Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released an updated Cybersecurity Framework that revises NIST’s baseline recommendations for the design of cybersecurity risk management programs. In announcing its release, Commerce Secretary Wilbur Ross described the updated Framework as “a must do for all CEOs” and recommended that “every company” adopt the Framework as its “first line of defense.” As with the prior version, the updated NIST Framework provides a useful tool to guide and benchmark company approaches to cybersecurity risk and will impact how regulators evaluate cybersecurity programs and incident responses across sectors. Continue reading
Corporations have reputations, just like individuals. However, the costs of protecting a corporate reputation, or the costs of losing one, are not well understood. Negative reputation shocks can be costly, and recent scandals at well-known firms such as News Corp. and Volkswagen have reaffirmed the fragility of corporate reputations. However, corporations can also invest in technologies such as corporate social responsibility (CSR) to build their reputations or to provide insurance against a future reputation shock. In a recent paper, we find that negative reputation shocks are at least partially insurable through CSR and that firms actively invest in CSR as the result of a negative reputation shock. Continue reading
In recent years, companies have heightened their focus on cybersecurity issues, dedicating substantially more resources to mitigating escalating cyber risks. Increasingly, these efforts include purchasing some form of cyber insurance.
Any cyber insurance policy should supplement, rather than replace, a cybersecurity risk mitigation program. While such a policy may be a useful element of a multifaceted strategy, cyber insurance is far from a panacea. First, the size and types of damages resulting from a catastrophic cyber incursion can exceed even significant policy limits. Additionally, cyber insurance coverage is unlikely to extend to reputational losses or intellectual property theft. Moreover, the cyber insurance market is relatively young and policy forms are still evolving. Thus, cyber insurance does not have the same claims history or established understanding of policy terms that can be found in more mature insurance markets. Continue reading
[Following personal reflections on his return to private life from public service, former U.S. Secretary of Homeland Security Jeh Charles Johnson delivered the following keynote address at the Global Cyber Threats: Corporate and Governmental Challenges to Protecting Private Data cybersecurity conference held by the Program on Corporate Compliance and Enforcement at New York University School of Law on April 6, 2018.]
Like millions of other Americans, my world was rocked by the terrorist attack that occurred a few blocks from here on September 11, 2001. Like many of you, I am a New Yorker, and was in Manhattan that day. September 11 also happens to be my birthday. I have a vivid recollection of the day, both before and after 8:46 a.m., when the first plane hit the World Trade Center. At 9:59 a.m., when the first tower collapsed, it was perhaps the only time in my life when my mind could not believe what my eyes were seeing. Neither would I have been able to comprehend then that 15 years later, there would be something called the Department of Homeland Security, that I would lead it, and that the Secretary’s New York office would occupy the 50th floor of a taller, stronger World Trade Center tower standing in the same place. Continue reading
On March 23, 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), amending key aspects of U.S. surveillance law and providing a framework for cross-border data access for law enforcement purposes. The Act addresses two problems that have been the subject of heated debate for the past five years. First, by amending the Stored Communications Act, 18 U.S.C. §§ 2701 et seq. (SCA), the CLOUD Act clarifies that American law enforcement authorities can compel providers of electronic communication services — such as major email service providers and social media networks — to produce data stored outside the United States. Second, the Act establishes new rules facilitating foreign law enforcement access to data stored inside the United States. In short, this new legislation impacts any provider that may receive either U.S. or foreign orders to produce data in furtherance of criminal investigations. Continue reading
Yesterday, in keeping with a heightened governmental focus on cybersecurity, as exemplified by the Justice Department’s formation of a new Cyber-Digital Task Force earlier this week, the Securities and Exchange Commission announced new guidance on cybersecurity disclosures by public companies (the “Guidance”).
Much of the Guidance tracks 2011 interpretive guidance from the SEC’s Division of Corporation Finance and retains a focus on “material” cyber risks and incidents. However, the expanded details and heightened pressure to disclose indicated in the Guidance, along with its issuance by the Commission itself, signal that the SEC expects public companies to consider more detailed disclosure of cyber risks and incidents, and to maintain “comprehensive” policies and procedures in this area. The SEC is also encouraging, though not requiring, forward-leaning approaches, such as with respect to disclosures about the company’s cyber risk management programs and the engagement of the board of directors with management on cybersecurity issues. SEC Chairman Jay Clayton has also directed SEC staff to monitor corporate cyber disclosures. Continue reading
In today’s world, data breaches are a regular occurrence. The size and scale varies, and they have different causes, but those matters are irrelevant if you are a data subject affected – you just want the situation resolved and compensation for any losses you suffer. Who should be responsible for those breaches? Where a company has not taken sufficient steps to safeguard personal data, the answer is obvious. But what about where a rogue employee leaks personal data with the deliberate intention of harming his employer? The English High Court has recently decided that even in that instance, the employer is liable to data subjects. Although there is no specific case on this point, we believe that a similar outcome would be reached in an action under US law. Continue reading
In our memo last year, we acknowledged that it was close to impossible to predict the likely impact that the newly elected Trump administration would have on white-collar and regulatory enforcement. (White Collar and Regulatory Enforcement: What to Expect in 2017) Instead, we set out a list of initiatives we urged the new administration to consider, including clarifying standards for when cooperation credit would be given, reducing the use of monitors, and giving greater weight to a company’s pre-existing compliance program when exercising prosecutorial discretion, among other suggestions. While the DOJ under Attorney General Jeff Sessions has, for example, taken some steps toward clarifying the applicable standards for cooperation and increasing incentives to disclose misconduct in the FCPA area, few other policy choices or shifts in approach have been articulated or implemented. Continue reading
Large-scale data breaches can give rise to a host of legal problems for the breached entity, ranging from consumer class action litigation to congressional inquiries and state attorneys general investigations. Increasingly, issuers are also facing the specter of federal securities fraud litigation.
The existence of securities fraud litigation following a cyber breach is, to some extent, not surprising. Lawyer-driven securities litigation often follows stock price declines, even declines that are ostensibly unrelated to any prior public disclosure by an issuer. Until recently, significant declines in stock price following disclosures of cyber breaches were rare. But that is changing. The recent securities fraud class actions brought against Yahoo! and Equifax demonstrate this point; in both of those cases, significant stock price declines followed the disclosure of the breach. Similar cases can be expected whenever stock price declines follow cyber breach disclosures. Continue reading