For the past six years, attorney Andrew Mutter says he has been like a storm crow crying out about the potential dangers from cyber threats to employee, customer and other data held by most businesses. The Chattanooga native spent three years focusing on insurance and cybersecurity issues at the Atlanta law firm of King & Spalding before returning to his hometown and helping to establish the cybersecurity group at the Chambliss law firm three years ago.
Mutter and attorney Paul Weidlich, a 30-year lawyer who also chairs the Intellectual Property Section for Chambliss, co-chair the firm's growing Cybersecurity group.
Chambliss provides three layers of assistance: reviewing procedures and practices for shortcomings, writing policies for data processing and contract liability, and representing clients in legal disputes arising from cyber attacks.
Such attacks are growing, as evidenced by major data breaches such as the Yahoo breach disclosed in 2016, which ultimately affected all 3 billion of its accounts, and the 2017 Equifax breach, which affected 147.2 million consumers. In the past six years, Target has twice been hit by cyber attacks that forced costly settlements and shutdowns for the retail giant.
The Identity Theft Resource Center counts more than 10,000 breaches of business data since 2005, and the average cost of a malware attack on a company has been estimated at $2.4 million.
"More clients are getting hit with this now or seeing others who have paid heavy costs for problems so they are taking this much more seriously than in the past," Mutter says.
Edge magazine talked with Mutter and Weidlich about cybersecurity and what businesses should do to limit their legal exposure to malware attacks and data breaches.
What types of businesses should be concerned about cybersecurity and the legal threat it presents?
Mutter: Unfortunately, everybody should be concerned, because we're seeing businesses in all types of industries and of all sizes being targeted by hacks or phishing attempts. Manufacturers are increasingly a target, and that is an area where the industry is not aware of its vulnerability, particularly to ransomware, or of the type of information businesses gather about their clients.
Weidlich: Any company with sensitive data or personal information, whether that deals with individuals' health care, finances or other protected material. That includes most everybody and it's not a question of if, but when.
What advice do you initially give a business looking to improve its cybersecurity and minimize vulnerability to Cyber attacks?
Mutter: First, we try to figure out what type of data a business controls. Every business has HR data about its employees, which includes highly sensitive data such as Social Security numbers, health care information and other information. Companies also often have access to payment information or other sensitive data from their customers, and they have proprietary data about their own operations.
IT (information technology) people provide hard technical expertise. We come in and tell them what they need from a legal standpoint. You have these kinds of classes of personal information; here is where they are stored; here is what you are doing with them; here are your obligations under the current laws; here are the risks, and here are the best practices in your industry to mitigate the risks and comply with the regulations.
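The data inventory Mutter describes ("here are the classes of personal information; here is where they are stored") usually starts with a scan for the identifiers that carry the heaviest legal obligations. The following is an added example, not code from the firm or the magazine: a small Go scanner that runs over constructed sample records (synthetic values, not real identifiers) and reports Social Security numbers and payment card numbers. It goes slightly beyond the interview by showing the two checks that keep such a scan from drowning in false positives: an SSN pattern is rejected when its area, group or serial fields are ones the Social Security Administration never issues, and a run of 13 to 19 digits is reported as a card number only if it passes the Luhn checksum. Findings are masked to the last four digits so the scan report does not itself become a copy of the sensitive data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample records standing in for an HR export or a support-ticket dump.
// Every identifier below is synthetic (4111 1111 1111 1111 is a standard test card number).
var sampleRecords = []string{
	"employee: J. Doe, ssn 123-45-6789, dept finance",
	"refund request card 4111 1111 1111 1111 exp 12/26",
	"invoice 2024-0042 total 1234.56 ref 999-99-9999",
	"customer note: call back next week",
	"order id 4111111111111112",
}

var (
	// Three-two-four digit groups separated by hyphens, the way SSNs are normally written.
	ssnRe = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
	// 13 to 19 digits, optionally separated by single spaces or hyphens: a candidate card number.
	panRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
)

// Finding is one sensitive value located in a record; Value is masked to its last four digits.
type Finding struct {
	Record int
	Kind   string // "ssn" or "pan"
	Value  string
}

// ssnPlausible rejects field values the SSA never assigns: area 000, 666 or 900-999,
// group 00, serial 0000. This drops obvious placeholders such as 999-99-9999.
func ssnPlausible(area, group, serial string) bool {
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

// luhnValid applies the Luhn checksum used by payment card numbers: from the right,
// double every second digit (subtracting 9 if that exceeds 9) and require the sum to be 0 mod 10.
func luhnValid(digits string) bool {
	if len(digits) < 13 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// mask keeps only the last four digits so the report can be shared without re-exposing the data.
func mask(digits string) string {
	if len(digits) <= 4 {
		return digits
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// Scan returns the plausible SSNs and Luhn-valid card numbers found in each record.
func Scan(records []string) []Finding {
	var out []Finding
	strip := strings.NewReplacer(" ", "", "-", "")
	for i, rec := range records {
		for _, m := range ssnRe.FindAllStringSubmatch(rec, -1) {
			if ssnPlausible(m[1], m[2], m[3]) {
				out = append(out, Finding{i, "ssn", mask(m[1] + m[2] + m[3])})
			}
		}
		for _, m := range panRe.FindAllString(rec, -1) {
			if digits := strip.Replace(m); luhnValid(digits) {
				out = append(out, Finding{i, "pan", mask(digits)})
			}
		}
	}
	return out
}

func main() {
	for _, f := range Scan(sampleRecords) {
		fmt.Printf("record %d: %s %s\n", f.Record, f.Kind, f.Value)
	}
}
```

On the sample records the scan reports the SSN in record 0 and the card number in record 1, and stays silent on the placeholder 999-99-9999 and on the digit string in record 4, which fails the Luhn check. A real inventory would run the same logic over database exports, file shares and mailboxes, recording where each class of data lives rather than the values themselves.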
Should you have a written policy that governs how data is collected, stored and used?
Mutter: Yes. We recommend that all companies have a written policy that shows you have thought about information security and are taking the proper steps to ensure cybersecurity. The written policy should outline who has access to the data that the company holds, what protocols need to be followed to gain access to that data, and how often patching and regular maintenance are done. We also recommend that you have an incident response team, so that even before you have any breach you have defined steps to follow and know whom to contact, both to contain the risk and to evaluate and investigate whether or not a breach has occurred. If you are trying to say later to a regulator or a plaintiff suing you that you did the best you could, you need to have an information security policy in place with a dedicated incident response team.
Weidlich: If you don't have an incident security policy in place, when a breach or other incident hits, it's going to be chaos. So you want to have a written protocol so that when disaster hits, you've got steps to follow. These also need to be regularly evaluated and tested in conjunction with counsel, especially when new laws are passed.
Most laws governing cybersecurity stem from state statutes. How are laws and regulations changing regarding cybersecurity requirements and business liability for data breaches?
Mutter: Unfortunately right now in the United States, there is just a total patchwork quilt of regulations and rules that might apply to a business. Most states have notification laws, but they don't have hard requirements about what you have to do. But increasingly, states are adopting laws that require at least a standard of care, like a negligence standard.
Ten to 15 years ago, we began seeing state notification laws that simply said if your data is breached, here are your obligations to let people know that their data may have been compromised or taken. These laws didn't say anything about what you needed to do to prevent a breach. In part, many states are waiting to see if the federal government will come in and establish a general framework for all companies and industries, like what Europe has done with GDPR (the General Data Protection Regulation adopted by the European Union and implemented last year). That hasn't happened, so you are seeing some states move ahead, like California, which has a very robust data privacy law that comes into effect at the end of this year. The California law is modeled on the European system and is going to be very important for any business that sells into or does business with any person in California. (GDPR, which affects local businesses that do business in Europe, requires that any company that handles personal data must provide safeguards to protect that data and use the highest-possible privacy settings by default. No personal data may be made available publicly without the explicit, informed consent of the person or business providing the data.)
Businesses hit by phishing or malware attacks often have to suspend their operations. What advice do you give about writing contract language related to potential business interruptions from a data breach?
Mutter: Business interruption can be really important and is sometimes lost in all of the discussion about what personal information you have. Is your business set up in a way that really relies upon IT or automation, and what is going to happen if that is disrupted by ransomware? If that system is frozen up, what is that damage going to be, and will that mean you might breach contracts or incur other major expenses? A huge legal part of such a disruption is what your contracts and service agreements with your customers or third-party providers say. Who is going to be liable for damages if you are disrupted, or if you get disrupted because your service provider is breached? The Target data breach (in late 2013) is a great illustration of this. Target had hundreds of millions of dollars in liability from that breach, and it started from its HVAC (heating, ventilation and air conditioning) vendor, which was connected to Target's systems and was hacked. Who bears the liability in that situation? (Target ultimately paid $153.9 million in fines and legal settlements and estimated in 2016 that the total cost of the breach was at least $292 million.)
What should businesses that accept credit card and other third-party payments be aware of related to cybersecurity?
Mutter: If you are a merchant of some kind selling to the general public, you typically are taking credit card data, and in order to do that you sign PCI DSS (Payment Card Industry Data Security Standard) agreements with the credit card companies. If you are not really making sure you are minimizing your risk of losing that data, or if you are not offloading that totally to a third party for processing, you can be in a situation where the card processor holds your company liable. If you have been breached and the credit card companies feel it is your fault, they will hold back while they assess a fine or a penalty on you for failure to comply with the contractual rules of PCI DSS. I've seen companies nearly go bankrupt over this because they didn't realize what a liability that was.
How can cyber insurance help minimize risks for businesses?
Mutter: Everybody needs to be protected to some extent, because a cyber attack incident can be very costly. Almost all of the policies companies normally use to protect themselves have carve-outs for cyber. So you need to buy this as a separate policy. You can have a healthy company, especially if it is a digitally focused startup, and all of a sudden you have a $2 million liability on your lap that sinks the company.
What else do you recommend for IT security?
Mutter: Encryption is also key. A lot of companies have IT systems that have grown ad hoc, and they haven't really designed them with security in mind as a first priority. So it is key, in most instances, to make sure that sensitive data is being encrypted, both when it is being transferred to another party and when it is at rest in a system. Dual-factor authentication is very important, because that has been shown to be one of the best bulwarks against a malicious attack. Backing up your data is also important. We've seen clients get hit with ransomware and they don't have backups, so when their system gets frozen they don't have backup systems that allow them to get back online.
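Encryption "at rest in a system" is easy to get wrong even after the decision to do it has been made: an unauthenticated mode lets an attacker who can write to the database silently alter stored fields, and a reused nonce leaks plaintext. The following is an added example, not code from the firm or the magazine, showing the form a practitioner would want for a stored sensitive field: AES-256-GCM in Go's standard library, with a fresh random nonce per record and the record's identity bound into the ciphertext as associated data so an encrypted field cannot be copied from one row to another. The key source is assumed; in production it comes from a key-management service or hardware module, not from a file next to the data, and that key handling is the part no code snippet solves.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey draws a 32-byte AES-256 key from the OS random source.
// Assumption for this example: in a real deployment the key is issued and held by a KMS/HSM.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Seal encrypts one stored field with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (for example the record ID) is authenticated but not encrypted, so the field is bound
// to its row. A random 12-byte nonce is drawn per call; GCM must never reuse one under a key.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Prepend the nonce to the output so Open can recover it.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails if the key, nonce, ciphertext, tag or aad differ from what was sealed,
// which is what turns a corrupted or tampered database row into an error instead of bad plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// TamperRejected flips one byte of a sealed value and reports whether Open refuses it.
func TamperRejected(key, sealed, aad []byte) bool {
	bad := append([]byte(nil), sealed...)
	bad[len(bad)-1] ^= 0x01
	_, err := Open(key, bad, aad)
	return err != nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	recordID := []byte("employee:1042") // constructed record identifier used as associated data
	sealed, err := Seal(key, []byte("SSN 123-45-6789"), recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; tamper rejected: %v\n", len(sealed), TamperRejected(key, sealed, recordID))
	if _, err := Open(key, sealed, []byte("employee:1043")); err != nil {
		fmt.Println("field cannot be moved to another record:", err)
	}
}
```

Two properties worth checking in any implementation of this pattern: sealing the same plaintext twice must produce different bytes (the nonce is doing its job), and decrypting under a different record ID or after a single flipped byte must fail rather than return altered plaintext.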