Our first two articles discussed how to prevent and prepare for a network intrusion and what steps to take immediately upon discovering an intrusion to mitigate harm and re-secure your network. This article provides a framework for identifying and assessing the risks and obligations your company may face as a result of a network intrusion.
Companies may face three types of risks arising out of a network intrusion: legal risks, commercial risks and reputational risks. When your company discovers a network intrusion or other security breach, you should systematically identify, assess and address these risks and obligations so that you can minimize litigation, mitigate damage and protect your company's bottom line.
The legal risks and obligations a company may face as a result of a network intrusion arise from four sources:
- Federal or state statutes
- Regulations applicable to a particular sector or industry
- Contracts with vendors, customers or affiliates
- The common law
A number of federal laws impose reporting and other legal obligations, including:
- The Sarbanes-Oxley Act, which requires that companies establish and report annually to the Securities and Exchange Commission (SEC) regarding their internal controls to ensure fair and accurate financial reporting, including data integrity and fraud prevention controls
- Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive trade practices, such as misrepresentations regarding data security
- The Gramm-Leach-Bliley Act, which requires that any entity engaged in financial activities protect the security and confidentiality of customers' nonpublic personal information
- The Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which requires that health care plans, providers, clearinghouses or any business associate of any of these comply with network security and breach notification requirements
- The Fair and Accurate Credit Transactions Act (FACTA), which requires companies holding consumer information to meet certain security standards when disposing of that information
- The SEC's cybersecurity disclosure guidance, which sets forth the disclosures publicly traded companies must make regarding cybersecurity risks and cyber incidents
Federal laws also impose data security and, in some cases, breach notification requirements on certain regulated industries including the nuclear energy industry; the maritime, aeronautical, and rail transportation industry; the chemical manufacturing industry; the telecommunications industry and any industry that may bring companies into contact with national defense information. Violations of these provisions can result in regulatory investigation, civil penalty, loss of government contracts and, in certain cases, criminal prosecution.
Nearly all 50 states have adopted breach notification laws requiring companies to notify individuals whose personal identifying information may have been exposed as the result of a network intrusion. State consumer protection laws also often offer a cause of action for litigants who allege harm resulting from a network intrusion.
Many contracts with vendors, customers or affiliates include data security or confidentiality clauses. Your company should review its contracts to determine which may potentially expose it to litigation and whether it can take steps to mitigate this risk. Finally, common law theories such as implied contract, negligence and breach of fiduciary duty may also present a risk of litigation.
A company that suffers a network intrusion also must consider the risk the intrusion poses to its ongoing business. Increasingly, proprietary technology, information and other intellectual property are a company's most valuable assets. Companies may therefore suffer staggering commercial loss if, as the result of an intrusion, market competitors gain access to such technology and information. In such cases, companies should consider accelerating patent applications associated with such intellectual property and monitoring published patent applications for a period following the intrusion to detect any applications that appear to be based on information misappropriated during the intrusion. A similar strategy can be employed to protect trade secrets.
Reputational harm, though often hard to quantify, can pose the greatest threat to a company. Simply put, if your company's customers and business partners do not perceive your network to be secure, they may not want to entrust your company with their sensitive data. A victim company should assume that a breach will become public and prepare a communications strategy that addresses each of its important relationships and constituencies. Your company should prepare a communications strategy before it suffers an intrusion and should update the strategy as investigation of the intrusion and remediation of the network continue.