As part of a 2016 series examining global risk, Metropolitan Corporate Counsel convened a roundtable on April 20 at Le Bernardin in New York to discuss legal issues related to cyber and data privacy. It was the first of four planned dinners on the broader topic of global risk that the publication is cohosting this year with Clifford Chance, one of the world’s leading international law firms.
To help promote candor and a valuable exchange of ideas that the participants and our readers can benefit from, the series has been limited to a dozen general counsel and chief legal or compliance officers of large multinational corporations. A precondition for their participation was respect for their anonymity as well as the anonymity of their companies.
In total, the 12 companies attending this year’s Risk Dinner Series have combined revenues of $250 billion. They represent a broad swath of industries, including pharmaceuticals, energy, transportation, manufacturing, heavy equipment, and consumer and retail goods and services.
MCC publisher Kristin Calve kicked off the proceedings by introducing Clifford Chance partners David DiBari (Americas head of Litigation & Dispute Resolution) and Guy Norman (global head of Corporate), who are serving as her cohosts this year. Former senior federal prosecutor Daniel Silver, a New York–based subject matter expert from Clifford Chance’s Litigation team, teed up the evening’s discussion by sharing insights gained from his time as chief of the National Security and Cybercrime Section at the U.S. Attorney’s Office for the Eastern District of New York.
Top-Level, Two-Pronged Concern
One of the early points that gained traction around the table was made by Norman, who noted that cyber and data privacy risk now comprise “a very serious concern at the board level.” Backing this up, he cited a recent survey by “Corporate Board Member” and FTI Consulting that suggested 90 percent of directors and 86 percent of general counsel at global companies are concerned about cyber-risk, with 77 percent believing that the cyber liability risk at their company has increased over the last two years. Contrast this with a 2014 survey by the Economist Intelligence Unit for Clifford Chance, which revealed that while 57 percent of global companies were worried about the prospect of a cyberattack, only 15 percent were actually focusing on cyber-risk at the board level. This increased interest in cybersecurity, Norman stated, goes beyond regulatory compliance and further relates to operations, civil liability and reputational damage. “High-profile examples occur almost daily in the international news,” he said, referring to breaches at Sony, Facebook, Home Depot and Ashley Madison.
He also raised the July 2015 incident in which hackers were able to override the controls of a moving Jeep from 10 miles away. Not only did this cause immediate damage to the share price of Fiat Chrysler Automobiles, which had to recall 1.4 million vehicles, but also, according to Norman, “once you consider how this could affect aircraft, the whole subject becomes that much more scary.”
Silver then described what he called “the two related, intractable problems” with cyberenforcement: attribution and cooperation. The former describes how to identify and build a case “against one or more individuals to be apprehended and prosecuted,” and it is often resolved by “waiting for them to get sloppy and make a mistake.” The latter, said Silver, recognizes that for most executives at companies experiencing a breach, “picking up the phone and calling the FBI is not the first thing on the agenda.”
He highlighted this theme of government’s divided and often conflicting responsibilities of criminal enforcement against the perpetrators versus assessing regulatory penalties against the companies that, though they might be the victims, ought to have been more scrupulous in mitigating the risks.
According to Silver, some companies have learned to “leverage one agency against another. They’ll say [to regulators], ‘We’ve been working with the FBI on this for months.’ It won’t get them blanket immunity, but it could help them with some informal leniency.”
Silver continued that a company needs to identify its “crown jewels” of sensitive data and to have a tested, workable plan in place – with specific lines of authority and communication – to protect them. “No system is foolproof,” he said, “and you will have to deal with a data breach sooner or later.”
“Can We Trust the Government?”
One of the most urgent concerns expressed by the roundtable participants was the issue of when – or whether – to report a breach to authorities. Silver conceded that “a relatively low number” of companies that have been hacked actually volunteer that information to regulators or law enforcement. “They have to balance the risks of reporting against the risks of not reporting,” he said, noting that companies in more highly regulated industries – financial services, for example – are more likely to report than a manufacturer or retailer.
While he encouraged companies to report breaches, he noted that this raises the question: Report to whom? Silver suggested the first call ought to be to the U.S. Attorney’s Office – the agency at which he worked during his public service career – which could then advise the company on next steps.
This comment prompted one general counsel to ask, “But can we trust the government?” He cited Washington’s own issues with data security, from the Snowden affair to the recent hack of electronically filed tax returns.
Silver replied that, though skepticism of other agencies’ capabilities might be well-advised, “it shouldn’t extend to dealing with the FBI or Homeland Security.” These law enforcement professionals, he said, have protocols to quarantine sensitive information, and, to the best of his knowledge, data shared within the course of a criminal investigation has never been hacked.
Another general counsel stated that, after her company had been hacked, “the FBI turned out to be a really remarkable partner for us.”
Complicating the matter further is the surge of statutes and case law that have been promulgated around the world, as well as what Silver called the “regulatory pile-on.” Multinational enterprises, he said, need to be concerned with differing cultures and their social values, which might drive legal emphases toward employee privacy and away from the companies’ interests in attributing wrongdoing to specific individuals.
It was pointed out that data security breaches are most often caused by employees or other direct contributors to a company’s operations – vendors, contractors and so on. There might or might not be nefarious motives involved; breaches are as likely to result from carelessness as from displeasure with an employer. In either event though, a government that places a higher value on these individuals’ privacy than is generally accepted in the U.S. could hamper a company’s ability to conduct an internal investigation.
Much has changed since former National Security Agency contractor Edward Snowden revealed that the U.S. intelligence community had conducted electronic surveillance of at least 35 world leaders, including German Chancellor Angela Merkel. Many roundtable participants lamented that the atmosphere of mutual distrust among countries that are major trading partners has made regulatory compliance all the more difficult, especially for American subsidiaries of European or Japanese companies.
This discussion of differing regulatory environments among well-intentioned governments eventually led to the topic of governments – North Korea in particular – that have active programs in place to commit data breaches.
One general counsel noted that some countries simply do not have the same concern for intellectual property and that operating in these countries inevitably opens enterprises up to leaks. He discussed how his company had promulgated a global policy limiting the use of memory sticks – which was promptly countermanded by executives in China.
“When we finally found out,” he said, “we asked [the senior managers from China], ‘How many memory sticks were issued?’ ‘We don’t know.’ ‘Who has them?’ ‘We don’t know.’ ‘Do you take them back from employees when they leave?’ ‘We don’t know.’”
Data integrity is as much an issue in the former Soviet Union as it is in East Asia, according to Silver, who described the relationship between hackers and their home-country governments there as “amorphous.” DiBari described them as “modern-day privateers” who function with the tacit approval of their sovereign governments.
Eastern Europe, attendees noted, has a culture of – but by no means a monopoly on – the “bug bounty” business. Attendees agreed that Eastern European hackers offering to take care of a leak are largely extortionists, and typically they are already holding a company’s sensitive data for ransom. Some companies – though not many – have publicly stated that they will refuse to pay, but it would be challenging to prove their commitment to that position.
Mitigating the Risk
The consensus was that Germany and France tend to have the most stringent data security regulations, and multinational corporations would be prudent to adopt their standards worldwide.
DiBari also raised the subject of civil liability, where U.S. courts are the most active – in terms of both individual and class-action suits – and provide the best model for corporate behavior.
“If you’ve taken reasonable steps,” DiBari said, “you’ll be in a much better position to deal with litigation.”
The definition of “reasonable” in the context of cybersecurity, however, is a moving target. As Silver put it, “There’s no regulatory framework that mandates certain procedures.”
The Federal Trade Commission polices what it considers to be deceptive trade practices in the same manner that it did before the digital age began, according to Silver, and even then often cannot levy monetary penalties. The National Institute of Standards and Technology has issued guidelines, endorsed by regulators, for monitoring networks, but they do not carry the force of regulation themselves and are entirely voluntary. He also noted that the UK has nonbinding guidelines as well, while the EU has yet to ratify the new data-sharing Privacy Shield, and the General Data Protection Regulation will likely not be enforced until 2018.
Still, adherence to voluntary guidelines demonstrates a company’s seriousness in mitigating its risk of a breach.
The assembled group was in broad agreement on the pressing need for consistent guidelines. In the present environment, “each individual has to become an expert on what kind of sensitive information they have,” noted one general counsel. “Export-controlled information has to be considered shipment by shipment,” lamented another, whose company has extensive International Traffic in Arms Regulations and Export Administration Regulations exposure.
Some insurance providers have begun issuing cyberinsurance, but it is unclear if many companies are buying. “It’s not a very good policy,” one general counsel stated. “It doesn’t protect against civil penalties, and there are all kinds of exclusions.”
And, of course, reputational damage cannot be repaired by an insurance payout. Mitigating the risk, then, might be a sounder strategy than having a guarantee that fines will be covered.
Information technology – far from a panacea – can provide some relief. Attendees noted that, although such solutions as encryption, dual authentication and data loss prevention systems might slow down the course of doing business, they have provided some peace of mind in compliance departments.
Legal v. IT
Many voices around the table had a less sanguine view, however, of how IT is managed in their own organizations.
Currently, the need for compliance has been made all the more urgent by the advent of cloud computing – the outsourcing of hardware, software, data, networks and service management. IT professionals are quick to embrace the cloud because it is more efficient and lower cost for a company that specializes in running data centers to host this infrastructure rather than for a company that specializes in selling insurance or operating restaurants. However, when data needs to be secured for reasons of national security, personally identifiable information or any other regulatory driver, then those responsible for compliance need to know where the data is hosted, where it is mirrored and how it is transmitted. Very often, the answers from IT are insufficient.
Part of the reason why the IT managers might not have ready answers is that they themselves are fighting a similar battle with lines of business that have their own shadow IT operations and are as much out of compliance with the CIO’s own architecture as they potentially are with the regulators.
“Financial institutions have a way of dealing with this by having a separate organization for change management,” DiBari said. This technique provides you with a tool so that “you can at least figure out what risk you’re taking on for the money you’re saving.”
This process-oriented approach is important because IT has a way of evolving faster than jurisprudence.
“We’re in two different worlds,” one general counsel said. “The law always seems to be five to 10 years behind the technology.”
That is manifested in the way many companies treat information security. Most corporations represented at the dinner have an infosec (information security) team that reports to the IT department and thus leaves itself open to charges that it cannot operate independently and serve the interests of the legal department if its brief differs from IT’s.
Even so, not everyone agreed that infosec ought to be removed from the department where the rest of the technological expertise is housed. Suppose, another general counsel countered, there were a serious data breach. Holding employees responsible for protecting the data it was their job to protect would be much easier if the infosec team continued to report to the CIO.
“I could see heads rolling in IT,” she said, “but not among the lawyers.”
Bringing It to the Board
Ultimately, as Norman noted early in the evening, cyber and data privacy are board-level responsibilities. This becomes an issue when there is nobody on the board with expertise. Management, then, must have a way of escalating the issue in a manner that educates and engages the directors.
One thought was to have the infosec team report to the internal audit function rather than to IT or legal. This provides a pipeline to the board’s audit committee.
The general counsel of another company described a two-hour tabletop simulation of a data breach in which her board’s audit committee agreed to participate.
The challenge is to demonstrate that data security is not only – or even primarily – a technology issue.
“It’s being perceived as an IT issue rather than a legal or compliance issue,” DiBari said.
Sometimes, attendees added, decision makers need to hear this sort of perspective from a third party rather than from those in subordinate positions. Outside experts – whether they are law firms or IT consultants – have a role in helping reframe the discussion of cyber and data privacy risk as a threat to the entire enterprise.
But an outside counsel with experience in these thorny new challenges can be particularly helpful.
“At first, a board member might say, ‘Why would I talk to a lawyer about cybersecurity? It’s an IT consulting concern,’” Norman said. Recalling the surveys he cited earlier, he summed up, “Look at the last two years and see how this topic has moved.”
David DiBari is the practice area leader for U.S. Litigation & Dispute Resolution and the managing partner of Clifford Chance’s Washington, D.C., office.
Guy Norman leads Clifford Chance’s global Corporate practice of nearly 200 partners. He specializes in corporate finance, M&A and takeovers. He is based in London.
Daniel Silver, now in Clifford Chance’s Litigation & Dispute Resolution and Regulatory Enforcement & White Collar groups, spent nearly ten years as a federal prosecutor.