The Evolving State of Cybersecurity
January 16, 2019
Companies continue to face significant, even existential, risks from cybersecurity attacks. Several developments during 2018 have underscored the potentially escalating costs of cybersecurity incidents, as well as the risks from poor management of the ensuing crisis after an attack has been identified.
New data breach notification obligations continue to be implemented, including under the European Union’s General Data Protection Regulation (“GDPR”), which went into effect in May 2018. Enforcement actions related to cybersecurity incidents and vulnerabilities also saw an uptick in 2018, which may portend further such activity in 2019, and there continues to be significant litigation risk associated with cyberattacks.
As a result, boards should continue to exercise vigorous oversight over preparation for such attacks, and ensure that companies are dedicating sufficient resources to mitigating cybersecurity threats and to crisis preparation.
Developing Law and Guidance With Respect to Data Breach Disclosure:
- State Laws: Companies in the United States facing a data breach continue to face a patchwork of notification requirements at the state level. For the first time, as of March 2018, all 50 states (as well as the District of Columbia and several U.S. territories) now have data breach notification laws on their books. However, the laws vary, including as to when and how data subjects and law enforcement must be notified of a data breach, so a company will generally not be able to satisfy every state’s requirements with a single, uniform notification process.
- SEC Guidance: At the federal level, the SEC issued interpretive guidance in February 2018, updating the 2011 guidance from the SEC’s Division of Corporation Finance. The new guidance emphasizes the SEC’s view that companies must make appropriate disclosures relating to cybersecurity risks or incidents that are material to investors. In particular, the SEC has made clear that a company cannot simply refer to cybersecurity risks in the abstract in its risk factors when it has previously been the victim of an attack. It must also take steps to prevent trading by corporate insiders who know about a potentially material issue until investors have been appropriately informed. In October 2018, the SEC also issued a separate investigative report urging companies to account for cyber-threats when implementing internal accounting controls.
- GDPR and Its Progeny: Under the GDPR, personal data breaches have strict notification requirements that may involve notification to data protection supervisory authorities and to data subjects. In many cases, notifications must be made within 72 hours, with potential fines of up to 2% of a group’s global annual turnover for the preceding fiscal year, or €10 million (whichever is higher), for failure to comply with notification requirements under the GDPR. Moreover, the breach itself may implicate a breach of the GDPR’s underlying principles (including the principle of integrity and confidentiality) for which a fine of up to 4% of a group’s global annual turnover for the preceding fiscal year, or €20 million (whichever is higher), can be imposed. GDPR-inspired laws are now being passed across the world, including in Brazil and in California. For example, Brazil’s new data protection law (the Lei Geral de Proteção de Dados Pessoais, or “LGPD”) was recently passed and is scheduled to go into effect in 2020. Among significant new data protection rules and transfer limitations similar to the GDPR, the LGPD imposes data breach notification requirements, and significant penalties of up to 2% of turnover in Brazil, limited to 50 million Brazilian reais (approximately US$13.5 million) per violation.
Selected Enforcement Activity in 2018
- State AG/FTC Enforcement. Uber Technologies Inc. was sued by the Attorneys General of all 50 states and the District of Columbia, and in September 2018, a record-breaking $148 million settlement was announced, in connection with Uber’s failure to disclose a 2016 data breach. In October 2018, the U.S. Federal Trade Commission (“FTC”) expanded its 2017 settlement with Uber regarding a 2014 data breach to include additional violations arising from Uber’s 2016 data breach. The FTC settlement imposes notification, reporting, and records retention obligations on Uber, and any failure by Uber to notify the FTC of future data security incidents could lead to civil penalties. The Uber settlements underscore the fact that, in managing the fallout from a data breach, companies must be scrupulous in meeting their disclosure obligations, even if they believe the threat of harm has been eliminated.
- SEC Enforcement. In April 2018, Altaba (formerly known as Yahoo!) entered into a $35 million settlement agreement with the SEC, resolving allegations that Yahoo! violated federal securities laws in connection with the disclosure of the 2014 cybersecurity incident involving its user database. The case represents the first time a public company has been charged by the SEC for failing to adequately disclose a cyber-breach. Altaba’s settlement with the SEC, coming on the heels of its agreement to pay $80 million to civil class action plaintiffs alleging similar disclosure violations, underscores the increasing potential legal exposure for companies based on failing to properly disclose cybersecurity risks and incidents.
- GDPR Enforcement. To date, enforcement action under the GDPR for a personal data breach has been limited to one case in Germany against Knuddels GmbH & Co KG. The size of this fine was relatively low (€20,000), with the German regulator taking into account the efficiency with which the data controller mitigated the damage and informed data subjects (as well as the high level of cooperation shown in connection with the supervisory authority’s investigation). While other regulators have yet to address a personal data breach under the GDPR, the UK’s Information Commissioner’s Office (“ICO”) has not been shy about imposing the maximum penalty under the former data protection regime. In 2018, the ICO levied the maximum fine (£500,000) against Equifax Inc. for its 2017 data breach, which implicated the personal data of U.K. persons, and fined Uber £385,000 for failing to protect customers’ personal information in connection with the 2016 cyberattack described above. Additionally, Uber was fined €600,000 by the Dutch supervisory authority (the Autoriteit Persoonsgegevens) and €400,000 by the French supervisory authority (the Commission nationale de l’informatique et des libertés) in connection with the same breach.
In addition to the growing risk of enforcement actions, the cost of data breaches from a civil litigation perspective continues to increase. In 2018, for example, Anthem agreed to pay $115 million to settle consumer class actions relating to its 2015 breach, which affected almost 80 million users. Yahoo!, in connection with the data breach mentioned above, agreed to pay consumers $85 million and provide two years of free credit monitoring for the 200 million users affected by its breaches (in addition to the $80 million Yahoo! agreed to pay shareholders based on the alleged securities disclosure violations).
Notwithstanding these large settlements, companies continue to fight claims, particularly on the basis of lack of Article III standing: that the plaintiffs whose data has been compromised cannot identify any harm from the breach. Courts remain split on what is required to establish standing for pleading purposes, and in particular on whether actual harm must be alleged or whether alleging a substantial risk of future harm is sufficient. For example, in a 2018 case stemming from a breach of Zappos.com, the Ninth Circuit reaffirmed its position on one side of a circuit split by finding standing to bring suit based on a “substantial risk” of identity theft or fraud resulting from a data breach, even in the absence of allegations that the risk actually materialized. The Fourth Circuit took a stricter approach in Hutton v. National Board of Examiners in Optometry, Inc., where the plaintiffs alleged that their stolen data had actually been misused: the court held that the alleged costs of mitigating measures taken to guard against further identity theft were a sufficient injury to establish standing, while declining to adopt the lower “substantial risk” standard. It remains to be seen whether, in 2019, the U.S. Supreme Court will get involved to resolve the issue.
Given the increasing levels of enforcement activity and civil litigation risk, not to mention the reputational harm that comes from suffering a data breach, companies are well-advised to prepare for the worst in advance by, among other things, ensuring that they have an incident response plan in place and testing that plan, assessing before any breach occurs which disclosures and notifications would be required, and identifying counsel and forensic firms that can be “on call” in the event of an attack.
Boards of directors, likewise, should exercise oversight over the preparations for an attack, and they should keep in mind that regulators and plaintiffs in civil actions will certainly investigate whether a company has devoted sufficient resources to prevention and preparation if there ever is a data breach. Boards should even consider participating in a tabletop exercise, or wargame, to make sure that they understand their role in managing a cyber-related crisis. This preparation, by the board and management, will pay significant dividends in helping the company move quickly and effectively to address an intrusion or other cybersecurity incident.