This is an Insight article, written by a selected partner as part of GIR's co-published content.
Cybercrime is a global threat that is constantly increasing in both volume and complexity. Perpetrators are using new technologies to commit cyberattacks against governments, corporates, critical infrastructure and individuals. The UK Government Cyber Security Breaches Survey 2021 showed that 39 per cent of businesses reported a cybersecurity breach or attack over the most recent 12-month survey period. This is higher among medium (65 per cent) and large (64 per cent) businesses.2
To tackle ever-increasing levels of cybercrime, countries around the world are introducing new laws focused on cybersecurity and data protection. Armed with new legal frameworks, regulators and law enforcement are placing onerous obligations on organisations that fall victim to cybercrime. There are shorter deadlines in which to notify the authorities of data breaches and ever-increasing fines and penalties for businesses that fail to respond swiftly and appropriately to a cyberattack.
This chapter examines the complex area of cybersecurity and considers recent cases, the particular issues that can arise in cyber investigations and how to respond to a cyberattack. It identifies key considerations for corporates and their advisers in this ever-evolving area.
41.1.1 What is cybercrime?
In the United Kingdom, cybercrime is an umbrella term used to define linked, but distinct, areas of criminal activity. Her Majesty’s Government’s National Cyber Security Strategy3 defines these two subcategories as:
- cyber-dependent crimes – crimes that can only be committed through the use of information and communication technology (ICT) devices, where the devices are both the tool for committing the crime and the target of the crime; and
- cyber-enabled crimes – traditional crimes that can be increased in scale or reach by the use of computers, computer networks or other forms of ICT such as cyber-enabled fraud and data theft.4
In the United States, there is no uniform definition of cybercrime or cybersecurity, and the principal federal criminal law, the Computer Fraud and Abuse Act (CFAA), criminalises ‘unauthorised access of computer systems’.5 The Department of Justice’s (DOJ) own manual on Prosecuting Computer Crimes sets out that ‘[its] focus is on those crimes that use or target computer networks, which [the DOJ] interchangeably refer[s] to as ‘computer crime’, ‘cybercrime’, and ‘network crime’. Examples of computer crime include computer intrusions, denial of service attacks, viruses, and worms’.6 The CFAA establishes the specific cybersecurity crimes of obtaining national security information, accessing a computer and obtaining information, trespassing in a government computer, accessing a computer to defraud and obtain value, intentionally damaging by knowing transmission, recklessly damaging by intentional access, negligently causing damage and loss by intentional access, trafficking in passwords, and extortion involving computers.
Globally cybercrime is a constantly evolving area, with perpetrators adapting their methods as new technologies become available. Several common types and techniques of cybercrime are as follows:
- Hacking is the targeted intrusion of a network, computer, mobile telephone, tablet or other electronic device.
- Malware is malicious software designed to interfere with computer operations; many families also spread across networks. Malware may be destructive, causing systems to crash or deleting files, and it is frequently used to steal data. Malware can be further sub-divided:
- Viruses are self-replicating malicious code that attaches itself to legitimate programmes or files and runs, and spreads, when the infected host is executed.
- Trojans are malicious computer programmes that present themselves as useful, routine or interesting to persuade the victim to install them. The Trojan programme can then steal data or undertake other nefarious tasks under the guise of being the legitimate programme.
- Spyware is software that gathers information from infected systems and monitors activity such as keystrokes or websites visited by a computer user. Spyware can be used to steal passwords, or financial or other valuable information.
- Ransomware is software that encrypts a victim’s files or locks a system and demands a ransom for restoring access. Many current operators also steal data before encrypting it and threaten to publish it unless paid, so a ransomware incident is frequently a personal data breach as well as an availability problem.
- Worms are self-replicating programmes that spread from computer to computer causing damage. They do not require human interaction and do not need to attach themselves to software programmes.
- Phishing is the fraudulent practice of sending emails (or messages on other channels) purporting to be from a reputable source to induce individuals to reveal personal information such as passwords or banking details, or to open an attachment or link that installs malware.
- Fraudulent websites are increasingly common; they appear to belong to legitimate businesses and trick victims into handing over financial information or payments.
- Denial of service (DoS) is a cyberattack in which the perpetrator makes a computer or other device unavailable to its users by disrupting its normal functioning. DoS attacks typically work by overwhelming or flooding the targeted machine with requests until it can no longer serve legitimate users.
- A distributed denial of service (DDoS) attack has the same goal as a DoS attack, but the flood of traffic is sent simultaneously from many compromised machines (often a botnet), which makes it far harder to stop by blocking a single source.
New technologies bring fresh opportunities for cybercriminals and there is already concern as to how artificial intelligence and 5G will be exploited by malicious actors.
41.1.2 Motivations of cybercriminals
Financial gain remains a key motivator for malicious cyber actors. Whilst some attacks are focused on the direct extraction of money, others seek to steal valuable information and either extract a ransom from the victim or sell the information to a third party.
While many cyberattacks are aimed at obtaining personal data through theft, other information such as trade secrets, compromising information, or information harmful to reputation can be valuable.
Increasingly, cyberattacks are being used for political and ideological reasons or to spread disinformation. Attacks can be a form of protest, and in these cases they usually focus on damage to infrastructure or control systems.
41.1.3 Recent cyberattacks
Cyberattacks make headlines across the world, causing enormous reputational damage for the entities involved. Enforcement action frequently follows data breaches with ever increasing financial penalties for corporates. Many regulators also bring criminal enforcement action.
In summer 2021, Amazon’s financial filings revealed that the Luxembourg data protection supervisory authority, the Commission Nationale pour la Protection des Données (CNPD), is fining the retailer’s European arm (Amazon Europe Core Sàrl) €746 million for breaches of the EU’s General Data Protection Regulation (GDPR).7 The CNPD’s decision is not yet publicly available so little is known about the facts, and it may not relate to a cyber incident. It is nevertheless worth mentioning as it is the largest GDPR fine on record and indicative of the enormous financial repercussions of not complying with data laws. Amazon has stated it intends to defend itself vigorously in the matter.
The year 2020 ended and 2021 began with the SolarWinds Orion software breach, a supply-chain compromise in which attackers inserted a backdoor into legitimate, signed Orion software updates that were then distributed to customers, including multiple US government agencies such as the US Treasury Department. Then in April 2021, Facebook confirmed that the personal information of more than 530 million users had been leaked and published on a hacking forum; the incident is now subject to an investigation by the Irish Data Protection Commission. Most significant in terms of pure tangible impact was a ransomware attack on Georgia-based Colonial Pipeline that reportedly arose from a single compromised password for a VPN account that did not require multi-factor authentication, and which effectively shut down a key fuel pipeline stretching from Texas to the Northeast of the United States, responsible for delivering 45 per cent of the East Coast’s fuel. Colonial paid the hackers, an affiliate of the Russia-linked cybercrime group DarkSide, a US$4.4 million ransom shortly after the attack. In June 2021, the US Department of Justice announced that it had traced and seized US$2.3 million of cryptocurrency, being a portion of the total ransom paid by Colonial.8
Travelex, the world’s largest retail currency dealer, received prominent media coverage in January 2020 after it suffered a ransomware attack.9 Media reports attributed the hack to a cybergang called Sodinokibi, also known as REvil. The share value of Finablr, the parent company of Travelex, dropped in the week that followed the attack.10
Following an extensive investigation, the Information Commissioner’s Office (ICO), which regulates data privacy in England and Wales, issued a notice of its intention to fine British Airways £183.39 million for infringements of data protection laws. The proposed fine related to a cyber incident notified to the ICO by British Airways in September 2018. The incident in part involved user traffic to the British Airways website being diverted to a fraudulent site, through which the attackers harvested customer details. Personal data of approximately 500,000 customers was compromised in the incident. British Airways was given the opportunity to make representations as to the level of financial penalty. In the end the ICO fined British Airways £20 million for failing to protect the personal and financial details of a number of its customers.11
Equifax is a multinational data, analytics and technology company with an emphasis on consumer credit reporting. In early September 2017, the US parent company announced it had been the victim of a criminal cyberattack. Although UK systems were not breached, the attack compromised personal information about some UK consumers.12 The data breach exposed the personal information of 147 million people. The company agreed to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau and 50 US states and territories. The settlement included up to US$425 million to help people affected by the data breach.13
The WannaCry cyberattack began on 12 May 2017 and, within a day, was reported by Europol to have infected more than 230,000 computers in at least 150 countries. This global attack quickly became a matter of public concern, with the UK’s national media paying particular attention to the impact on, and the response of, the National Health Service in England.14 WannaCry was ransomware that targeted computers running the Microsoft Windows operating system. It spread as a worm, without any user interaction, by exploiting a vulnerability in the Windows SMBv1 file-sharing protocol for which Microsoft had issued a patch (MS17-010) two months earlier; once on a machine it encrypted the files on the hard drive, making them inaccessible to users until a ransom had been paid in bitcoin for the decryption key. The scale of the outbreak was therefore largely a consequence of unpatched and unsupported systems remaining exposed. Both the United Kingdom and United States attributed the cyberattack to the North Korean Lazarus Group. Foreign Office Minister for Cyber, Lord Ahmad of Wimbledon, said: ‘The UK’s National Cyber Security Centre assesses it is highly likely that North Korean actors known as the Lazarus Group were behind the WannaCry ransomware campaign – one of the most significant to hit the UK in terms of scale and disruption.’15 The accusation had first been made by Thomas Bossert, an aide to President Donald Trump, in an interview with The Wall Street Journal.16
In 2017 Yahoo!, the American web services provider, said that all three billion of its user accounts had been affected by a hacking attack dating back to 2013. Yahoo! said that the data stolen during the attack did not include payment card or bank account data. The ICO eventually fined Yahoo! UK Services Limited £250,000 in respect of a separate 2014 compromise, which after investigation was found to have affected the personal data of approximately 500 million user accounts worldwide.17
Uber Technologies Inc was caught in a data controversy when it was reported that hackers stole the personal data of 57 million customers and drivers. Compromised data from the October 2016 attack included names, email addresses and phone numbers, the company reported. It was reported that the breach took place in 2016 but that Uber sought to conceal the event. The company is said to have paid hackers US$100,000 to delete the data that had been taken from Uber’s cloud-based servers.18
The ICO fined Uber £385,000 in what it called ‘a series of avoidable data security flaws which allowed the details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company. This included full names, email addresses and phone numbers’.19
Steve Eckersley, the ICO’s Director of Investigations at the time, was strongly critical of the company, saying:
This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.20
The financial penalties in the United States totalled US$148 million.21 Lisa Madigan, the Illinois Attorney General, stated:
This is one of the most egregious cases we’ve ever seen in terms of notification; a yearlong delay is just inexcusable. And we’re not going to put up with companies, Uber or any other company, completely ignoring our laws that require notification of data breaches.22
41.2 Legal framework
41.2.1 United Kingdom
Within the United Kingdom, there are a number of different Acts and Regulations that may be applicable to a cyber incident, depending on the facts and the type of entity that has been targeted.
41.2.1.1 UK legislation criminalising cyberattacks
The Computer Misuse Act 1990 (CMA) is the key legislation in the United Kingdom relating to offences or attacks against computer systems. The CMA allows proceedings to be brought in England or Wales if, in the circumstances of the offending, there is at least one significant link with the United Kingdom.23
The CMA criminalises unauthorised access to computer material,24 unauthorised access with intent to commit or facilitate the commission of further offences,25 unauthorised acts with intent to impair the operation of a computer,26 and unauthorised acts causing, or creating a risk of, serious damage, for example to the environment, the economy or national security.27
Under section 3(1) of the Investigatory Powers Act 2016, which came into force in June 2018, it is an offence to intentionally intercept a communication in the United Kingdom, without lawful authority, in the course of its transmission by means of a public or private telecommunication system or a public postal service.
Additionally, some offences under the Data Protection Act 201828 (DPA) such as knowingly or recklessly obtaining or disclosing personal data without consent, procuring the disclosure of personal data to another person without consent, and selling personal data disclosed or retained without consent, can be relevant to cybercrime.29
Many types of crime, of course, do not depend on computers or networks but are being committed with relative ease using the internet. These offences include fraud, intellectual property crime and sending malicious communications, which are dealt with under separate legislation.
41.2.1.2 UK laws leading to positive obligations for victims of cyberattacks
The United Kingdom has a robust set of laws relating to data breaches that commonly arise out of cyberattacks. The EU GDPR has been incorporated directly into UK law as the UK GDPR.30
Article 5 of the UK GDPR sets out the key principles for most processing of personal data (processing for law enforcement purposes is instead governed by Part 3 of the DPA). The seven key principles are (1) lawfulness, fairness and transparency, (2) purpose limitation, (3) data minimisation, (4) accuracy, (5) storage limitation, (6) integrity and confidentiality, and (7) accountability.
The UK GDPR is concerned with ‘personal data’, which means information about a particular identified or identifiable living individual; it includes employees, clients, business contacts, public officials and members of the public. If it is possible to identify someone from the details, or by combining the details with other information, then it will still come within the scope of what is ‘personal data’. What identifies an individual includes names, numbers, cookie identifiers and internet protocol (IP) addresses.
The law is designed to be flexible and to take a risk-based approach to data protection. In reality, the legislation puts the onus on organisations to think about, and if necessary be able to justify, how they use data and process data.
The UK GDPR applies to the processing of ‘personal data’ if that is completed wholly or partly by automated means or the processing other than by automated means of personal data that forms part of, or is intended to form part of, a filing system. Processing includes collecting, recording, storing, using, analysing, combining, disclosing or deleting data. For the majority of organisations handling data, the processing test will easily be met.
Organisations processing ‘personal data’ need to ensure they have appropriate security measures in place to protect the data held. This is the integrity and confidentiality principle (or security principle) of the UK GDPR. Under this principle, organisations must have appropriate technical and organisational measures in place. This may be achieved via risk analysis, organisational policies, and physical and technical actions. The costs of implementation when deciding what measures to take are relevant, but must be appropriate to the circumstances of the organisation and the risk the processing poses.
The measures in place must enable custodians of ‘personal data’ to restore access and availability of ‘personal data’ in a timely manner in the event of a physical or cyber incident. There need to be processes in place to test the effectiveness of measures, and where improvements are required these should be implemented.
The UK GDPR does not define the security measures an organisation needs to have in place, but some industries are required to meet certain standards by their regulator or industry body; for example the Financial Conduct Authority Handbook covers Data Security in Financial Services, which includes the risk that customer data is lost or stolen.31 Whether such requirements have been adhered to is likely to be relevant to enforcement action.
The DPA sets out the data protection framework in the United Kingdom alongside the UK GDPR. It contains three separate data protection regimes: Part 2 supplements the UK GDPR for general processing; Part 3 sets out a separate regime for law enforcement authorities; and Part 4 sets out a separate regime for the three intelligence services. The DPA was amended with effect from 1 January 2021 to reflect the United Kingdom leaving the European Union.
The Network and Information Systems Regulations 2018 (NIS)33 are intended to improve the security of the network and information systems on which the digital economy and society depend. NIS applies to operators of essential services (for example in the energy, transport, health, drinking water and digital infrastructure sectors) and to relevant digital service providers such as online search engines, online marketplaces and cloud computing services.
Numerous other Acts of Parliament can be relevant to data breaches. The facts of any particular case will determine which apply. The Acts can be as diverse as the Official Secrets Act 1989, dealing with information that can impact national security,34 and the Companies Act 2006, which requires directors, in promoting the success of the company, to have regard to the desirability of the company maintaining a reputation for high standards of business conduct.35 It is advisable to engage external counsel for specialist legal advice if dealing with a data breach.
41.2.2 United States
The United States has a medley of unrelated, and at times incompatible, federal and state laws and regulatory guidance, which either relate specifically to cybersecurity or have been interpreted to do so, and no uniform national law that explicitly requires security of personal information across all industries and sectors. This results in there being no generally accepted approach to defining ‘cybersecurity’ and no nationally recognised manner in which companies can maintain systems and procedures to adequately address cybersecurity risks. The diversity of laws and the rapidly evolving regulatory environment mean there are a number of potential public and private litigants and that businesses operating across the United States need to carefully assess their cybersecurity risks and compliance requirements. In 2020, at the state level alone, 38 states introduced or considered more than 280 bills or resolutions significantly related to cybersecurity, and 20 states enacted cybersecurity-related bills.36 It is advisable to seek the assistance of external counsel when dealing with this specialised area of law.
41.2.2.1 Federal law
The CFAA provides for numerous cybersecurity-specific offences relating to unauthorised access to computer systems and related damage, trafficking and extortion. Notably, the US Supreme Court recently narrowed the scope of liability under the CFAA in Van Buren v. United States, holding that a person ‘exceeds authorized access’ only by obtaining information from parts of a computer (such as files, folders or databases) that are off-limits to them, not by misusing, for an improper purpose, information they are otherwise entitled to access.37 The practical consequence is that an insider who abuses legitimate access is less likely to face CFAA liability, which makes access controls, logging and contractual restrictions all the more important for employers.
The FTC and the Federal Trade Commission Act
The Federal Trade Commission (FTC) is a federal agency tasked with protecting consumers and promoting competition in the United States through the enforcement of civil antitrust and consumer protections laws. The FTC has powers pursuant to the Federal Trade Commission Act (FTCA),38 which prohibits ‘unfair or deceptive acts or practices in or affecting commerce’, regardless of industry.
Financial institutions and the Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA), enforced by multiple federal agencies, requires financial institutions to maintain safeguards for non-public information in the institutions’ control and to adopt ‘administrative, technical, and physical safeguards’ for the security of ‘non-public personal information’.39 In sum, the GLBA requires that financial institutions have policies and procedures reasonably designed to ensure the security and confidentiality of customers’ records and to protect against cybersecurity threats and unauthorised access to and use of customer records.
Various agencies have published guidelines pursuant to the GLBA, including the ‘Interagency Guidelines’ adopted by the Office of the Comptroller of the Currency, the Federal Reserve System and the Federal Deposit Insurance Corporation.40 The guidelines prescribe steps for institutions including involving the board in the development of a cybersecurity programme, conducting risk assessments, and conducting due diligence and ongoing monitoring of service providers’ cybersecurity measures.
Publicly traded companies
The Securities and Exchange Commission (SEC) has published guidance on publicly traded companies’ disclosure obligations with respect to cybersecurity and on companies disclosing material cybersecurity risks and incidents to investors.41 This guidance recommends that publicly traded companies adopt controls and procedures that enable companies to identify cybersecurity risks and incidents, assess and analyse their impact on a company’s business, evaluate their significance and make timely disclosures. The guidance also recommends that companies implement measures to prevent insider trading in the event of and during the investigation of a potential data breach.
Healthcare providers and the Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA)42 requires that healthcare providers, health plans, healthcare clearing houses, (and in certain cases business associates) adopt ‘administrative, technical, and physical safeguards’ to protect individually identifiable health information (protected health information or PHI). HIPAA restricts access to and use of PHI while imposing related security standards (the Security Rule), and a requirement to notify individuals affected by any breach of privacy (the Breach Notification Rule). Finally, HIPAA provides for civil and criminal penalties for the compromise of PHI maintained by entities covered by the statute (covered entities) and business associates.
The Federal Information Security Management Act
The Federal Information Security Management Act (FISMA)43 defines a framework for managing information security that must be followed for all information systems used or operated by a US federal government agency, and by third-party contractors operating such systems on an agency’s behalf. Failure by a contractor to comply with FISMA can result in loss of federal funding.
The Cybersecurity Information Sharing Act
The Cybersecurity Information Sharing Act of 2015 (CISA, not to be confused with the federal agency of the same acronym)44 enables private entities to monitor information systems for cybersecurity purposes; operate ‘defensive measures’ for cybersecurity purposes;45 and most notably to share information about cyber-threat indicators or defensive measures with other private entities or the federal government,46 provided that private entities take steps to remove personal information before sharing any such cyber-threat indicators.47
41.2.2.2 State law
At least 25 states have laws that address data security practices of private sector entities, the majority of which require companies to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, and to protect the personal information from unauthorised access, destruction, use, modification or disclosure.48 As examples:
- New York requires that companies develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information including, but not limited to, disposal of data;49
- California requires companies to implement and maintain reasonable security procedures and practices appropriate to the nature of the information; and50
- Massachusetts requires companies to take specific steps to assess security risks, train employees, oversee service providers and implement other safeguards.51
All 50 states, the District of Columbia and other US jurisdictions have imposed data breach notification requirements on private entities that collect or process personal data, which can require notice to consumers, regulators, law enforcement or credit bureaus.52 Some states only require notice if the business determines that there is a reasonable likelihood of harm,53 while others require notification regardless of the determination of likelihood of harm.54 The requirements also may conflict. For example, Massachusetts prohibits any description of how a data breach occurred,55 while other states require a brief description of the incident.56 Notably, some state notification laws establish jurisdiction based on whether the data subject is located in the state and so can apply to a company regardless of where it is located.57
41.3 Proactive cybersecurity
Mr Ciaran Martin, the former head of the United Kingdom’s National Cyber Security Centre stated in 2020: ‘Every organisation now knows they need to understand cybersecurity risk just as they need to understand financial, legal risk and so on.’58 It is now a key function of business to have a comprehensive cybersecurity programme in place.
The UK GDPR specifically requires organisations to have a process for regular testing, assessing and evaluating of the effectiveness of any information security measures put in place. However, the type of tests and how regularly they are carried out is for the organisation to assess in light of its particular circumstances.
Policies should be in place that are regularly reviewed (many organisations now review their policies every quarter, such is the pace of change in this area) and updated as part of a regular cybersecurity audit. Depending on the characteristics of the business, third parties, such as businesses in its supply chain, may need to form part of the audit and assessment process. It is common for cybercriminals to breach networks via trusted business partners.
Good cybersecurity relies on education and awareness. Regular training of staff is key and should include temporary and contract staff.
Physical security, concerning access to premises and equipment, also needs to be addressed. All organisations need to consider storage arrangements and secure disposal of records that are no longer required.
Computer and network security will in most cases require technical expertise. During the covid-19 pandemic, remote working raised new risks of which all organisations should have been conscious and working to reduce. Of particular concern are removable media, and home networks and personal devices that reach corporate systems over multiple, unmanaged internet connections.
There need to be protocols to cover password use, firewalls, regular updates for software, backup and restoration of electronic information and monitoring to detect breaches.
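Of the protocols listed above, monitoring to detect breaches is the one most often left as a heading with nothing behind it. As an added illustration (not code from this chapter, nor from any named organisation or product), the Python below runs over a constructed, syslog-like authentication log and flags the three patterns that a credential-based intrusion typically leaves: repeated failures for one account from one source (brute force), one source failing against many accounts (a password spray), and a success that follows a burst of failures, which is the signal worth paging on. The log format, field names, time window and thresholds are assumptions that a real deployment would replace with its own baseline.

```python
"""Credential-attack detection over an authentication log.

Added illustration, not code from the chapter. The log format is a
constructed, syslog-like one; the window and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample (documentation-range addresses, invented users):
# a VPN gateway's authentication log for one morning.
SAMPLE_LOG = """\
2021-05-01T08:00:01 FAIL user=alice src=203.0.113.7
2021-05-01T08:00:03 FAIL user=bob src=203.0.113.7
2021-05-01T08:00:05 FAIL user=carol src=203.0.113.7
2021-05-01T08:00:07 FAIL user=dave src=203.0.113.7
2021-05-01T08:00:09 FAIL user=erin src=203.0.113.7
2021-05-01T08:01:00 FAIL user=svc-backup src=198.51.100.9
2021-05-01T08:01:10 FAIL user=svc-backup src=198.51.100.9
2021-05-01T08:01:20 FAIL user=svc-backup src=198.51.100.9
2021-05-01T08:01:30 FAIL user=svc-backup src=198.51.100.9
2021-05-01T08:01:40 FAIL user=svc-backup src=198.51.100.9
2021-05-01T08:01:50 FAIL user=svc-backup src=198.51.100.9
2021-05-01T08:02:00 OK user=svc-backup src=198.51.100.9
2021-05-01T09:15:00 FAIL user=alice src=192.0.2.44
2021-05-01T09:15:30 OK user=alice src=192.0.2.44
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "OK",
        "user": m["user"],
        "src": m["src"],
    }


def detect(lines, window=timedelta(minutes=5), fail_threshold=5, spray_threshold=5):
    """Return a list of (kind, key, detail) findings in time order.

    brute_force:            >= fail_threshold failures for one (user, src) within window
    password_spray:         >= spray_threshold distinct users failing from one src within window
    success_after_failures: an OK for a (user, src) pair already flagged as brute force
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    fails_by_pair = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    fails_by_src = defaultdict(deque)    # src -> (timestamp, user) of recent failures
    flagged_pairs, flagged_srcs, findings = set(), set(), []

    for e in events:
        pair = (e["user"], e["src"])
        if e["ok"]:
            if pair in flagged_pairs:
                findings.append(("success_after_failures", pair, e["ts"].isoformat()))
            continue

        recent = fails_by_pair[pair]
        recent.append(e["ts"])
        while recent and e["ts"] - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= fail_threshold and pair not in flagged_pairs:
            flagged_pairs.add(pair)
            findings.append(("brute_force", pair, f"{len(recent)} failures in {window}"))

        by_src = fails_by_src[e["src"]]
        by_src.append((e["ts"], e["user"]))
        while by_src and e["ts"] - by_src[0][0] > window:
            by_src.popleft()
        distinct_users = {u for _, u in by_src}
        if len(distinct_users) >= spray_threshold and e["src"] not in flagged_srcs:
            flagged_srcs.add(e["src"])
            findings.append(("password_spray", e["src"],
                             f"{len(distinct_users)} distinct users failing in {window}"))
    return findings


if __name__ == "__main__":
    for kind, key, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:24} {key} {detail}")
```

The single failure and success for alice at 09:15 is deliberately left unflagged: a user mistyping a password once is normal, and a detector that pages on it will be ignored within a week. The success-after-failures finding is the one that should trigger the response plan, since it means a guessed or sprayed credential has now been used.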
Organisations should have a cyber-breach response plan to assist in the detection of cybercrime and ensure incidents are responded to swiftly, efficiently and comprehensively. There should be a clear structure of responsibility to allow for accountability.
41.4 Conducting an effective investigation into a cyber breach
The aim of an investigation will be to understand the scope and impact of the cybersecurity incident. The findings of the investigation will be put to multiple uses, including preventing repetition of the incident, managing all the repercussions, helping with reputational damage, assisting with operational disruption, and identifying harm to clients. This will also be key to enforcement action, so it is vital that the investigation be properly conducted. It is advisable to engage external legal counsel as soon as a breach has been detected or is suspected. This is particularly important for the protection of legal professional privilege.
The early stages of the investigation are likely to be critical and urgent. In Europe, the GDPR requires organisations to have robust breach detection and an investigation procedure in place. It is sensible to use the protocols that the organisation has in place with the benefit of legal advice. Records need to be kept of the breach and response regardless of whether the matter is ultimately reported to the authorities.
Digital evidence is likely to need to be gathered and care must be taken to establish a clear picture of what happened without compromising evidence. It may be necessary to engage third-party forensic experts. For privilege and continuity, this is best done through external legal counsel.
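Evidence that cannot be shown to be unchanged since acquisition is easily challenged, whether by a regulator, an opponent in litigation or an insurer. As an added example, not code from this chapter or from any forensic vendor, the Python below records a SHA-256 hash, size and collection time for every acquired file in a manifest attributed to a named custodian, hashes the manifest entries themselves so that edits to the record are also detectable, and later verifies the evidence against it, distinguishing files that were modified, removed or added after acquisition. The directory layout, custodian name and case identifier are assumptions; the sample artefacts are constructed inside a temporary directory so the script runs offline.

```python
"""Evidence integrity manifest for a cyber-incident investigation.

Added illustration, not code from the chapter. Hashes are taken at
acquisition time and checked again before analysis or disclosure, so that
any later change, accidental or otherwise, is detectable and documented.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large disk or memory images fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _entries_hash(entries):
    # Hash of the canonical JSON of the entries: a later edit to the manifest
    # is then as detectable as an edit to the evidence it describes.
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(evidence_dir, custodian, case_id):
    """Walk evidence_dir and record path, size and SHA-256 of every file."""
    base = Path(evidence_dir)
    entries = []
    for path in sorted(p for p in base.rglob("*") if p.is_file()):
        entries.append({
            "path": path.relative_to(base).as_posix(),
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
        })
    return {
        "case_id": case_id,
        "custodian": custodian,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
        "entries_sha256": _entries_hash(entries),
    }


def verify_manifest(evidence_dir, manifest):
    """Return {relative_path: 'ok' | 'modified' | 'missing' | 'unlisted'}.

    Raises ValueError if the manifest's entries no longer match the hash
    recorded over them, i.e. the record itself, not the evidence, was altered.
    """
    if _entries_hash(manifest["entries"]) != manifest["entries_sha256"]:
        raise ValueError("manifest entries do not match recorded entries_sha256")
    base = Path(evidence_dir)
    expected = {e["path"]: e for e in manifest["entries"]}
    status = {}
    for rel, entry in expected.items():
        path = base / rel
        if not path.is_file():
            status[rel] = "missing"
        elif path.stat().st_size != entry["size"] or sha256_file(path) != entry["sha256"]:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    for path in base.rglob("*"):           # anything present but never acquired
        if path.is_file():
            rel = path.relative_to(base).as_posix()
            if rel not in expected:
                status[rel] = "unlisted"
    return status


def demo():
    """Constructed scenario: acquire three artefacts, then simulate the kinds of
    post-acquisition change a manifest must catch. Returns the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp)
        # Constructed sample artefacts (not real case data).
        (evidence / "auth.log").write_bytes(b"2021-05-01T08:00:01 FAIL user=alice src=203.0.113.7\n")
        (evidence / "memory.raw").write_bytes(bytes(range(256)) * 64)
        (evidence / "responder_notes.txt").write_bytes(b"08:05 isolated host; 08:10 imaged memory\n")
        manifest = build_manifest(evidence, custodian="A. Custodian (assumed name)",
                                  case_id="IR-0001 (assumed identifier)")
        # What must not happen after acquisition, and what verification reports:
        (evidence / "auth.log").write_bytes(b"2021-05-01T08:00:01 OK user=alice src=203.0.113.7\n")
        (evidence / "responder_notes.txt").unlink()
        (evidence / "late_addition.bin").write_bytes(b"\x00\x01")
        return verify_manifest(evidence, manifest)


if __name__ == "__main__":
    for path, state in sorted(demo().items()):
        print(f"{state:9} {path}")
```

Keep the manifest outside the evidence directory, and hand a copy to counsel at the time of acquisition: a hash that only exists on the same disk as the evidence proves little, whereas one recorded independently, with a custodian and a timestamp, lets the investigation show months later that the files examined are the files collected.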
It is likely that there will be interviews with employees who may have contributed to the incident, for example, through downloading a malicious programme. Staff who first responded to the incident and those who may have had their personal data compromised may all need to be interviewed. It is likely to be too early to anticipate all the legal actions that may flow from the incident, so it is sensible to secure evidence in accordance with the law so it can be used as required, and if necessary at a trial. For example, in the United States an Upjohn warning may be appropriate if interviewing staff.59 Take local law advice from experienced cybersecurity counsel.
Dependent on where the cyberattack took place, where an organisation is located, where the data is held (which with the use of cloud technologies is now commonly multiple locations) and in some cases where the individuals whose data has been compromised are located, there are often several enforcement authorities with an interest in the event.
41.5.1 Enforcement in England and Wales
In most of the United Kingdom,60 the ICO is the independent authority in charge of upholding information rights in the public interest. In addition to enforcement activities, the ICO offers guidance and seeks to promote good practice by carrying out audits and monitoring compliance and complaints.
41.5.2 Reporting a breach in England and Wales
In England and Wales there is a legal requirement that certain incidents must be reported to the ICO, and this has to be done within a fixed number of hours. For example, a ‘personal data breach’ must be reported to the ICO. A personal data breach is a breach of security leading to ‘the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. Such a breach must be reported within 72 hours of the organisation becoming aware of it, unless it can be demonstrated that it is unlikely to result in a risk to individuals’ rights and freedoms.
If there is a high risk to individuals’ rights and freedoms, the individuals concerned should be informed without delay.
Corporates and their advisers should assume that information provided to one data regulator will be passed on to others, and that this could give rise to liabilities in multiple jurisdictions. Even so, the organisation should ensure that it meets its reporting obligations in every jurisdiction applicable to the incident.
41.5.3 Enforcement in the United States
As referenced above, a range of general and industry-specific federal and state regulators may investigate and bring enforcement actions related to cybersecurity incidents. While too numerous and detailed to discuss for the purposes of this chapter, the FTC (which has general jurisdiction over companies operating in the US), the SEC (which has jurisdiction over publicly traded companies) and the DOJ are active in bringing enforcement actions in relation to cybersecurity incidents. Acting pursuant to the FTCA, which prohibits ‘unfair or deceptive acts or practices in or affecting commerce’, the FTC has brought cybersecurity-related enforcement actions on the basis of both ‘deceptive’ and ‘unfair’ practices by companies, including for misrepresenting data security practices,61 failure to properly safeguard personal data,62 failure to use adequate encryption for medical records,63 negligent supervision of service providers responsible for handling sensitive information,64 failure to provide adequate cybersecurity training to employees,65 failure to disclose privacy practices adequately66 and using data absent informed consent.67 The SEC has investigated and brought enforcement actions against public companies following cybersecurity incidents, including for companies’ failure to appropriately disclose material cybersecurity risks contrary to the SEC’s guidance. The DOJ investigates and prosecutes cybercrime activities pursuant to the CFAA, as illustrated on 8 June 2021 when the DOJ indicted the chief operating officer of an Atlanta-based network security company for allegedly conducting a cyberattack on a medical centre in violation of the CFAA.68
The New York Department of Financial Services (DFS), which supervises and regulates the activities of insurance companies, banking and other financial institutions in the state of New York, has investigation and enforcement powers pursuant to the DFS Cybersecurity Regulation. This imposes strict cybersecurity rules on covered organisations and subjects them to the risk of financial penalty. In July 2020, three years after the DFS Cybersecurity Regulation’s initial release, DFS announced its first enforcement action, against First American Title Insurance Company, seeking monetary penalties and injunctive relief for purported violations of six provisions of the DFS Cybersecurity Regulation. In March 2021, DFS announced its first penalty pursuant to a settlement with Residential Mortgage Services, Inc, which imposed a US$1.5 million penalty in relation to a 2019 data breach disclosed to DFS during a routine safety and soundness examination in 2020. In April 2021, DFS announced a US$3 million penalty pursuant to a settlement with National Securities Corporation in relation to four cyber breaches that occurred between 2018 and 2020 and exposed National Securities’ customers’ sensitive and non-public personal data.
While not enforcement action per se, the threat of civil litigation (class actions in particular) by private parties for damages arising from cybersecurity incidents is very real. Cybersecurity-related civil claims have been brought on a variety of theories, including for negligence,69 negligent misrepresentation,70 unfair or deceptive trade practices pursuant to state consumer protection statutes,71 breach of contract,72 breach of implied warranty73 and unjust enrichment.74 A recent example of this followed the SolarWinds breach, where investors filed a class action suit on 1 April 2021 against SolarWinds alleging that it had made materially false and misleading statements to the market in connection with the software breach.75
41.5.4 Reporting a breach in the United States
A mass of general and industry-specific federal and state laws, too numerous to discuss in detail for the purposes of this chapter, require notification of cybersecurity incidents. Given the range of possible notification requirements, it would be prudent for any company operating in the United States to map out all notification requirements applicable to its operations, and to identify processes for sharing information with private and public entities pursuant to CISAA.
1 Francesca Titus, Rodger Heaton, Mehboob Dossa and William Boddy are partners, and Andrew Thornton-Dibb is an international attorney, at McGuireWoods.
2 UK Government Cyber Security Breaches Survey 2021, published 24 March 2021, available at https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021.
3 Her Majesty’s Government National Cyber Security Strategy 2016–2021.
4 As defined in Her Majesty’s Government National Cyber Security Strategy 2016–2021, p. 17.
5 18 USC § 1030.
6 Prosecuting Computer Crimes, Computer Crime and Intellectual Property Section Criminal Division, published by Office of Legal Education Executive Office for United States Attorneys.
7 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (GDPR)).
9 National Cyber Security Centre Weekly Threat Report, 10 January 2020.
10 Caroline Binham and Kate Beioley, ‘Travelex hackers demand ransom to protect data’, Financial Times (8 Jan. 2020).
11 Information Commissioner’s Office, press release, ‘ICO fines British Airways £20m for data breach affecting more than 400,000 customers’ (16 Oct. 2020).
13 Data breach settlement statement issued by Federal Trade Commission, January 2020.
14 Lessons learned review of the WannaCry Ransomware Cyber Attack, William Smart, Chief Information Officer for Health and Social Care, Independent Report (1 Feb. 2018).
15 UK Government Press Release published 19 December 2017.
16 ‘It’s Official: North Korea Is Behind WannaCry,’ The Wall Street Journal (18 Dec. 2017).
17 Information Commissioner’s Annual Report and Financial Statements 2018–2019, p. 25.
18 Thomas P Bossert, ‘Uber pays $148 m over data breach cover up’, BBC News (27 Sep. 2018).
19 Information Commissioner’s Office, press release, ‘ICO fines Uber £385,000 over data protection failings’ (27 Nov. 2018).
21 People of the State of Illinois v. Uber Technologies Inc., No. 2018-CH-000304, final judgment and consent decree, September 2018.
22 Associated Press, ‘Uber agrees to $148M settlement over data breach’ (26 Sep. 2018).
23 Computer Misuse Act 1990, s.4.
24 ibid., s.1.
25 ibid., s.2.
26 ibid., s.3.
27 ibid., s.3ZA; this section is aimed at attacks on critical national security.
28 The Data Protection Act 2018 (DPA) updated and replaced the Data Protection Act 1998 when it came into force on 25 May 2018. It was thought that the older Act did not adequately provide for the modern digital age.
29 DPA, ss.170 to 173.
30 The UK GDPR is the retained EU law version of the GDPR as it forms part of the law of England, Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018, s.3, as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 SI 2019/419.
31 The Financial Conduct Authority Handbook.
32 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
33 The Network and Information Systems Regulations 2018.
34 Official Secrets Act 1989, s.1.
35 Companies Act 2006, s.172(1)(e).
36 National Conference of State Legislatures, at https://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2020.aspx.
37 Van Buren v. United States, 141 U.S. 1648 (2021).
38 15 U.S.C. § 45(a)(1) (2012).
39 The Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 (2018).
40 Interagency Guidelines Establishing Information Security Standards, 12 C.F.R. § 208 app. D–2 (2016).
41 SEC Statement and Guidance on Public Cybersecurity Disclosures, 17 C.F.R. §§ 229, 249 (2018).
42 Health Insurance Portability and Accountability Act of 1996 § 1173, 42 U.S.C. § 1320d2(d)(2) (2012); see also 45 C.F.R. §§ 164.302–164.318 (2016) (outlining the Department of Health and Human Services’ security-standard regulations authorised by HIPAA).
43 44 U.S.C. §§ 3541–3549 (2012).
44 6 U.S.C. § 1503(a)(1) (2012).
45 Id. § 1503(b). The statute defines ‘defensive measure’ as ‘an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability,’ and explicitly excludes any ‘measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system’ and is not owned by the entity operating the defensive measure or another entity that has provided consent. Id. § 1501(7)(A)–(B).
46 Id. § 1503(c)(1).
47 Id. § 1503(d)(1)–(2).
48 See National Conference of State Legislatures, Data Security Laws Private Sector, available at https://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws.aspx#Overview.
49 New York Gen. Bus. Law § 899-BB.
50 Cal Civ. Code § 1798.81.5.
51 201 Mass. Code Regs. 17.03 (2009).
52 For a list of all data breach notice statutes, see Security Breach Notification Laws, Nat’l Conf. St. Legislatures (12 Apr. 2017), at http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
53 See, e.g., Mich. Comp. Laws Ann. § 445.72 (West 2019) (requiring notice unless the organisation determines that ‘the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state[.]’).
54 See, e.g., Cal. Civ. Code § 1798.82 (West 2019).
55 Mass. Ann. Laws ch. 93H (LexisNexis 2019).
56 See, e.g., Iowa Code § 715C.2 (2019) (requiring data breach notices to include a ‘description of the breach of security.’).
57 See, e.g., Iowa Code § 715C.2 (2019) (‘Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security.’).
58 Peter Foster, ‘Cyber chief warns of east-west split over the internet’, Financial Times (Aug. 2020).
59 In an Upjohn warning, an employee is advised by company counsel that counsel is acting for the company, privilege in the interview is the company’s and the company may waive that privilege in disclosing details of the interview to authorities or third parties. Upjohn Co. v. United States, 449 U.S. 383 (1981).
60 Scotland has its own Information Commissioner.
61 See, e.g., Complaint at 3–5, In re Upromise, Inc., FTC File No. 102-3116, No. C-4351 (F.T.C. 27 Mar. 2012), 2012 WL 1225058.
63 Complaint at 4, In re Henry Schein Practice Sols., Inc., FTC File No. 142-3161, No. C-4575 (F.T.C. 20 May 2016), 2016 WL 160609.
64 Complaint at 3–4, In re GMR Transcription Servs., Inc., FTC File No. 122-3095, No. C-4482 (F.T.C. 3 Feb. 2014), 2014 WL 492352.
65 Complaint at 2, In re Franklin’s Budget Car Sales, Inc., File No. 102-3094, No. C-4371 (F.T.C. 3 Oct. 2012), 2012 WL 5375157.
66 See, e.g., Complaint, In re Sears Holdings Mgmt. Corp., Docket No. C-4264, para. 4 (F.T.C. 9 Sep. 2009). (The FTC brought an enforcement action in 2009 against Sears for allegedly failing to disclose adequately the extent to which it collected personal information by tracking the online browsing of consumers who downloaded certain software).
67 Complaint, In the Matter of Myspace LLC, Docket No. C-4369 (F.T.C. 11 Sep. 2012).
68 US Dep’t of Justice, Press Release, ‘Chief Operating Officer of network security company charged with cyberattack on Gwinnett Medical Center’ (10 Jun. 2021), available at https://www.justice.gov/usao-ndga/pr/chief-operating-officer-network-security-company-charged-cyberattack-gwinnett-medical.
69 See, e.g., Hutton v. Nat’l Bd. of Examiners in Optometry, Inc., 892 F.3d 612, 616 (4th Cir. 2018), and In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1177–78 (D. Minn. 2014).
71 See, e.g., In re Yahoo! Customer Data Security Breach Litigation, 313 F. Supp. 3d 1113, 1128 (N.D. Cal. 2018).
72 See, e.g., In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953, 970 (N.D. Cal. 2016).
73 See, e.g., In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 119–20 (D. Me. 2009), aff’d, Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011).
74 See, e.g., In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1177–78 (D. Minn. 2014).
75 The first complaint, subsequently amended, was first filed on 9 February 2021. See Complaint, In re SolarWinds Corporation Securities Litigation, 1:21-cv-00138 (W.D. Tex. 2021) (No. 1).