Chapter 17
Legal and Compliance

American Bar Association Cybersecurity Legal Task Force
Harvey Rishikof, Chair, Advisory Committee to the Standing Committee on Law and National Security, USA
Conor Sullivan, Law Clerk for the Standing Committee on National Security, USA

Lawyers. Tom reluctantly swiveled away from his workstation to face the creatures before him. There sat two of the breed, ties drawn tight around their necks and dark suits set in stark contrast to the beige office. His general counsel, Alain, spoke first: “Tom, I know you asked our office to advise you today about what legal and compliance capability we can bring to bear for cybersecurity, so I brought with me one of our staff attorneys who’s had prior experience with cyber. As you know, lawyers are like wolves; we never travel alone. We actually have several worrisome conclusions which we think you really should consider.”

It is beneficial to spend some time understanding the legal paradigms that drive cyber law today. For our purposes, it is worth examining the legal frameworks in the two places modern organizations are perhaps the most likely to do business subject to cyber regulations: the European Union and the United States. Before doing so, let us overview how the regulatory dots are connected as in Table 17.1.

Table 17.1 Connecting the Regulatory Dots

WHAT to Protect | WHY Protect It | Protect from WHOM | Protected by WHOM | Typical Methods
Personal data of employees and customers | Human rights/regulatory imposts versus Big Data, identity stealers, etc. | Hackers/criminals for profit/gain; hackers for ideological reasons; states/governments for access/gain (e.g., FBI/Apple 2016) | Organizations; regulators | Regulations; enforcement; compliance
Intangible organization assets (e.g., trade secrets, other intellectual property) | For business sustainability (optional to organizations) | Hackers/criminals for profit/gain; hackers for ideological reasons; states/governments for access/gain (e.g., FBI/Apple 2016) | Organizations | Regulations; enforcement; compliance
Market infrastructure (e.g., finance, telecom and energy markets) | For national security (sometimes regulatory imposts) | Terrorists; other states/governments for gain; own states/governments for access/gain (e.g., FBI/Apple 2016) | Organization security; government security agencies | Regulations; enforcement; compliance

European Union and International Regulatory Schemes

The European Union has recently established a unified cyber law system beyond the 1995 EU Data Protection Directive.1 The current EU Data Protection Directive was enacted in 1995 and was the original effort at determining data regulations within the European Union.2 Under this directive, the processing of personal data—data which could be used to identify an individual—must be transparent, have a legitimate purpose, be carried out in a manner proportional to the reason the data was initially collected, and provide some information to the subject about their retained rights to the data.3

The upcoming application of the General Data Protection Regulation (GDPR) builds on these protections for personal data, placing further obligations on data processors—notably to create a data protection officer (DPO), creating a lead supervisory authority for EU cyber regulations, creating a “right to erasure,” and increasing the requirements for consumer consent to data collection.4 These imposts are placed on the organization processing or controlling the data to the extent it happens within the European Union, or regardless of where the processing takes place—as long as the data processed is related to goods or services offered within the European Union.5 The GDPR, also known as Regulation (EU) 2016/679, has been passed by the European Parliament, but will not be phased in until May 25, 2018.6

Transfer of Data Out of the EU, Including the United States

The GDPR also updates the 1995 Data Protection Directive’s limitations on the transfer of personal data to countries outside of the European Union, further defining what determines that a country provides “adequate protection” of the data to avoid ancillary agreements.7 The United States has negotiated an exception to this rule in the “E.U.–U.S. Privacy Shield,” which went into effect in August 2016.8 The Privacy Shield provides companies that transfer data across the Atlantic with a clear set of legal standards and protections surrounding consumer data that must be followed to participate in commerce with the European Union. U.S. corporations will be subject to compliance review with the U.S. Department of Commerce, as well as redress mechanisms set up to ensure that access to the data by government agencies will be as limited as possible.9

An auxiliary bill working its way through the EU government is the Network and Information Security Directive (NISD). It has similarities to the GDPR by way of its broad footing but mainly concerns nations and critical infrastructure (CI).10 Under NISD, countries are to designate cyber response contact points in their governments and specific companies as “operators of essential services,” while the selected companies have expanded cybersecurity expectations and incident notification requirements.11

Post-Brexit United Kingdom

With regard to the United Kingdom’s planned withdrawal from the European Union, in all likelihood the United Kingdom will continue to abide by EU privacy laws until the exact moment the union is broken, but there is little beyond conjecture to determine what would happen post-“Brexit.”12 Assuming that there is no “adequacy decision” immediately available from the European Commission when the United Kingdom exits—determining that the United Kingdom’s cyber laws are strong enough to be compliant with the EU policies—companies would have to implement “standard contractual clauses” or “binding corporate rules” to transfer data from the European Union to the United Kingdom immediately after the exit.13 These clauses are approved by the EU government as sufficient to provide adequate safeguards to the privacy and data rights of EU citizens.14

International Organization for Standardization (ISO)

The ISO is an international nongovernmental organization dedicated to setting international standards for organization activity. ISO 27001 and 27002 encompass the ISO’s take on managing information security risks, providing a method to identify risks, plan to address them, and implement controls. ISO 27001 is organized in a “plan-do-check-act” manner similar to other ISO programs, making interaction with other ISO programs, such as ISO 22301 for business continuity management systems, possible if not encouraged. While compliance with ISO standards is not outright required by regulations, the close relationship between cybersecurity methods, risk management, and organization planning makes ISO’s organizational offerings across multiple perspectives potentially advantageous.

U.S. Regulations

The U.S. national security paradigm has changed massively since the “age of innocence” pre-September 11. If that time of innocence is termed as “Security 1.0,” the world now anxiously sits in “Security 3.0” awaiting the emergence of “Security 4.0.”

The events of 9/11 led to the quick enactment of “Security 2.0” where regulations prioritized physical security and critical infrastructure security, but cybersecurity was still largely focused on preventing mischievous hackers more than malicious disruption of critical infrastructure.

“Security 3.0” defines the modern world as we know it, where there is recognition of the importance data plays to the world and there are some regulations to protect personal information, but what overall role the government should play in ensuring cybersecurity is still in flux. Threats from criminals, hackers, espionage, and potentially the military in a time of war have created a volatile space. Creating a single common cybersecurity framework has been challenging when faced with questions of federalism, agency politicking, and technological advancement.

Finally, “Security 4.0” seems to be emerging from an increasingly interconnected world, driven by a Big Data economy and the increasing Internet of Things. In this era, regulators and organizations will have to focus more on proactive prevention of cyber events rather than reactions, and not just for organizations within their nation—but for organizations that span the world. Security 4.0 presents new, monumental challenges to the existing national security paradigms which will only be addressed with time.

Cybersecurity Negligence Remains Undefined

One method to avoid traditional negligence liability in a U.S. court is by proving that the standard of care, set by the legislature or judicial precedent, has been met. But as yet there has been no clear, defined standard of care set in the question of cybersecurity negligence.15 Instead, a patchwork of state, federal, and international laws and regulations have combined to form a rough guideline: steps to secure data must be “reasonable” or “appropriate”—taking the relevant circumstances into account—in order to avoid liability.16 To satisfy this requirement of reasonableness, a company should use a risk assessment process and craft a cybersecurity plan based off the findings.17

Until recently, there was little guidance beyond industry report recommendations on what sort of process or measures were enough to be “reasonable” for companies in industries without specific cyber regulations.18 Currently, the U.S. private sector has been gravitating toward the U.S. National Institute of Standards and Technology’s (NIST) published cyber framework. NIST was originally given the responsibility to create the framework by Executive Order 13636, but the responsibility was then codified by the Cybersecurity Enhancement Act of 2014. Adopting the NIST framework is currently voluntary for non–critical infrastructure (CI) companies, but company partnerships between non-NIST-compliant companies and CI are restricted, driving further adoption of the NIST standards throughout the economy. A similar scheme is rapidly being implemented within the federal contracting industry, requiring contractors to adopt specific data security standards to remain competitive for government contracts. As a result, more public-private business transactions are voluntarily becoming dependent on both parties having a NIST-satisfactory level of cybersecurity. (Chapter 6 surveys standards and frameworks and contains a detailed section on NIST.)

Specific U.S. Industry/Sector Regulations

While general laws on cybersecurity are sparse in the United States, some specific industries are highly regulated. As mentioned previously, critical infrastructure (CI) organizations must abide by the NIST framework as well as cooperate with the Department of Homeland Security, the Cyber Threat Intelligence Integration Center, and law enforcement with regard to cyber incident reporting and response.

The telecommunications sector is voluntarily covered by the NIST framework and is encouraged to hold regular meetings between the FCC and individual companies to discuss cyber programs for risk management.

Energy producers have similarly been put on the NIST framework through the Department of Energy’s Cybersecurity Framework Implementation Guidance and are regulated by specific regulatory bodies, such as the Federal Energy Regulatory Commission.

For government contractors, there has been a similar strengthening of cyber rules. In August 2015, the Department of Defense (DOD) released for the Defense Industrial Base (DIB) a revised version of the “Safeguarding Rule,” which requires companies contracting with DOD to implement a more expansive set of security controls.

Many other federal agencies are considering similar rules, with the Office of Management and Budget considering a comparable rule to apply to all contractors.

Financial services have had significant past regulation with regard to cyber, requiring compliance with rules set down by the Federal Financial Institution Examination Council on behalf of a slew of federal regulatory agencies. Companies that deal in securities and futures have been similarly regulated to necessitate the adoption of an information system security program (ISSP). The ISSP must meet certain generally accepted standards or risk censure by regulating organizations, pushing more industries into adopting the NIST framework. The Securities and Exchange Commission (SEC) has signaled an increased emphasis on advisors having adequate cyber policy, rather than on responses to a breach and the harm suffered by the client. The Financial Industry Regulatory Authority (FINRA) has also created a report on cybersecurity best practices, pertaining to cybersecurity planning for broker-dealers.

The health care industry must abide by a series of regulations under the Health Insurance Portability and Accountability Act (HIPAA), which were split into a “Privacy Rule” and “Security Rule.” The Privacy Rule establishes standards for the protection of certain personal health information.19 The Security Rule acts on the protections laid out by the Privacy Rule by addressing “technical and nontechnical safeguards that organizations called ‘covered entities’ must put in place to secure individuals’ ‘electronic protected health information’ (e-PHI).”20 The Security Rule seeks to ensure the protection of personal health information while allowing new technologies to improve patient care.21

The previous examples are just a selection of some industries with specific regulatory schemes already being developed. Tom would be well served by asking his legal counsel to compile a more comprehensive list of regulations that pertain to his specific industry, simply to ensure that if regulations or guidelines exist, they are either being met or are being addressed in upcoming plans.

General Fiduciary Duty in the United States

The FTC has brought several regulatory actions against companies for failing to prevent unauthorized access to consumer information as “unfair or deceptive acts.”22 The settlements from these cases can involve increased information security requirements or long-running independent audit schemes.23 There are also state and federal laws that support private actions against companies for unfair and deceptive trade practices, data breach notification, and failure to timely notify—in addition to negligence or breach of contract claims.24 There is no single federal notification rule, so depending on the states in which the corporation has interests, differing state regimes apply.

Corporate boards have a general duty to protect corporate assets, reputation, and goodwill.25 This typically includes overseeing systems to manage risk to the organization’s operations—including cyber risks.26 While the technical nature of cyber-based threats may be foreign to the typical corporate board, the same common-sense, due-diligence approach that the board applies to other duties should be applied to cyber as well. The directors should have an understanding of the cyber risks that face the company and create an appropriate advisory team to determine what the “best practices” are to mitigate those risks. Boards should also engage in oversight of the programs in place, procedures, trainings, and any disclosures.27

The general trend of U.S. cyber regulations seems to point toward increased adoption of a “best practices” regime. While noncritical industries may not be directly regulated into following the NIST framework, the costs of not adopting such practices may outweigh the benefits, considering the potential legal penalties, regulatory fees, and loss of organization opportunities with more regulated industry.

Forecasting the Future U.S. Cyber Regulatory Environment

The general trend of U.S. cyber regulations seems to point toward increased adoption of a NIST-driven “best practices” regime. While noncritical industries may not be directly regulated into following the NIST framework, the costs of not adopting some clear cybersecurity practices may outweigh the benefits—considering the continuing growth in cyber attacks against organizations in conjunction with potential legal penalties, regulatory fees, and loss of organization opportunities for those who lack “adequate” or “reasonable” protection schemes.

However, it should be noted that NIST is not the end-all-be-all of cyber resources. Standards from the SANS Institute, the Open Web Application Security Project, and the Control Objectives for Information and Related Technology have also been referenced in recent regulatory expansions, offering readily available ancillary standards that a company could use to design a legally “reasonable” cyber program.

Counsel’s Advice and “Boom” Planning

In the cybersecurity world, a cyber-event is typically referred to as a boom, with all pre-event planning actions taking place left of boom and all reactionary measures happening right of boom. In the context of this boom-centric framework, a typical CEO should seek to foster a multidisciplinary team to deal with cyber concerns. In planning or in response to a cyber incident, coordinated action will be needed across multiple disciplines to help mitigate damage and recover functionality.28 A CEO will also seek close cooperation with legal counsel both left of boom and right of boom. Cybersecurity lawyers can help protect networks, systems, and data before they are compromised, as well as help mitigate the consequences of any cyber incident that does occur.29

Table 17.2 represents a RASCI-style summary of the role of legal counsel and compliance both before and during/after a boom.

Table 17.2 RASCI Matrix Role for Legal Counsel and Compliance

Columns: Is RESPONSIBLE For … | Is ACCOUNTABLE For … | Is SUPPORTED By … | Is CONSULTED By … | Is INFORMED Of/By …

Before cyber crisis (pre-“boom”)
* Takes ownership within their enterprise function to assess, treat, monitor, and report cyber legal risk and regulatory
* Engages stakeholders as regulations change and plans to accommodate regulatory expansion towards widely accepted standards
* Pre-defines issues by principles of currency, reasonableness, and preparedness (e.g., cross-border alternate IT processing arrangements during a crisis)
* Directs documentation of the cyber risk management “process”
* Reviews past contracts, manages future contracts and contractual compliance
* Determines if information-sharing partnerships with government or other parties may benefit
* Legal counsel member of board-level advisory cyber committee
* CRO, CISO
* Privacy officer monitoring of risk and organization impacts from privacy laws and compliance, or data protection officer under 2018 EU regulations
* Board and CEO governance, principles, and risk oversight for fiduciary duties and “reasonable” action for the “processes” to assess and manage cyber risk
* Cyber strategy and implementation of entire “process-oriented” cycle of cyber defense planning, including committee creation, application, simulation, auditing, and recordation
* Cybersecurity policies and procedures
* Cyber standards and frameworks
* Cybersecurity incident and crisis management
* Recordation of all C-suite and boardroom planning, discussion, and actions
* Insurance terms and conditions
* Identifying, analyzing, evaluating, and treating cyber risks
* By board-level audit process of regular reviews
* Business continuity management
* By ITC/InfoSec, risk manager, and business continuity plans for cybersecurity

During/after cyber crisis (post-“boom”)
* Member of crisis response teams set in action with constant documentation of steps taken and reports sent to C-suite
* Internal investigation to record events and actions in preparation for legal action(s) for or against
* Manages any bailiffs to assess collection of technical traces for future litigation
* Manages any “active defense” and authorization from the foreign network owner before operations are commenced to help limit liability for actions taken
* Prosecuting or defending cyber lawsuits
* Disclosure of breach to partners in the private and public sector
* Notifications to the public and owners of contractually transferred data
* CRO, CISO, HR, CorpComms
* Bailiffs
* For advice—either as in-house or outside counsel depending on the potential need to preserve privilege—established immediately and sustained throughout the response
* Of ITC/InfoSec escalation from incident to crisis management and recovery
* By digital forensic software managed by ITC/InfoSec
* By the internal ITC crisis investigation team report as an input to legal action
* By CFO on financial estimations of impacts and prosecution financial support

Left of Boom

According to A Playbook for Cyber Events, “The most important period of time in a company’s response to a cyber incident likely occurs before the incident occurs.”30 Cyber breaches can happen quickly, not be detected for months, and then erupt into a volcano of trouble when discovered. Because of this volatility, the best way for a CEO to prepare the company for the legal requirements and ramifications of a breach is in substantial planning left of boom.

Without a specifically articulated regulatory standard for liability in a cyber incident scenario, the CEO and board should take steps to combat allegations of negligence or a violation of their fiduciary duty by showing that a reasonable degree of security has been put in place to guard against a cyber incident. While the definition of what qualifies as a reasonable degree of security is still up for debate, a process-oriented form of reasonableness is now widely adopted.31 To satisfy a process-oriented standard, the CEO should develop a process to identify risks, delineate plans to deal with those risks, then implement the plans with requisite oversight.32 Actions taken toward fulfilling a process may have to be proven to regulators, shareholders, and judges in the event of a data incident, which makes the recordation of all C-suite and boardroom planning, discussion, and actions eminently important.

The basic process could be designed and executed by a board-level advisory committee, comprised of multidisciplinary professionals with some cyber familiarity. This cyber committee would be responsible for identifying cyber risk points and sensitive data, leading the creation and practicing of incident response plans, and ensuring that new security measures are constantly being incorporated into the company’s cybersecurity apparatus—such as widespread data encryption practices depending on the data system.33 A system for reporting cyber intrusions internally, with external partners in government or industry, and with regulatory or contractually required contacts should be developed and tested.

A board-level audit process should also be created to regularly review the advisory committee’s actions, plans, and recommendations. As previously mentioned, the audit’s methodology and findings should be written and preserved, as well as boardroom discussion over the audit’s results. In addition to audits, cyber incident simulations can help identify holes in a potential cyber response plan, as well as demonstrate dedication to a reasonable degree of “process” protection.

Legal should be deeply involved in the left of boom timeframe beyond articulating any applicable state or industry data regulations and directing documentation of the process. Past contracts should be revisited to ensure that included standards for the protection of proprietary information are being met, while future contracts should be written and examined with cybersecurity risks in mind.

Legal can help determine whether information sharing partnerships with government or with similar companies might be beneficial to a company’s cybersecurity prospects.

There should also be a discussion over the purchase of specific cyber insurance for organizations that manage considerable cyber risks.

Boom and Right of Boom

After a boom occurs and the organization is notified of the breach, a quick reaction holds the key to mitigating damage from the breach—thus mitigating the potential expansion of liability from the breach.

The first response to a boom should come from the implementation of the prepared plan. Any response teams should be set in action with constant documentation of steps taken, with reports sent to the C-suite. A conversation with legal counsel—either with in-house or outside counsel depending on the potential need to preserve privilege—should be established immediately and sustained throughout the response to the crisis.

With the input of legal counsel, compliance with notification and data protection regulations pertaining to the subject industry should be adhered to. Beyond notification requirements, disclosure of the breach to partners in the private and public sector may create opportunities to gain further resources and information to mitigate damage. There may be some worry that disclosure to the government or public could harm the reputation of the company; this risk should be discussed and a strategy set. Owners of contractually transferred data should be notified as to the status of the breach and the confidentiality of their data. Notifying the public, and specifically those who might have had information disclosed by the breach, also warrants discussion with legal and other relevant parts of the company.

As the response plan is implemented, an internal investigation should be created to record events and actions. If possible, observing the movements and tactics of the attackers within information systems can help inform how to scrub their access to the system, as well as providing known failure points to strengthen in future defensive measures.

While an active defense, actively hacking back the hacking party, might seem attractive as a means to harry the offenders or to find out what data has been stolen, from a legal perspective it may do more harm than good. Using active defense beyond one’s own networks can expose private organizations to expanded liability, including liability for attacking another network.34 If an active defense is necessary, receiving authorization from the foreign network owner before operations are commenced could help limit liability for actions taken.

Conclusion

The following cyber risk management statement represents those organization capabilities that the CEO and board expect to be demonstrated in terms of cyber risk legal and compliance.

Notes

About the Cybersecurity Legal Task Force

The American Bar Association’s Cybersecurity Legal Task Force examines the risks posed by criminals, terrorists, and nations that hope to steal personal and financial information, disrupt critical infrastructure, and wage a new kind of warfare on a battlefield of ones and zeros. The Task Force serves as a facilitator of collaboration, information exchange, and policy identification in the emerging field of cybersecurity law.

About Harvey Rishikof

Harvey Rishikof is co-chair of the American Bar Association National Cybersecurity Legal Task Force. He formerly served as Chair of the American Bar Association Standing Committee on Law and National Security and currently serves as its Advisory Committee Chair. He is senior counsel at Crowell & Moring, LLP and is the former dean of the National War College in Washington, D.C., where he also chaired the department of national security strategy. Mr. Rishikof is a lifetime member of the American Law Institute and the Council on Foreign Relations. Mr. Rishikof was a senior policy advisor to the Director of National Counterintelligence, ODNI, a federal law clerk in the Third Circuit for the Honorable Leonard I. Garth, a social studies tutor at Harvard University, attorney at Hale and Dorr, AA to the Chief Justice of the United States, legal counsel for the deputy director of the Federal Bureau of Investigation, and dean of Roger Williams School of Law. Currently, he is also an advisor to the Harvard Law Journal on national security and serves on the Board of Visitors at the National Intelligence University. He has written numerous articles, law reviews and book chapters. Mr. Rishikof and Roger George recently co-authored The National Security Enterprise: Navigating the Labyrinth (Georgetown Press, 2011); Patriots Debate with Steward Baker and Bernard Horowitz (ABA Press, 2012); and A Playbook for Cyber Events. (ABA Press, 2014).

About Conor Sullivan

Conor is a joint Law and Masters of Public Administration candidate from Syracuse University’s College of Law and Maxwell School of Citizenship slated to graduate in 2018. He is specializing in national security law and is currently working as a Summer Law Clerk for the American Bar Association’s Standing Committee on National Security. Conor has had work published by the Syracuse University Honors Program, The End of the Means: Using the Arab Spring Revolutions as a Case Study for Machiavelli’s The Prince, as well as by the National Defense University Press, Responding to Russia after the NATO Summit: Unmanned Aerial Systems Overmatch in the Black Sea.
