Cybersecurity: Legal implications and risk management
In an increasingly interconnected world, cyber risk is firmly at the top of the boardroom agenda, and having an effective data breach response programme is no longer optional.
Cybersecurity crisis management
The internet knows no borders; neither do we. Our global team of cybersecurity response experts works across borders, combining data protection, privacy, regulatory, white collar and litigation expertise in order to deliver seamless crisis management and legal advice, whenever and wherever needed.
The digitalization and free flow of information have transformed global business. However, with increased opportunities have come new and increased risks, together with complex legislative regimes that can vary significantly by jurisdiction and are constantly evolving. Even the most conscientious company can become the victim of a cybersecurity incident, such as the theft of client or company information, or a ransomware attack. We work with a wide range of multinational companies to manage their cybersecurity risks, developing rapid response plans, providing time-critical crisis management advice, and working with clients to manage any resulting legal issues that may arise.
Key issues

Why?
  Reputation
  Fines
  Breach of contract
  M&A due diligence
  Insurance
  Proprietary information
  Litigation
  Criminal offences
  Negligence

Be prepared
  Risk assessment: key information assets, key systems, threat analysis, security measures
  Toolkit: scripts, internal and external communications, employee contacts
  Response plan
  Live training
  Business continuity plan

Key considerations
  Customer/individual rights: requests for data, Data Protection Authority complaints, group litigation orders, resolution mechanisms
  B2B relationships: contractual obligations, contractual liability, tort
  Reputation management: media strategy, customer interaction, employee engagement
  Commercial: proprietary information/trade secrets, system disruption
  Regulatory issues: Data Protection Authority, financial regulators, market authorities, other regulators
  Privacy & data protection: jurisdictions involved, reporting obligations (to individuals and to authorities)
  Evidence: law enforcement involvement, legal privilege, preservation of evidence

Response
  Crisis team: legal (internal and external), IT/IT forensics, PR, regulatory, DPO, executive committee, HR, vendor manager
  Key actions:
    Work with forensic investigators to identify and contain the breach, gather/preserve evidence, and maximise legal privilege coverage
    Contact the crisis team
    Bring in external partners
    Identify key risks and priorities based on the nature of the breach
    Assess notification requirements
    Communications
    Regulatory notifications
Articles
2024
NYDFS Releases Artificial Intelligence Cybersecurity Guidance For Covered Entities
On October 16, 2024, the New York State Department of Financial Services (the "DFS"), under its Cybersecurity Regulation—23 NYCRR Part 500—issued a memorandum providing guidance on the risks posed by artificial intelligence ("Guidance Memo").
SEC Will Prioritize AI, Cybersecurity, and Crypto in its 2025 Examination Priorities
On October 21, 2024, the US Securities and Exchange Commission ("SEC") Division of Examinations ("Examination Division") announced its 2025 Examination Priorities ("Report"). Investment advisers and broker-dealers should ensure that policies, procedures and surveillance efforts related to these priorities address concerns outlined in the Report.
SEC Enforcement Heats up on Key Public Company Topics: Cyber Disclosure, Director Independence and Regulation FD
The U.S. Securities and Exchange Commission's ("SEC") Division of Enforcement has recently brought a spate of enforcement actions relating to key topics for public companies. These include enforcement actions related to cybersecurity incident disclosure, director independence and Regulation Fair Disclosure ("Reg FD") violations, which are described below, and actions based on Section 13 and 16 beneficial ownership filings, as discussed in our prior alert.
Judge Rejects SEC’s Aggressive Approach to Cybersecurity Enforcement
On July 18, 2024, a New York federal judge dismissed most of the US Securities and Exchange Commission's ("SEC") claims against SolarWinds Corp. ("SolarWinds" or the "Company") and its Chief Information Security Officer ("CISO"), Timothy G. Brown, in connection with the Company's cybersecurity practice.
SEC’s Corp Fin Director Issues Statement on Cybersecurity Incident Disclosures
On May 21, 2024, the SEC's Director of the Division of Corporation Finance issued a statement on cybersecurity incident disclosures in light of the SEC's new cybersecurity disclosure rules. Our summary of this statement and key take-aways from White & Case's survey of cybersecurity disclosures is below.
The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies
On October 30, 2023, the US Securities and Exchange Commission ("SEC") announced that it filed charges against SolarWinds Corp. ("SolarWinds" or the "Company") and its Chief Information Security Officer ("CISO") in connection with the SEC Division of Enforcement's ("Enforcement Division") investigation of a cyberattack.
On July 26, 2023, the Securities and Exchange Commission ("SEC"), in a 3-2 vote, adopted rules that will require public companies to make prescribed cybersecurity disclosures.
Shaping the future of digital and cybersecurity governance
In this brief three-minute video, London-based partner Lawson Caisley, Chair of White & Case's Global Cyber Risk Committee, shares his insights on governing cyber risk at the corporate level and some of the challenges of cyber risk management in the boardroom. Filmed at the Digital Directors Network (DDN) Domino 2023 conference on digital and cybersecurity governance.
In this short three-minute video, Washington, DC–based partner F. Paul Pittman discusses the implications of the proposed new SEC rules on cybersecurity governance and what corporate boards can do now. Filmed at the Digital Directors Network (DDN) Domino 2023 conference on digital and cybersecurity governance.
The potential for cybersecurity threats and attacks looms large and the technology companies developing new products and services play a constant game of cat-and-mouse with hackers and cybercriminals for control of cyberspace. Here are six points to consider when analyzing cybersecurity risks and protections.
Directors face personal liability over cybersecurity failures
In an article for The Times, White & Case partner Lawson Caisley discusses why it could become increasingly common for UK directors to "face personal liability and regulatory censure as a result of their company suffering or mishandling a cyberbreach".
Director liability for cyber breaches: transatlantic warning signs?
Two legal cases in the US in the past month suggest that regulators and prosecutors are becoming more determined to take personal action against directors and senior executives who fail to deal adequately with cyber security breaches.
On March 9, 2022, the Securities and Exchange Commission ("SEC") proposed rules that would require public companies to make prescribed cybersecurity disclosures.
In The Legal 500's newly released In-House Lawyer Magazine a group of White & Case lawyers has contributed a legal briefing on trends in German commercial litigation.
AAA plc & ors v Persons Unknown: Cyber Activism or Blackmail?
In recent years, demands for payment in cryptocurrencies have become the ransom of choice for cyber extortionists and other online fraudsters. As a result, the English Court's powers are increasingly being called upon.
Ninth Circuit Decision Highlights Importance of Updating Risk Factors to Address Material Developments, including those relating to Cybersecurity Risks.
Cybersecurity Enforcement: New York Department of Financial Services issues first penalty under Cybersecurity Regulation
Consistent with its increasing activity in the cybersecurity enforcement space, in March 2021, the NYDFS issued its first penalty under the Cybersecurity Regulation. This client alert explores the settlement and offers takeaways on the areas of focus by the NYDFS in enforcement actions under the Cybersecurity Regulation.
Compensating non-material damages based on Article 82 GDPR
Is a data subject entitled to compensation from a controller or processor if the data subject's GDPR rights have been infringed, even if they have not suffered any kind of material damage?
Cybersecurity Risk: Top 5 strategies to build resilience
The fourth webinar in our 2020 Autumn Webinar Series covered crucial steps you should be taking to protect against cybersecurity threats and what you should do when disaster strikes.
Before the Dust Settles: The California Privacy Rights Act Ballot Initiative Modifies and Expands California Privacy Law
Hot on the heels of the California Attorney General's rulemaking process for the California Consumer Privacy Act ("CCPA"), California voters have passed a ballot initiative to expand and create new privacy rights for consumers.
UK law enforcement can now obtain an order against a person in or operating in the US for the production of or access to electronic data under a new ‘landmark’ US-UK data sharing agreement.
The COVID-19 crisis has exposed many companies to more cyber threats. Tim Hickman and John Timmons discuss what businesses need to do should a major incident occur.
Trending: Legal protection for cryptoasset stakeholders
Recent decisions in Singapore and New Zealand confirm that the courts are prepared to act to provide greater certainty and support to stakeholders in cryptoassets.
Recovering the ransom: High Court confirms Bitcoin status as property
The High Court has determined that Bitcoin (and other similar cryptocurrencies) can be considered property under English law, and could be the subject of a proprietary injunction. The Court granted the injunction to assist an insurance company to recover Bitcoin that it had transferred in order to satisfy a malware ransom demand.
Navigating Privacy and Cyber Incident Notification and Disclosure Requirements
Organisations face increasing uncertainty in assessing global notification and disclosure obligations and in determining whether to notify or disclose a privacy violation or security incident in today's complex regulatory environment. This article offers six steps companies should consider when navigating this complex process.
Proposal on the Application of the NIS Regulations post-Brexit
This article examines the impact of the UK Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations) on organisations post Brexit and their obligations under applicable cybersecurity law.
UK courts can now order US entities to provide electronic data to UK law enforcement, under a new 'landmark' US-UK data sharing agreement.
The agreement has been heralded as a step towards removing barriers that can prevent speedy disclosure of electronic data and impede cross-border law enforcement. The US-UK agreement is expected to be the template for similar bilateral agreements in future. But should we be concerned about how easily the authorities can access this data, and are there sufficient checks and balances in place to ensure it is used judiciously?
A 'landmark' data access agreement
On 28 February 2020, the US-UK Agreement on 'Access to Electronic Data for the Purpose of Countering Serious Crime' came into force. The Agreement is a designated international co-operation arrangement under the UK's Crime (Overseas Production Orders) Act 2019 (the 2019 Act). Together with the 2019 Act, it enables UK law enforcement to obtain overseas production orders (OPOs) in the UK courts against service providers operating or based in the US. An OPO requires the service provider to produce or provide access to specified electronic data, wherever it is stored. A service provider will be in scope if it is a private entity that provides the public with communications or data storage/processing services, or if it stores or processes data on behalf of such entities.
The Agreement also enables US law enforcement to obtain data from UK service providers, building on the framework established by the US Cloud Act. However, the biggest service providers are located in the US, meaning that UK law enforcement are the principal beneficiaries of the Agreement.
Previously, in order to obtain material held overseas by non-UK entities, UK authorities had to request mutual legal assistance (MLA) from local authorities. As acknowledged in the Explanatory Memorandum to the Agreement, the MLA process requires considerable resources and it can often be several months or even years before the material sought is produced, which can impede a criminal investigation or prosecution.[1] The Agreement and 2019 Act speed this up dramatically. Under the 2019 Act, once an OPO is served (which must be within three months of being issued by the UK court), the material must be produced within seven days, although this period may be made longer or shorter by the issuing judge.
It is important to note that the Agreement and the 2019 Act do not specify penalties for failing to comply with an OPO. A US company's refusal to comply with an OPO could lead to its directors being in civil contempt of court, which is punishable by a fine or imprisonment. However, as confirmed by the UK's Supreme Court,[2] civil contempt of court is not an extraditable offence, and it is unlikely in practice that such penalties could be enforced against a director who remained outside the UK courts' jurisdiction (although a director who came within the jurisdiction – e.g. on a UK business trip – could be exposed to enforcement action). It should also be borne in mind that the MLA process is still available to UK/US authorities and could (if used) result in an order being made against the US provider by a US court.
The 2019 Act is designed to provide the one-size-fits-all framework for OPOs, but the substance of how any particular agreement should operate is to be found in the bilateral treaties that may be agreed between States. As a result, it is possible that the OPO regime may operate slightly differently depending on the terms of the applicable designated international co-operation agreement. As such, it is interesting to see that the 2019 Act and the Agreement are not perfectly aligned. For example, under the Agreement, an OPO may be made in relation to any 'serious crime', which is defined as an offence with a maximum penalty of at least three years' imprisonment. Under the 2019 Act, an OPO may be made in relation to any indictable offence.[3]
An interesting feature is the status of encrypted material. The Agreement makes no mention of the format in which the material is to be provided. The 2019 Act requires that the electronic data is produced or accessible in a visible and legible form, which suggests material must be decrypted. However, in English law, accessing encrypted data is governed by Part III of the Regulation of Investigatory Powers Act 2000 (RIPA). The US Department of Justice (DOJ) has addressed the question of decryption under the US Cloud Act, which it described as 'encryption neutral' and not creating '…any new authority for law enforcement to compel service providers to decrypt communications. Neither does it prevent service providers from assisting in such decryption, or prevent countries from addressing decryption requirements in their own domestic laws.'[4] In short, despite the wording of the 2019 Act, if encrypted material is provided, the UK authorities must turn to the provisions of RIPA.
What safeguards exist?
Sewn into the Agreement are a number of safeguards that limit the scope of this new regime. For example, there are targeting restrictions, which include a prohibition on OPOs that may be used to infringe freedom of speech or to disadvantage certain groups, and a prohibition on issuing an OPO on behalf of a third country, or the US/UK sharing any data received with a third country without the other's consent. Importantly, the Agreement also prohibits OPOs that seek to obtain data or information about certain categories of persons in the receiving country. For example, UK courts cannot issue an OPO in order to get data or information about a US corporation, US citizen, national or permanent resident, or any person located in US territory.
The OPO must be targeted at specific accounts and identify its objective. OPOs must also be subject to review or oversight by a judicial body or independent authority.
The Agreement also envisages the designation of an authority by the UK's Home Secretary, which will transmit the OPOs. The Agreement requires that the designated authority review an OPO to ensure it complies with the Agreement. This requirement is satisfied by section 9 of the 2019 Act, by which the Home Secretary has designated herself as the relevant authority. This should ensure that any variation between the 2019 Act and the Agreement (or another designated co-operation arrangement) is reconciled. In addition, the remedy of judicial review against the Home Secretary's decision to transmit the OPO remains available.
Notwithstanding the availability of judicial review, one of the criticisms of the 2019 Act is that an application for an OPO may be made without notice, and the tight timetable for the production of material sought does not allow much time for a legal challenge. The 2019 Act allows an issuing judge to include a non-disclosure requirement in an OPO, which prevents the recipient from disclosing the existence of the order or its contents to any person without the leave of a judge or written permission from the law enforcement officer who obtained it. The service provider who receives the OPO is likely to be a neutral party in any criminal investigation or prosecution, and there does not appear to be any good reason for the absence of a notice requirement in order to allow a challenge to be made prior to the OPO being issued. As currently drafted, a recipient of an OPO may receive – but is not entitled to – notice, and is likely to first become aware of the OPO when it is served.
Another concern is the lack of clarity about the oversight mechanism. The 2019 Act provides for an application to be made to vary or revoke an OPO. The recipient of an OPO, as a 'person affected by the order', can make the application, which must be based on one of the specified grounds. In short, it must be demonstrated that the requirements for making an OPO under the 2019 Act have not been met.
The Agreement provides for an additional process for raising an objection that is not mentioned in the 2019 Act. It provides that an objection in the first instance should generally be made to the designated authority in the issuing state (in the UK, the Secretary of State) within a reasonable time after receipt of the OPO. The Secretary of State is required to respond to those objections and, if they are not resolved, the objections may be raised with the designated authority in the receiving state. The two designated authorities can then confer 'in an effort to resolve' the objections. Whether the recipient of the OPO will be privy to this decision-making process is unclear.
Another significant safeguard is that an OPO must not conflict with domestic data privacy laws. This means that a UK recipient of an OPO must also comply with GDPR obligations (as incorporated into UK law following the end of the Brexit transition period). In addition, the UK will not provide data where it is to be used in relation to an offence attracting the death penalty, and the US will not provide data in relation to targeted US persons (as noted above) or in relation to specific offences that may raise freedom of speech concerns.[5] The 2019 Act also prohibits UK authorities from seeking to obtain legally privileged information or certain types of confidential personal data (e.g. relating to an identifiable individual's health).
How will the data access agreement work in practice in the UK?
Under the 2019 Act, the Serious Fraud Office, the Financial Conduct Authority, Her Majesty's Revenue and Customs, the police or any other "appropriate officer"[6] can apply to the court for an OPO.
To be successful, the enforcement authorities will need to satisfy a UK judge that, among other things, the intended recipient of the OPO has possession or control of the data, that the data is likely to be of "substantial value" to the investigation or proceedings and that accessing or producing the data is in the public interest.
If the application is successful and the order is granted by the UK court, the Secretary of State will serve it directly on the recipient.
As noted above, failure to comply with the OPO could constitute a civil contempt of court, which could result in a fine or up to two years in prison for the receiving entity's directors (although enforcement is likely to be challenging).[7] In practice, the prospect of reputational damage is likely to be a more immediate concern for the receiving entity.
Where the OPO recipient chooses to comply, the seven-day deadline for producing the data is likely to exert significant pressure, particularly as the burden will fall on the recipient to identify and exclude data that may be privileged, confidential or subject to GDPR concerns. All of this has the potential to be overly burdensome for companies that possess and control vast amounts of electronic data.
A new reality for criminal investigations?
The Agreement will remain in place for five years, and whether it proves as useful as proclaimed will be shown by how many OPOs are issued, how widely they are used and the success of any challenges. In practice, UK-based law enforcement authorities should be able to get access to data held abroad more quickly and more easily than ever before. However, this will depend on the willingness of US service providers to comply with OPOs (given the limited consequences for non-compliance) and the extent to which relevant data is encrypted.
As it currently stands, no OPOs have been publicly reported, and the relative lack of 'teeth' may mean that law enforcement have to resort to the previously used and cumbersome MLA process in some instances. The OPO is novel and perhaps imperfect, but it is part of the drive to ensure swifter and less bureaucratic access to data relevant to criminal investigations. The EU is in the process of negotiating a similar agreement with the US, not yet concluded, to create a European Production Order (EPO), in recognition of the fact that more than half of all criminal investigations include a cross-border request to access electronic evidence. Imperfect or not, OPOs or similar powers are here to stay in one form or another. Although in the US data access agreements are made under the US Cloud Act, the OPO regime and any future EPO framework may differ, so companies with operations in different jurisdictions will have to become familiar with both.
If OPOs do become the favoured process, companies that store vast amounts of electronic data would do well to prepare now. Communications service providers and companies that store or process data must be ready to respond at short notice. Mapping out cloud data, knowing and documenting where data is stored and being sure that people in the business are keeping this information up to date will be essential. A good understanding of legal privilege and data protection legislation will be necessary, too.
No company (or shareholder) wants directors or officers held in contempt of court, but it would be wise to decide upon the strategy to be adopted in advance, as very little time will be permitted to 'take stock' once an OPO has been served. There is a balance to be struck between, on the one hand, the reputational damage caused by a finding of contempt or by being seen as obstructive to investigations involving what may be very serious crimes, including terrorism and child sex abuse, and, on the other, undermining consumer confidence.
Should an OPO be challenged, complied with or ignored? This is the question many service providers will have to grapple with. Responding will require flexibility and a framework for action that ensures the most suitable response, whilst also taking into account the lingering background presence of the slow but sharp-toothed MLA process.