In this context, airline cybersecurity preparedness has been subject to heightened scrutiny. On August 16, 2016, U.S. Senators Edward J. Markey and Richard Blumenthal, members of the Senate Commerce, Science, and Transportation Committee, wrote letters to 13 airlines relating to several cybersecurity issues, including the “resilience” of the airlines’ information technology (IT) systems. The senators encouraged airlines to ensure that their “IT systems have the appropriate safeguards and backups in place to withstand power outages, technological glitches, cyber-attacks, and other hazards that can adversely affect IT systems.” They asked airlines to “explain what protections you have in place to protect your airline’s IT systems from . . . cyberattacks.” They also noted that “[r]ecent reports suggest that some airlines have aging, complex IT systems,” and they asked each airline to “describe the state of [its] IT system and what specific steps are being taken to modernize it, if needed.”
In March 2017, Senators Markey and Blumenthal reintroduced legislation to improve aviation cybersecurity. The Cybersecurity Standards for Aircraft to Improve Resilience Act of 2017, or the Cyber AIR Act (S. 679), requires, among other things, the disclosure to the Federal Aviation Administration of “any attempted or successful cyberattack on any system on board an aircraft, whether or not the system is critical to the safe and secure operation of the aircraft, or any maintenance or ground support system for aircraft, operated by the air carrier or produced by the manufacturer. . . .” The bill also outlines the incorporation of cybersecurity into the requirements for air carrier operating and production certificates, as well as the management of cybersecurity risks of consumer communications equipment (i.e., “broadband wireless communications equipment designed for consumer use on board aircraft operated by covered air carriers that is installed before, on, or after, or is proposed to be installed on or after, the date of the enactment” of the Cyber AIR Act).
Previously introduced in 2016, the Cyber AIR Act would regulate security for data entry points (i.e., the means by which signals to control a system on board an aircraft or a maintenance or ground support system could be sent or received) employed by U.S. air carriers and aircraft manufacturers. Though it is uncertain whether the Cyber AIR Act will be enacted, it nonetheless highlights the attention cybersecurity is receiving in the aviation industry.
The breadth of aviation-related cybersecurity issues is vast, ranging from consumer and company data theft to the potential cyber hijacking of an aircraft. Many of these issues, in particular consumer and company data theft, are not unique to airlines. It is beyond the scope of this article to address all cybersecurity issues. Instead, this article focuses on cybersecurity preparedness, including risk consciousness and risk mitigation strategies that companies should consider employing.
Implementing appropriate risk mitigation strategies is complicated by the lack of clear guidance from federal and state courts in the United States and by the patchwork system of regulatory standards and enforcement. Indeed, there is no uniform national standard governing data security or data breaches. For these reasons, and because no two companies are alike, there is no single solution to cybersecurity issues—companies should craft a company-specific approach. There are, however, a number of industry guidelines that provide guidance for mitigating cybersecurity risks. See, e.g., Fed. Trade Comm’n, Start with Security,: A Guide for Business, —Lessons Learned from FTC Cases (June 2015); Sec. & Exch. Comm’n, Office of Compliance & Examinations, Cybersecurity Examination Initiative (2015) ; Nat’l Inst of Standards & Tech., Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014); Cal. Dep’t of Justice, California Data Breach Report (2016), https://oag.ca.gov/breachreport2016.
Collectively, these guidelines provide a basic framework for risk management, including the following:
- assembling an appropriate cybersecurity team;
- performing an assessment of the company’s data assets, cybersecurity needs, policies, and defenses, and correcting identified weaknesses;
- creating a breach response plan;
- testing the company’s response plan and defenses; and
- keeping up-to-date on cybersecurity threats and defenses to enhance the company’s preparedness.
The first step in cybersecurity preparedness is to assemble the appropriate team to assess the company’s cybersecurity risk mitigation strategy and defenses. If the company does not have a chief information security officer (CISO), it should consider appointing one. The CISO should be responsible for, among other things, assembling the company’s cybersecurity assessment and response teams, and should employ a collaborative and multidisciplinary team approach in doing so. The Federal Trade Commission (FTC)—which has the authority to bring enforcement actions against “unfair and deceptive trade practices in or affecting commerce,” including the failure to implement basic security protocols to protect consumer information, see FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015)—suggests that cybersecurity should “factor into the decision making in every department of your business.” See Fed. Trade Comm’n, Start with Security, supra, at 2.
Involving company senior management and the board of directors in cyber risk mitigation increases the likelihood that the company will be able to demonstrate in litigation or regulatory proceedings following a data breach that it proactively attempted to mitigate these risks. Indeed, at least one court has held that under the business judgment rule, director involvement in cybersecurity issues can shield the company from shareholder derivative suits arising from cybersecurity breaches. See Palkon ex rel. Wyndham Worldwide Corp., No. 2:14-CV-01234 (SRC) (D.N.J. Oct. 20, 2014). Thus, the team managing company cyber risks should include, among others, the legal, risk management, IT, and crisis management departments; senior executives; the board of directors; the CISO; and independent third-party IT specialists.
The involvement of outside counsel during a cybersecurity assessment before any breach occurs may increase the likelihood that the company’s preparedness assessment will be protected by the attorney-client privilege or work-product doctrine (or both) if—and when—litigation or regulatory proceedings result from a breach. This is relevant because, for example, in a consumer class action litigation following a breach, plaintiffs’ counsel often seek discovery of pre-breach cybersecurity assessments to determine whether cybersecurity weaknesses were identified but not addressed.
Once a cybersecurity team is in place, the second step is to perform an assessment of the company’s data assets, cybersecurity policies, and defenses. This should begin with an analysis of the personal information the company collects and whether each piece of collected data has a necessary business purpose. Companies also should assess which employees have access to sensitive data and how to appropriately limit employee access. Companies can classify data types, store different types of data on different servers, and restrict employee access to only the specific data that employees need to perform their jobs. By classifying and segregating data types, a company can prevent wholesale breaches of its data systems and better protect its most valuable data.
An assessment of a company’s cybersecurity defenses also should include an evaluation of its written cybersecurity risk mitigation policies. Companies should have a clearly defined Written Information Security Policy (WISP) that regulates how data are stored and accessed, the likely risks employees may confront on a day-to-day basis (e.g., phishing scams), how employees should respond to those risks, and the consequences for employee violations of the WISP. The WISP should apply equally to all employees as well as to independent third-party IT specialists performing work for the company.
Companies also should conduct training on the implementation of the WISP to foster a culture of accountability. Employees who deal regularly with personal information, or the company’s commercially sensitive data, may require additional specialized training. The C suite should set the tone for the treatment of cybersecurity issues, including enforcing company policy.
In-house counsel should consider instructing independent third-party IT specialists to identify weaknesses in company cybersecurity defenses, prepare a report to counsel on those weaknesses, and implement corrective measures. As a result of working with a variety of companies, independent third-party IT specialists often develop additional expertise, as well as the ability to benchmark a company’s cyber defenses against those of other companies, which can increase the likelihood that a regulator evaluating a company’s risk mitigation practices after a breach will find that the company appropriately addressed these issues.
The full assessment of the company’s cybersecurity systems, risk mitigation policies, training, weaknesses identified, and corrective measures taken should be documented by counsel and brought to the board’s attention, both to improve the likelihood that the assessment will be found to be privileged and protected from discovery and, if necessary, to later demonstrate that the company proactively addressed cybersecurity risks.
The third step is to establish a breach team and response plan. The plan should detail employee response roles, responsibilities, decision-making authority, and coordination to ensure that the company is better prepared to act quickly and decisively in the event of a breach. Companies may wish to consider having a third-party vendor in place to assist with consumer notification and communication following a breach.
Once the breach response plan is in place, the fourth step is to test cybersecurity defenses and the company’s response plan (including tabletop exercises) with third-party IT specialists in coordination with counsel who, respectively, can again perform and document the test and recommend improvements.
Finally, the company CISO should keep abreast of emerging cybersecurity threats, changes to the legal and regulatory landscape, and changes to best practices. As part of doing so, the CISO will need a budget sufficient to continually reevaluate and retest the company’s cyber defenses and implement changes as needed. Cybersecurity preparedness should be an iterative and ongoing process.
There are many ways that companies can improve their cybersecurity preparedness. This article provides a sampling of best practices that companies should consider as legislative and regulatory bodies take an increasing interest in cybersecurity, specifically airlines’ cybersecurity defenses. Risk consciousness coupled with multidisciplinary collaboration to mitigate that risk will allow companies to better prepare for and recover from a breach, as well as help to reduce the associated fallout from a breach.