Cyber incidents are in the news on a daily basis, and their impact on businesses can be enormous. Now is the time to move beyond scary statistics and fear mongering to address this business risk as any other business risk—rationally and logically. It is time to accept this new reality and to begin teaching clients how to implement a reasonable incident-response plan.
In the absence of a preemptive federal law, states and industries are regulating themselves in a variety of ways. Additionally, the Federal Trade Commission (FTC) has begun policing the area of cybersecurity using section 5 of the Federal Trade Commission Act (FTCA), which broadly prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC’s authority to police this area was challenged in FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). Wyndham experienced three cyber breaches in a two-year period wherein a variety of data was stolen, including customer and credit-card information, which allegedly resulted in over $10M in fraudulent charges. The FTC investigated and sued Wyndham, claiming that Wyndham’s conduct was an unfair practice and that Wyndham’s privacy policy was deceptive. Wyndham filed a motion to dismiss, asserting that the FTC had exceeded its authority under the Act. The district court upheld the FTC’s authority under section 5 of the FTCA, and the district court’s ruling was affirmed on appeal by the Third Circuit.
Because the FTC’s authority is derived under the “unfair or deceptive acts or practices in or affecting commerce” language in section 5 of the FTCA, its authority is very broad and extremely flexible. The FTC has explained its position to mean that: (1) companies must fulfill the promises made to consumers regarding the use and security of their information; and (2) companies must maintain reasonable procedures to protect sensitive consumer information.
Fulfilling the Promises Made to Consumers
First, review the representations, disclosures, and terms of use currently provided to consumers. Outdated or overstated representations can give rise to liability when the company cannot meet consumer expectations associated with those representations. Rather than stating that the company’s security measures are “bullet-proof,” consider representing that the company’s security measures are routinely monitored, reviewed, and updated to align with current industry standards. Then be sure this is actually the company’s practice. The FTC has taken action against companies that claimed to have strong security measures in place when, in fact, the companies had failed to address substantial and well-known security risks. In re GMR Transcription Serv., Inc., No. C-122 3095 (FTC Aug. 21, 2014).
Second, confirm that the consent obtained from consumers for collecting and using their data is current, accurate, and observed. It is unquestionably deceptive to exceed the scope of consumer consent, and that specifically includes geo-location services. Periodically review the consent language provided to consumers and confirm the consent is broad enough to cover the company’s actual use of the data. In addition, wherever a consumer is provided an opportunity to “opt out” of any use, collection, or sharing, then that election must be accurately implemented. Violations for exceeding the scope of consent typically arise with website updates, products updates, and mobile application development or expansions. These types of events naturally lend themselves to enhanced collection, sharing, and use of data that far exceeds the prior consent language. The FTC has taken action against companies who have: (1) misrepresented the level of sharing and with whom data is shared; (2) misrepresented the purpose for collecting consumer information; (3) provided false “opt out” options where opting out was never implemented; or (4) gathered geo-location data without providing proper notice to consumers. See Snapchat, Inc., No. C-132 3078 (FTC May 9, 2014).
Maintaining Reasonable Procedures
Maintaining reasonable procedures in a commercial setting is a flexible, almost abstract standard. Although not well-defined, it is certain that taking no action, or attempting to rely on insurance coverage alone, will be deemed unreasonable. The FTC has admitted that a breach is not conclusive evidence that a business was not acting reasonably under all the circumstances. Conversely, the FTC has clarified that the absence of a breach is not evidence that a company’s actions were reasonable. Accordingly, businesses must develop an industry-appropriate cyber-security plan and an incident-response plan that address today’s concerns. These plans must be tested and periodically reevaluated to confirm they are current and reasonable.
In order to build an incident-response plan, companies must: (1) identify and locate its data; (2) evaluate the data held; (3) reduce and eliminate unnecessary data; (4) secure the company’s network and the data located on it; and (5) plan for possible incidents.
First, using its own resources or that of a contractor, a company should inventory the information and types of data in its possession and the information it is collecting in the normal course of business across all departments, including human resources, accounting, legal, sales, management, purchasing, marketing, etc. Next, the location and methods for accessing this information should be identified and documented. For example, is the data available only through a direct connection to the server, through the server via VPN, or through the cloud, or is the data housed on individual computers or employee personal devices? For better planning, it is recommended that the company’s data be categorized using a three- or five-point ranking system, similar to the following:
- critical to key business operations
- sensitive personally identifiable information
- important to management and operation
- peripheral maintenance and historical information
- insignificant and redundant information
Once the data that is collected and stored is identified and located, evaluate the legitimate need for collecting it in the first place or for continuing to store it. As a general principal, data should be collected and stored because it serves one of two purposes: (1) a fundamental business purpose, such as regulatory compliance, management, or financial; or (2) articulable marketing purposes. Wherever possible, limit the scope of collection and reduce storage to the bare minimum necessary to achieve the limited purpose for which it is collected. For example, if the month or month and day of a customer’s date of birth will provide the information necessary for a birthday e-mail club program, then do not allow an option for providing the year of birth. Similarly, records maintained for audit purposes should not be stored longer than seven years. A systematic, routine program for destroying data should be implemented in accordance with the preservation time limits on the data, which varies depending on the type of data and its use.
Next, secure the data. Begin by evaluating the physical security of the servers. Place key components of the network in a locked spaced accessible to a limited group of people with a legitimate need to physically access the equipment. Then, evaluate other security options and policies. For example:
- confirm the system has a firewall;
- routinely use encryption and protect the encryption key by storing it outside the server;
- routinely install security patches, software updates, and malware protection;
- mandate that passwords include complex character combinations and expire every 60 to 90 days without allowing an employee to reuse them;
- structure, implement, and enforce bring-your-device policies;
- consider mobile device management (MDM) software for monitoring, managing, securing, and wiping mobile devices remotely; and
- evaluate the use of cloud computing or limit the types of data approved for cloud use, and never provide the encryption key to the cloud provider.
In addition, electronic backups, as well as physical files and documents, should be securely stored and routinely destroyed in accordance with company policy. This is a good opportunity to implement a uniform e-mail deletion program that deletes e-mails older than 9–18 months. Additionally, a systematic, routine program for backing up critical information that can be made readily available on short notice should also be established to help facilitate normal business operations in the event of a ransomware attack, wherein malicious software is used to allow hackers to access a company’s computers, encrypt company data, and then demand payment to decrypt the data.
Finally, every company must have a plan for continuing to operate while addressing the issues associated with a breach event. Breaches may range from fairly minor incidents such as a lost mobile device to a full invasion of your server. Minor breaches should have routine procedures for managing them. For example, a lost mobile device should be reported to the company within a defined period of time outlined in the company’s bring-your-device policy, and the device should have MDM software through which the company can remotely backup and wipe its contents.
Managing more significant breaches requires a multipronged response. In those instances, establish an incident-response team (IRT) limited to four or five key people within the company who possess the authority to act and will be available to devote significant blocks of time responding to the incident without impacting the business’s ability to continue its core function. Members of the team might include the company president or vice president, general counsel, a human-resources executive, an IT executive or security officer, a marketing executive, or a customer-service executive. Each team member should be assigned distinct responsibilities and have the authority to act within the scope of each assignment. The team members should provide their contact numbers to the IT department and be available to respond to a serious incident 24 hours a day.
Once the core IRT is defined, begin planning. First, identify necessary outside resources. It is important to remember that the business must continue to operate during the incident, so internal resources may be limited due to on-going operational burdens. Internal resources may also be limited due to a lack of experience. Consider the internal resources available to the IRT in the event of a significant breach and then contract for services to fill the voids. Generally, external resources or service providers include insurance coverage, outside legal counsel, a public relations firm, and a computer forensics firm. The IRT should gather information about these services in advance of the breach and even consider selecting a service provider and negotiating the cost and terms of the services with a provider in advance. Advance selection allows the company to make deliberative choices about the services they need without the stress, pressure, and time constraints associated with responding to an incident.
Initially the IRT should meet at least monthly to begin preparing and making as many decisions in advance of an incident as possible. Over time, these meetings can be spaced as appropriate for the company’s needs. The team should designate one person or service provider as the primary point of contact for all communications associated with an incident. Many of those communications can be predrafted to fit the size and scope of the anticipated incident. These communications might include: (1) the notice that will be posted on the company’s website, if any; (2) reminders to employees about company policy regarding communicating with the media or third parties; and (3) press releases. The IRT should consider the possibility that the company’s electronic communications systems might be compromised and should evaluate whether to disable its e-mail systems in the event of a serious incident. Other considerations in the planning process should include:
- evaluation of insurance coverage and whether to invest in cybersecurity coverage;
- imposition of contractual indemnity obligations on contractors and other third parties for their actions or inactions that cause or contribute to an incident;
- evaluation of the capacity of the company’s customer-service department for receiving and managing incoming calls, and a determination of whether an additional toll-free number should be established for incident response or whether these types of calls will be outsourced to a call center;
- identification of the person who will notify law enforcement or administrative agencies of the incident and determine under what circumstances such a notification will be made;
- identification of the person who will physically secure the premises and equipment and who will preserve the evidence;
- identification and training of the person(s) who will take the affected equipment offline and isolate it until additional remedial action is completed;
- when notification to affected persons is required, verification of whether insurance will cover the costs and designation of counsel for providing notices; and
- as these decisions are made, evaluation of qualified, available internal resources and whether additional service providers should be contacted to fill any voids.
In the event of a breach, every IRT member should be contacted immediately. Each team member should have a list of the service providers, and the responsible team member should immediately contact the service provider within his or her assigned scope so that all necessary resources are immediately mobilized. The hours immediately following an incident are critical to reestablishing security, limiting liability, preserving evidence, and protecting the brand’s reputation. Plan to:
- Fix the Problem. Document the date, time, location, duration, and remediation efforts related to the incident. Isolate the affected equipment and safely take it offline. Take precautions to preserve physical and electronic evidence and secure the premises. Identify and address other security problems or risks. Remove hacker tools and malware.
- Implement the Plan. Immediately alert the IRT. The IRT should notify all necessary company employees and service providers and then begin implementing the company’s next actions.
- Identify the Facts. Identify the person who discovered the incident and get a statement from that person that includes as many details as possible. Determine what type of data was compromised and develop a list of affected company departments and individuals, if any. Confirm whether the data was deleted, modified, encrypted, or viewed. Inventory the equipment and confirm whether any equipment is missing.
- Move to the Second Stage. Discuss the breach with outside counsel and other service providers. Determine whether notice to law enforcement or administrative agencies is required or advisable. Decide if press releases and public notifications will be made and when. Consider whether third parties have obligations to the company based on their actions or inactions related to the incident. Review employee actions to determine whether violations of law or company policy occurred. Identify other legal obligations based on the facts.
The scope of the response will be directly impacted by the size, scope, and type of the company involved, the type of industry, state and industry laws and regulations, the type(s) of data collected, and the type(s) of data affected by the incident. The legal standard for reviewing a company’s conduct in protecting data and responding to incidents is “reasonable” under all the circumstances. Upon review, investing the time and resources to begin developing an incident-response plan as outlined above helps tilt the scale in favor of finding that a company acted reasonably even where an incident occurred. Liability in this area continues to expand; therefore, counseling clients to begin addressing this risk without overreacting or procrastinating is prudent.