Results of Breach Investigation Signal Heightened Importance of In-House Counsel Understanding and Being Involved With Cybersecurity Issues
Yahoo disclosed this week in a public filing that its internal legal and executive team “did not properly comprehend or investigate, and therefore failed to act sufficiently upon” information that the company’s security team had about ongoing breaches.[1] The disclosure singled out the company’s internal legal team, which reportedly had “sufficient information to warrant substantial further inquiry in 2014, and … did not sufficiently pursue it.”
These disclosures drive home the point that managing the enterprise risk associated with a company’s data and information systems is a complicated aspect of corporate governance. It must be treated like any other enterprise risk, albeit with specialized security and legal expertise, and internal counsel should not hesitate to bring to bear whatever resources are needed to understand and manage that risk. As more companies find their assets and key revenue streams intrinsically tied to information systems and the associated data, proactively protecting those systems will take priority over merely having a response ready for a breach.
The Yahoo disclosures also underscore the need to place a much higher priority on diligence relating to information systems in mergers and acquisitions. This poses challenges for buyers, who may struggle to assess the cybersecurity profile of a target business when the target itself may not know what it should be protecting or whether that protection has been effective. Beyond the risks contained within the target business, a buyer needs to ensure that it does not create new risks to itself by integrating any insecure systems of the target into its own. And any doubts that these issues can have large financial consequences can be laid to rest: the sequence of reported Yahoo breaches has already led Verizon to renegotiate the price of its bid to acquire Yahoo downward by $350 million. Yahoo disclosed other breach-response costs of approximately $16 million in forensic and legal fees to date.
New York State Implements Cybersecurity Requirements for Financial Services Companies
New cybersecurity requirements for financial services companies set forth by the New York State Department of Financial Services (DFS) entered into force on March 1, 2017, after a two-month delay and some minor amendments.[2] The DFS will require covered entities, primarily financial services firms and insurers, to address the risks presented by third-party service providers through a mandated Third Party Service Provider Security Policy, and to carry out periodic risk assessments and implement security programs tailored to the results. A covered entity will need a written cybersecurity policy, and the regulations spell out the areas that policy must cover. The risk assessments in particular will benefit from being carried out with legal counsel, so that privilege can attach to certain aspects of the decision-making.
The regulations also break new ground in imposing detailed technical requirements for encryption of data in transit over external networks and at rest, a basic security measure that, while not yet universally adopted across the industry, is strongly recommended within the security community. Where a covered entity determines that encryption is infeasible, the regulation permits effective alternative compensating controls, but only if they are reviewed and approved by the entity’s CISO. The regulations likewise require broader use of multi-factor authentication, including for access to internal networks from external networks and for privileged system accounts. Companies will need to review their existing systems and their plans for IT acquisitions and improvements to ensure that these will be compatible with the new requirements.
The DFS regulations also adopt a short 72-hour time frame for reporting qualifying cybersecurity events to DFS, similar to the 72-hour notification timeline set out under Article 33 of the EU’s General Data Protection Regulation, which will apply from May 2018. Many companies will find it difficult to investigate a suspected incident quickly enough to make an informed decision on whether it must be disclosed; having a practiced incident response plan and team in place will be key.
The DFS regulations also require covered entities to certify compliance annually, with that obligation falling to the chair of the board or a senior officer, and mandate that each entity designate a qualified individual as its chief information security officer.