The day begins like any other. Your client opens for business at 9:00 a.m. All employees are at their desks as customers begin calling, emailing, and walking in with various questions and needs. Except this time, when the employees attempt to access customer records from your client’s computer network, they immediately notice something is wrong. None of the customer files will open. The data is a garbled mess. When one of the IT employees checks the network, an ominous message appears on the screen:
YOUR NETWORK HAS BEEN ENCRYPTED. CONTACT THIS NUMBER WITHIN 10 DAYS TO RECEIVE FURTHER INSTRUCTIONS ON HOW TO TRANSMIT PAYMENT FOR THE ENCRYPTION KEY.
Customers grow impatient and begin asking about the delay. Panicked, the IT employee contacts the Chief Operating Officer.
Unbeknownst to the COO, just the day before, a brand new employee clicked on a hyperlink embedded in an inconspicuous email from an unknown sender. When he clicked the link, his computer downloaded a discreet package. Inside was malicious computer code written in the basement of a twenty-year-old in Russia. The code wormed its way through the client’s network and encrypted all the customer data.
For you, too, the day begins like any other. You casually stroll into the office, when your assistant explains that you must speak with this COO immediately. You pick up the phone, and the COO lays out the situation. Then she desperately asks for help: “What should we do?!?”
Cyber threats hitting closer to home
Cybersecurity used to be something we heard about in passing on the nightly news. North Korea launching volleys of cyberattacks on South Korea. Data breaches at Fortune 500 companies such as Target. But times have changed. Today, cyberattacks are weapons of both war and crime. The FBI and U.S. State Department recently placed a bounty of $5 million on the head of a Russian cyber-criminal accused of developing the tools for ransomware attacks such as the one introduced above. As these tools proliferate throughout the criminal underworld, the attacks now target vulnerable local businesses.
Before October 2019, the leaders at the DCH Health System could not have anticipated that they would succumb to a ransomware attack across their three hospitals in Tuscaloosa, Northport, and Fayette. The package containing the malicious computer code encrypted DCH’s network, preventing doctors and nurses from accessing patient records. Emergency procedures were implemented and elective surgeries were canceled.
Data has inherent value. Medical records, for instance, are a treasure trove of valuable information that can be used against customers. The most basic example is personally identifying information. A criminal who gains access to a customer’s name, date of birth, and social security number could potentially engage in identity theft by opening credit cards or by taking out loans using the customer’s information. This was one of many concerns federal employees had after the data breach at the Office of Personnel Management was announced in 2015. In the case of Target in 2013, credit card information of 40 million customers was put at risk.
It has been well-documented that foreign governments, such as China, regularly attempt to steal data from U.S. businesses. Indeed, the U.S. Justice Department has started what it calls the “China Initiative” in an effort to reduce the rampant theft of intellectual property (IP). This IP has both commercial and military applications. For instance, in Huntsville, AL, where we live and work, there is a large presence of defense contractors who are working on advanced technologies such as missile defense. Even a layperson can notice the similarities of certain Chinese weapon systems that are released in short order after years of extensive research and development by the U.S.
Now, before a business can bid on certain government contracts, certifications and audits are required to verify that necessary precautions are in place before sensitive data is shared. Other federal rules also cover particular aspects of data breaches. But there is still no comprehensive federal statute covering data privacy and data-breach notification. With no federal preemption over data protection, the states are writing their own rules.
Alabama Data Breach Notification Act
As cybersecurity threats to businesses and consumers have increased, all 50 states have passed some form of data protection law. Alabama’s law took effect on June 1, 2018. Known as the Alabama Data Breach Notification Act, the law places certain requirements on “covered entities” to notify the affected individuals when “sensitive personally identifying information” (SPII) is disclosed.
Key to understanding the scope of the Act is the broad definition of SPII: a person’s name in combination with any one of six categories of information. SPII is the kind of data that can be used to commit fraud or identity theft. Any person, government, or business that “acquires or uses” SPII is a “covered entity” and is subject to the Act.
Covered entities must notify affected individuals within 45 days of discovery of the breach. The notification must be in writing (by mail or email) and must include at least: (1) the date; (2) a description of the breached data; (3) actions taken to restore security and confidentiality; (4) steps the individual can take to protect against identity theft; and (5) contact information. If the breach affects more than 1,000 individuals, then additional notifications within 45 days are required, including to the Attorney General of the State of Alabama and to consumer reporting agencies.
The civil penalties written into the Act are for the failure to properly notify after a data breach or loss has occurred. Though the Act includes steps that covered entities should take both before and after a data breach, significantly, the Act does not punish covered entities for failing to take these steps. Courts have not yet interpreted this new law and there is no private right of action. Any action to enforce the law must be brought by Alabama’s Attorney General. Given how new this law still is, limited enforcement has occurred to date.
There are exemptions to the Act. Covered entities who are already complying with a federal law (e.g., HIPAA) governing data breach notification are exempt from the Act. Also exempt are covered entities complying with an Alabama law that is at least as stringent as the Act. Notwithstanding the foregoing, covered entities are still required to send notification to Alabama’s Attorney General if the 1,000-person threshold is exceeded.
Stop the bleeding
When the COO of your client asks “What should we do?!?”, you may not be familiar with cybersecurity law, or even how your own computer works. The first priority is to triage the situation. Whether your client uses an in-house or third-party IT provider, launch an immediate investigation to identify the problem. Where is the malicious code on the network? Is the data breach or loss ongoing? If the client has a comprehensive backup of its network and data, sometimes IT professionals can help quickly switch the client over to that backup, so that business continues uninterrupted. If a backup is not available, the infected components of the network may still be isolated—and the harm mitigated—with the help of outside experts.
Alabama’s law outlines several steps that our clients should take in investigating a data breach. At a minimum, they should: (1) assess the breach’s nature and scope; (2) identify any SPII involved; (3) determine the likelihood of substantial harm; and (4) restore the system’s security and confidentiality. The Act does not attach any civil penalties to these requirements. But failure to follow the guidance could open clients to actions for negligence, so consider the recommendations to be best practices.
If your client has procured insurance covering cyberattacks or data breaches, then it is vital the insurer be formally notified pursuant to the applicable policy. More insurers are writing cyber policies, many of which transfer to the insurer’s designee all rights to negotiate and settle. These negotiations are becoming more frequent and often raise serious questions regarding the legality of transacting business with criminals, especially when they are operating from sanctioned countries such as Iran or North Korea.
It might be appropriate to notify state or federal law enforcement depending on the nature of the breach. If you suspect a foreign national or criminal organization is involved, you should notify the local FBI field office. Clients sometimes worry about involving law enforcement, but their goal is to help, not to blame. Because they understand the digital footprints left by cyberweapons, law enforcement can be invaluable to the investigation.
Internal assessment and plan
When the dust settles, hindsight kicks in. What should the client have done differently to prevent or at least minimize the threat?
Every client that acquires or uses SPII should conduct an assessment of their own security threats. The underlying inquiry divides into four heads: (1) what is the nature of the data; (2) how is it currently stored; (3) what are the current threats; and (4) how is the data protected from these threats. While an in-house or third-party IT professional can assist with this process, the client’s leadership team should be briefed on the audit’s results in order to develop a plan that is tailored to the needs of the business. The plan should be documented and updated as new threats emerge.
There is no such thing as perfect cybersecurity, and clients are not required to spend unlimited resources to protect all data from all threats. The reasonableness of a specific plan must be determined and documented by the client’s leadership team. To illustrate, an assessment may reveal that a client does not maintain a complete backup of the data from its local server. There are numerous methods available to clients to back up data. Some clients choose to send daily backups to a secure, offsite, and offline storage facility. Others choose one of many cloud storage options that are now available on the marketplace. Either way, a comprehensive backup of a client’s data can reduce—and in some cases eliminate—the client’s financial harm suffered in the aftermath of a data breach.
Clients are free to contract away a significant amount of the risk and costs associated with cybersecurity. Before accepting proposals or bids for new projects, many clients include a prerequisite that the contracting party must certify that their network has been inspected by a third-party auditor. Others may specify the exact locations where certain data may be stored and accessed. In the event of a data breach or loss, the parties’ contract may place complete responsibility on one party to bear the costs of mitigating the loss and even reporting the loss to the appropriate parties. Contracts may also include indemnification against claims brought by those adversely affected.
Many kinds of contracts require that certificates of insurance be made available before work begins, and nothing prevents a client from mandating that another party procure cybersecurity insurance or other coverage for data breaches. Cyber-insurance is still a specialized product that can be cost prohibitive for some clients given the perceived threat to the data stored by the client. With or without insurance, there are significant costs that will be borne by the client following a cyberattack or data breach.
Finally, governing law provisions must not be overlooked given the wide array of reporting requirements and penalty structures that all 50 states have separately passed. So if a client does business in multiple states, carefully consider which states’ laws will govern.
Employee education and training
Nearly every large-scale data breach has one common element: an employee who inadvertently delivered “The Package” of malicious code onto the computer network. Even though employees are becoming more aware—for example, of email phishing attacks—cyberattacks are becoming more complex and harder to spot. For example, two parties to a real estate transaction may negotiate payment via wire transfer at closing. If a criminal knows that one party is expecting to receive wiring instructions, then they can impersonate the other party and send a fraudulent email with different account numbers. Sometimes the email address is spelled differently upon closer inspection, while at other times the correct email account has already been compromised when the wiring instructions are sent. In other words, otherwise diligent employees may miss any discrepancy.
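As an added, constructed illustration (not part of the original article), the following Python shows the two cases the paragraph describes: a lookalike sender address, which a spelling check can catch, and a changed account number arriving from the genuine but possibly compromised address, which only an out-of-band check can catch. The addresses, account numbers and threshold are made up for the example.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Constructed sample values for the example (hypothetical, not from the article).
EXPECTED_SENDER = "closing@riverbend-title.example"
ACCOUNT_ON_FILE = "123456789"  # account number confirmed at the start of the deal

def similarity(a: str, b: str) -> float:
    """Character-level similarity between two addresses; 1.0 means identical."""
    return SequenceMatcher(None, a.lower().strip(), b.lower().strip()).ratio()

def classify_sender(observed: str, expected: str = EXPECTED_SENDER) -> str:
    """'match' for the exact expected address, 'lookalike' for a near miss
    (a swapped letter, an extra hyphen, a different top-level domain), else 'unrelated'."""
    if observed.lower().strip() == expected.lower().strip():
        return "match"
    return "lookalike" if similarity(observed, expected) >= 0.85 else "unrelated"

# Loose pattern for "account no. 123456789", "acct # 987654321", etc.
ACCOUNT_RE = re.compile(
    r"\b(?:account|acct)\s*(?:no\.?|number|#)?\s*[:#]?\s*(\d{6,17})\b", re.I
)

def extract_account(body: str) -> Optional[str]:
    """Return the first account number mentioned in the message body, if any."""
    m = ACCOUNT_RE.search(body)
    return m.group(1) if m else None

def triage_wire_email(sender: str, body: str) -> str:
    """Decide how to handle an email that may carry wiring instructions.

    'reject'          sender is a lookalike of the expected counterparty
    'verify-by-phone' the account differs from the one on file, even when the
                      address is genuine (that mailbox may itself be compromised)
    'proceed'         expected sender and the account already on file
    'ignore'          unrelated sender or no account number in the message
    """
    kind = classify_sender(sender)
    if kind == "lookalike":
        return "reject"
    account = extract_account(body)
    if kind == "unrelated" or account is None:
        return "ignore"
    if account != ACCOUNT_ON_FILE:
        return "verify-by-phone"
    return "proceed"
```

The last branch is the point of the paragraph: an address check alone clears the compromised-mailbox case, so any change to wiring instructions is confirmed by phone at a number already on file, regardless of who appears to have sent it.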
Clients absolutely must educate their employees on cybersecurity best practices. Many precautions are basic, but lapses are exploited daily by criminals around the world. Three precautions are universally applicable. First, passwords and login credentials to a client’s network should be complex and reset on a scheduled basis. Access to certain data should be restricted by layered security tools such as multi-factor authentication. Second, employees should be trained on the dangers of clicking hyperlinks within emails or websites. There are numerous filters available on the market that either warn or prevent an employee from downloading external content onto a client’s network. Third, security patches for a client’s network, desktop, and mobile software should be kept up-to-date. Consider a security patch to be a vaccine for a known and diagnosed threat. Many clients fall prey to cyberattacks where the malicious code is specifically written to find and exploit software that is out of date.
Employees must be vigilant, because one click of the mouse can do irreversible damage to a client’s business. Training can be made part of new employee orientation and onboarding, but it should also be part of continuing education for the client’s employees. Some employees will require more training than others, but the only way to determine whether the training is working is to test the employees with real-world threats. While a written test can be effective, it is more beneficial to simulate threats through disguised emails or links. This can quickly identify those employees who need additional training and supervision.
What the future holds
Cyberattacks will only increase in frequency and severity. The weapons are cheaper for criminals to deploy, and more client information is stored digitally. The attack at DCH Health System should be a wakeup call for many of our Alabama clients. Now that every state has passed different forms of data protection laws, regulations will continue to be rolled out and enforced by various attorneys general. The DFAR already contains provisions requiring many federal contractors to be cybersecure. And the DoD’s new Cybersecurity Maturity Model—rolling out this year—will mandate “basic cyber hygiene” for every entity in the DoD’s supply chain.
Not surprisingly, federal preemption over data protection may be on the horizon. The piecemeal approach to legislating this issue at the state level is not sustainable.
Alabama’s law does not create a private right of action against clients who fail to comply, but that has not prevented litigants from using negligence per se or other theories to pursue recovery. DCH has been named in a class action lawsuit currently pending in the Northern District of Alabama. Similar class actions are popping up across the country. Clients should expect to be judged not only on the timeliness of their notifications but also on the reasonableness of their precautions.
Cloud computing has transformed the ways both we and our clients access and share information. The technology behind cloud computing is actually quite straightforward: you are using another computer to store the data that you access from your own computer. In 2000, clients might have purchased hardware from Microsoft such as a server to host data locally at the client’s place of business. Two decades later, it is much more likely for clients to simply pay Microsoft a fee to store the data. This pushes much of the risk and associated costs back to Microsoft and away from the client. Microsoft expends considerable resources to maintain and keep current the network architecture supporting platforms such as OneDrive. There is built-in redundancy with storing data in the cloud as opposed to local drives. Even the U.S. Military—with all its sensitive data and programs—has awarded a $10 billion contract to Microsoft to run its cloud.
Maybe you will never get a panicked phone call from a client concerning a real-time cyberattack. If you do, hopefully your client previously completed an assessment and took reasonable precautions to protect its data. Gone are the days when clients can turn a blind eye to cyber threats. Today, the expectations have changed. We must help our clients take reasonable precautions to protect data and to timely notify those who are affected.
This article was originally published by the Alabama Defense Lawyers Association in the Spring 2020 issue of the Journal - Alabama Defense Lawyers Association, Vol. 36, No. 1.