Headlines around the world have been telling us to prepare for an increase in cyber attacks. All businesses are on high alert, looking to secure their systems and protect themselves from hackers. But it’s not always that easy. In 2021, when hackers launched an attack against Colonial Pipeline, it caused a disruption in fuel supplies to the US and caused long lines at the pump. How did they do it? The Colonial CEO told U.S. senators that it came down to the theft of a single password.
It’s not just large corporations that are vulnerable. Every company in every jurisdiction is vulnerable. Aside from dealing with an attack, businesses are increasingly facing the prospect of litigation in the aftermath of cybersecurity breaches – from consumers seeking compensation after their data has been stolen to shareholders seeking compensation after stocks plummet.
So what do companies need to know? We asked Vassi Illiadis, a counsel based in Hogan Lovells’ Los Angeles and Silicon Valley offices, who focuses on data privacy, litigation and investigations, and Arwen Handley, a financial services litigation and investigations partner based in London.
Q: We’re seeing a heightened risk of cyber attacks and it’s only getting worse. According to Cybersecurity Ventures, cybercrime costs are going to reach $10.5 trillion dollars annually by 2025. What’s driving this increased risk?
Arwen: I think many commentators have linked this to the COVID pandemic: there was a significant increase in ransomware attacks over the period of lockdown. One of the reasons for that was thought to be linked to the fact that the number of people working remotely outside office networks had increased hugely. If you’ve got some or most of your employees working from home, there’s increased potential for office procedures to be short-circuited. Or maybe staff might not be paying so much attention to, for example, phishing emails as they would do when they’re in the office.
Apart from the pandemic, it seems that ransomware attacks are on the increase in any event. The amount of the ransoms that are being demanded is also increasing. It’s clearly proven to be quite a good business model in the sense that many companies quite understandably, after careful consideration, choose to pay the ransom demanded and move on. The more these tactics work, the more likely that existing threat actors will continue their current operations and that new groups will commence operations.
Q: What should companies be thinking about if there is a ransomware attack?
Vassi: The legal landscape of whether to pay a ransom still remains complicated and uncertain, so it’s not a straightforward answer. There is, of course, going to be legal risk. I’ll give you an example. If the hackers are sanctioned persons, then a company in the US who pays the ransom to that sanctioned organisation or individual may be subject to an enforcement action and civil penalties by the US Department of Treasury’s Office of Foreign Assets Control. In 2020, OFAC issued guidance and it said definitively that companies may be subject to civil penalties if they are paying ransom to individuals on OFAC’s specially designated nationals and blocked persons lists. And so that is a significant risk in determining whether to pay a ransom. But even if you pay the ransom, the data may not actually be recovered or the stolen data may have already been published on the dark web or YouTube, for example. So paying a ransom isn’t going to guarantee that you’re going to get your data back in every case, or that your data hasn’t already been published and disseminated. So it is a significant risk, and I think the legal landscape for that reason still remains very uncertain.
Arwen: A company may not have any reasonable cause to suspect that a payment is going to be made to a person or an entity on a sanctions list. Clearly you can’t turn a blind eye and you need to do some due diligence. You can try and find out who is making the ransom demand. But sometimes you just don’t know. If it turns out that the threat actor was on a sanctions list, in Europe, this lack of any reasonable cause to have suspected that the threat actor was subject to sanctions would be a defence to any claim that the paying company had breached sanctions requirements.
This also used to be the position in the UK. Historically, the UK’s regulator, the Office for Financial Sanctions Implementation (OFSI), has only been able to levy a monetary penalty for breach of sanctions if the paying entity knew or had reasonable cause to suspect that they were paying a sanctioned person or company. However, the UK Parliament has recently passed a new act, the Economic Crime (Transparency and Enforcement) Act 2022, and this is going to change the position. The UK will now approach the issue like the US does. This new Act will enable OFSI to levy penalties essentially on a strict liability basis. So the requirement to have reasonable cause to suspect that a breach of sanctions has taken place is going to be removed. At the time of writing, that part of the legislation is not yet in force, but it is likely to be in force before long. This will obviously present real issues in dealing with a ransom demand and it’s all the more reason to be diligent, take advice, and use third parties to try and identify the identity of the threat actor. It may also be possible to liaise with the relevant sanctions authorities to apprise them of the position: that’s something that companies should certainly seek legal advice on.
Q: Vassi, you counsel clients on data security in the US. Can you walk us through the risks of a breach?
Vassi: First and foremost, there’s reputational risk. That is what our clients face more than anything else. Data security incidents are becoming more and more prevalent across industries and involve companies of varying sizes. A company’s reputation is undoubtedly impacted when consumer data or PHI has been involved in an incident, or a ransomware attack of a critical system for example, and commercially sensitive information has been accessed. That’s a big deal for our clients. So I would say reputational risk is first and foremost one of the bigger risks.
And of course, there is business disruption risk with ransomware in particular. We’re talking about completely ceasing operations or access to a particular system, and we’re seeing that ransomware continues to be the most prevalent type of data security incident today, and it can be absolutely debilitating to an organisation’s critical assets.
In addition to business disruption and reputational risk, we’re seeing regulators in the U.S. in particular acutely focused on data security incidents. We see regulatory inquiries, investigations and potential enforcement actions following these types of incidents from regulators like the state attorneys general across the U.S., the Federal Trade Commission, and industry-specific regulators, for example insurance regulators and financial services regulators, and we’re also seeing congressional inquiries as well following an incident.
Q: Arwen, is the situation comparable in the UK?
Arwen: In the UK, the UK GDPR governs the processing of personal data, and the Information Commissioner’s Office (ICO) is the independent authority tasked with upholding information rights in the public interest. The ICO regularly investigates firms in relation to breaches of the requirements of the UK GDPR, and issues fines, for example, if companies don’t have appropriate technical and organisational measures including to protect against unauthorised or unlawful processing.
Financial services regulators in the UK have put cyber security at the top of their regulatory agenda in recent years. There have been numerous publications and consultations on the topic, and cyber and operational resilience is a huge area of focus. Regulators have emphasised the need for financial institutions to have effective IT security arrangements, and a focus on cyber security issues within senior management. And that’s not just for the institution itself: there’s also emphasis on the importance of assessing third party providers. The regulators have become quite concerned about the reliance of many market participants on a handful of cloud service providers, and the systemic risk that this could present in the event of a cyberattack on one of those providers. So, the UK Prudential Regulation Authority (PRA) is exploring ways to access more data from cloud providers, including on the operational resilience of their services. I’ve also seen reports that the PRA will be developing broader coordinated wargames, which model more than one of the cloud service providers failing at the same time. So that’s a real area of focus, too.
Q: What about the litigation side of things?
Vassi: In the U.S., we have a very active litigation landscape following data breaches and cyber attacks, and I think we’re seeing litigation from a couple of different areas. First, we’re seeing an increase in shareholder suits, derivative lawsuits and fraud in securities class actions. We’ve seen mounting shareholder litigation following ransomware events. We’re also seeing allegations that boards of directors breached their duty of loyalty by failing to respond to red flags that an organisation was susceptible to hackers or had a heightened cyber risk and measures weren’t taken to address or mitigate that risk in a timely fashion. Or it could be that companies misrepresented the risk of data intrusions. I would say in the past five years, we’ve seen settlements upwards of $80 million in these types of shareholder suits. In addition to shareholder risk, we’re also seeing consumer class actions, which has been happening for a decade now. Ransomware class actions in particular are a developing area, and that’s even when a company’s investigations can show that the motive of the ransomware attack was business disruption rather than the theft of data.
Finally, we’re also seeing claims that a company failed to do more to prevent the attack in the first place, which is similar to what shareholders are alleging in their suits. We mentioned Colonial Pipeline. We saw claims that consumers were forced to pay higher prices for a product or a service during an outage caused by a ransomware attack. And when one lawsuit is filed against a company in the wake of these incidents, we often see additional lawsuits being filed. So this is still a very active area in the United States.
Arwen: I think it’s interesting to compare the situation in England. We don’t have the same class action system in England, as I’m sure everyone knows. That’s not to say that claimant firms aren’t trying to get these actions off the ground because they are. It’s just a bit more difficult here. There have also been a couple of recent cases which have knocked back some of the ways in which claimants have tried to bring claims for losses suffered as a result of a data breach.
The first case was a decision by the UK Supreme Court about the use of the English representative action procedure to bring data breach claims. The idea of a representative action is that, where you have one or more persons with the “same interest” in a claim, that claim can be brought by one person as a representative of the whole group. Judgement will then be binding on all the persons represented in the claim. Claimant firms have tried to use this representative action procedure to found a collective action on behalf of consumers. In this case, the Supreme Court ruled that in circumstances where an individual assessment of damages was required (i.e., where each claimant has a different damages claim) representative actions were not available.
The second case related to the causes of action that can be pleaded in a data breach case. Claimants have previously brought claims in tort, e.g., arguing that private information is being misused and they’ve suffered damage because of that – using our tort of misuse of private information – and for breach of confidence. The English High Court determined in this case that the claimant couldn’t seek damages on the basis of misuse of personal information or breach of confidence in respect of a data breach which followed a cyber attack. One of the reasons was because both of those causes of action required a positive wrongful act by the defendant: here the breach resulted from an external attack, so there was no positive wrongful act by the defendant itself.
Q: As companies prepare for an increased risk of cyber attacks, what is the most important thing that they should be doing?
Arwen: Critically think about where vulnerabilities are and where you can strengthen those vulnerabilities. As we’ve indicated, a chain is only as strong as its weakest link, so think not only about your own organisation’s arrangements, but also about the third parties that you interact with. What do you know about their security? Could an incursion into the third party systems bleed into yours? And if so, how can you address that risk? Do you have IT security audit rights, for example, that you could use in order to understand how that third party is set up? And I think it’s also important to look internally. It’s absolutely critical to provide regular reminders and refreshers for your own staff. Give them clear examples of what to look out for and provide a way that they can report possible attempts to infiltrate the company, for example a central place to report possible phishing attacks. It’s also important to be clear that it’s everyone’s responsibility to guard against a cyber attack.
Vassi: I would say, cyber risk is here to stay. This is the world we are living in and corporate leaders need to prioritise it. Cyber risk management should be a regular line item in board meetings. Just a couple of months ago, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) sent guidance to the National Association of Corporate Directors. That guidance details what they describe as urgent focus areas for every organisation’s C-suite and board. And that includes empowering CSOs to become involved in business decision making processes for risk to the company, encouraging senior management to lower the threshold for the reporting of data security incidents and testing and table topping a company’s incident response plan. That’s also a critical piece of advice that I’d give to an organisation. I think part of this is also considering whether to invest in a dedicated cyber legal role if a company doesn’t have one already. We’re starting to see this kind of role pop up more frequently. There’s been a shift in viewing cybersecurity merely as a technology issue. Now it has become an essential element of overall enterprise risk management and legal should play a role in that in the company. And certainly the C-suite and the board should be kept apprised of any cyber risk that would significantly impact an organisation and its critical assets.