
Date post: 03-Jun-2020
Page 1: General Session: Cybersecurity and Supply Chain: Who, What ...destroying over 35,000 computers – requiring the company to rebuild its entire corporate network. While the attacks

General Session: Cybersecurity and Supply Chain: Who, What, Where, Huawei?

Recognizing that entities supplying software and hardware to the electric grid may pose profound security challenges, newly-minted NERC Standard CIP-013-1 requires Responsible Entities to develop documented supply chain cyber security risk management plans. NERC's related Implementation Guidance supports third party accreditation as a recommended element of a compliance plan, and work is now being undertaken in a number of silos on some such programs. While this work is underway, responsible entities are largely left to their own devices in managing these risks. How they are doing so, and how we can effectively counsel our clients in controlling security and regulatory risk, is the focus of this panel discussion.

Moderator: Paul Tiao, Partner, Hunton Andrews Kurth

Speakers:
Tobias R. Whitney, Technical Executive, Power Delivery and Utilization – Cyber Security, Electric Power Research Institute
Laura Schepis, Senior Director, Security Policy, Edison Electric Institute
Ted J. Murphy, Partner, Hunton Andrews Kurth
Andrew G. Geyer, Partner, Hunton Andrews Kurth


This article presents the views of the authors, which do not necessarily reflect those of Hunton & Williams LLP or its clients. The information presented is for general information and education purposes. No legal advice is intended to be conveyed; readers should consult with legal counsel with respect to any legal advice they require related to the subject matter of the article.

Lawyer Insights 

June 27, 2017

Ransomware Attacks Raise Key Legal Considerations

by Lisa J. Sotto, Brittany M. Bacon and Jeffrey Dunifon

Published in Law360 [i]

On May 12, 2017, a massive ransomware attack hit tens of thousands of computer systems in over 150 countries. The ransomware, known as “WannaCry,” leverages a Windows vulnerability and encrypts files on infected systems and demands payment for their release. If payment is not received within a specified timeframe, the ransomware automatically deletes the files. On June 27, 2017, another ransomware variant, “Petya,” began affecting computers in the Ukraine before spreading worldwide. A wide range of industries have been impacted by these attacks, including businesses, hospitals, utilities and government entities around the world. Ransomware is one of the many types of recent cyberattacks that can have significant legal implications for affected entities and industries for whom data access, integrity and availability are critical; health care and financial companies are particularly vulnerable. As affected entities work to understand and respond to the threat of ransomware, below is a summary of key legal considerations.

Considerations

FTC Enforcement

The Federal Trade Commission has used its authority under Section 5 of the FTC Act to pursue “unfair or deceptive acts or practices” to address data privacy and security issues. The deception doctrine has been used to pursue companies that misrepresent their use of personal information or the security measures used to protect such data, while the unfairness doctrine has been used to bring actions against companies that fail to employ adequate safeguards prior to a security incident (regardless of the company’s representations). In a November 2016 blog entry, the FTC stated that “a business’ failure to secure its networks from ransomware can cause significant harm to the consumers (and employees) whose personal data is hacked. And in some cases, a business’s inability to maintain its day-to-day operations during a ransomware attack could deny people critical access to services like health care in the event of an emergency.” The FTC also indicated that “a company’s failure to update its systems and patch vulnerabilities known to be exploited by ransomware could violate Section 5 of the FTC Act.” Nearly all data security actions brought by the FTC have been settled and have resulted in comprehensive settlement agreements that typically impose obligations for up to 20 years.

Breach Notification Laws

In the U.S., 48 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have laws that require notification to affected individuals (and in many states, regulators) in the event of unauthorized acquisition of or access to personal information. Certain federal laws, such as the Health Information Technology for Economic and Clinical Health Act, also require notification for certain breaches of covered information, and there are an increasing number of breach notification laws being adopted internationally. To the extent a ransomware attack results in the unauthorized acquisition of, or access to, covered information, applicable breach notification laws may impose notification obligations on affected entities.

Data Security Laws

A number of U.S. states have enacted laws that require organizations that maintain personal information about state residents to adhere to certain information security requirements with respect to that personal information. As a general matter, these laws (such as Section 1798.81.5 of the California Civil Code) require businesses that own or license personal information about state residents to implement and maintain reasonable security procedures and practices to protect the information from unauthorized access, destruction, use, modification or disclosure. To the extent a ransomware attack results from a failure to implement reasonable safeguards, affected entities may be at risk of legal exposure under the relevant state security laws.

Litigation

In the event that ransomware results in a compromise of covered information, litigation is another potential risk. Despite the difficulty of bringing successful lawsuits against affected entities, plaintiffs’ lawyers continue to actively pursue newsworthy breaches, as businesses are paying significant amounts in settlements with affected individuals. Affected entities also may face lawsuits from their business partners whose data is involved in the attack, and often battle insurers over coverage of costs associated with the attack. Businesses must also be cognizant of cyber-related shareholder derivative lawsuits, which increasingly follow from catastrophic security breaches.

Agency Guidance

Given the evolving nature of ransomware attacks, government agencies are continuously developing recommendations to help businesses respond. For example, the U.S. Department of Health and Human Services Office for Civil Rights, which enforces the Health Insurance Portability and Accountability Act and the HITECH Act, published a fact sheet advising health care entities on methods for preventing, investigating and recovering from ransomware attacks. The fact sheet also provides insight to help entities assess their potential breach notification obligations in the wake of a ransomware attack. The FBI similarly has developed ransomware resources directed towards chief information security officers and CEOs. This guidance should be carefully considered to help prevent and recover from ransomware attacks and to understand the potential criminal and enforcement implications of such attacks.

Industry Standards and Best Practices

In addition to complying with explicit legal requirements, organizations should continuously evaluate their practices against industry standards, which typically evolve and are updated more frequently than relevant legislation, and which help organizations better align their practices with the expectations of consumers, business partners and regulators. As a recent example, earlier this month the Health Care Industry Cybersecurity Task Force published a report addressing cybersecurity in the health care industry. The task force, which was established by Congress in 2015, is composed of government officials and leaders in the health care industry. Noting that “the rise and sophistication of ransomware attacks that hold IT systems and patient-critical devices hostage continues to grow,” the report sets forth best practices for addressing cyber security threats that were gleaned from studying the financial services and energy sectors, including: (1) conducting comprehensive information sharing on current threats, attack vectors and the systems within the enterprise; (2) implementing baseline protections such as patching against known vulnerabilities; (3) designing and testing security incident response and recovery efforts; and (4) enhancing communications and collaboration by engaging in more regular and formalized collaboration within the sector.

Conclusion

Ransomware is a growing concern, and while the recent global attacks have been some of the most high-profile to date, they are part of an overall trend in the evolving threat landscape. Businesses and other organizations should take into account the legal considerations discussed above in their efforts to prevent, investigate and recover from these disruptive attacks.

© 2017 Hunton & Williams LLP

Lisa J. Sotto is a partner in the New York office of Hunton & Williams LLP and chairs the firm’s global privacy and cybersecurity practice. She chairs the US Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. She can be reached at (212) 309-1223 or [email protected]. Brittany M. Bacon and Jeffrey R. Dunifon are attorneys in the firm’s New York office. Brittany can be reached at (212) 309-1361 or [email protected]. Jeffrey can be reached at (212) 309-1335 or [email protected].

[i] This article has been updated slightly to reflect more recent news since the article was published by Law360.


80 | Pipeline & Gas Journal • January 2019

Addressing Legal Risk Through SAFETY Act By Eric Hutchins, Principal, H2 Legal, P.C., and Ted Murphy, Partner, Hunton Andrews Kurth

On the morning of Aug. 15, 2012, most Saudi Aramco employees were home celebrating Ramadan. Suddenly, the few remaining at work noticed problems with their computers. Screens flickered, and files were lost. Not long after, a group called the Cutting Sword of Justice announced it had launched a major cyber-attack, later dubbed “Shamoon,” warning that, “destruction operations … will be completed within a few hours.”

By the time it was over, Saudi Aramco had suffered the worst cyber-attack to date, destroying over 35,000 computers – requiring the company to rebuild its entire corporate network. While the attacks did not successfully target segmented supervisory control and data acquisition (SCADA) systems, repercussions still spread across the infrastructure to create real-world physical impacts. Lacking a system to complete transactions, trucks lined up for miles outside of Saudi Aramco terminals unable to be loaded. After two weeks, the company was forced to give oil away for free to keep it flowing within Saudi Arabia.

Cyber-attacks have long been identified as a significant threat to critical infrastructure owners and operators – one the oil and gas sector saw first-hand in the Shamoon attack. Potential damages from such attacks on the sector continue to increase.

With natural gas supplying an increasing share of not only real-time peaking, but now also baseload, electricity generation capacity, supply disruptions could ripple throughout society to create an economic, public health, and even national security crisis. Oil and gas pipeline owners and operators could face enormous liabilities in these scenarios. Even less catastrophic cyber-attacks can lead to substantial exposure.

Against this backdrop, the Support Anti-terrorism by Fostering Effective Technologies Act (SAFETY Act) is becoming an increasingly viable tool to mitigate escalating cyber-attack risks. The SAFETY Act provides legal protections, including liability caps and immunity, where qualified technologies approved by the Department of Homeland Security (DHS) are deployed against an “act of terrorism.”

Under the SAFETY Act, an act of terrorism need not have a political component but is instead based on factors including the severity of an attack, as determined by the Secretary of Homeland Security. Likewise, qualified technologies under the SAFETY Act are broadly defined to include services like risk management programs.

In September, DHS certified for the first time an internal enterprise-wide cybersecurity risk management program, notably for an energy sector company. Oil and gas companies could seek similar protection from cyber-risks. But how does the SAFETY Act work, and what are the practical benefits of SAFETY Act coverage outside of where an act of terrorism occurs?

Under the SAFETY Act’s implementation regulations, DHS provides two levels of protection for qualified technologies – designation and certification. Designated technologies must show effectiveness with confidence of repeatability. Companies deploying these technologies against acts of terrorism enjoy legal protections including limits on liability and exclusive federal jurisdiction.

Certified technologies must also show proven effectiveness, but with a high confidence of repeatability. In addition to the legal protections for designated technologies, certification provides a rebuttable presumption of immunity from liability resulting from an act of terrorism.

The SAFETY Act provides a statutory shield to protect oil and gas companies against liabilities associated with cyber-attacks by terrorists. As cyber threat actors grow in number and become more sophisticated, this protection becomes an increasingly important tool to mitigate risks that could threaten the existence of even the largest companies.

Oil and gas companies should also consider the significant additional benefits that SAFETY Act coverage of internal cybersecurity programs can provide beyond declared acts of terrorism. After all, the Secretary of Homeland Security has not, to date, declared an event to be an act of terrorism under the SAFETY Act. Indeed, when a company recently attempted to assert SAFETY Act protections in court, DHS responded by posting a notice on its webpage stating that the incident at issue was not declared an act of terrorism.

SAFETY Act-covered technologies can be listed as “approved technologies” on DHS’s SAFETY Act website and receive DHS’s SAFETY Act “seal of approval.” This listing and these markings can be used to market approved technologies to the public. In this way, SAFETY Act coverage of internal cybersecurity programs can provide powerful outside government verification of an oil and gas company’s cybersecurity oversight and controls. This can yield important legal, insurance, and public relations benefits.

SAFETY Act coverage can help establish that a company meets the legal “standard of care” in litigation over response to a cybersecurity incident – even if it is not a declared act of terrorism. Where a company only seeks SAFETY Act coverage of its risk management program, and not its cybersecurity controls, it would still have powerful support in response to challenges against director and senior executive actions in the wake of a cyber-attack. Furthermore, SAFETY Act coverage may reduce insurance costs and expand available scope of coverage. Both before and after an incident, a company can cite DHS’s recognition of its cybersecurity program under the SAFETY Act in response to regulator inquiries or public concerns regarding cybersecurity efforts.

Critical infrastructure is a major target of cyber-attack, and the global oil and gas sector has already experienced some of the most damaging incidents. The SAFETY Act coverage of internal cybersecurity programs can provide oil and gas companies that own and operate critical infrastructure legal protection against worst-case threats, while also providing everyday benefits.

DHS’s recent certification of an energy sector company’s internal enterprise-wide cybersecurity risk management program indicates that other companies could similarly leverage the SAFETY Act to address their legal risk from cyber-attacks in the near future.


PRATT’S PRIVACY & CYBERSECURITY LAW REPORT
OCTOBER 2015
VOL. 1 • NO. 2
AN A.S. PRATT PUBLICATION

EDITOR’S NOTE: COMBATING RISKS, by Steven A. Meyerowitz

DEALMAKERS IGNORE CYBER RISKS AT THEIR OWN PERIL, by Aaron P. Simpson and Adam H. Solomon

CYBERSECURITY AND GOVERNMENT “HELP” – ENGAGING WITH DOJ, DHS, FBI, SECRET SERVICE, AND REGULATORS – PART I, by Alan Charles Raul and Tasha D. Manoranjan

THE DEFEND TRADE SECRETS ACT OF 2015: ATTEMPTING TO MAKE A FEDERAL CASE OUT OF TRADE SECRET THEFT – PART I, by David R. Fertig, Christopher J. Cox, and John A. Stratford

FTC LAUNCHES “START WITH SECURITY” INITIATIVE: RELEASES DATA SECURITY GUIDANCE AND ANNOUNCES NATIONWIDE CONFERENCE SERIES, by James S. Talbot

FFIEC RELEASES VOLUNTARY CYBERSECURITY ASSESSMENT TOOL, by James S. Talbot and Cristina Vasile

JEEP HACK DRIVES CYBER, CRISIS, LIABILITY, AND SUPPLY CHAIN COVERAGE ISSUES, by Joseph F. Bermudez


ISBN: 978-1-6328-3362-4 (print)
ISBN: 978-1-6328-3363-1 (eBook)

ISSN: 2380-4785 (Print)
ISSN: 2380-4823 (Online)

Cite this publication as:
[author name], [article title], [vol. no.] PRATT’S PRIVACY & CYBERSECURITY LAW REPORT [page number] (LexisNexis A.S. Pratt);
Aaron P. Simpson and Adam H. Solomon, Dealmakers Ignore Cyber Risks at Their Own Peril, [1] PRATT’S PRIVACY & CYBERSECURITY LAW REPORT [46] (LexisNexis A.S. Pratt)


Copyright © 2015 Reed Elsevier Properties SA, used under license by Matthew Bender & Company, Inc. All Rights Reserved.


Dealmakers Ignore Cyber Risks at Their Own Peril

By Aaron P. Simpson and Adam H. Solomon*

With cyber attacks pervasive in commerce today, it is imperative for businesses engaging in corporate transactions to consider the cybersecurity and privacy risks of their investments prior to purchasing, merging with, or financing a company. Dealmakers can mitigate these risks and prevent the incurrence of unanticipated costs and criticism from unforeseen information security and privacy issues that may emerge after the closing of a deal through thoughtful due diligence efforts. The authors of this article discuss the cybersecurity and privacy due diligence process.

In today’s commercial environment, it is imperative for businesses engaging in corporate transactions to consider the cybersecurity and privacy risks of their investments prior to purchasing, merging with or financing a company. Cyber attacks across industry are rampant, and purchasers face significant risks of data breaches and privacy violations occurring before or arising after the closing of a deal. These events can increase liability and ultimately harm the value of the investment. Through thoughtful due diligence efforts, dealmakers can mitigate these risks and prevent the incurrence of unanticipated costs and criticism from unforeseen information security and privacy issues that may emerge after the closing of a deal.

There are many liabilities that may arise from the collection, use, disclosure and security of company data. The most significant liabilities result from cyber attacks compromising sensitive information maintained by the company. As a starting point, companies experiencing a breach incur potentially hefty costs investigating, remediating and responding to breaches, including the cost of conducting a forensic examination and fixing, rebuilding, upgrading or altogether replacing impacted computer systems. On top of these expenses, data breaches pose liability risks associated with regulatory enforcement, fines and assessments levied by payment card brands or regulators, private litigation such as consumer class actions and shareholder derivative suits and congressional inquiries, as well as losses of sales, goodwill, intellectual property, information assets and shareholder value. Similar liability risks may arise for companies in data-intensive fields from the use of consumer information in violation of privacy laws or company privacy policies that are treated as actionable public representations under state and federal consumer protection laws.

* Aaron P. Simpson, a member of the Board of Editors of Pratt’s Privacy & Cybersecurity Law Report, is a partner at Hunton & Williams LLP, advising clients on a broad range of privacy and cybersecurity matters, including state, federal, and international privacy and data security requirements as well as the remediation of data security incidents. Adam H. Solomon is an associate at the firm, focusing his practice on privacy and cybersecurity law. Resident in the firm’s New York office, the authors may be contacted at [email protected] and [email protected], respectively.


Faced with the seeming inevitability of cyber attacks and potentially massive liability that ensues, companies and management are increasingly judged by how well they have prepared for and responded to these types of events. When purchasing, merging with or investing in a company, conducting due diligence of the target company’s information assets has become a critical step in protecting investments, limiting liability and mitigating operational, financial and reputational risk arising from the target company’s privacy and information security practices.

THE CYBER AND PRIVACY DUE DILIGENCE PROCESS

To manage these risks and liabilities, companies must be proactive. Even if the target company makes representations that it has never suffered a breach, it is undoubtedly only a matter of time before a cyber attacker exploits potential vulnerabilities or a third party identifies ongoing misuse of company information. Moreover, an attack may already be underway. In 2014, an Israeli security firm discovered an ongoing hacking operation targeting banks, governments, research labs and critical infrastructure facilities in Europe that began over 12 years before it was discovered.[1] With network intrusions becoming more persistent, the risk of acquiring a company experiencing an ongoing breach (perhaps unknowingly) has increased.

Potential post-closing integration difficulties also up the ante on diligence associated with information assets. Following a merger or acquisition, companies often face difficulties in integrating their information assets, which can lead to cyber intrusions and privacy mishaps. For example, the merging of the networks or databases of different entities may introduce security weaknesses, induce privacy violations or result in coverage gaps in the company’s cyber insurance policy, all of which can be managed more effectively if the companies go into the deal with their eyes wide open.

By conducting cybersecurity and privacy due diligence, purchasers can proactively identify incidents and issues that give rise to concerns regarding the adequacy, reasonableness and appropriateness of the target company’s privacy and information security practices. In doing so, the purchaser can develop a roadmap for remediating any material gaps post-closing so that it is well-equipped to manage the cybersecurity and privacy risks of its new investment efficiently and appropriately. Due diligence requests for privacy and cybersecurity-related materials can, however, become overly burdensome and inefficient if the right issues are not identified and the wrong questions are asked. Each due diligence approach should be tailored to the deal and companies at issue. The process should begin with a comprehensive privacy and information security due diligence questionnaire that asks specific questions to the target company and should end with an agreement that contains the appropriate representations and covenants concerning privacy and security. As described below, this diligence process should account for the following key areas of risk.

[1] See Liat Clark, Decade-long Cybercrime Ring Hacked European Banks and Labs, Wired.Co.UK (Sept. 16, 2014), http://www.wired.co.uk/news/archive/2014-09/16/harkonnen-operation.

Incident History

There is an assortment of actors threatening corporate information assets today, including cyber criminals, hacktivist organizations and nation states. These threat actors routinely infiltrate corporate networks to steal proprietary information, including customer and employee personal data, payment card information, sensitive financial and strategic information, trade secrets and intellectual property. These parties are not acting alone. To the contrary, they are supported by a sophisticated supply chain of vendors, including software developers, infrastructure providers and money launderers. While some of these attacks are targeted and bespoke, many are carried out using toolkits purchased on the black market that enable non-technical actors to hack corporate networks on a scalable basis using sophisticated malware and other automated methods. As a result of the commodification of hacking, the frequency and volume of cyber attacks have increased.

With the rise in cyber attacks, there is a growing risk of a data breach going undetected or undisclosed prior to closing a deal. Cyber attacks have impacted several deals in recent years. For example, Australian telecommunications provider Telstra reported that it recently became aware of a customer data breach at a subsidiary acquired in the Asia-Pacific region just weeks after closing a $697 million deal to purchase the company in April 2015.[2] Nearly 10 months after acquiring a data broker subsidiary in 2012, Experian was reportedly notified by the U.S. Secret Service that its new subsidiary was being exploited by identity thieves to steal the personal information of allegedly over 200 million individuals.[3] The incident resulted in congressional and regulatory inquiries, a consumer class action brought against Experian, and Experian suing the former owner of its subsidiary for breach of warranty and contract, express contractual indemnification and various tort claims arising from its acquisition. Similarly, in the midst of BNY Mellon acquiring the asset management subsidiary of MBIA in October 2014, a data researcher reportedly discovered sensitive information of the subsidiary exposed on the Internet, including customer account numbers, balances and account access credentials.[4]

2 Mike Burgess, Pacnet Security Breach, Telstra Exchange (May 20, 2015), http://exchange.telstra.com.au/2015/05/20/pacnet-security-breach/.

3 Gerry Tschopp, The Facts on Court Ventures and Experian, Experian News Blog (Mar. 30, 2014), http://www.experian.com/blogs/news/2014/03/30/court-ventures/; Jim Finkle & Karen Freifeld, Exclusive: U.S. States Probing Security Breach at Experian, Reuters, http://www.reuters.com/article/2014/04/03/us-experian-databreach-idUSBREA321SL20140403.

4 Edward Krudy & Hilary Russ, Update 1: Data Breach at Bond Insurer MBIA May Affect Thousands of Local U.S. Governments, Reuters (Oct. 7, 2014), http://www.reuters.com/article/2014/10/08/mbia-cybersecurity-idUSL2N0S22LB20141008.


To help evaluate the target company’s cybersecurity posture and obtain appropriate representations and warranties, the purchaser should investigate the target company’s history of cybersecurity incidents, including those related to the company’s network, service providers, Web sites, and customers. The clear objective of this inquiry should be to uncover circumstances in which the target company has discovered or been notified of an actual or suspected information security incident, and receive appropriate representations regarding how the company responded to the matter, assessed and satisfied its applicable legal obligations, and remediated the incident. To gain a complete picture of the target company’s history of privacy and security incidents, the review also should ascertain the process by which the company monitors, detects, investigates and responds to information security incidents. A lack of appropriate incident response mechanisms increases the likelihood that a breach has gone undetected or undisclosed to management.

Regulatory Compliance

Legal compliance is another key risk to evaluate during the due diligence process. The obligation to comply with privacy and information security laws and standards can raise the integration costs of the acquisition. To remediate deficiencies, the purchaser may need to incur expenses such as updating or replacing computer systems, hiring additional staff, purchasing new services and retaining outside experts to provide assessments. While all companies have compliance challenges, the risk of noncompliance with applicable legal requirements is especially prevalent with startups and midsize companies, which often have less robust, formal and well-funded compliance, legal and information security programs. This can lead to the existence of gaps between such a target’s privacy and information security practices and its legal obligations. In these cases, the cost of noncompliance can be significant.

In addition to incurring potentially substantial expenses to remediate privacy and information security issues and align the target company’s practices with the purchaser’s policies, a regulatory violation could result in fines or civil penalties and extensive settlement agreements that impose onerous information security and privacy requirements on not only the target company but also the purchasing entity. As a historical matter, Federal Trade Commission (‘‘FTC’’) settlements in the information security arena have been broad, typically enjoining future misconduct and imposing continuing obligations related to the company’s information security practices, including third-party audits, for over 20 years. Given how privacy and information security issues were regulated just five years ago, 20 years is a virtual eternity in the data space.

There are many sources of privacy and information laws in the United States and abroad. In the U.S., information privacy and security laws constitute a complex melange of sectoral-based state and federal laws. Depending on the nature of the target’s business, a variety of federal and state laws concerning privacy and information security could apply to the target company’s information, including laws regulating healthcare entities, telecommunications providers, utilities and financial institutions. The FTC has been the primary regulator overseeing privacy and information security practices in the U.S. by using its core consumer protection authority to enforce against unfair or deceptive practices of unregulated entities such as retailers. Industry standards also may impose privacy and security requirements on the target company. Most notably, to the extent the target company receives or processes payment card information, it will have contractual obligations to comply with the comprehensive security requirements of the Payment Card Industry Data Security Standard.

Given the variety of legal mandates applicable to privacy and information security issues, the due diligence process must include an evaluation of the applicable requirements set forth in federal, state and foreign laws, regulatory enforcement actions, and important industry standards concerning privacy, information security and data protection. Based on the applicable requirements, the review should in turn identify and assess areas in which the target’s privacy and information security practices fall short of its legal obligations. The target company’s privacy and information security policies and procedures serve as key sources of information for conducting such an assessment. To gain a further understanding of the company’s privacy and security posture, the compliance review also should evaluate reports prepared by or on behalf of the target company documenting the findings and recommendations from prior risk assessments, privacy and security assessments, or audits or evaluations, including any associated corrective action plans related to those reports. Through these materials, the purchaser can identify red flags and compliance gaps such as out-of-date policies and procedures, inaccurate descriptions of the target’s practices or lack of legal compliance, all of which can create significant issues post-closing.

Privacy Representations

To the extent the target company makes privacy representations to its customers, for example, through an online privacy notice or Health Insurance Portability and Accountability Act (‘‘HIPAA’’) privacy notice, the due diligence review should assess the target’s privacy practices and policies representing the way in which it may collect, retain, use, share and process the personal information of consumers. The representations in the target’s privacy notices will place limits on the purchaser’s ability to use and share this information after the acquisition. Notably, the FTC has issued guidance and sent letters to companies engaging in acquisitions, most recently a letter to Facebook prior to its acquisition of WhatsApp in 2014,5 regarding its expectation that following a merger or acquisition, the purchaser must honor the prior promises made to consumers by the purchased entity regarding how it may use or share consumer information, or otherwise get express permission from consumers to materially change how their previously collected information will be collected, used or shared after the corporate transaction.6 For many companies this would be a gargantuan and entirely impractical exercise that should only be taken on with full knowledge of the possibility before closing. The acquisition or merger also might require the company to provide consumers with notice of any change to how it plans to use information collected after the transaction and a choice whether to agree to such changes.

5 Letter from Jessica Rich, Director, Bureau of Consumer Protection, to Erin Egan, Chief Privacy Officer, Facebook, Inc. and Ann Hoge, General Counsel, WhatsApp Inc. (Apr. 10, 2014), https://www.ftc.gov/system/files/documents/public_statements/297701/140410facebookwhatappltr.pdf.

Contractual Liability

The due diligence process also should include an assessment of the target company’s contractual relationships with vendors, customers and business partners. Besides assessing the company’s risk and legal posture, this review will help identify the next steps for managing the company’s vendor and customer relationships after closing in cases where existing contractual language could be enhanced or revised, or ongoing monitoring may be appropriate.

With respect to the target company’s vendors, the purchaser should identify third-party privacy and security risks associated with the target outsourcing IT functions to data centers, software developers and other types of service providers. The focus of this review should be on the agreements in place with vendors that host, maintain, receive or transmit the target company’s sensitive information. It also is important to ascertain how the target selects, reviews and monitors its vendors. If the target does not take reasonable measures to retain appropriate vendors, include strong contractual protections in its agreements with vendors and monitor its vendors’ compliance, then the possibility of a data breach at one of those vendors, known or unknown, increases. Issues commonly found in vendor contracts include agreements with insufficient contractual specifications, broad sharing and usage rights related to the target’s information, or a lack of privacy, confidentiality and information security obligations altogether. The review also may uncover that the agreements do not adequately comply with applicable laws, such as when the vendor constitutes a business associate under HIPAA, which requires specific contractual obligations in the business associate agreement.

In addition to vendor agreements, in most cases it will be necessary to evaluate the target company’s customer and business partner agreements. These agreements may include additional privacy and information security obligations over and above the target’s legal obligations. If such agreements contain terms that establish additional privacy requirements and security specifications such as adherence to information security standards, limitations on data de-identification or restrictions on outsourcing, the company may have additional compliance-related challenges and costs associated with meeting such obligations.

6 See e.g., Jamie Hine, Mergers and Privacy Promises, Fed. Trade Comm’n (Mar. 25, 2015), https://www.ftc.gov/news-events/blogs/business-blog/2015/03/mergers-privacy-promises.

Furthermore, in this day and age it is necessary to assess the target’s cyber insurance coverage as part of this contractual review. This assessment should analyze both companies’ insurance portfolio, including current policies covering cybersecurity, directors and officers, errors and omissions, fidelity and crime, and general commercial liability, to assess potential coverage in the event of a cyber incident and the ramifications the corporate transaction may have on the coverage.

CONCLUSION

Given the pace of technological change we have seen in the recent past and the potential for scalable privacy and information security abuses, the cyber-stakes are at an all-time high. Businesses making investments in data-intensive targets overlook diligence in these key areas at their own peril. Those who take appropriate precautionary measures to assess the privacy and cybersecurity implications of their investments will continue to fare far better than those that fail to do so. By performing due diligence of the target company’s privacy and information security practices, businesses will identify key risks to their investment and gain critical knowledge of how potential liabilities may impact their investment.

This article presents the views of the authors and does not necessarily reflect those of Hunton & Williams or its clients. The information presented is for general information and education purposes. No legal advice is intended to be conveyed; readers should consult with legal counsel with respect to any legal advice they require related to the subject matter of the article.


Assessing Cybersecurity Risks in the Supply Chain By Ben DiPietro Apr 20, 2017

Paul Tiao, partner, Hunton & Williams. PHOTO: HUNTON & WILLIAMS

Paul Tiao and Andy Geyer, partners at law firm Hunton & Williams, discuss supply-chain risks and cybersecurity risks facing supply chains.

How should a company think about what constitutes its cyber supply chain?

Mr. Tiao: One of the things we always do when it comes to risk management is to identify the nature of the risk in different parts of the company, prioritize those risks and evaluate what are the best ways for mitigating those risks. Significantly sized companies are going to have hundreds of third-party vendors and part of the challenge to the company is getting its arms around the nature of the risks associated with its supply chain. It’s something companies have really begun to focus on, at least with respect to cybersecurity. The only way to fight that is to conduct a comprehensive review of your vendors and what sort of access they have to sensitive information. Make sure that access is required and minimize whatever access they have and don’t give any more access than they need.

How would you describe the state of preparedness for cyberattacks?

Mr. Tiao: If specifically we are talking about the supply chain, preparedness is weak. Companies are better at managing risks associated with cyberthreats in other aspects of their business than they are with their supply chain. Supply chain is a particularly vexing challenge; the government is struggling with it, the private sector is struggling with it, the government is trying to figure out how to get the private sector to do it more effectively. It’s hard enough to ensure your own security protocols and systems are reasonable and good, but to try to ensure your suppliers have the appropriate levels of security, that’s another level of difficult. It’s one of the areas where we are weakest.

Mr. Geyer: Part of the challenge, when thinking about it as a customer, is you are trying to protect your own company. You go to one of your third-party suppliers and you say, ‘Here are my protocols if you want to be my supplier.’ For example, with large cloud providers, the vendor typically resists agreeing to the customer’s protocols. They say they have their own policies and procedures and can’t agree to each customer’s specific and tailored procedures. So it becomes a risk point. You may have your own ship in order, but once you are allowing another vessel in, the likelihood of getting them to agree to all of your procedures is going to be difficult. Sometimes you are a big enough company where you can force a particular vendor to agree to your specific protocols, but that is probably not the norm. What typically happens is you need to ask the vendor what are its procedures, protocols and standards, and you need to review those so you understand the gaps between what you require and what the vendor provides.

Andrew Geyer, partner, Hunton & Williams. PHOTO: HUNTON & WILLIAMS

What can companies do to mitigate these risks?

Mr. Tiao: There are no silver bullets about risk management. It’s not about risk elimination, you’ve just got to manage it, survey your entire network and business to identify where the sensitive data is, what security is wrapped around that data and what security should be wrapped around it. The best security should be around the crown jewels; you should limit access to that data and monitor the heck out of what is happening with it. The nature of security defenses has evolved. You’ve got to be monitoring your network for malicious activity.

A growing field is information-sharing, working with agencies and other private companies to get the best information on threats and vulnerabilities. There are many things you can do technically and at the business and policy levels to mitigate and make sure you are ready for a breach. It’s a good idea to plan a breach-response exercise that puts the right people in place. That’s where preparedness helps.

How can an organization put in place an effective cybersecurity program?

Mr. Tiao: A lot of the challenge is internal. You may do an assessment to identify areas that may require attention but companies in general don’t have enough resources to meet every single demand. So the team has to prioritize the process through which it can persuade the company to invest in new systems and additional personnel to address the changing nature of risk and to close those gaps. The information security executives have to prioritize these requests and encourage the company to build a governance team to support these requests and understand these requests, to make sure they’ve got the right governance structure and the right culture to address cybersecurity.

How does a company put that in place if it doesn’t have it?

Mr. Tiao: A lot of the job of the information security executive is to manage up, to persuade the C-suite to create a team of individuals…that includes all of the key stakeholders that would weigh in on cybersecurity. You need to build teams at different levels—it’s not just a technical problem, you have to get the powers that be to create that structure so everyone involved is working together to get the right information. Then it takes time to build a structure, so you’ve got to be good politically within the company, to be a persuasive advocate for the program. You won’t get resources and support if you don’t have the right governance team in place.
