When it comes to data breaches, risk assessment requirements haven’t changed over the years, because the risk itself to an organization has not changed. More often than not, that risk has proven to be a gateway for ransomware, which strips an organization of control over its data and hands that control, or the threat of exposing the data, to an unauthorized outside party. CrowdStrike’s Annual Threat Report reveals an increase in ransomware: the company observed an 82% increase in ransomware-related data leaks in 2021, with 2,686 attacks for the year, compared to 1,474 in 2020.
Technical and administrative controls are required to help protect any organization. The basic table stakes for data threat protection can be viewed as:
- Having an information security program to implement and test security controls throughout the organization and third parties who have access to the network.
- Having an effective risk and vulnerability management process.
- And, most important, understanding what data you hold and which repositories it resides in.
This may seem like a simple list for any organization to follow, but when cloud providers are added to the equation, responsibility for data protection becomes obscured. Simply put, cloud providers do not promise security. They state this many times and in different ways in their contracts, specifically to point out that security is the customer’s responsibility. In some cases, the customer may pay a premium for the cloud provider’s “efforts” to secure their data, but it often comes with a disclaimer: if something happens, we are not responsible.
Compounding the question of a cloud provider’s data security responsibility is privacy by design, the concept of integrating privacy into the creation of the entire IT infrastructure (including on-prem) and down through the corporate policies that govern all of its operations. To adhere to this concept is to apply an abstraction layer within the technology stack that allows for easy identification, classification, movement, and deletion of data. If it is built into the network, as some cloud providers are doing, everything becomes easier to identify, classify, move, or delete according to the relevant compliance standards. Unfortunately, there is no easy way to hold a cloud platform provider liable; it all comes back to the terms of the contract.
Ransomware: A Legal Defense to Follow
If a company took the necessary steps to protect its data but is still being held hostage by ransomware (and the associated cloud provider claims no responsibility), the company must adhere to specific state regulations, which vary from state to state. For example, the California Privacy Rights Act (CPRA), passed in November 2020, added to the California Consumer Privacy Act (CCPA) an express obligation for covered businesses to adopt reasonable security safeguards to protect personal information. However, the meaning of “reasonable safeguards” is not entirely clear in California, and the state’s website suggests looking to the 20 CIS controls, at least as a starting point, for securing personal information.
By contrast, Texas law requires businesses to implement and maintain reasonable cybersecurity, which they should do through a written program for managing cyber risk and protecting sensitive customer information. The law in question is the Texas Identity Theft Enforcement and Protection Act, which specifically states, “[a] business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.” A 2019 document by SpencerFane lists six measures imposed on Neiman Marcus under the Texas Identity Theft Enforcement and Protection Act to improve its cybersecurity and protection of consumer data:
- Implement a written cyber risk management program.
- Obtain a security risk assessment.
- Implement appropriate safeguards to monitor network activity.
- Keep current on software security updates.
- Implement appropriate administrative, technical, and physical safeguards.
- Ensure that such safeguards, as well as its written cyber risk management program, are appropriate considering: (a) its size and complexity, (b) the nature and scope of its activities, and (c) the sensitivity of the personal information it maintains.
Regardless of the state in which the company is headquartered and which definition of responsible or reasonable security safeguards is applied, the best legal defense an organization has in the event of an attack is to show a lack of “injury.” Legally, it comes down to this: an individual suing a company must prove they have been affected (e.g., credit score, finances, reputation, or health), or they don’t have a case. They need some unique and specific “injury” to say, “this is what your data protection negligence cost me.”
When a large data breach occurs, such as the Neiman Marcus case mentioned above, there is an assumption that possibly hundreds of individuals can show specific injury.
In that event, the case goes to a settlement, where the harms will be labeled as downstream injuries to those parties. It may not happen today (the Neiman Marcus data breach occurred in 2013), but it most likely will, and organizations need to be prepared.
Be Prepared and Never Make Legal Decisions On Your Own
In the event of legal action, organizations should never form legal opinions on their own. When customers have an issue, they go straight to their usual attorneys; they don’t go to lawyers who specialize in information security or privacy. Organizations need to seek counsel from lawyers who have a more nuanced understanding of ransomware: specialists who understand the differences between specific technologies and can make appropriate judgment calls about matters such as proper data encryption.
Here are several of the questions organizations most commonly ask in the event of a ransomware attack, along with answers:
- What is the best way for a ransomware-struck enterprise to protect itself against the possibility of a class-action suit? Demonstrate that it has implemented an information security program and has tested these security controls throughout the organization and the parties doing business with the company. It needs to show that it has an effective risk and vulnerability management process in place and is actively following it. Ninety-nine percent of all data security breaches are network-related and involve data compliance. There needs to be a breach-response process in place that speaks to the specific compliance mandate tied to the organization.
- How do you determine which compliance tasks need to be followed? Organizations need to do an independent assessment to find out all the legal requirements that are germane to their business from a local, state, and national level.
- What is the likelihood of a lawsuit succeeding? Each organization needs to make the effort to show that it took a reasonable course and exercised due diligence and care with regard to the protection process. If it can demonstrate that, the suit has a lower probability of succeeding.
- Is there a concrete way to prevent a security breach from happening? No company can stop a professional group from getting in if it is being targeted. Companies need an attorney in place to make the distinction about the occurrence; i.e., did the breach occur because the company was negligent, or did it occur because the company was the victim of a crime? There always needs to be some sort of accountability, and the best defense is for the lawyer and the security assessor to measure the company’s specific profile and guide it in what it needs to do, with respect to what it can do.
For example, what Bank of America can afford to do is not the same as what a local furniture store can do to protect itself against a lawsuit. However, both organizations have to establish reasonable cybersecurity safeguards based upon the company’s size, and it requires expert legal counsel to make this distinction. The legal perspective must be applied to the company’s size and the applicable compliance rules (HIPAA, GDPR, etc.).
When an organization is attacked by a malicious, professional group, it is not going to stop that group from breaching its systems. In the event of a breach, companies need to show that data privacy and protection protocols are in place, which demonstrates reasonable and ongoing action that sufficiently protects data in today’s environment. In addition, they need to clearly demonstrate that an outside party circumvented these controls and policies to gain access, because lawyers will be making a determination between negligence and crime.
There always needs to be some sort of accountability. The best defense against legal action is for lawyers and any security assessment teams to measure an organization’s security profile and guide them appropriately. Keep in mind that what a large corporation such as Bank of America can afford for legal counsel is not the same as what a smaller local company can afford. However, both companies have to do what’s reasonable based on the level of security they can afford. In the end, it all goes back to due diligence and document, document, document!
Robert Pacheco, MCG Managing Partner is a well-respected IT and security professional with extensive experience and training in information security, organizational security, compliance, governance, program development, risk assessments, security management, vulnerability assessments, and security architecture. He has experience serving as a security manager for and assessing the security platforms of a variety of organizations, from Fortune 100 companies to state entities, top sports entertainment brands, and small businesses in many different industries. Pacheco holds a Bachelor’s degree from Florida State University.
MCG is not a legal expert entity and this document is not a replacement for legal counsel.