough about technology to ask the right questions of IT professionals and to oversee their work. Lawyers also need to understand enough of the terminology in this area so they can effectively communicate with IT professionals. (Familiarize yourself with the five core functions of the NIST Cybersecurity Framework if you don’t know them already.)
2. At the same time, accept what you don’t know.
You will never know as much about the technology as you might like, or be as comfortable with data security issues as with other aspects of your job. Just accept this and figure out how to make it work for you. You can still be an excellent lawyer in this area, as long as you can ask the right questions and communicate effectively.
3. Physician, heal thyself: make sure your own firm’s cybersecurity is strong.
Law firms have been victims of hacking — and clients are paying more and more attention to how well their outside attorneys protect their data. So make sure that your own firm’s security protocols are robust.
Let’s say that, despite your and your client’s best efforts, a data breach occurs. What then?
For starters, lawyers who have been practicing in the data-breach space for a while can’t just take the same old approach. Aravind Swaminathan of Orrick explained how incident response has changed over time.
Incident Response 1.0 was fairly straightforward, an exercise in sending out letters notifying affected parties of the data breach. Incident Response 2.0 was more robust, including forensic investigation into how the breach occurred and how future breaches can be prevented.
The phase we are in today, Incident Response 3.0, is far more complex and comprehensive. It includes not just breach notification and forensic investigation, but also brand and reputational management, navigation of regulatory concerns, and protection of privilege. There’s also a much greater focus on the part of regulators on individuals and their culpability — which is one way to get directors and officers very interested in issues of cybersecurity.
Jason Smolanoff of Kroll identified three main components to an incident response:
1. Investigation. This could last for anywhere from a week to two months.
2. Remediation. This includes a tactical aspect, which happens very quickly — deny the attacker further access to the network — and a strategic aspect, which involves repairing shortcomings in how your network was structured. The strategic aspect can take quite some time, since structural problems in a network can’t be fixed overnight.
3. Disclosures. These might be to clients, employees, or regulators, and they must be carefully structured to protect the corporate brand and the attorney-client privilege.
“You’re doing things you’ve always done,” Swaminathan explained, “but one thing that’s very different today is the storytelling aspect. What is the narrative we want to tell the public, the regulators, and others after the incident?”
Another factor that makes dealing with data breaches more complicated than ever has to do with technology. According to Swaminathan, it’s increasingly common to see hackers having “keys to the kingdom” — i.e., the right to access pretty much everything on a network. Responding to such an attack is especially difficult because of a lack of forensic evidence.
“The bad guys look like your people because they have the same access,” he said. “How can you determine what systems were accessed and what data was accessed when you don’t have all the forensic evidence?”
This is where forensic experts come in. As Jason Smolanoff explained, when Kroll gets called into an investigation, it focuses on the attackers’ “TTPs”: tactics, techniques and procedures. Through studying these TTPs, investigators can identify behaviors specific to the attacker, allowing them to deny the attacker further access to the network and to review what the attacker might have taken or damaged in terms of data.
Any response to a breach must also be designed with regulators in mind. Regulators in this area are more sophisticated than ever, so companies need breach response strategies and information security programs that are defensible. The crucial issue today is how quickly a company can detect an incident — because incidents are inevitable in this day and age — and how quickly a company can respond. The general standard here is reasonableness; a company cannot prevent all threats or reduce risk to zero, but it must take reasonable efforts to protect against breaches.
And what about the issue of individual liability for directors or officers related to a data breach? There are a number of possible theories.
There could be possible securities fraud, such as insider trading before public disclosure of a breach, or material misrepresentations in a securities filing about a breach (including failure to disclose a breach if material). There could be wire fraud, if the data breach affects users of a company’s telecommunications or IT service. Individual employees, directors or officers are also sometimes named in consumer class actions arising out of data breaches. There’s no end to creative theories imposing criminal or civil liability on individuals related to data breaches.
“All you need is an AUSA [assistant U.S. attorney] who says here’s my theory and here’s the case I’m going to make my name on,” said Swaminathan, a former federal prosecutor himself. “And in three years I’m going to leave and become a law firm partner.”
Notifying affected individuals of a data breach could even give rise to problems under Reg FD, which requires publicly traded companies to disclose material information to all investors at the same time. Say there’s a data breach that affects only a certain number of customers or employees. The company has an obligation to notify the affected individuals — but if the breach is material, then it might also have an obligation to make a public disclosure, through a press release or Form 8-K filing.
Not every incident is material and therefore reportable. But when an incident does rise to the level of materiality, then it must be disclosed — because the consequences of a failure to report are more grave than ever.
David Lat is editor at large and founding editor of Above the Law, as well as the author of Supreme Ambitions: A Novel. He previously worked as a federal prosecutor in Newark, New Jersey; a litigation associate at Wachtell, Lipton, Rosen & Katz; and a law clerk to Judge Diarmuid F. O’Scannlain of the U.S. Court of Appeals for the Ninth Circuit. You can connect with David on Twitter (@DavidLat), LinkedIn, and Facebook, and you can reach him by email at [email protected].