Few sentences strike terror into the hearts of IT executives and senior information security professionals more than “We have a data breach.” But recent legal actions from government prosecutors and plaintiffs’ lawyers have raised the stakes to a new level.
The Department of Justice, Securities and Exchange Commission and a host of other state and federal regulators have initiated both criminal and civil investigations into potential misconduct by companies that have experienced data breaches . . . and their executives. This includes Chief Information Security Officers (CISOs) and other members of a company’s information security team who have been named personally as co-defendants in complaints. This sea change was the focus of one of the keynote addresses at the 2019 AccessData User Summit, which you can view the recording of HERE.
Aravind Swaminathan, Global Co-Chair of the Cybersecurity, Privacy and Data Innovation Practice at Orrick, delivered the provocative presentation, “This Time It’s Personal: CISOs and Other Corporate Leaders Face Criminal and Civil Investigations,” which served as both a wake-up call to senior information security professionals and a practical roadmap to specific steps that can be taken to help protect yourself from being named as a defendant in potential data breach litigation.
“It’s one thing for a company to be the focus of a government investigation and subsequent litigation from both prosecutors and plaintiffs’ lawyers, but we are now entering a new era in which individual members of a company’s information security team are coming under intense scrutiny, facing legal proceedings, and becoming the targets of regulators, plaintiffs, the press and even their own company,” said Swaminathan, a former federal prosecutor who oversaw enforcement actions related to cybercrime and white collar crime.
Swaminathan reviewed with the audience of attendees, both in-person and via live webcast, a number of well-publicized data breach investigations at companies such as Yahoo!, Uber and Equifax. He noted that subsequent litigation proceedings resulting from those investigations had a very long tail, tying up the company and its executives in serious matters for two-to-three years following the initial breach itself. More ominously, he pointed out a disturbing risk that information security professionals may be facing: taking the fall for a cybersecurity incident and being subjected to criminal liability.
“In fact, these recent cases seem to indicate that, even if you do your job properly as a CISO, you may end up being named personally as a co-defendant in data breach litigation related to shareholder derivative lawsuits or consumer class actions,” he said.
Swaminathan drew on his experience — as both a former federal prosecutor and a private-practice lawyer representing information security professionals in connection with large data security incidents — to suggest a number of specific actions that CISOs, CIOs, IT Heads and other information security professionals can take to protect themselves. Here are seven of those tips:
- Have an internal notification plan
“It’s important to create a clear ‘Escalation Matrix’ in advance for determining which executives you will notify of a data breach, depending on the nature of the incident,” he advised. Communicate this matrix to your internal colleagues and secure their buy-in so that you set a minimum baseline understanding about what the internal notification plan will be if and when a data breach occurs.
- Build the incident response team with the right people
Be careful about which colleagues you invite to join your incident response team, because you want to avoid any conflicts of interest. Swaminathan noted that you don’t want anyone at the table who might compromise an independent analysis of the incident’s root cause and of the remediation steps required afterwards, especially if their team was potentially responsible for the systems failure.
- Focus on the Why
“Make sure to look beyond the immediate ‘what broke’ question and pivot quickly to why it broke,” he advised. “That might feel counter-intuitive to some information security executives who are trained to find the problem and patch it, but securing the answers to the ‘why’ could be crucial down the road in the event of investigations and litigation.”
- Document the incident response
Every C-suite executive understands the importance of documentation in the midst of crisis management, but this basic practice is especially crucial in the event of a data breach given the potential for individual criminal liability. There is simply no way to accurately recall years later (e.g., during a deposition or interview) the specifics of what happened and what actions you took at the time of the incident. It is crucial to document the chronology of events right away.
- Closing analysis
“Once the immediate crisis has been resolved, you should also make sure to document what you did to close out the incident,” said Swaminathan. “In fact, you should even document that you sought advice from the company’s legal counsel and have them confirm that your actions were proper. If something blows up down the line, your lawyers will take the hit for you, but you need to secure their advice and document it in your closing analysis.”
In some cases, regulators will provide a summary report after their investigation has been closed, which includes specific findings and recommendations. It’s important to debrief with your executive team and share these lessons learned so there is a clear record of responsiveness on your part.
- Review policies, procedures and controls
“Finally, I always advise executives to designate some time to identify appropriate changes they need to make in their internal policies and develop a roadmap for remediation plans in the aftermath of a data breach incident,” said Swaminathan. “If that remediation plan requires additional resources, make sure to request those needed resources from the proper internal executives and then document whether that request was approved or denied.”
Swaminathan also offered some suggestions for how senior information security professionals can navigate important employment and legal considerations in order to best protect themselves. For example, regardless of whether the word “Officer” is in your title, you may want to be designated as a legal “Officer” of the company under the corporate bylaws; those individuals are often afforded certain protections from the company in the event of litigation. If you are not recognized as a corporate officer in the bylaws, you may want to negotiate contractual language that requires the company to indemnify you for all appropriate legal expenses if you are named personally in litigation related to the regular performance of your job.
“The stakes have never been higher for CISOs, CIOs and other executives responsible for cybersecurity at their companies,” said Swaminathan. “As a result, information security professionals need to become more aware of the personal risks they face, the legal landscape for incident response and security generally, and how to best protect themselves, their jobs and their careers.” To hear his complete presentation, with slides, you’re welcome to watch it now.