Simon Fawell and Alasdair Marshall examine the concerns CISOs have regarding cyber security and data protection

By Simon Fawell & Alasdair Marshall

Partner Simon Fawell and Associate Alasdair Marshall comment in CSO on the cyber security and data protection related concerns CISOs now experience.

Simon and Alasdair’s comments were published in CSO, 19 April 2022, and can be found here.

What are the most likely litigation risks a CISO should worry about and why?
In the UK, the threat of mass class actions for large-scale breaches has diminished somewhat following the UK Supreme Court decision in Lloyd v Google, which halted an ‘opt-out’ class action under the existing procedural frameworks and highlighted the difficulties with bringing mass data claims under the English rules. The Lloyd v Google decision hasn’t completely blocked the possibility for class actions in data privacy cases, and there remain a number of claims running through the English courts that are framed differently and could yet have success. The decision is a fairly major setback for claimants, though. That said, the pressure for individuals impacted by data breaches to be compensated is growing, and it would not be surprising to see some form of opt-out class action regime being introduced for data privacy cases in the relatively near future. An ‘opt-out’ regime has already been introduced in the UK for competition claims, and data privacy would be the next logical area for a similar approach.

Although the threat of mass class actions has diminished in the UK for the time being, the threat of litigation in the UK following a data breach remains very apparent, particularly where high-value corporate data is potentially compromised. The GDPR (and related UK legislation) has led to a much greater awareness of data privacy issues and an increased focus on contractual clauses in commercial deals. Where important information is lost, the damage can be extremely high. For example, were an intermediary or agent to have a breach incident and lose trade secrets or information that is potentially very damaging to another company’s reputation, that could lead to major litigation. In recent years, the Panama Papers, SolarWinds and Credit Suisse incidents highlight a growing number of individuals seeking to obtain sensitive information and publish it to the market.

The risk of litigation is not limited to corporates, either, with CISOs who serve as company directors potentially the subject of shareholder actions for breach of duty where insufficient steps were taken to prevent a breach or the aftermath of the breach was handled badly. Regulatory fines, together with the practical and reputational fallout from a breach, can have a heavy impact on share value. Equifax’s stock price reportedly dropped by some 31% (USD 5.3 billion) in the period following its high-profile breach in 2017. Shareholder actions against directors have been on the rise in the UK and, where a data breach has led to a drop in value for shareholders, claims against directors are increasingly being considered. This mirrors the trend in other jurisdictions such as the US, where CISOs have already been the subject of high-profile claims for breach of duty.

What can be the impact and ramifications of facing such litigation for businesses?
Aside from the obvious threat of damages claims, defending litigation can be both costly and time-consuming. While the English system allows the winning party to recover legal costs from the loser, it is rare that the amount spent on legal fees and ancillary costs is clawed back in full. Litigation in England also requires significant CISO and board-level attention, which would be more productively focused on growing and protecting the business for the future.

Do you think CISOs are generally well enough prepared for litigation?
Some yes but others less so. The most important points are: (1) to have a plan in place for how to deal with a potential breach; and (2) to ensure that cyber insurance cover is fit for purpose.

Poor handling of a data breach can severely exacerbate the resulting fallout. When a breach happens there is a race against the clock to minimise its impact; secure systems; meet regulatory reporting requirements (there is a 48-hour requirement under the GDPR); and ensure that communication to affected individuals/companies and the market hits the mark. A simple example is the number of companies that lose valuable time because they don’t know whether the authority to instruct legal counsel and forensic teams lies with the CISO, the Board or the General Counsel. The level of preparation can go all the way through to a full ‘war game’ of how different breaches would be dealt with in order to stress-test processes but, at the very least, the CISO should know the key advisors to be called and who internally should be making those calls.

For the most likely litigation risks, how can security leaders put themselves in the best position to prevent/mitigate?
Put simply, the best way for CISOs to prepare for litigation is to have an effective plan for how to deal with a breach. Key questions to answer in advance include:

  • Who are the key service providers to call?
  • What are the internal lines of communication? Who makes the call on instructing lawyers and other key advisors? Is it the CISO, or does it require other approvals?
  • If the system is down, how do key personnel handling the breach communicate securely?
  • What type of breach is most likely to impact the company, and who are the counterparties most likely to be affected?
  • What do the data privacy clauses in contracts with counterparties require? Are there notification requirements in those contracts?

Planning can range from, at a minimum, ensuring that the questions above (and others) have been considered and the answers are known to the key individuals who will be handling a breach, to running a full simulated breach to stress-test processes.

It is also essential that the CISO is familiar with the terms of the company’s cyber-insurance policies, what is and is not covered, and the notification requirements in the event of a breach. Insurers should generally be one of the first ports of call. Not only is it important to ensure that the cover bites; insurers are also often a good source of information and advice on how to handle certain aspects of a breach.

CISOs should also be careful about what information is (and is not) recorded in the immediate aftermath of a breach. It is important to keep a clear audit trail of the decisions taken and why. However, while dealing with an immediately challenging situation, it is not unusual for ill-judged comments (often from high-level personnel) to be recorded in writing, which can be unhelpful in later legal proceedings. It is sensible, where possible, to have an in-person meeting among key personnel in the first instance to establish clear lines of communication and ensure that the audit trail accurately and clearly details the response process.
