It goes without saying that we live in a digital age, and that
the analog is gone and buried. Digital information propels the
modern economy on the so-called "cyber wave." Merriam-Webster
defines "cyber" as "relating to or involving computers or computer
networks." As reliance on digital information grows, the risk that
digital information will be compromised also increases. Digital
information may be compromised through a "cyber incident" or a
"cyber breach." The term "cyber incident" refers to unauthorized
access to cyber data or private servers. A hacker who changes the
homepage of a company's website has caused a cyber incident. The
term "cyber breach" refers to the unauthorized acquisition or use
of data. A hacker who steals Social Security numbers or credit card
information from a company's private server has committed a cyber
breach.
In an effort to combat cyber breaches, Massachusetts and the
federal government have increased enforcement of their
cybersecurity laws. Many corporations have responded to increasing
cyber threats by bolstering cybersecurity measures. Corporations
failing to adequately protect against cyber incidents face
potential litigation by consumers whose personal data is breached,
as well as penalty actions by Massachusetts and federal agencies.
Accordingly, attorneys advising corporate clients must be aware of
cybersecurity best practices, as well as increased governmental
cybersecurity enforcement efforts.
Cyber incidents are on the rise, and corporations are bearing
the cost.
Cyber incidents are increasing throughout the country. According
to PricewaterhouseCoopers, 79 percent of American corporations
detected a cybersecurity incident in the past 12 months, up from 44
percent in 2014.
In Massachusetts, the number of cyber breaches has increased
(1,999 in 2016, compared to 1,835 in 2015), as has the number of
Massachusetts residents affected by those breaches. According to
the Massachusetts Office of Consumer Affairs and Business
Regulation, cyber incidents compromised the personal information of
700,918 Massachusetts residents in 2008. In 2015, cyber incidents
compromised over one million Massachusetts residents' personal
information.
Cyber attacks are a growing menace to corporate America. There
are more of them, and they are becoming more costly to corporations
victimized by them. The British insurer Lloyd's estimates that
cyber attacks cost businesses over $400 billion globally each year,
and Forbes Magazine estimates that the cost of cybercrime in the
United States will reach $2 trillion by 2019. Whether these costs
are largely borne by corporations that maintain personal
information of employees and consumers, or are passed along to
consumers, the impact on the global economy is potentially
catastrophic.
Breaches come in a variety of sizes. Breaches may be large, like
the January 2016 breach of healthcare company Centene Corporation,
in which the personal information of 950,000 Centene members was
compromised. Smaller, but nonetheless costly breaches also plague
corporations. Of the 135 breaches reported to the Massachusetts
Office of Consumer Affairs and Business Regulation during the month
of January 2017, 95 breaches affected five or fewer Massachusetts
residents. Larger breaches, unsurprisingly, cost corporations more
than smaller breaches. According to the independent research
organization Ponemon Institute, data breaches of fewer than 10,000
records cost corporations on average $4.9 million in 2016, whereas
breaches of greater than 50,000 records cost corporations an
average of $13.1 million during the same time period. According to
the Ponemon Institute, the average organizational cost to a
business after a data breach was $7.01 million in 2016, whereas in
2015, the average organizational cost was $6.53 million. The
average costs associated with each stolen record increased from
$217 to $221 over the same period.
Corporations are increasing efforts to protect consumer
information.
In response to the increased threat and cost of cyber attacks,
many corporations have increased their focus on cybersecurity.
According to the Ponemon Institute, corporations nationwide have
increased their investment in "forensic and investigative
activities, assessment and audit services, crisis team management,
and communications to executive management and board of directors"
to bolster cybersecurity. According to the Wharton School, 80
percent of corporate boards of directors discuss cybersecurity at
most meetings, and according to the website CFO.com, "[a]lmost
three quarters (74 percent) of 160 public-company directors said
their boards are now [more] involved with cybersecurity than they
were last year …, and 80 percent have expanded their cybersecurity
budget, by an average of 22 percent."
Corporations not adequately addressing cyber threats
face increased penalties as the federal government increases
enforcement of cybersecurity laws.
Massachusetts and the federal government have also increased
their focus on cybersecurity. Federally, no single agency is tasked
with cybersecurity enforcement. Rather, many federal governmental
agencies regulate cybersecurity.
The Securities and Exchange Commission (SEC) identifies
cybersecurity as one of the greatest risks to investors.
Accordingly, in 2017, the SEC announced an increased focus by its
Office of Compliance Inspections and Examinations on cybersecurity
compliance. In June 2016, the SEC announced that Morgan Stanley
Smith Barney LLC agreed to pay a $1 million penalty to settle
charges related to its failure to protect consumer information and
failure to adopt written policies and procedures reasonably
designed to protect customer data, as required by 17 C.F.R.
248.30.
Similarly, the Federal Trade Commission (FTC) has increased its
focus on cybersecurity enforcement. Following the now-infamous
breach of AshleyMadison.com (resulting in the 2015 theft of 36
million registered Ashley Madison users' personal information),
Ashley Madison entered into a settlement with the FTC in which it
agreed to pay $1.6 million, and to implement more robust data
security practices to protect user information from hackers. The
Ashley Madison case is one of the largest the FTC has investigated,
although the FTC has investigated smaller matters as well. Since
2001, the FTC has charged 60 corporations for failing to reasonably
protect consumers' personal information. Acting FTC Chairman
Maureen Ohlhausen has stated that the FTC has also increased its
efforts to educate the public about closed cases and about the
FTC's data security expectations for corporations.
The Federal Communications Commission (FCC) has also made
cybersecurity a priority. In the FCC's Jan. 18, 2017, White Paper
on Cybersecurity Risk Reduction, former FCC Public Safety and
Homeland Security Bureau Chief David G. Simpson stated that the
FCC's cybersecurity oversight and enforcement efforts are
"important component[s] of the [government's] larger effort to
protect critical communications infrastructure and the American
public from malicious cyber actors." Simpson further stated that
the FCC is "actively working with [internet service providers] to
address and minimize network vulnerabilities," and is currently
developing "voluntary industry-wide best practices that promote
cyber security on specific areas that fall within the FCC's
purview."
In addition to the above-described enforcement efforts, it is
likely that Congress will enact new cybersecurity laws in response
to increased cyber threats. Indeed, new bills relating to
cybersecurity have been proposed, including the Active Cyber
Defense Certainty Act (ACDCA). The ACDCA's proponent, Rep. Tom
Graves of Georgia, has stated that the Act "is about empowering
individuals to defend themselves online, just as they have the
legal authority to do during a physical assault." If enacted, the
ACDCA would amend the Computer Fraud and Abuse Act (18 U.S.C. §
1030) (CFAA) to permit so-called "hacking back" when an individual
is the victim of a cyber attack. Specifically, the ACDCA would
permit victims to: (1) identify the perpetrators of an attack by
accessing an intruder's network; (2) disrupt ongoing attacks;
and/or (3) report attacks to law enforcement. Currently, hacking
back is illegal. The Department of Justice views hacking back as a
violation of the CFAA's prohibition on accessing a computer without
authorization, as well as a threat to innocent parties (for
example, where the attack is routed through a third party's
compromised systems), and a potential source of interference with
ongoing governmental investigations.
Massachusetts will likely increase enforcement of its
comprehensive cybersecurity laws.
Similarly, Massachusetts will likely increase enforcement of its
already rather comprehensive cybersecurity laws and regulations.
These include M.G.L. c. 93H (the Data Privacy Act), which obligates
companies (and individuals) possessing Massachusetts residents'
personal information to notify the Massachusetts Attorney General
and the Office of Consumer Affairs of any breach, and 201 C.M.R.
17.03, which obligates companies (and individuals) possessing such
information to maintain certain safeguards, including a written
information security program.
Massachusetts Governor Charlie Baker and Massachusetts Attorney
General Maura Healey have consistently indicated that cybersecurity
is a priority for the commonwealth, and are expected to increase
efforts to ensure the privacy of information as cyber threats
continue to grow.
Healey has stated that because "most any crime today involves
some digital element," cybersecurity is, "from [her] perspective as
attorney general … an issue that [she] actually lay[s] awake
thinking about." In 2016, Healey hosted a data privacy forum in
conjunction with the Massachusetts Institute of Technology and
Harvard University, "in support of her office's continued efforts
to protect the privacy and security of consumers' data." Among
these "continued efforts" are the attorney general's enforcement of
the Data Privacy Act against Massachusetts and foreign
corporations. Less than two years after the Data Privacy Act was
enacted in 2010, the Massachusetts Attorney General's Office
charged Belmont Savings Bank for failing to comply with its
cybersecurity program, and for keeping personal information on an
unencrypted backup tape, which it subsequently misplaced. Belmont
Savings Bank ultimately settled with the Attorney General's Office
for $7,500, and promised to encrypt all personal information, store
backup data tapes containing personal information securely, and
train employees to properly secure personal information. The
attorney general's investigations have also led to a $15,000
settlement with Maloney Properties, Inc. in 2012; a $150,000
settlement with the Women & Infants Hospital of Rhode Island in
2014; and a $1 million multi-state settlement with Adobe Systems,
Inc. in 2016, among others.
Baker has also demonstrated his interest in cybersecurity.
During the governor's December 2016 Economic Development Mission to
Israel, leaders from the public agency Massachusetts Technology
Collaborative entered into a memorandum of understanding with
Israeli venture CyberSpark. This memorandum of understanding
focused on key areas of cybersecurity collaboration between the
Massachusetts agency and the Israeli venture, including "practical
training for students in the cybersecurity fields," "applied
research projects focusing on healthcare technology-related
cybersecurity issues," and "roundtables to discuss emerging trends
in technology, policy, and regulation."
As cyber threats continue to become more numerous, more
complicated, and more costly, it is likely the commonwealth will
increase enforcement, in order to combat increasing cybersecurity
risks.
Conclusion
Although cyber threats are increasing in frequency, corporations
can take measures to reduce their risk of cyber breaches, and to
reduce their liability if breaches occur.
First, corporations should adopt appropriate cybersecurity
measures. Companies may reduce cyber risk by installing and
regularly updating anti-virus software, blocking suspicious emails
and websites, requiring employees to regularly change passwords,
encrypting emails sent externally, and providing access to
confidential data on a need-to-know basis. Corporations should
document cybersecurity policies in a written information security
plan, train employees on cybersecurity, and perform periodic audits
to ensure compliance with cybersecurity protocols.
Second, corporations should develop a written cyber incident
response plan to provide employees with a step-by-step procedure to
follow in the event of a cyber incident. Corporations should also
test the plan to further prepare employees to respond to a cyber
incident if and when it occurs.
Third, corporations should develop relationships with the
Federal Bureau of Investigation (FBI), the Department of Homeland
Security, and/or local law enforcement agencies. During Boston
College's March 8, 2017, Conference on Cybersecurity, then-FBI
Director James Comey encouraged corporations to develop such
relationships. Comey stated that where such relationships are
developed, law enforcement is better prepared to respond to breaches.
Comey cited the relationship that Sony Pictures developed with the
FBI, and stated that this relationship permitted the FBI to quickly
respond when the group "Guardians of Peace" breached Sony in
2014.
Fourth, corporations should hire attorneys with experience in
the field of cybersecurity to advise on changing cybersecurity laws
and regulations, as well as cyber best practices. Attorneys
familiar with cybersecurity law can also advise corporate clients
on legal obligations to disclose breaches that compromise
confidential employee or customer information.
Corporations face an increased risk of cybersecurity breaches,
and an increased risk of liability due to efforts to enforce
cybersecurity laws by Massachusetts and the federal government. By
working directly with counsel experienced in cybersecurity,
corporations can reduce the risk of being breached in the first
place, and may be able to limit liability if breaches do occur.