Cybersecurity

41.1 Introduction

Cybercrime is a global threat that is constantly increasing in both volume and complexity. Perpetrators are using new technologies to commit cyber­attacks against governments, corporates, critical infrastructure and individuals. A recent data breach investigation found that 72 per cent of cyber breaches involved large business, and in 58 per cent of attacks personal data had been compromised.[2]

To tackle ever increasing levels of cybercrime, countries around the world are introducing new laws focused on cybersecurity and data protection. Armed with new legal frameworks, regulators and law enforcement are placing onerous obligations on organisations who fall victim to cybercrime. There are shorter deadlines in which to notify the authorities of data breaches and ever increasing fines and penalties for businesses that fail to respond swiftly and appropriately to a cyberattack.

This chapter examines the complex area of cybersecurity and considers recent cases, the particular issues that can arise in cyber investigations and how to respond to a cyberattack. It identifies key considerations for corporates and their advisers in this ever evolving area.

41.1.1What is cybercrime?

In the United Kingdom cybercrime is an umbrella term used to define linked, but distinct, areas of criminal activity. Her Majesty’s Government’s National Cyber Security Strategy[3] defines these two subcategories as:

  • cyber-dependent crimes – crimes that can only be committed through the use of information and communication technology (ICT) devices, where the devices are both the tool for committing the crime and the target of the crime; and
  • cyber-enabled crimes – traditional crimes that can be increased in scale or reach by the use of computers, computer networks or other forms of ICT such as cyber enabled fraud and data theft.[4]

In the United States, there is no uniform definition of cybercrime or cyber­security, and the principal federal criminal law, the Computer Fraud and Abuse Act (CFAA), broadly criminalises ‘unauthorised access of computer systems’.[5] The Department of Justice’s own manual on Prosecuting Computer Crimes sets out that ‘[its] focus is on those crimes that use or target computer networks, which [the DOJ] interchangeably refer[s] to as ‘computer crime’, ‘cybercrime’, and ‘network crime’. Examples of computer crime include computer intrusions, denial of service attacks, viruses, and worms’.[6] The CFAA establishes the specific cyber­security crimes of obtaining national security information, accessing a computer and obtaining information, trespassing in a government computer, accessing a computer to defraud and obtain value, intentionally damaging by knowing transmission, recklessly damaging by intentional access, negligently causing damage and loss by intentional access, trafficking in passwords, and extortion involving computers.

Globally cybercrime is a constantly evolving area, with perpetrators adapting their methods as new technologies become available. Several common types and techniques of cybercrime are as follows:

  • Hacking is the targeted intrusion of a network, computer, mobile telephone, tablet or other electronic device.
  • Malware is malicious software that interferes with computer operations and spreads across networks. Malware may be destructive, causing systems to crash or deleting files. It can also be used to steal data. Malware can be further sub-divided:
    • Viruses are software programmes loaded onto a user’s computer covertly that perform malicious actions.
    • Trojans are malicious computer programmes that present themselves as useful, routine or interesting to persuade the victim to install them. The Trojan programme can then steal data or undertake other nefarious tasks under the guise of being the legitimate programme.
    • Spyware is software that gathers information from infected systems and monitors information such as key strokes or websites visited by a computer user. Spyware can be used to steal passwords, or financial or other valuable information.
    • Ransomware is software designed to block access to a computer system until a ransom is paid.
    • Worms are self-replicating programmes that spread from computer to computer causing damage. They do not require human interaction and do not need to attach themselves to software programmes.
  • Phishing is the fraudulent practice of sending emails purporting to be from a reputable source to induce individuals to reveal personal information such as passwords or banking information.
  • Fraudulent websites are increasingly common, they appear to be for legitimate businesses and trick victims into handing over financial information or payments.
  • Denial of service (DoS) is a cyberattack in which the perpetrator disrupts a computer or other device to make it unavailable to users by disrupting the device’s normal functioning. DoS attacks typically function by overwhelming or flooding a targeted machine with requests until it can no longer process normal users.
  • A distributed denial of service (DDoS) attack is the same as a DoS but targets multiple network resources at once.

New technologies bring fresh opportunities for cybercriminals and there is already concern as to how artificial intelligence and 5G will be exploited by malicious actors.

41.1.2 Motivations of cybercriminals

Financial gain remains a key motivator for malicious cyber actors. Whilst some attacks are focused on the direct extraction of money, others seek to steal valuable information and either extract a ransom from the victim or sell the information to a third party.

While many cyberattacks are aimed at obtaining personal data through theft, other information such as trade secrets, compromising information, or information harmful to reputation can be valuable.

Increasingly, cyberattacks are being used for political and ideological reasons or to spread disinformation. Attacks can be a form of protest, and in these cases they usually focus on damage to infrastructure or control systems.

41.1.3Recent cyberattacks

Cyberattacks make headlines across the world, causing enormous reputational damage for the entities involved. Enforcement action frequently follows with ever increasing financial penalties for corporates. Many regulators also bring criminal enforcement action.

In 2017 Yahoo!, the American web services provider, said that all of its three billion user accounts were affected by a hacking attack dating back to 2013. Yahoo! said that the data stolen during the attack did not include payment card or bank account data. The Information Commissioner’s Office (ICO), which regulates data privacy in England and Wales eventually fined Yahoo! UK Services Limited £250,000 for the incident, which after investigation was said to affect the personal data of approximately 500 million users worldwide.[7]

Uber Technologies Inc was caught in a data controversy when it was reported that hackers stole the personal data of 57 million customers and drivers. Compromised data from the October 2016 attack included names, email addresses and phone numbers, the company reported. It was reported that the breach took place in 2016 but that Uber sought to conceal the event. The company is said to have paid hackers US$100,000 to delete the data that had been taken from Uber’s cloud-based servers.[8]

The ICO fined Uber £385,000 in what it called ‘A series of avoidable data security flaws which allowed the details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company. This included full names, email addresses and phone numbers.’[9]

The ICO was strong in its criticism of the company’s director of investigations, Steve Eckersley. It said:

This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.[10]

The financial penalties in the United States totalled US$148 million.[11] Lisa Madigan, the Illinois Attorney General, stated:

This is one of the most egregious cases we’ve ever seen in terms of notification; a yearlong delay is just inexcusable. And we’re not going to put up with companies, Uber or any other company, completely ignoring our laws that require notification of data breaches.[12]

Equifax is an American multinational data, analytics and technology company with an emphasis on consumer credit reporting. In early September 2017, the US parent company announced it had been the victim of a criminal cyberattack. Although UK systems were not breached, the attack compromised the personal information of some UK consumers.[13] The data breach exposed the personal information of 147 million people. The company agreed to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau and 50 US states and territories. The settlement included up to US$425 million to help people affected by the data breach.[14]

The WannaCry cyberattack began on 12 May 2017 and, within a day, was reported by Europol to have infected more than 230,000 computers in at least 150 countries. This global attack quickly became a matter of public concern, with the UK’s national media paying particular attention to the impact and the response of the National Health Service in England.[15] WannaCry was a ransomware, which targeted computers using the Microsoft Windows operating system. It infected computers by encrypting files on the computer’s hard drive, making them impossible for users to access until a ransom had been paid in bitcoin to decrypt them. Both the United Kingdom and United States attributed the cyberattack to the North Korean Lazarus Group. Foreign Office Minister for Cyber, Lord Ahmad of Wimbledon, said: ‘The UK’s National Cyber Security Centre assesses it is highly likely that North Korean actors known as the Lazarus Group were behind the WannaCry ransomware campaign – one of the most significant to hit the UK in terms of scale and disruption.’[16] The accusation had first been made by Thomas Bossert, an aide to President Donald Trump, in an interview with the Wall Street Journal[17].

Travelex, the world’s largest retail currency dealer, received prominent media coverage in January 2020 after it suffered a ransomware attack.[18] Media reports attributed the hack to a cybergang called Sodinokibi, also known as Revil.[19] Share value in Finablr, the parent company of Travelex, dropped in the week that followed the attack.[20]

Following an extensive investigation, the ICO issued a notice of its intention to fine British Airways £183.39 million for infringements of data protection laws. The proposed fine related to a cyber incident notified to the ICO by British Airways in September 2018. The incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through the false site, customer details were being harvested by the attackers. Personal data of approximately 500,000 customers was compromised in the incident. British Airways was given the opportunity to make representations as to the level of financial penalty. In the end the ICO fined British Airways £20 million for failing to protect the personal and financial details of a number of its customers.[21]

41.2 Legal framework

41.2.1United Kingdom

Even within the United Kingdom there are a number of different Acts and Regulations that may be applicable to a cyber incident, depending on the facts and the type of entity that has been targeted.

41.2.1.1 UK legislation criminalising cyberattacks

The Computer Misuse Act 1990 (CMA) is the key legislation in the United Kingdom relating to offences or attacks against computer systems. The CMA allows proceedings to be brought in England or Wales if, in the circumstances of the offending, there is at least one significant link with the United Kingdom.[22]

The CMA criminalises unauthorised access to computer material;[23] unauthorised access with intent to commit or facilitate commission of further offences;[24] unauthorised acts with intent to impair the operation of a computer;[25] causing or creating risk of serious damage for example to the environment or economy.[26]

Under section 3(1) of the Investigatory Powers Act 2016, which came into force in June 2018, it is an offence to intentionally intercept a communication in the United Kingdom, without lawful authority, in the course of its transmission by means of a public or private telecommunication system or a public postal service.

Additionally, some offences under the Data Protection Act 2018 such as knowingly or recklessly obtaining or disclosing personal data without consent, procuring the disclosure of personal data to another person without consent, and selling personal data disclosed or retained without consent, can be relevant to cybercrime.[27]

Many types of crime, of course, do not depend on computers or networks but are being committed with relative ease using the internet. These offences include fraud, intellectual property crime and sending malicious communications, which are dealt with under separate legislation.

41.2.1.2 UK laws leading to positive obligations for victims of cyberattacks

The United Kingdom has a robust set of laws relating to data breaches that commonly arise out of cyberattacks. These laws are contained in both EU and domestic legislation. Arguably the most significant law concerned with personal data is the EU General Data Protection Regulation (GDPR)[28], which, while implemented in the United Kingdom through the Data Protection Act 2018, is also part of UK law. As a European Regulation, the GDPR has direct effect in the United Kingdom until the end of the Brexit transition period,[29] and if there is not adequacy in the law of the United Kingdom after the transition period, the GDPR will form part of domestic law under the European Union (Withdrawal) Act 2018,[30] possibly with some technical changes specific for it to work in a domestic context. The GDPR has direct effect in all European Union Member States.

Article 5 of the GDPR[31] sets out the key principles, rights and obligations for most processing of personal data, but it does not apply to processing for law enforcement purposes, or to areas outside European Union law, such as national security. The seven key principles are (1) lawfulness, fairness and transparency (2) purpose limitation, (3) data minimisation, (4) accuracy, (5) storage limitation, (6) integrity and confidentiality, (7) accountability.

The GDPR is concerned with ‘personal data’, which means information about a particular identified or identifiable living individual; it includes employees, clients, business contacts, public officials and members of the public. If it is possible to identify someone from the details, or by combining the details with other information, then it will still come within the scope of what is ‘personal data’. What identifies an individual includes names, numbers, cookie identifiers and internet protocol (IP) addresses.

The law is designed to be flexible and to take a risk-based approach to data protection. In reality, the legislation puts the onus on organisations to think about, and if necessary be able to justify, how they use data and process data.

The GDPR applies to the processing of ‘personal data’ if that is completed wholly or partly by automated means or the processing other than by automated means of personal data that forms part of, or is intended to form part of, a filing system. Processing includes collecting, recording, storing, using, analysing, combining, disclosing or deleting data. For the majority of organisations handling data, the processing test will easily be met.

Organisations processing ‘personal data’ need to ensure they have appropriate security measures in place to protect the data held. This is the integrity and confidentiality principle (or security principle) of the GDPR. Under this principle, organisations must have appropriate technical and organisational measures in place. This may be achieved via risk analysis, organisational policies, and physical and technical actions. The costs of implementation when deciding what measures to take are relevant, but must be appropriate to the circumstances of the organisation and the risk the processing poses.

The measures in place must enable custodians of ‘personal data’ to restore access and availability of ‘personal data’ in a timely manner in the event of a physical or cyber incident. There need to be processes in place to test the effectiveness of measures, and where improvements are required these should be implemented.

The GDPR does not define the security measures an organisation needs to have in place, but some industries are required to meet certain standards by their regulator or industry body; for example the Financial Conduct Authority Handbook covers Data Security in Financial Services, which includes the risk that customer data is lost or stolen.[32] Whether such requirements have been adhered to is likely to be relevant to enforcement action.

The Data Protection Act 2018[33] (DPA) sets out the data protection framework in the United Kingdom alongside the GDPR. The UK government appears to view the DPA as key legislation with a valuable role post-Brexit.[34]

The DPA is a complex piece of legislation, which brings together four regimes of data protection law. Each regime focuses on the regulation of processing personal data for a specific type of data processing. In practice, most organisations will be concerned with the two regimes outlined in Part 2 of the DPA, which cover processing data to which the GDPR applies, and then separately processing data not covered by the GDPR. The third and fourth regimes are concerned with law enforcement and the intelligence services.

The DPA also provides significant additional powers to the ICO.

Other laws relevant to privacy in which obligations for corporates can be found are the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR),[35] which is concerned with electronic communications and specific rules for emails, texts, cookies, location data and itemised billing. PECR is predominantly concerned with public electronic communications networks or services, but it applies to organisations that use cookies or similar technology on their website, or market by telephone, email, text or fax.

The Network and Information Systems Regulations 2018 (NIS)[36] are derived from European law.[37] NIS is intended to combat the threats posed to network and information systems with a desire to improve the digital economy and society. NIS applies to operators of essential services and relevant digital service providers such as online search engines, online marketplaces and cloud computing services. For the NIS to apply in the United Kingdom the provider has to have its head office in the UK or have a nominated representative in the jurisdiction in addition to having more than fifty staff and a turnover or balance sheet of more than €10 million.[38]

Numerous other Acts of Parliament can be relevant to data breaches. The facts of any particular case will determine which apply. The Acts can be as diverse as the Official Secrets Act 1989 dealing with information that can impact national security,[39] to the Companies Act 2006 imposing duties on directors to adhere to a desirability a company maintain a reputation for high standards.[40] It is advisable to engage external counsel for specialist legal advice if dealing with a data breach.

41.2.2United States

The United States has a medley of unrelated, and at times incompatible, laws and regulatory guidance, which either relate specifically to cybersecurity or have been interpreted to do so, and no uniform national law that explicitly requires security of personal information across all industries and sectors. This results in there being no generally accepted approach to defining ‘cybersecurity’ and no nationally recognised manner in which companies can maintain systems and procedures to adequately address cybersecurity risks. The diversity of laws means there are a number of potential public and private litigants and that businesses operating across the United States need to carefully assess their cybersecurity risks and compliance requirements. It is advisable to seek the assistance of external counsel when dealing with this specialised area of law.

41.2.2.1 Federal law

The FTC and the Federal Trade Commission Act

The Federal Trade Commission (FTC) is a federal agency tasked with protecting consumers and promoting competition in the United States through the enforcement of civil antitrust and consumer protections laws. The FTC has powers pursuant to the Federal Trade Commission Act (FTCA),[41] which prohibits ‘unfair or deceptive acts or practices in or affecting commerce’, regardless of industry.

Financial institutions and the Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA), enforced by multiple federal agencies, requires financial institutions to maintain safeguards for non-public information in the institutions’ control and to adopt ‘administrative, technical, and physical safeguards’ for the security of ‘non-public personal information’.[42] In sum, the GLBA requires that financial institutions have policies and procedures reasonably designed to ensure the security and confidentiality of customer’s records and to protect against cybersecurity threats and unauthorised access and uses of customer records.

Various agencies have published guidelines pursuant to the GLBA, including the ‘Interagency Guidelines’ adopted by the OCC, FRB and FDIC.[43] The guidelines prescribe steps for institutions including involving the board in the development of a cybersecurity programme, conducting risk assessments, and conducting due diligence and ongoing monitoring of service providers’ cyber­security measures.

Publicly traded companies

The Securities and Exchange Commission (SEC) has published guidance on publicly traded companies’ disclosure obligations with respect to cybersecurity and on companies disclosing material cybersecurity risks and incidents to investors.[44] This guidance recommends that publicly traded companies adopt controls and procedures that enable companies to identify cybersecurity risks and incidents; assess and analyse their impact on a company’s business; evaluate their significance; and make timely disclosures. The guidance also recommends that companies implement measures to prevent insider trading in the event of and during the investigation of a potential data breach.

Healthcare providers and the Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA)[45] requires that healthcare providers, health plans, healthcare clearing houses, (and in certain cases business associates) adopt ‘administrative, technical, and physical safeguards’ to protect individually identifiable health information (protected health information or ‘PHI’). HIPAA restricts access to and use of PHI while imposing related security standards (the Security Rule), and a requirement to notify individuals affected by any breach of privacy (the Breach Notification Rule). Finally, HIPAA provides for civil and criminal penalties for the compromise of PHI maintained by entities covered by the statute (covered entities) and business associates.

The Federal Information Security Management Act

The Federal Information Security Management Act (FISMA)[46] defines a framework for managing information security that must be followed by all information systems used or operated by a US federal government agency and by third-party contractors who work on behalf of a federal agency in those branches. Failure by a contractor to comply with FISMA can result in loss of federal funding.

The Cybersecurity and Infrastructure Security Agency Act

The Cybersecurity and Infrastructure Security Agency Act (CISAA)[47] enables private entities to monitor information systems for cyber­security purposes; operate ‘defensive measures’ for cybersecurity purposes;[48] and most notably to share information about cyber-threat indicators or defensive measures with other private entities or the federal government,[49] provided that private entities take steps to remove personal information before sharing any such cyber-threat indicators.[50]

41.2.2.2 State law

At least 25 states have laws that address data security practices of private sector entities, the majority of which require companies to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, and to protect the personal information from unauthorised access, destruction, use, modification or disclosure.[51] As examples:

  • New York requires that companies develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information including, but not limited to, disposal of data.[52]
  • California requires companies to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.[53]
  • Massachusetts requires companies to take specific steps to assess security risks, train employees, oversee service providers and implement other safeguards.[54]

All 50 states, the District of Columbia and other US jurisdictions have imposed data breach notification requirements on private entities that collect or process personal data, which can require notice to consumers, regulators, law enforcement or credit bureaus.[55] Some states only require notice if the business determines that there is a reasonable likelihood of harm,[56] while others require notification regardless of the determination of likelihood of harm.[57] The requirements also may conflict. For example, Massachusetts prohibits any description of how a data breach occurred,[58] while other states require a brief description of the incident.[59] Notably, some state notification laws establish jurisdiction based on whether the data subject is located in the state and so can apply to a company regardless of where it is located.[60]

41.3 Proactive cybersecurity

Mr Ciaran Martin, the former Head of the United Kingdom’s National Cyber Security Centre recently stated: ‘Every organization now knows they need to understand cybersecurity risk just as they need to understand financial, legal risk and so on.’[61] It is now a key function of business to have a comprehensive cybersecurity programme in place.

In Europe, the GDPR specifically requires organisations to have a process for regular testing, assessing and evaluating of the effectiveness of any information security measures put in place. However, the type of tests and how regularly they are carried out is for the organisation to assess in light of its particular circumstances.

Policies should be in place that are regularly reviewed (many organisations now review their policies every quarter, such is the pace of change in this area) and updated as part of a regular cybersecurity audit. Depending on the characteristics of the business, third parties, such as businesses in its supply chain, may need to form part of the audit and assessment process. It is common for cybercriminals to breach networks via trusted business partners.

Good cybersecurity relies on education and awareness. Regular training of staff is key and should include temporary and contract staff.

Physical security, concerning access to premises and equipment, also needs to be addressed. All organisations need to consider storage arrangements and secure disposal of records that are no longer required.

Computer and network security will in most cases require technical expertise. During the covid-19 pandemic, remote working raised new risks which all organisations should have been conscious of and working to reduce. Of particular concern is removable media and vulnerabilities of multiple internet connections.

There need to be protocols to cover password use, firewalls, regular updates for software, backup and restoration of electronic information and monitoring to detect breaches.

Organisations should consider having a cyber-breach response plan to assist in the detection of cybercrime and ensure incidents are responded to swiftly, efficiently and comprehensively. There should be a clear structure of responsibility to allow for accountability.

41.4 Conducting an effective investigation into a cyber breach

The aim of an investigation will be to understand the scope and impact of the cybersecurity incident. The findings of the investigation will be put to multiple uses, including preventing repetition of the incident, managing all the repercussions, helping with reputational damage, assisting with operational disruption, and identifying harm to clients. This will also be key to enforcement action, so it is vital that the investigation be properly conducted. It is advisable to engage external legal counsel as soon as a breach has been detected or is suspected. This is particularly important for the protection of legal professional privilege.

The early stages of the investigation are likely to be critical and urgent. In Europe, the GDPR requires organisations to have robust breach detection and an investigation procedure in place. It is sensible to use the protocols that the organisation has in place with the benefit of legal advice. Records need to be kept of the breach and response regardless of whether the matter is ultimately reported to the authorities.

Digital evidence is likely to need to be gathered and care must be taken to establish a clear picture of what happened without compromising evidence. It may be necessary to engage third-party forensic experts. For privilege and continuity, this is best done through external legal counsel.

It is likely that there will be interviews with employees who may have contributed to the incident, for example, through downloading a malicious programme. Staff who first responded to the incident and those who may have had their personal data compromised may all need to be interviewed. It is likely to be too early to anticipate all the legal actions that may flow from the incident, so it is sensible to secure evidence in accordance with the law so it can be used as required, and if necessary at a trial. For example, in the United States an Upjohn warning may be appropriate if interviewing staff.[62] Take local law advice from experienced cybersecurity counsel.

41.5 Enforcement

Dependent on where the cyberattack took place, where an organisation is located, where the data is held (which with the use of cloud technologies is now commonly multiple locations) and in some cases where the individuals whose data has been compromised are located, there are often several enforcement authorities with an interest in the event.

41.5.1Enforcement in England and Wales

In most of the United Kingdom,[63] the ICO is the independent authority in charge of upholding information rights in the public interest. In addition to enforcement activities the ICO offers guidance and seeks to promote good practice by carrying out audits and monitoring compliance and complaints.

41.5.2Reporting a breach in England and Wales

In England and Wales there is a legal requirement that certain incidents must be reported to the ICO, and this has to be done within hours of the breach. For example, if there has been a ‘personal data breach’, this must be reported to the ICO. A personal data breach is a breach of security leading to ‘the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. Such a breach must be reported within 72 hours of the organisation becoming aware of it, unless it can be demonstrated that it is unlikely to result in a risk to individuals’ rights and freedoms.

If there is a high risk to individuals’ rights and freedoms, the individuals concerned should be informed without delay.

Corporates and their advisers should assume that information provided to one data regulator will be passed on to others and that this could give rise to liabilities in multiple jurisdictions. However, the organisation should ensure it meets its reporting obligations in all jurisdictions applicable to the incident.

41.5.3Enforcement in the United States

As referenced above, a range of general and industry-specific federal and state regulators may investigate and bring enforcement actions related to cybersecurity incidents. While too numerous and detailed to discuss for the purposes of this chapter, both the FTC (which has general jurisdiction over companies operating in the US) and the SEC (which has jurisdiction over publicly traded companies) are active in bringing enforcement actions in relation to cybersecurity incidents. Acting pursuant to the FTCA, which prohibits ‘unfair or deceptive acts or practices in or affecting commerce’, the FTC has brought cybersecurity related enforcement actions on the basis of both ‘deceptive’ and ‘unfair’ practices by companies, including for misrepresenting data security practices;[64] failure to properly safeguard personal data;[65] failure to use adequate encryption for medical records;[66] negligent supervision of service providers responsible for handling sensitive information;[67] failure to provide adequate cybersecurity training to employees;[68] failure to disclose privacy practices adequately;[69] and using data absent informed consent.[70] The SEC has investigated and brought enforcement actions against public companies following cybersecurity incidents, including for companies failure to appropriately disclose material cybersecurity risks contrary to the SEC’s guidance.

While not enforcement action per se, the threat of civil litigation (class actions in particular) by private parties for damages arising from cybersecurity incidents is very real. Cybersecurity related civil claims have been brought on a variety of theories, including for negligence;[71] negligent misrepresentation;[72] unfair or deceptive trade practices pursuant to state consumer protection statutes;[73] breach of contract;[74] breach of implied warranty,[75] and unjust enrichment.[76]

41.5.4Reporting a breach in the United States

A mass of general and industry specific federal and state laws require notification of cybersecurity incidents too numerous to discuss in detail for the purposes of this chapter. Given the range of possible notification requirements, it would be prudent for any company operating in the United States to map out all notification requirements applicable to its operations, and to identify processes for sharing of information with private and public entities pursuant to CISAA.


Footnotes

[1] Francesca Titus, Rodger Heaton, Mehboob Dossa and William Boddy are partners, and Andrew Thornton-Dibb is an international attorney, at McGuireWoods.

[2] Verizon Data Breach Investigations Report 2020. A large business is defined in the report as a business with over 1,000 employees.

[3] Her Majesty’s Government National Cyber Security Strategy 2016-2021.

[4] As defined on page 17 of Her Majesty’s Government National Cyber Security Strategy 2016-2021.

[5] 18 USC § 1030.

[6] Prosecuting Computer Crimes, Computer Crime and Intellectual Property Section Criminal Division, published by Office of Legal Education Executive Office for United States Attorneys.

[7] Page 25, Information Commissioner’s Annual Report and Financial Statements 2018-2019.

[8] ‘Uber pays $148 m over data breach cover up’, 27 September 2018, BBC News.

[9] Press release, 27 November 2018, ‘Information Commissioner’s Office ICO fines Uber £385,000 over data protection failings’.

[10] Press release, 27 November 2018, ‘Information Commissioner’s Office ICO fines Uber £385,000 over data protection failings’.

[11] People of the State of Illinois v Uber Technologies Inc., No. 2018-CH-000304, final judgment and consent decree, September 2018.

[12] Associated Press, ‘Uber agrees to $148M settlement over data breach’, 26 September 2018.

[13] Cybersecurity incident – information for UK customers on Equifax website https://www.equifax.co.uk/incident.

[14] Data breach settlement statement issued by Federal Trade Commission, January 2020.

[15] Lessons learned review of the WannaCry Ransomware Cyber Attack, William Smart, Chief Information Officer for Health and Social Care, Independent Report, 1 February 2018.

[16] UK Government Press Release published 19 December 2017.

[17] ‘It’s Official: North Korea Is Behind WannaCry,’ The Wall Street Journal, Thomas P. Bossert 18 December 2017.

[18] National Cyber Security Centre Weekly Threat Report, 10 January 2020.

[19] ‘Travelex hackers demand ransom to protect data’, The Financial Times, Caroline Binham and Kate Beioley 8 January 2020.

[20] ‘Travelex hackers demand ransom to protect data’, The Financial Times, Caroline Binham and Kate Beioley 8 January 2020.

[21] Press release, 16 October 2020, Information Commissioner’s Office, ‘ICO fines British Airways £20m for data breach affecting more than 400,000 customers’.

[22] Section 4 Computer Misuse Act 1990.

[23] Section 1 Computer Misuse Act 1990.

[24] Section 2 Computer Misuse Act 1990.

[25] Section 3 Computer Misuse Act 1990.

[26] Section 3ZA Computer Misuse Act 1990; this section is aimed at attacks on critical national security.

[27] Sections 170 to 173 Data Protection Act 2018.

[28] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[29] The United Kingdom left the European Union on 31 January 2020 and the transition period after Brexit was at the time of writing due to end on 31 December 2020.

[30] European Union (Withdrawal) Act 2018.

[31] General Data Protection Regulation.

[32] The Financial Conduct Authority Handbook.

[33] The Data Protection Act 2018. It updated and replaced the Data Protection Act 1998 when it came into force on 25 May 2018. It was thought that the older Act did not adequately provide for the modern digital age.

[34] Data Protection Act 2018 Factsheet-Overview document published by the Department for Digital, Culture, Media and Sport, 23 May 2018: ‘As part of this the 2018 Act applies the EU’s GDPR standards, preparing Britain for Brexit. By having strong data protection laws and appropriate safeguards, businesses will be able to operate across international borders. This ultimately underpins global trade and having unhindered data flows is essential to the UK in forging its own path as an ambitious trading partner. We have ensured that modern, innovative uses of data can continue while at the same time strengthening the control and protection individuals have over their data.’

[35] Directive 2002/58/EC of the European Parliament and of the Council, 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

[36] The Network and Information Systems Regulations 2018.

[37] The Network and Information Systems Regulations 2018 implement European Directive 2016/1148 on a high common level of security of network and information systems across the European Union. The European Commission has also published an implementing regulation, Regulation 2018/151.

[38] Section 1 Network and Information Systems Regulations 2018.

[39] Section 1 Official Secrets Act 1989.

[40] Section 172(1)(e) Companies Act 2006.

[41] 15 U.S.C. § 45(a)(1) (2012).

[42] The Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 (2018).

[43] Interagency Guidelines Establishing Information Security Standards, 12 C.F.R. § 208 app. D–2 (2016).

[44] SEC Statement and Guidance on Public Cybersecurity Disclosures, 17 C.F.R. §§ 229, 249 (2018).

[45] Health Insurance Portability and Accountability Act of 1996 § 1173, 42 U.S.C. § 1320d2(d)(2) (2012); see also 45 C.F.R. §§ 164.302–.318 (2016) (outlining the Department of Health and Human Services’ security-standard regulations authorised by HIPAA).

[46] 44 U.S.C. §§ 3541–49 (2012).

[47] 6 U.S.C. § 1503(a)(1) (2012).

[48] Id. § 1503(b). The statute defines ‘defensive measure’ as ‘an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability,’ and explicitly excludes any ‘measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system’ and is not owned by the entity operating the defensive measure or another entity that has provided consent. Id. § 1501(7)(A)–(B).

[49] Id. § 1503(c)(1).

[50] Id. § 1503(d)(1)–(2).

[51] See, National Conference of State Legislatures, Data Security Laws Private Sector available at https://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws.aspx#Overview.

[52] New York Gen. Bus. Law § 899-BB.

[53] Cal Civ. Code § 1798.81.5.

[54] 201 Mass. Code Regs. 17.03 (2009).

[55] For a list of all data breach notice statutes, see Security Breach Notification Laws, Nat’l Conf. St. Legislatures (12 April 2017), http://www.ncsl.org/research/telecommunicationsand-information-technology/security-breach-notification-laws.aspx.

[56] See, e.g., Mich. Comp. Laws Ann. § 445.72 (West 2019) (requiring notice unless the organisation determines that ‘the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state[.]’).

[57] See, e.g., Cal. Civ. Code § 1798.82 (West 2019).

[58] Mass. Ann. Laws ch. 93H (LexisNexis 2019).

[59] See, e.g., Iowa Code § 715C.2 (2019) (requiring data breach notices to include a ‘description of the breach of security.’).

[60] See, e.g., Iowa Code § 715C.2 (2019) (‘Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security . . . .’).

[61] ‘Cyber chief warns of east-west split over the internet’, Financial Times, Peter Foster, August 2020.

[62] In an Upjohn warning an employee is advised by company counsel that counsel is acting for the company, privilege in the interview is the company’s and the company may waive that privilege in disclosing details of the interview to authorities or third parties. Upjohn Co. v. United States, 449 U.S. 383 (1981).

[63] Scotland has its own Information Commissioner.

[64] See, e.g., Complaint at 3–5, In re Upromise, Inc., FTC File No. 102-3116, No. C-4351 (F.T.C. 27 March 2012), 2012 WL 1225058.

[65] See, e.g., FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 245 (3d Cir. 2015) (‘A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business . . . ’).

[66] Complaint at 4, In re Henry Schein Practice Sols., Inc., FTC File No. 142-3161, No. C-4575 (F.T.C. 20 May 2016), 2016 WL 160609.

[67] Complaint at 3–4, In re GMR Transcription Servs., Inc., FTC File No. 122-3095, No. C-4482 (F.T.C. Feb. 3, 2014), 2014 WL 492352.

[68] Complaint at 2, In re Franklin’s Budget Car Sales, Inc., File No. 102-3094, No. C-4371 (F.T.C. 3 October 2012), 2012 WL 5375157.

[69] See, e.g., Complaint, In re Sears Holdings Mgmt. Corp., Docket No. C-4264, para. 4 (F.T.C. 9 September 2009). (The FTC brought an enforcement action in 2009 against Sears for allegedly failing to disclose adequately the extent to which it collected personal information by tracking the online browsing of consumers who downloaded certain software).

[70] Complaint, In the Matter of Myspace LLC, Docket No. C-4369 (F.T.C. 11 September 2012).

[71] See, e.g., Hutton v. Nat’l Bd. Of Examiners in Optometry, Inc., 892 F.3d 612, 616 (4th Cir. 2018), and In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1177–78 (D. Minn. 2014).

[72] See, e.g., In re Zappos.com, Inc., No. 3:12-cv-00325-RCJ-VPC, 2013 WL 4830497, at *3–4 (D. Nev. 9 September 2013).

[73] See, e.g. In re Yahoo! Customer Data Security Breach Litigation, 313 F. Supp. 3d 1113, 1128 (N.D. Cal. 2018).

[74] See, e.g., In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953, 970 (N.D. Cal. 2016).

[75] See, e.g., In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 119–20 (D. Me. 2009), aff’d, Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011).

[76] See, e.g., In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1177–78 (D. Minn. 2014).

Get unlimited access to all Global Investigations Review content