CISOs play a starring role in lawsuits that arise in the wake of data breaches. Though not new, these suits have become more financially significant as the scale of cybersecurity incidents has grown. It’s one thing to have a few records stolen by a lone-wolf hacker. It’s quite another to see tens of millions of customer credit card numbers exposed by a multinational criminal organization. People get scared in these situations. They sue. If you’re a CISO, you stand on the front line of the legal defense. This article explores the background of this issue and suggests some ways to prepare for testifying in court.
Litigation arising from cyberattacks can vary widely, but most suits are based on the legal concept of negligence. If data is breached, the plaintiff’s cause of action flows from the allegation that the corporation was negligent in its care of the plaintiff’s information. Negligence is defined by the Legal Dictionary as “Conduct that falls below the standards of behavior established by law for the protection of others against unreasonable risk of harm. A person has acted negligently if he or she has departed from the conduct expected of a reasonably prudent person acting under similar circumstances.”
Now, I’m not a lawyer, and chances are neither are you, but can you see the problem here? What does it mean to be “reasonably prudent”? Reasonable people might disagree. In cybersecurity cases, the cutting-edge technical issues obscure the fact that negligence is one of the oldest legal theories in the history of humanity.
A negligence lawsuit involving cybersecurity is really a mashup of the latest technology and legal theory. Your company was trusted with valuable information. Someone stole it. You didn’t protect it well enough. You’re liable… or at least someone may try to make that claim. One thing is for sure. It’s definitely happening today.
The law evolves constantly. However, according to a very informative article on the issue in the Florida Bar Journal, cybersecurity lawsuits come in four basic varieties: shareholder derivative suits to recover for losses in stock value; securities fraud cases; class action suits by customers or business partners; and government enforcement actions.
Recently, the board of directors of a very large retailer faced a plaintiff’s assertion that it had breached its fiduciary duties and wasted corporate assets by not preventing the company’s massive data breach. In another notable case, a company had to deal with a shareholder lawsuit filed after its stock dropped 80% in the wake of a data breach. The shareholder suit alleged that this particular company had overstated its cybersecurity preparedness. As security breaches happen more frequently, litigation resulting from them is on the rise. Don’t think this sort of thing won’t happen to your company.
The CISO’s Role in Defending Against Cybersecurity Litigation
Being involved in major corporate litigation may not be something you’ve had to deal with in the past. It’s stressful and demanding on your time, at a moment when you probably have a lot of other priorities competing for your attention. But it’s quite important. The C-suite and the Board are counting on you. Your job is to establish that the corporation met its obligation of due care, that it acted as “a reasonably prudent person acting under similar circumstances.”
You have to be clear about how your department has undertaken its responsibilities to protect the plaintiff’s data. The reality here is that your testimony is only going to be as effective as the work you have previously done on cybersecurity. If you’ve been thorough, your defense may not be that difficult. If you haven’t done the work, your legal defense will be more complicated.
The Secret to Preparing for Cybersecurity Litigation
As the old saying suggests, it doesn’t do any good to close the barn door after the horses have run off. The quality of your cybersecurity litigation defense is going to depend on the quality of your cybersecurity program before the attack. To do well in litigation, you’re going to want to be able to document your cybersecurity program. This means being able to show a written cybersecurity plan that has been approved by the C-suite and Board of Directors.
Getting an approved cybersecurity plan in place takes time. If you don’t have one, start now. The recommended practice is to engage with senior leadership in a cybersecurity meeting or “summit” where you can work on aligning your cybersecurity objectives with corporate strategies. The summit is also a chance to tune up security policies so they align with the company’s overall risk management policies.
The particulars of your plan will depend on your industry and your preference of framework. One solid approach is to use the NIST Cybersecurity Framework as your foundation. Because the NIST framework is broadly accepted, building on it helps you demonstrate that you met the “reasonably prudent” standard used in negligence litigation. Of course, you have to execute on the framework. That involves processes like identifying the assets you are obligated to protect. It will also require some deep thinking and reflection on your computing ecosystem. You need to focus on such things as where and how your data is stored and protected. You have to really know your network and the threats to your ecosystem. You have to document that you are prepared to respond to and recover from a breach.
For example, I encourage you to assess what your real network looks like, not what the official network topology diagram might suggest. If you have had mergers and acquisitions, for instance, the actual layout and vulnerabilities of your network may not be readily apparent. But they are there, and the plaintiff’s counsel may question you about them. You also need documented controls and a sound incident response plan that has been rehearsed. A SAS 70 audit (since superseded by SOC 1 and SOC 2 reports) is a good start, but it pays to go further. When asked about your incident response plan, you’ll be able to say, “We implemented standard industry guidance and we went a step further.”
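One concrete way to find the gap between the official diagram and the real network is to reconcile the documented asset inventory against what a discovery scan actually observes. The script below is an added example, not code from the original article; the inventory, the observed hosts and the 10.50.0.0/16 “acquired” range are constructed sample data standing in for a CMDB export and a scan result.

```python
"""Reconcile a documented asset inventory against hosts actually observed on the network.

Added example, not part of the original article. All data below is constructed:
in practice the inventory comes from a CMDB export and the observed hosts from a
discovery scan (e.g. an nmap ping/port sweep exported to a parseable format).
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: what the official inventory / topology diagram says exists.
DOCUMENTED_INVENTORY = [
    {"host": "web-01", "ip": "10.1.0.10", "owner": "ecommerce", "data_class": "cardholder"},
    {"host": "db-01", "ip": "10.1.0.20", "owner": "ecommerce", "data_class": "cardholder"},
    {"host": "jump-01", "ip": "10.9.0.5", "owner": "it-ops", "data_class": "none"},
]

# Constructed sample: network ranges that appear on the official diagram.
DOCUMENTED_RANGES = [ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.9.0.0/24")]

# Constructed sample: what a discovery scan actually saw. The 10.50.0.0/16 hosts are
# assumed to have come in through an acquisition and were never added to the diagram.
OBSERVED_HOSTS = [
    {"ip": "10.1.0.10", "open_ports": [443]},
    {"ip": "10.1.0.20", "open_ports": [3306]},
    {"ip": "10.50.0.7", "open_ports": [22, 445, 1433]},
    {"ip": "10.50.0.9", "open_ports": [80]},
]

# Ports commonly fronting data stores; an undocumented host with one of these open is
# the kind of asset plaintiff's counsel will ask why nobody knew about. (Assumed list.)
DATA_STORE_PORTS = {1433, 1521, 3306, 5432, 27017}


@dataclass
class ReconciliationReport:
    undocumented: list  # observed on the network but absent from the inventory
    unobserved: list    # in the inventory but not seen (stale entry, or powered off)
    out_of_range: list  # observed IPs that fall outside every documented network range


def _by_address(ips):
    """Sort dotted-quad strings numerically rather than lexicographically."""
    return sorted(ips, key=ipaddress.ip_address)


def reconcile(inventory, observed, ranges):
    """Compare documented inventory with observed hosts and return the three gap lists."""
    documented_ips = {entry["ip"] for entry in inventory}
    observed_ips = {host["ip"] for host in observed}

    undocumented = _by_address(observed_ips - documented_ips)
    unobserved = _by_address(documented_ips - observed_ips)
    out_of_range = _by_address(
        ip for ip in observed_ips
        if not any(ipaddress.ip_address(ip) in net for net in ranges)
    )
    return ReconciliationReport(undocumented, unobserved, out_of_range)


def high_priority(report, observed):
    """Undocumented hosts that also expose a data-store port: investigate these first."""
    ports_by_ip = {host["ip"]: set(host["open_ports"]) for host in observed}
    return [ip for ip in report.undocumented if DATA_STORE_PORTS & ports_by_ip[ip]]


if __name__ == "__main__":
    rep = reconcile(DOCUMENTED_INVENTORY, OBSERVED_HOSTS, DOCUMENTED_RANGES)
    print("Observed but undocumented:", rep.undocumented)
    print("Documented but not observed:", rep.unobserved)
    print("Observed outside documented ranges:", rep.out_of_range)
    print("Undocumented hosts exposing a data-store port:", high_priority(rep, OBSERVED_HOSTS))
```

Run it periodically and keep the dated reports: a series of reconciliations that shows undocumented hosts being found and brought under the program is exactly the kind of evidence of due care the earlier sections describe, whereas a single diagram that disagrees with the scan is the opposite.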
Legislative and Judicial Trends
The cybersecurity legal liability environment is far from static. Expect changes, and try to get out ahead of them. A number of laws now in the legislative process will have an impact on cybersecurity litigation. According to Wired, Congress is working on a new version of the Personal Data Protection and Breach Accountability Act, which failed to pass in 2014. Some version of the law will likely come into existence soon. It will provide clearer guidelines on corporate accountability, duties to protect, notifications and so forth. At the same time, the lawsuits currently going through the courts may result in new legal precedents that will affect everyone involved in cybersecurity litigation. So, be aware of what’s in the legislatures and the courts. It’s now part of your job.
Conclusion: This Day Will Come
Being part of the legal defense team for your company may not be high on your list of fun work experiences, but it is very much now part of a CISO’s role. For most CISOs, breaches and the eventual lawsuits should be expected and planned for in advance. My guidance is, “You know this day will come. When it comes, be ready.”