Cybersecurity: Data Breaches, Ransomware Attacks and Increased Regulatory Focus

A 2021 survey of chief legal officers demonstrated that cybersecurity has overtaken compliance as the most significant legal risk that businesses face today.[1] This should not come as a surprise as 2021 brought a series of high-profile cyberattacks on major companies and U.S. infrastructure targets. Regulators also brought a number of cybersecurity enforcement actions, and announced new rules, guidance and initiatives on ransomware and other cyber-related issues. In addition, after many years of debate, Congress has made some progress in crafting legislation that would require certain companies to report significant cyberattacks and ransomware payments to the U.S. federal government.

Boards should expect that the demands of cybersecurity oversight will only intensify in 2022, and they should continue to exercise active oversight of this significant area of potential risk.

Data Breaches and Ransomware Attacks

2021 witnessed a number of significant data breaches, with widely disruptive ransomware attacks often taking the headlines:

• Colonial Pipeline, one of the largest fuel pipelines in the United States, suffered a ransomware attack that disrupted fuel supplies across the United States. The company paid $4.4 million in ransom, part of which was recovered by U.S. law enforcement.
• CNA Financial, a large commercial insurer, announced that it suffered a ransomware attack that caused the company to pay $40 million to regain access to its data.
• Cyber criminals demanded $50 million from computer manufacturer ACER after breaching the company’s systems. The company refused to pay the ransom demand, which was subsequently raised to $100 million, and was targeted again in a cyberattack in October.
• One of the country’s largest meat suppliers, JBS USA, disclosed a ransomware attack that temporarily halted operations and led to a $11 million ransom payment.
• An Iowa-based provider of agricultural services, NEW Cooperative, suffered a ransomware attack resulting in a $5.9 million ransom demand that would increase to $11.8 million if the ransom was not paid within a five-day period. The company refused payment.
• Microsoft announced that a Microsoft Exchange hack exposed vulnerabilities in the email software, affecting over 30,000 organizations across the United States.
• Airline technology provider SITA announced that it suffered a data breach affecting approximately 2 million airline passengers. The stolen information included program card numbers, status level information and, in some cases, customer names.

Regulatory Focus on Cybersecurity

In response to continuing significant data breaches and other cyber incidents, regulators – particularly the SEC – were increasingly active in bringing cybersecurity enforcement actions against companies that allegedly maintained inadequate cybersecurity protections or that failed to comply with related disclosure obligations:

• In March, New York’s Department of Financial Services (DFS) brought an enforcement action against Residential Mortgage Services, Inc. (RMS) for allegedly violating DFS’s cybersecurity regulations requiring timely reporting of data breaches and comprehensive cybersecurity risk assessments. RMS, a licensed mortgage banker, collected sensitive personal data of mortgage loan applicants as part of its business operations. After a July 2020 examination, evidence was uncovered showing that RMS had failed to report a cybersecurity breach involving unauthorized access to the email account of an RMS employee with access to a significant amount of that data. RMS agreed to pay a $1.5 million penalty.
• In June, the SEC announced a settlement with First American Financial Corporation for disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed customer information. After a journalist informed First American of a flaw in its systems, the company issued a public statement noting that it had shut down external access to the document-sharing application that had exposed customer information and had no preliminary indication of large-scale unauthorized access. However, at the time of this disclosure, senior management was unaware that the company’s information security personnel had identified the vulnerability several months earlier and had failed to remediate it. Thus, the SEC charged the company with maintaining deficient disclosure controls and procedures, even absent a third-party breach or intrusion of the company’s systems. As part of its settlement with the SEC, the company agreed to pay a $487,616 penalty.
• The SEC has also been conducting a sweep of public companies involving disclosures relating to the cyberattack involving software made by SolarWinds Corp., which became public in December 2020.[2] The SEC has sought information on a voluntary basis from companies that may have used the compromised versions of SolarWinds software, and it has advised companies that if they cooperate by providing the requested information and making any required disclosures, the SEC will not recommend an enforcement action against recipients of the request relating to disclosure controls and procedures. However, the SEC has also asked companies responding to the request to not only provide information about the impact of SolarWinds, but also to provide information about other cybersecurity incidents involving external attacks. The sweep demonstrates the aggressive approach that the SEC is taking to evaluating companies’ responses to cyberattacks both from disclosure and disclosure controls perspectives.

Separate from the enforcement actions, regulators issued new rules, guidance and initiatives on cyber-related topics, including ransomware and cyber-incident notification:

• In September, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, which highlights the sanctions risks associated with making ransomware payments.[3] The advisory stresses that the U.S. government “strongly discourages” making ransomware payments and instead “recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.” Later, in October, OFAC issued Sanctions Compliance Guidance for the Virtual Currency Industry, which provides details for companies in evaluating sanctions-related risks, building sanctions compliance programs, protecting their businesses from misuse of virtual currencies and understanding OFAC’s recordkeeping, reporting, licensing and enforcement processes.
• Given the proliferation of ransomware actors demanding ransom payments in the form of cryptocurrency, in October, the U.S. Department of Justice announced the creation of a National Cryptocurrency Enforcement Team (NCET) to oversee complex investigations and prosecutions of criminal misuses of cryptocurrency. The NCET will draw upon DOJ’s Cryptocurrency Enforcement Framework, released in October 2020.
• Also in October, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued an Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, which updates and replaces its previous advisory from 2020. The FinCEN Advisory examines the role of financial intermediaries in facilitating ransomware payments, which are generally paid using virtual currencies like Bitcoin; identifies trends, typologies and financial red flags of ransomware and associated payments; and stresses the legal obligations of U.S. financial institutions in the ransomware context – —for example, to report suspicious transactions that may involve ransom payments to criminal actors.[4]
• In November, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Board of Governors of the Federal Reserve System (Board) announced a final rule requiring banking organizations to notify their primary regulator of certain significant computer-security incidents within 36 hours. The rule separately requires bank service providers to notify their bank customers if they experience a cyber-incident that causes a material disruption of services that lasts for four or more hours.[5]
• There has also been progress on a federal data security legislation that has eluded lawmakers for years. Congress is considering draft legislation that would require critical infrastructure companies to report certain substantial cyberattacks to the U.S. federal government within 72 hours, and would require businesses with more than 50 employees to notify the government within 24 hours of making a ransomware payment.

Litigation Developments

There were also significant developments in cyber-related litigation in 2021:

• California data breach law continues to develop in response to the California Consumer Privacy Act (CCPA)’s creation of a private right of action, with more than 80 CCPA-related cases filed throughout 2021. Notably, in February, a California federal judge dismissed plaintiffs’ CCPA claim in class action litigation against Alphabet, Inc. and Google, LLC, on the basis that plaintiffs merely alleged that the defendants monitored and collected users’ sensitive personal data without consent. The court found that the plaintiffs failed to allege that any personal information was subject to unauthorized access as a result of a security breach, reasoning that a private right of action under the CCPA could only be pursued for violations related to personal information security breaches.
• In May, in class action litigation stemming from a 2019 Capital One data breach, a federal judge in Virginia granted Capital One’s motion to certify to the Virginia Supreme Court the question of whether Virginia state law imposes a duty to use reasonable care to protect consumers’ personal information from disclosure. In so doing, the court noted there were not yet any cases in Virginia considering whether a tort duty of care exists in these circumstances. The decision to certify highlights the changing landscape of state law resulting from cybersecurity-related incidents.
• In June, in class action litigation against TransUnion stemming from violations of the Fair Credit Reporting Act, the U.S. Supreme Court issued a decision limiting consumers’ standing to sue if the alleged harm, such as from misleading credit reports, does not actually materialize. This has potential implications for a wide variety of cyber-related cases in which personal information may be exposed but not necessarily used for fraudulent activity.
• In September, another federal judge in Virginia dismissed a shareholder derivative action against K12 Inc., a small-cap technology-based education company now known as Stride Inc., in connection with a series of cyberattacks affecting one of the company’s largest customers. While the investors alleged that K12 had embarked on a campaign of self-promotion with respect to its cybersecurity protocols to inflate its stock price, the court highlighted that the plaintiffs never alleged that the company failed to have such protocols, only that its systems were not sufficient to meet the company’s needs.
• In October, the Delaware Court of Chancery dismissed a shareholder derivative action concerning Marriott’s discovery of a data breach for failure to make a pre-suit demand and failure to plead sufficient facts to establish demand futility. The court found that the Marriott board members did not face a substantial likelihood of liability stemming from the breach, as they had not failed to undertake their oversight abilities, turned a blind eye to compliance violations or consciously failed to remediate cybersecurity failures. Thus, the board retained its ability to assess whether to pursue litigation on behalf of the company and the derivative action was improper.

Board Oversight Best Practices for 2022

In light of regulatory and litigation developments, boards should review their oversight of cybersecurity matters, including: 

• Delegate to a committee of the board responsibility for cybersecurity matters (or establish specific cybersecurity review guidelines if responsibility is retained at full board) including (i) oversight of the implementation of disclosure controls and procedures related to cybersecurity risks and (ii) monitoring of potential vulnerabilities from third-party vendors.
• Establish regular briefings by management to the board of cybersecurity risks including benchmarking company policies and procedures against industry peers and best practices; create a robust record of such reporting including directors’ active engagement in such discussions.
• Ensure that the board is familiar with the company’s cyber-incident response plan including the proposed reporting matrices to communicate incidents.
• Periodically engage in a cybersecurity response tabletop exercise to familiarize directors with their oversight role in the event of a cyber-related incident, and document the occurrence of such exercises to show that directors have met their risk oversight duties.
• Regularly review the company’s cybersecurity budget and assess cyber-related insurance coverage.

Key Takeaways

• Cybersecurity continues to be an essential issue for boards due to increased dependence on technology, a pandemic-generated shift to remote work arrangements and the continued proliferation of data breaches, ransomware attacks and other cyber intrusions.
• Ransomware in particular represents an increasing concern for companies from across industries, due to the substantial costs, legal risks and reputational concerns.
• Federal regulators instituted a requirement for banking organizations to notify their primary regulator of certain significant computer-security incidents, and there has been recent progress on a federal data security legislation that would apply more broadly. Boards should receive regular reports from management on developments in the law to keep abreast of their companies’ evolving obligations in this area.
• Increased regulatory action related to cybersecurity issues reflects the continued shift away from regulators viewing hacked companies as only victims and toward potentially holding them responsible for perceived deficiencies in their cybersecurity programs and other internal policies and procedures. Importantly, regulators like the SEC are focused on whether and how a company maintains disclosure controls and procedures to ensure that management is adequately and timely informed of cyber incidents that warrant public disclosures. We expect these trends to continue in 2022 as the Biden administration enters its second year.
• Private litigation arising out of data breaches continues to proliferate. In dismissing plaintiffs’ claims in the Marriott case, the court nevertheless noted that “corporate governance must evolve to address” cybersecurity risks and that “the corporate harms presented by non-compliance with cybersecurity safeguards increasingly call upon directors to ensure that companies have appropriate oversight systems in place.”
• Collectively, these trends underscore the need for boards to take an active role in overseeing management’s preparation of adequate cyber defenses and responses to incidents. Among other things, boards should establish clear ownership of cyber risk oversight, have briefings on cybersecurity risks to the full board and document steps the board has taken in connection with its oversight.

[1] Association of Corporate Counsel, “2021 ACC Chief Legal Officers Survey” (March 2021), available here.

[2] SEC, “In the Matter of Certain Cybersecurity-Related Events (HO-14225) FAQs” (June 25, 2021), available here.

[3] For additional details, see our September blog post here. See also Economic Sanctions: Developments and Considerations in this memo.

[4] For additional details, see our November blog post here.

[5] For additional details, see our December blog post here.