BreachExchange mailing list archives

One More Reason for Companies to Report Data Breaches
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 26 May 2015 19:59:41 -0600

http://justsecurity.org/23227/reason-companies-report-data-breaches/

Trust. And benefits. Those are two key issues impacting effective
cybersecurity collaboration: whether companies and their legal advisors
trust the government enough to reach out for help in the event of a breach;
and whether they perceive sufficient benefits from doing so. One major
stumbling block in that assessment is the dichotomous role of government
toward corporate data breach victims on the cybersecurity stage: that as
protector, and as enforcer. A number of executives remain wary about
reaching out to the government for help in a cybersecurity breach (when not
legally compelled to do so), recognizing that the same government with whom
they will share data will investigate and potentially bring an enforcement
action against the company for deficiencies in how they prepared for or
responded to the incident. The government took a small but meaningful step
toward addressing that concern last week.

On Wednesday, May 20th, in her remarks at the Cybersecurity Law Institute
in Washington, Assistant Attorney General Leslie Caldwell referenced a new
message from the Federal Trade Commission (FTC) encouraging cooperation. In
that morning’s post on the FTC site, entitled “If the FTC Comes to Call,”
seeking to help companies understand what to expect in a breach
investigation, FTC Assistant Director Mark Eichorn stated:

"We’ll also consider the steps the company took to help affected consumers,
and whether it cooperated with criminal and other law enforcement agencies
in their efforts to apprehend the people responsible for the intrusion. In
our eyes, a company that has reported a breach to the appropriate law
enforcers and cooperated with them has taken an important step to reduce
the harm from the breach. Therefore, in the course of conducting an
investigation, it’s likely we’d view that company more favorably than a
company that hasn’t cooperated."

The Department of Justice has been reaching out for years to assist victims
of data breaches. Indeed, many times it is the government who informs a
company that it has been breached, and (to varying degrees) assists the
company in determining the cause and extent of harm. But there is another
side to the government’s role in cybersecurity: the FTC and other
regulators have investigated and brought actions against a number of
corporate breach victims for failing to adequately prevent, detect,
disclose and respond to incidents. Describing this conduct, one executive
remarked to me: “it is as if the government is crawling back over the
battlefield to shoot the wounded.” But regulators and proponents of these
enforcement actions have emphasized the need to protect consumers, taking
the position that regulatory enforcement actions against corporate breach
victims will encourage improved cybersecurity hygiene, more accurate
disclosures, and a more robust response to a breach.  (For a further
discussion of the scope of civil regulatory and liability risk, see also
Judith H. Germano, Zachary K. Goldman, “After the Breach: Cybersecurity
Liability Risk,” NYU Law School, June 2014).

When a company suffers a breach, it needs to assess whether to call the
government — in an extreme case, such as Sony, the faster the company can
make that call the better. But in less dramatic instances, whether and when
to call the government, versus engaging in self-help internally or with
private legal and technical advisors, can become more nuanced. Companies
with previously established government relationships in this area often are
more inclined to reach out for help, and this effectively can be done
through informal channels as a first step. The benefits of contacting the
government include gaining a broader perspective of similar incidents,
accessing expertise beyond the company’s internal and external resources,
and the ability of proactive government efforts to investigate, apprehend
and prosecute the wrongdoers. (For more on my views on effective
public-private collaboration, see this white paper: Judith H. Germano,
“Cybersecurity Partnerships: A New Era of Public-Private Collaboration,
Center on Law and Security,” NYU Law School, Oct. 2014).

Yet companies are concerned about how the information they share will be
used, and whether it will be placed into the hands of regulators (and
private civil litigants) who investigate the company post-breach. To obtain
effective government assistance, companies should be forthright regarding
what vulnerabilities existed. But disclosing those vulnerabilities
increases exposure to, and can create a roadmap for, regulators and civil
litigants. Depending on the scope and nature of the breach, the type of
harm suffered and the company’s ability to address the situation without
government assistance, a company needs to assess whether to engage the
government. Despite the benefits of collaboration, the company’s decision
to cooperate — and potentially waive attorney-client privileges that
otherwise might exist — would be easier if there existed greater assurances
that the information shared with the government would not readily be
available for use against the company in civil and regulatory
investigations and actions. But that level of protection does not currently
exist.

Although clarity is needed, in terms of the scope, nature and extent of
protection available to companies who share information with the
government, there are competing interests that hinder that result. Many
companies and their advisors would find greater comfort in protections that
address concerns of attorney-client privilege, and shield from regulators
and civil litigants the information disclosed to law enforcement regarding
the causes and responses to a breach. But others argue that would go too
far in protecting companies from accountability for cyber incidents. At
this point, the risk remains that regulators and private civil litigants
might be able to obtain and use information a company shares with the
government against the company in a subsequent investigation and
litigation, and companies need to recognize that risk when assessing
whether and how to cooperate with the government. But the reality is that a
company, even if not working with the government, still should gather and
assess that same information to understand and respond to a breach, whether
internally or with the government directly involved. And the information
still may be available to regulators and civil litigants (even if not as
neatly packaged, and perhaps with greater potential of attorney-client
privilege protections).

But when the liability question turns to whether the company did all it
could in responding to the incident, that is where the new FTC statement
comes into play, for better and for worse. Now that the FTC has publicly
declared cooperating with law enforcement as “an important step to reduce
the harm from the breach,” companies should expect to be held accountable
for whether (or not) they have taken that step.

Companies now have an added benefit to put on the balance sheet in favor of
cooperating: It may not keep them away, but cooperating with law
enforcement may help improve the company’s standing when regulators and
civil litigants come calling after a breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/