When the experts stop talking about “if” and start talking about “when,” you know a corner has been turned. That’s the situation with the vast array of cyberthreats facing organizations today. In the interview below, Mauricio Paez and Jeff Rabkin, partners in Jones Day’s Cybersecurity, Privacy & Data Protection practice, discuss the evolving nature of cyberrisk and the steps companies and government can and should take to prepare for “when.” Their remarks have been edited for length and style.
MCC: Please tell us about your backgrounds and Jones Day’s Cybersecurity, Privacy & Data Protection practice.
Paez: Ours is a global practice that provides clients with comprehensive services tailored to satisfy their overriding business objectives wherever they are – in the United States, Europe, Asia and Latin America. It is cross-practice oriented and designed to provide clients with privacy, data protection and cybersecurity advice in the context of their businesses and industries, including healthcare, financial services, utilities, critical infrastructure, transportation, and a host of other segments where cybersecurity and privacy are of significant importance.
We try to make sure that our service delivery adds the greatest value in each area of concern for our clients. In the transactional area, we deal with cybersecurity and privacy issues in the context of major corporate transactions, technology transactions and ventures. We help clients address privacy and cybersecurity compliance obligations under local and international laws and regulations. And, of critical importance, we help clients deal with disputes, whether in the form of civil litigation, government investigations and enforcement actions, or even government requests for information.
My personal practice started in the mid 1990s as a technology transactions law firm. By the late 1990s I had begun helping clients deal with data privacy and emerging cyber legal issues. Today, I spend 100 percent of my time helping clients deal with data privacy issues, cybersecurity liability risks, and cross-border international data protection obligations.
Rabkin: I come from an investigations and litigation background. I was a federal prosecutor in New York City and San Francisco for many years, which is when I became particularly interested in the intersection of law and technology. After I left the U.S. Department of Justice, I went to work for a consultancy that focused on cybercrime investigations and then joined California Attorney General Kamala Harris’ executive team, serving as her principal policy advisor on matters relating to law and technology, including privacy enforcement and cybercrime prosecution.
MCC: Cybersecurity is now under constant discussion. What should in-house counsel know about current threat levels and where they come from?
Rabkin: Current threat levels are high, and the bad actors responsible for cybersecurity problems are no longer single individuals. We are, unfortunately, in a world where we are dealing with highly sophisticated, well-funded and well-organized groups – whether they are criminal organizations working out of foreign jurisdictions, like Eastern Europe and Russia, hacktivist organizations, terrorist organizations or even state-sponsored organizations. The important thing to understand is that cybercrime has become a business model and so has cyberespionage. That requires us to respond with adequate resource levels.
Paez: It’s also important to know that these threats increasingly are manifesting themselves internally within the enterprise. Just as they’re looking at external threats, in-house counsel also need to look at internal threats and how to best identify, respond and contain them. There are a lot of issues, and greater complexity, when you’re dealing with internal bad actors. It isn’t just negligent conduct; it’s criminal conduct as well, often with an intent to monetize information from the corporate network, including trading on personal information. Internal threats require a different, more complex response because they raise other legal considerations, such as managing internal investigations, dealing with employee misconduct, implementing containment in a way that doesn’t disrupt the business, and referrals to law enforcement agencies.
Rabkin: Interestingly, we’ve also seen an evolution of cybersecurity problems over the last five years or so from nuisance-level problems, whether it was spam or botnets or something like that, to highly intrusive attacks designed to steal data and cause great harm.
Another manifestation of the threat is third-party provider risk. Companies that rely heavily on third parties for critical operations and technologies face additional risks. Third parties can provide a jumping-off point for ingress into the network, allowing for attacks, or they can be a source of malfeasance by personnel they manage who have access to the corporate network.
Today’s approach to risk management isn’t centered only on dealing with external threats and criminal conduct. It means dealing with internal threats and with third-party risks and relationships.
MCC: What can and should companies do to deal with this matrix of threats?
Rabkin: The first thing to do is prepare. Everybody who does this kind of work agrees that the mentality should be that it’s not a question of if we are going to have a cybersecurity problem, it’s a question of when. It’s fair to say that investors, consumers, regulators and others will take a very hard look at companies that have not taken steps to prepare an effective response to a major cybersecurity incident.
What specifically should companies do? First, understand the architecture of your IT environment, map your data, figure out where your digital assets are, how they’re stored, and how they’re being protected. Second, have an incident response plan. This is not just a paper document that you draw up and throw in a file somewhere but an actual plan that maps out how the organization, at a management level, is going to deal with a significant cyberincident, including cross-disciplinary, management-level participation. You also need to address communications issues. We typically recommend that someone at the C-suite-level lead the incident response team, because a severe cyberincident is like a natural disaster. It can be a very disruptive event in the life of a company. Third, go through a tabletop exercise and practice your plan using hypothetical scenarios of what a major data breach or other cyberincident would look like at your company. Then assess how you responded. There are various consultants that can assist with this kind of exercise, which is a critically important part of preparedness. Finally, take a look at your insurance coverage. These incidents can result in very expensive class action litigation and regulatory enforcement. Retaining counsel or having in-house counsel take a look at available insurance coverage is a very important part of preparedness.
Paez: A lot of the more sophisticated enterprises are looking at this as an enterprise risk issue. That means you have to think about putting in place appropriate protocols for communicating the evolving threats to executive management and, in some cases, the board, so that they can discharge their fiduciary obligations. It is important to create an appropriate risk matrix to ensure that the enterprise is responding in an appropriately balanced and proportional fashion. Not all incidents are equal. Getting the right resources in place is of critical importance. Finally, it’s important to have an appropriate governance structure that’s fully operationalized. That means it’s designed not just to achieve compliance but also to manage the evolving nature of the risk and prepare for it, particularly as it relates to third parties. As it relates to third-party risk management, it is critical for companies to develop and implement a third-party cyberrisk management governance framework. This typically starts with pre-contract due diligence, moves to contractual obligations and allocation of liabilities, and ends with post-contract oversight and risk management. These approaches allow the company to take a more holistic approach to managing and mitigating cyberrisks.
MCC: Let’s talk about cooperation with the government when a company has experienced a breach or other cyberincident. There seems to be a wide range of opinion.
Rabkin: We frequently counsel clients on this. Often companies will first learn of a data security problem from the government. It is not atypical to get a call from the FBI or another three-letter agency that lets you know you may have a cybersecurity problem. The question that arises is how much and when, if at all, should we cooperate with the government. Assuming your question primarily relates to cooperation with law enforcement authorities, rather than members of the intelligence community, what we ask clients to think about is the potential benefits of cooperating. For example, certain state laws allow you to delay providing notice of a data breach if doing so would interfere with an ongoing law enforcement investigation. That’s a potential benefit.
On the other hand, there are cautionary tales. A typical concern relates to the loss of control of an internal investigation you are conducting. Also, when law enforcement investigates, they may charge those responsible for the cyberattack, which may mean that something becomes public that otherwise would have remained private. That may not be in the company’s best interest.
This is really is a case-by-case determination. I don’t think it makes sense to take a black-and-white view. My personal experience is that the FBI and other federal law enforcement agencies are quite sensitive to these concerns. They have worked well with the corporate victims we have represented.
Paez: Companies that coordinate and cooperate with government agencies can also benefit from access to intelligence that can be useful for your internal investigation. Another benefit involves parallel approaches to responding, particularly to an internal theft where you’re conducting an investigation and hope to get assistance to prevent data from being destroyed or leaving the country. Cooperation can be very helpful in addressing those concerns.
MCC: As we head toward the U.S. elections, what role does and should the government play in protecting the country from cyberthreats?
Rabkin: All of the problems we’re discussing emanate from the fact that the government, at least in my view, is not adequately protecting U.S. businesses. As I said earlier, U.S. businesses are under attack from sophisticated, well-funded, organized groups that primarily work from jurisdictions that do not cooperate with us. The government needs to do a better job convincing other countries, especially Russia, China and nations in Eastern Europe, to work more closely with us and crack down on organized crime perpetrating attacks on U.S. businesses.
It would also be nice to see government become part of the solution and not just part of the problem. If a U.S. business suffers a severe data breach or other cybersecurity problem, there’s no equivalent of 911. Your house catches on fire, you expect to be able to call the fire department and have them come and help you put the fire out. There’s nothing like that for cybersecurity problems. It would be nice to see federal, state and even local governments provide resources to protect against, detect and remediate cyberattacks.
Paez: We also need to look at how the threat is evolving and have our elected leaders cooperate across ideological lines to come up with a comprehensive approach, one that is not just founded in legislative reform but also in appropriate resource allocation and multinational coordination and cooperation. Our leaders need to think about providing appropriate protections and safe harbors so businesses are not concerned that their responses may trigger liability issues such as a violation of the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, or other outdated laws that don’t take into consideration the current nature of technology and its risks.
MCC: In terms of the current legal framework, are other changes needed?
Paez: Absolutely. When a company suffers a cyberincident, they’re dealing with a patchwork of laws and approaches from many different states and federal agencies. We need a national standard for dealing with data security and breach notification, particularly as it relates to the compromise of personal information. We also need a national policy to consolidate and rationalize the varying security standards. Today, a business might need to deal with varying viewpoints from regulators or industry standard–setting bodies for cybersecurity, which can be very cumbersome, duplicative and operationally challenging. These need to be modernized to reflect the realities of information technology evolution and adoption, like the Internet of things ().” . Lastly, the approaches to information security policy and regulations are infused with politics and partisanship, which has made it very difficult for Congress to take appropriate legislative action. What’s needed is more of a partnership with private enterprise to come up with appropriate ways of addressing these issues that can be implemented quickly, adhered to appropriately, and that take into consideration the dynamic nature of technology and cyberrisks.
How should companies go about harmonizing privacy concerns with user data and other requests/demands from the government?
Rabkin: Pre-Snowden, most U.S. businesses were extremely compliant and solicitous of law enforcement and tended to just provide data and take down content without a high level of scrutiny. That’s really changed. Businesses now need to be aware that their customers, investors, stakeholders and constituents do not expect them to just blindly follow instructions provided to them by law enforcement. The most important thing is to have strong governance around these issues. You need well-thought-through and detailed policies and procedures that allow you to respond to law enforcement requests for user data and take-down demands in an objective and defensible way.
Paez: For a number of companies, this has become a business issue. We’ve seen significant tension between government with legitimate law enforcement objectives and businesses that seek to maintain the value of providing secure products with strong privacy protections. This tension has resulted in some high-profile disputes, and our political leaders need to modernize our outdated laws to clarify law enforcement’s legitimate need to access electronic information, while protecting the legitimate use and deployment of strong data security features in new consumer technology products. There is a significant demand for these data security features, and requiring circumvention or creation of security “backdoors” will have a significant business impact, not to mention the current legal uncertainty related to such government requests. Consumers of these products demand these security features, and our lawmakers need to fully appreciate that reality.
MCC: As the IoT and the connected economy continue to evolve, what future concerns should corporations be aware of, and how can the government balance regulation and innovation?
Paez: The IoT presents an incredible opportunity for new products and services with greater flexibility and added convenience. Not surprisingly, various policies are being formulated in the U.S., in a very fragmented way. Europe and China are taking a more comprehensive policy approach to IoT and digital economy matters. The challenges are that there are unanswered questions when it comes to how these devices will operate and how data will be generated. Some of these concerns are industry-related technical concerns, like data portability, the application of standards for device-to-device communications, and a host of other technical questions. The legal uncertainties are also challenging. For example, how do we handle traditional notions of personal privacy when it comes to data privacy choices and consent to processing in an area where it’s not practical and, in many cases, not feasible?
Another challenge is that the meaning of “Internet of Things” may vary depending on whom you ask. How you define it matters because that’s how you might dictate policy and how you might legally address privacy and liability concerns. There are a host of questions that need to be assessed and evaluated, but one thing is for sure: The IoT promises to revolutionize a number of industries, including consumer, industrial, healthcare, financial services and transportation. A good example is mobile health. Regulators are proactively looking at issues and have supported an industry dialogue to highlight where their concerns are. A major complicating factor is the international landscape. The fact is that the IoT, which relies on virtual environments and technologies, could be global right out of the gate and implicate global legal issues that would add an entirely new level of complexity to evaluating risks, compliance and liabilities. For all of these reasons, companies need to develop a comprehensive IoT strategy that takes into consideration legal uncertainties.
Published July 4, 2016.