Cybersecurity threats are on the rise. Companies that find themselves hit with data breaches face a number of challenges, including in particular the challenge of responding to strict breach disclosure and notification requirements. In the following guest post, Paul A. Ferrillo, a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice, takes a look at the steps the companies can take before they are breached to be better positioned to respond to the notification requirements in the event of a breach. I would like to thank Paul for allowing me to publish his article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Many practitioners in the cybersecurity field don’t count their career experience in years worked. They are more apt to quantify it by naming a particular company, likely the last humungous cybersecurity breach they worked on. That is because, as Ferris Bueller once said in his famous movie, “Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.”
If you haven’t looked around, a lot has happened in the cybersecurity world since 2013. Attacks have grown pervasive and more alarming. Data in epic proportions continues to get stolen. One of the biggest changes, and perhaps the most fearsome, might be the near-mandatory breach disclosure requirements that face public and private companies alike. Today there are strict reporting periods, both in the U.S. (federal and state) and abroad. Coupled with the increasing complexity of cyber-attacks, which can take days or weeks (or even months) to discover, these deadlines are an obvious problem that must be dealt with so that regulators and others (like potential plaintiffs’ counsel, investors, and the financial markets) can see that you or your company are good corporate citizens.
Here are our suggestions to help you “beat the clock” or at least to get a shot off before the buzzer.
Who is Your Regulator?
Before you are breached, you should determine what breach disclosure shot clock(s) you need to beat. Making this determination depends upon a lot of different factors, including:
- Are you a public company, or merely private? If public, you should be aware of the 2018 SEC guidance on “material” cybersecurity breaches. If your breach is “material,” or significant, then you might only have four days to file a Form 8K under the Securities Exchange Act of 1934 to report such a breach to investors.
- If you are a private company that does not mean you are out of the woods. If you are a healthcare organization, for instance, you might be bound by the 60-day notification requirement under HIPAA, in addition to the timing requirements under the applicable state data breach laws.
- If you are a banking institution organized and licensed under the laws of the State of New York, you might have a much shorter notification period, like the 72-hour breach notification provided for by the NY Department of Financial Services (DFS) Cybersecurity Requirements. Again, well ahead of time, you should establish who or what is your primary regulator, and have that particular time table in mind when planning for a cybersecurity breach disclosure.
- Think about whether you collect data of EU citizens. If you do, even if you are organized and licensed under the laws of the State of New York, you might be subject to the EU General Data Protection Regulation’s 72-hour personal data breach notification requirement.
- And lastly, if you are a publicly traded bank, organized and licensed under the laws of the State of New York, that also does business and has customers in states up and down the Eastern Seaboard, you might have 14 different state-law breach notification requirements to worry about. That is in addition to your other federal notification requirements (including the FFIEC’s “as soon as possible” breach notification requirement and the SEC’s 8K requirement) and your NY DFS requirement.
So, looking at the list above, your next question might be, “So it’s possible not only to have two or three time periods for making breach disclosures, but a lot more than that?” Yes, you could, and the only limit is the scope of your operations and whether you are publicly traded.
How to Balance the Different Breach Disclosure Time Periods?
- Step One: First you must know your regulator and the amount of time on its reporting clock. This is not an easy task if you are a big investment or merchant bank, or a big publicly traded insurance company or retailer with global operations.
- Step Two: Plan your disclosures when the “waters are calm and the sky is sunny.” How can you plan? For each of these various disclosures, get boilerplate covering the material terms of the potential disclosure down in one place (not all breach disclosures are alike in form and substance). Yes, you will likely have to add the details of the breach (to the extent you know them) when reporting, but at least you will not be scurrying around to find the basic information and the name, address, and fax number of your primary regulator. Get as many draft disclosures written as you can before something bad happens.
- Step Three: Determine if and when to notify the Federal Bureau of Investigation that you suffered a breach. There are no bright-line rules here, only good judgment calls. If you suspect you were hacked by a nation-state, then you may want to call the FBI, as there could be national security implications inherent in what happened. They will want to know and will likely give you credit or acknowledgement for working with them. If money was stolen, or if critical IP was taken, you may want to call the FBI (i.e., suspected criminality). Indeed, there has been a long-lasting myth that calling the FBI after a breach is a bad thing, but in fact the FBI is there to help you deal with a serious problem.
- Step Four: Now here is the hard step, or the easy one, depending upon your perspective: assess how well your incident response and detection solution is working. Are you catching potentially anomalous behavior at its inception for review by your security operations center, or does such behavior take its time to get through the incident response system? Yes, this is a hard call to make, but a critical one. It is fundamental that the longer an attacker is on your system (a period called “dwell time”), the longer it has to cause mischief and mayhem. An attacker only needs three days to find a home on your network. Imagine if it were on your system for three months or more. Dwell time is one of the biggest problems in cybersecurity today. Limiting it is a necessity, especially when you might have only three additional days after you have been breached to report it to your regulator. How do you know your incident response and detection solution is working? A review of the quarterly numbers might help. If there are too many events not being investigated, or too many investigations, those facts might be a big indicator that your incident response and detection facility is not doing a good enough job weeding out low-level activity. If you had a breach that quarter, that might be a good indicator too. Sometimes an outside provider/consultant can help with input and context.
- Step Five: Make sure your incident response and crisis communications plan works and efficiently allows information to rise from the server room to the board room in expeditious fashion. Said a different way, when the shot clock is ticking, there is very little time to debate the full contents of a disclosure internally at the C-Suite level before the board even sees it. Recently, several companies have been punished by investors and the financial markets for taking too long to make a cyber breach disclosure. Material information regarding the breach needs to escalate quickly through the ranks so that all those who are required to sign off on a disclosure can make a judgment in a timely manner. How could you measure this time period? When you practice your incident response plan, you can assess escalation and the time it takes for information to reach the C-Suite and senior management. If information does not reach them quickly enough, then it’s time to re-tool your incident response and crisis communications plans to make sure that it does.
Indeed, many practitioners now contemplate breach disclosures that may be “timely” from a shot clock perspective, but might not have all the facts and details of the breach that might be required under the breach disclosure rule or statute. This sort of disclosure would then be caveated to say that the issuer “will update the disclosure” as soon as those additional facts become apparent.
In February 2018, SEC Chairperson Jay Clayton emphasized that, “Public companies must stay focused on [cybersecurity] issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.” With the benefit of 10 more months of cybersecurity incidents and breaches, companies must stay focused on cybersecurity risks and incidents. The stakes are presently far too high to make a mistake with a poor or untimely cybersecurity disclosure.
Paul Ferrillo is a shareholder in Greenberg Traurig’s Cybersecurity, Privacy, and Crisis Management Practice. He focuses his practice on cybersecurity corporate governance issues, complex securities and business litigation, and internal investigations. He assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them.