Cybersecurity, Cybercrime and Data Breaches
Our lawyers have significant experience in addressing cutting-edge cybersecurity risks, both from a proactive counseling and compliance assessment perspective as well as reactive incident response, internal reviews and government investigations, and litigation. Based on our extensive practice for companies that need to protect sensitive corporate and personal data, we have developed a depth of knowledge about the rapidly evolving legal standards for cybersecurity across the United States – at the federal and state levels – and in the EU and rest of the world. The White House adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework in February 2014 (together with enhanced focus by the Securities and Exchange Commission (SEC)) and counterpart developments in the EU (most notably, the launch of the U.K. Government’s Cyber Essentials Scheme in June 2014) call for all major companies to identify and address their cyber-risks. Sidley has advised a broad range of companies in numerous industry sectors to prepare for, prevent and respond to major cyber-attacks and data breaches.
Investigations and Enforcement Actions
A company victimized by a data breach can quickly become the target of state or federal investigation. For instance, a retailer that maintains credit card information may suffer a data breach, and the Federal Trade Commission (FTC), state attorneys general and Congressional committees – not to mention numerous European Data Protection Authorities and other international privacy and cybersecurity regulators – may open investigations into the retailer’s response to the incident and its data security practices. At the same time, the FBI, the U.S. Secret Service and self-regulatory entities, such as the Payment Card Industry, may become involved in the investigation, which may lead to complicated consequences for the company. Companies must ensure they are prepared for such investigations and understand the benefits and risks of engagement with various governmental entities.
For example, Sidley represents two of the major retailers that have suffered significant, highly publicized data security incidents, including defense of litigation, managing forensic investigations and congressional testimony. Whether in the retail, financial services, healthcare, communications, technology, consulting or transportation industries, companies face a myriad of breach notification and data security compliance requirements. Sidley’s practice is relatively unique in that our privacy counselors and regulatory lawyers are the litigators; there is no need for the regulatory lawyers to teach the litigators. And we litigate the initial actions with knowledge of the complicated potential for collateral litigation with various governmental and self-regulatory entities. Our lawyers can navigate and anticipate the relevant legal requirements in responding to complicated information security incidents and draw from a wealth of experience to rapidly deploy investigation, crisis management and public communications strategies to discover the scope of the problem and respond to government inquiries in a consistent and coherent way.
Preparation: Identifying, Protecting, Detecting, Responding and Recovering from Cyber-Attacks
Cybersecurity is a key corporate governance issue for all organizations, irrespective of sector or size. While local law requirements relating to directors and cyber governance vary, a string of high-profile cyber-attacks across the globe underlines the importance of boards – irrespective of location – taking ownership of and understanding their organization’s cyber exposures.
The best time to prepare for a cyber-attack is before the attack occurs. Sidley assists with the assessment of cyber risk using toolkits and methodologies to review the legal aspects of cyber risks in different business sectors, ranging from due diligence prior to M&A, through the creation of cyber risk and contract registers, to advice on governance and board responsibilities. We advise on compliance with international, federal and state privacy and data security laws and regulations, as well as industry standards and best practices. Either for compliance purposes or during transactions, we are able to offer companies a comprehensive look at their information management and security practices, and recommend the necessary steps not only to comply with the law but also to ensure greater protection by implementing best practices. This includes the design of protocols for data security, sharing and use of data, eDiscovery readiness, records retention and defensible deletion practices. We work with companies to craft appropriate securities disclosures of data security practices and threats, in accordance with SEC guidance. We have also worked with companies to design incident response plans and organize the necessary steps should an attack occur.
In addition, Sidley offers advice on insurance issues. This ranges from reviewing the extent of coverage under a company’s existing traditional policies as well as under new cyber insurance policies to assisting companies with issues regarding notification of breaches or potential policy claims.
Crisis Management for Cyber Incidents
In the event of an attack, Sidley assists companies with cyber crisis management. A company that has been attacked must immediately identify the threat, determine its scope and severity, consider how to work with law enforcement and forensic analysis support, determine whether consumers, customers, business partners or government agencies should or must be notified, and draft the appropriate response to media requests and government investigators – all in a coordinated and consistent way. We help clients identify priorities and maintain strategic focus through each of these steps. Our firm has developed significant abilities to triage incidents to counsel clients on the appropriate response, not just default to a costly and reputation-damaging public disclosure. Frequently, we are able to resolve data security incidents without litigation or even public disclosure, through experienced understanding of the applicable statutes or through appropriate, informal engagements with regulators.
Sidley’s representations have included interaction and advocacy with key federal agencies, such as the FTC, the FBI, the U.S. Secret Service and other parts of the Department of Homeland Security, elements of the Intelligence Community, and state Attorneys General, as well as Data Protection Authorities in Europe and other key non-U.S. jurisdictions. Particularly where sensitive consumer or national security information is at stake, companies may be subject to congressional inquiries, where our Government Strategies group can provide comprehensive guidance on relevant legislative and oversight priorities. Sidley regularly represents clients before Congress, and we maintain strong relationships with various European and other non-U.S. data protection authorities. Altogether, our team can rapidly advise on a consistent, global response to breaches of computer systems that span borders.
In London, Sidley is working with the U.K. Cabinet Office, the Association of British Insurers (ABI), the Department for Business, Innovation & Skills (BIS) and the Cyber-security Information Sharing Partnership (CiSP) to identify cyber risk issues affecting stakeholders in businesses as well as determining responses to mitigate the threats.
Litigation and Class Actions
If the breach becomes public, Sidley has successfully responded to plaintiff suits. We have dealt with some of the most complex cases and helped clients contain the situation, control their liabilities, and manage notifications, media and regulator relationships. We have closely followed and helped shape the development of law in this area. For instance, we litigated a seminal case for the proposition that even intentional unauthorized data sharing by itself does not give rise to standing, see Conboy v. AT&T Corp., 241 F.3d 242 (2d Cir. 2001) – far before most law firms were following these issues. We have been successful on standing arguments in data breach cases, see Randolph v. ING Life Insurance & Annuity Co., 486 F.Supp.2d 1 (D.D.C. 2007). And we obtained summary judgment against a purported class action that sought damages related to alleged privacy violations on various pharmaceutical company websites for a defendant in the landmark Pharmatrak privacy litigation.
Sidley’s privacy team likewise has exceptional experience in the defense of complex class actions, most prominently as national coordinating counsel for the AT&T entities, see In re National Security Agency Telecommunications Records Litigation, MDL 1791 (N.D. Cal./9th Cir.) (dismissal of claims). We have also successfully consolidated and won dismissal of all class actions pending against a large retail chain as a result of a breach, see Moyer v. Michaels Stores, Inc., No. 14 C 561, 2014 WL 3511500 (N.D. Ill. July 14, 2014).
Advanced Persistent Threats
This area has become even more complicated with the rise of state-sponsored cybersecurity threats, such as Advanced Persistent Threats (APTs), which present significantly different and novel potential harms and issues. Companies now face the potential for the loss of trade secrets, competitive and deal information and other intellectual property, not to mention the potential for significant commercial and public harms from the loss of critical infrastructure. We have helped clients, including several critical infrastructure providers, to address the legal issues surrounding the investigation of and response to APT incidents. In this work, several members of our team have the requisite security clearances (above top secret) to work closely with agencies monitoring these threats.
SEC Disclosures, Financial and Other Regulatory Issues
The potential that a victim of cybercrime could suffer extensive brand damage, trigger SEC disclosure obligations, and lose valuable information and physical assets has caused many clients to work with us to consider with care their preparations for such attacks. This practice is complemented by lawyers who focus on financial services clients in connection with the unique privacy-related concerns facing the financial services industry, including data security incidents in the financial sector. Similarly, we regularly provide health information privacy counsel to a broad range of clients, including assisting clients with respect to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the amendments made to HIPAA by the Health Information Technology for Economic and Clinical Health Act (HITECH). We have assisted several clients in navigating complex breaches of health information before the Department of Health and Human Services’ Office for Civil Rights, the California Attorney General’s office and European regulators.
Successful U.S. and International Advocacy
Sidley’s dexterity in handling these relatively new, complex and evolving issues is evidenced, in part, by an uncommon blend of our Washington, D.C. regulatory knowledge and a global white collar and litigation capacity that extends across all of our 18 worldwide offices. We have deployed talented lawyers – many of whom have had extensive governmental experience – to data breach issues and have substantially contributed to the success of our clients in navigating the crisis at hand as well as addressing particularly difficult future privacy challenges. We have a blend of experience amongst our lawyers in the areas of privacy, compliance, internal investigations and government criminal defense. We currently represent, and have previously represented, numerous companies investigated by the FTC, including cases where we persuaded the FTC to take no enforcement action. And we have dealt with data breach matters involving various Canadian, European and Asian data protection authorities.