Cyberattack: Quarterbacking the Company’s Response to the Most Sophisticated Threats
November 18, 2015
Litigation Webinar Series: INSIGHTS
Our take on litigation and trial developments across the U.S.
Gus Coldebella
Principal, Boston
Tom Frongillo
Principal, Boston
Overview
• INSIGHTS Series
• Key Developments & Trends
• Housekeeping
• CLE Contact: Jane Lundberg
• Questions
• Materials: fishlitigationblog.com/webinars
• #fishwebinar
Patent Damages: The Success and Failure of a Theory
Wednesday, December 2, 1:00 p.m. EST
Cybersecurity Issues Companies Should Focus on Now
I. The Growing Threat
Who is Attacking? What Are They Looking For?
II. Preparing for the Inevitable
Board Organization, Company Oversight, A Record of Diligence
III. The Legal and Regulatory Environment
Litigation and Regulation are Here, and Increasing
IV. Responding to an Attack
Surviving a “Bet the Company” Situation—and Taking the Fight to the Adversary
The Threat: Who Is Attacking? What Are They Looking For?
The Dynamic and Growing Threat
Who are the attackers?
o Nation-States and their proxies
o Organized crime
o Individual hackers
o “Hacktivists”
o Insiders (can be any of above)
Why do they do it?
o To gain intelligence
o To access or control critical infrastructure
o To disrupt operations
o To steal intellectual property or other business-sensitive information
o To make a point
o To vandalize
What Are They Looking For?
That’s easy: EVERYTHING OF VALUE
Intellectual property (especially trade secrets)
o Software code
o Proprietary processes, designs and formulas
High-level executive communications
o How much are we willing to pay for that company? What’s our litigation/marketing/competitive strategy?
Financial information and results
Military or national security information
Access to third party information, systems, data
And, of course, personally identifiable information (PII) and protected health information (PHI)
Pro tip: Don’t focus exclusively on PII/PHI, because the bad guys don’t.
Preparing for the Inevitable: Board Organization, Company Oversight, A Record of Diligence
Preparing for the Inevitable
Set “tone at the top”
Understand regulatory and statutory framework at play
Understand and assess the threat and risks
o What data might the attackers be interested in? How is it safeguarded?
o What systems are in place to let the company know that that data has been exfiltrated or tampered with?
o And if the data is stolen or altered, who will be affected, and how can the company recover?
Ensure board-level attention
o Agenda item with regular reports from cognizant officers
o Steady-state security assessments
Pre-crisis planning
o Develop a preparedness plan, and exercise it. It’s not “set it and forget it.”
Preparing for the Inevitable
Fiduciary Duty of Oversight under Caremark
Liability can be imputed to individual board members where there is:
o Failure to implement a reporting system; or
o After implementing a reporting system, conscious failure to monitor or oversee.
Failure to act in the face of a known duty to act constitutes breach of the duty of loyalty, not the duty of care.
Companies cannot insulate directors from personal liability for duty of loyalty claims; thus, failure to address cybersecurity can lead to personal liability.
This is not hypothetical: there are pending Caremark claims against Target and Wyndham board members in shareholder derivative actions.
The Legal and Regulatory Environment: Litigation and Regulation are Here, and Increasing
The Legal and Regulatory Environment
Substantive Regimes
E.O. 13636, “Improving Critical Infrastructure Security”
o Calls for “Voluntary Cybersecurity Standards” for “Critical Infrastructure”
o Read the NIST Cybersecurity Framework
Federal Trade Commission Guidelines and Enforcement Actions (more later)
o Lax cybersecurity = “unfair” trade practice
o Jurisdiction over all consumer-facing businesses
Securities and Exchange Commission – 2 sources of authority
o Cybersecurity requirements for broker-dealers and investment advisors
Many other industry-specific rules, regulations, and frameworks
o DoD (defense contractors and subcontractors)
o FFIEC (banks)
o HHS (health records)
The Legal and Regulatory Environment
Disclosure-based regimes
SEC’s CF Disclosure Guidance: Topic No. 2 (Oct. 2011) (more in a moment)
State breach notification laws
Market regulatory regimes
“Trickle-down regulation” and market forces
Insurance
Standard of care
…And don’t forget about “private law.”
The Legal and Regulatory Environment
Private Law: Arrangements between Companies, Customers and Contractors
• Indemnification Provisions
• Who pays for what?
• Limitations on Liability
• How much?
• Breach Notification Provisions
• What triggers a notification obligation?
• What is the timeframe?
The Federal Trade Commission
August 2015: Third Circuit affirmed FTC’s cybersecurity enforcement authority over consumer-facing companies
o Poor cybersecurity practices = “Unfair” business practice under Section 45(a) of the FTC Act
o No actual consumer harm required
BUT JUST YESTERDAY an FTC ALJ ruled consumer harm must be “probable,” not just “possible.”
FTC Enforcement Focus:
o Inadequate cybersecurity measures
o False statements of cybersecurity measures in privacy policy
Read FTC’s “Start With Security” Guide
The Securities and Exchange Commission
SEC Staff Guidance
CF Disclosure Guidance: Topic No. 2
Registrants are expected to:
o evaluate cyber risks
o take into account all relevant information, including:
• Prior cyber incidents, their severity and frequency
• Probability of cyber risks occurring
• Qualitative and quantitative magnitude of risks, including potential costs and other consequences
No generic disclosures
Since Guidance, SEC staff has demonstrated willingness to:
o push for disclosure of all incidents—material or not—for context
o independently monitor breaches and test against disclosures (or lack thereof)
o probe into pre-disclosure processes
o ask about third-party risk
Responding to an Attack: Surviving a “Bet the Company” Situation
Responding to an Attack
Breach should be treated as an internal investigation, run by outside counsel
o Not our first rodeo—but it may be yours
o Gain benefit of attorney-client privilege and work product protection
o We know the players
Engage outside experts
o Law firm
o Forensic cyber investigator
o Crisis PR firm
Ask and answer the important questions FAST
Disclosure
o Do we have to? Do we want to?
Assess law enforcement involvement
Assess litigation and regulatory enforcement risk
Disclosure for Public Companies
In the Heat of the Battle: Should We File an 8-K?
Cybersecurity incidents are not mandatory disclosure items (Item 8.01)
Companies need to consider:
o What is known
o Materiality and Trading
o Concurrent disclosures
• Mandatory (e.g., state data breach disclosure laws)
• Voluntary (e.g., PR, vendors/suppliers)
o Regulation FD
o Likely litigation, investigatory, or security consequences of disclosure
o Timing of disclosure
Fish & Richardson’s 8-K Disclosure Decision Tree (figure not reproduced in the extracted text)
Fish & Richardson’s 8-K Pros & Cons Matrix (figure; columns: Pros, Cons)
Responding to an Attack: Taking the Fight To The Bad Guys
What are your options after an attack?
Sue for Misappropriation of Trade Secrets
Bring an International Trade Commission Section 337 Action
Sue for Violation of the Computer Fraud and Abuse Act
Call the Feds
Misappropriation of Trade Secrets
State law cause of action
48 states have adopted some form of the Uniform Trade Secrets Act (all except MA and NY)
Trade secret characteristics:
Not generally known by or readily ascertainable to competitors
Confers competitive advantage to owner
Subject to reasonable efforts to maintain secrecy
Misappropriation of Trade Secrets
Available Remedies:
o Injunctive relief
o Monetary damages
Lost profits OR unjust enrichment
Multiple damages for willful or malicious misappropriation
o Attorney’s fees
Defend Trade Secrets Act of 2015 (proposed legislation) would give rise to a federal civil cause of action under the Economic Espionage Act of 1996
o Unique remedy under DTSA: ex parte seizure orders to recover trade secret
International Trade Commission Section 337 Action
Section 337(a)(1)(A) prohibits “[u]nfair methods of competition and unfair acts in the importation of articles” into the United States
o Includes misappropriation of trade secrets. See Certain Crawler Cranes and Components Thereof (Apr. 2015) (10-year exclusion order)
o 13 out of 17 trade secret cases (out of > 900 ITC cases) were filed since 2010
100% success rate to date in favor of complainant (settlement, consent order, or ITC decision)
Requires showing of:
o Importation
o Existence of a protectable trade secret
o Wrongfully taking by unfair means
Successful action results in exclusion order = no importation of items to U.S.
Computer Fraud and Abuse Act
18 U.S.C. 1030(g) provides a federal private right of action against someone who accessed a computer without authorization, obtained information, and caused harm
2-year statute of limitations
No need to show:
o Information taken was a trade secret
o Actual use or misappropriation of information: only need to show access
Available remedies:
o Compensatory damages (only economic, no punitives)
o Injunctive or other equitable relief
Call the Feds
Federal prosecutors may bring charges under the CFAA and/or the EEA
o Trade secret theft under the EEA punishable by up to 10 years’ imprisonment and significant fines
o Maximum punishment under CFAA is 20 years, plus fines
o May 2014: FBI indicted 5 Chinese military hackers for cyber espionage against U.S. corporations on behalf of Chinese competitors, including state-owned enterprises
State prosecutors (e.g., CA and MA) may also bring criminal charges for trade secret theft
Fish’s Cybersecurity Team
www.fr.com/services/litigation/cybersecurity
Gus Coldebella, Principal, Boston
Tom Frongillo, Principal, Boston
Ed Lavergne, Principal, Washington DC
Donna Balaguer, Principal, Washington DC
Franceska Schroeder, Principal, Washington DC
Caroline Simons, Associate, Boston
Albert Wong, Technology Specialist, New York
SHAMELESS PLUG DEPARTMENT
Navigating the Digital Age: The Definitive Guide for Directors and Officers
Available for download at:
http://www.fr.com/cybersecurity-guide/
Questions?
Mark your calendar!
Wednesday, December 2
Patent Damages: The Success and Failure of A Theory
fishlitigationblog.com/webinars
INSIGHTS Litigation Webinar Series
Thank you!
Please send your NY CLE forms or questions about the webinar to marketing at [email protected].
A replay of the webinar will be available for viewing at http://fishlitigationblog.com.
Gus Coldebella, Principal, Boston, 617-521-7033
Tom Frongillo, Principal, Boston, 617-521-7050
© Copyright 2015 Fish & Richardson P.C. These materials may be considered advertising for legal services under the laws and rules of professional conduct of the jurisdictions in which we practice. The material contained in this presentation has been gathered by the lawyers at Fish & Richardson P.C. for informational purposes only, is not intended to be legal advice and does not establish an attorney-client relationship. Legal advice of any nature should be sought from legal counsel. Unsolicited e-mails and information sent to Fish & Richardson P.C. will not be considered confidential and do not create an attorney-client relationship with Fish & Richardson P.C. or any of our attorneys. Furthermore, these communications and materials may be disclosed to others and may not receive a response. If you are not already a client of Fish & Richardson P.C., do not include any confidential information in this message. For more information about Fish & Richardson P.C. and our practices, please visit www.fr.com.
#1 Patent Litigation Firm (Corporate Counsel, 2004–2015)