It was a busy week for companies and government agencies struggling to combat the growing threat of cyber-attacks, with some bad news and some good news. Here’s what you need to know, and how we can help.
What you Need to know
First, the bad news:
- Lawsuits against Target move forward and lawsuits against Home Depot pile up: Target faces over 90 lawsuits arising from its data breach last holiday season, including suits filed by consumers, banks, credit card companies, and shareholders. Last week a federal judge in Minnesota rejected Target’s efforts to dismiss the lawsuits by the banks, clearing the way for banks to go after merchants for alleged negligence in cybersecurity. Meanwhile, Home Depot revealed in its most recent quarterly SEC filing that it already faces at least 44 lawsuits, as well as investigations by multiple state and federal regulators, arising from the breach it announced just three months ago. The price tag from the breach so far is reportedly $28 million, but that number will likely grow exponentially in the months ahead. It has also been reported that Home Depot, like Target, suffered the breach in part because hackers were able to get into its system through a third-party vendor.
- Destructive malware used in Sony Pictures attack and Iran-based hacking group attacks targets worldwide: Sony Pictures has been victimized by an attack that resulted in the leak of several completed films as well as information about executive compensation and other personal information about employees. The malware used in the attack reportedly wipes data from computers in a way that makes it nearly impossible, if not impossible, to recover it. The FBI is warning other US businesses that they face a similar threat. Meanwhile, the FBI also released an alert to US businesses in multiple sectors about coordinated cyber-attacks originating from Iran. A private security firm released a report about the same hacking group, indicating that victims included a defense contractor as well as companies in the energy, transportation, automotive, and medical services sectors.
Now, the good – or at least encouraging – news:
- FTC declines to pursue case against Verizon: The FTC recently ended an investigation into allegations regarding Verizon’s security practices for customer routers. But unlike FTC investigations into more than 50 other companies, this inquiry ended without a consent decree requiring fines or burdensome compliance audits. On the contrary, the FTC closed its inquiry without taking any action based on Verizon’s strong, proactive remedial measures and the quality of its overall data security practices relating to routers.
- DOJ Criminal Division announces new Cybersecurity Unit: Leslie Caldwell, the Assistant Attorney General for DOJ’s Criminal Division, announced the formation of a new Cybersecurity Unit within the Criminal Division’s Computer Crime and Intellectual Property Section. The new unit will act as a central hub to provide legal guidance and expertise for US and foreign law enforcement agencies and to support cybersecurity activities by public and private sector partners. Those functions are not now – indeed, CCIPS does all of them right now. But CCIPS has historically lacked the resources to tackle the increasingly global cybercrime problem on the scale it requires, so if the creation of the new Unit means more high-level attention and resources to the effort, then it’s a great step. But the critical test will be whether new resources are devoted to the section to support the new Unit, so it is more than just a new line on an organizational chart.
What you need to do now
The key takeaways from these developments are:
- Test your privacy and security program: If you get breached, you will be sued and investigated. Just ask Target and Home Depot. That means it’s important to have a vetted cybersecurity program in place before a breach occurs, and to test and adapt that program as risks and threats evolve. The best way to defend yourself later when courts and regulators are looking at your conduct is to take proactive measures now, before an incident occurs. Steptoe can help you review and revise your security program, under the protection of the attorney-client privilege, to mitigate your risk of an incident now and to reduce your litigation exposure later. We’ve released a free data breach toolkit to help companies better understand how to address these risks.
- Test your incident response plan and team: Poor breach response can make a bad situation much, much worse. A breach is a crisis, and Steptoe can help you test your company’s ability to respond to all aspects of the crisis – including technical, legal, and public relations — through a breach simulation. That way you can be confident that when the real thing occurs, your people will be able to handle it effectively.
- Your vendors’ cybersecurity practices could pose a risk to your network: Target and Home Depot both demonstrate that a hacker can get into your system though one of your vendors or suppliers. How much do you know about your vendors’ cybersecurity practices? Do you have contracts with your vendors that obligate them to maintain certain levels of security, and to indemnify you for a breach on your system? Steptoe can review your vendor management program to help protect you from this third-party risk.
- Law enforcement engagement and information-sharing are critical: Sharing of cyber-threat information between the government and private sector has never been more important. And one of the most challenging parts of breach response is the question of whether and how to engage with law enforcement. Steptoe has unparalleled government cyber experience and relationships, including former DOJ, FBI, DOD, and DHS officials with responsibility for cybercrime and cybersecurity.
If you have questions about these recent developments or would like to discuss steps to address your cybersecurity and litigation risks, please contact our cybersecurity team: Stewart Baker at 202.429.6402; Michael Vatis at 212.506.3927; or Jason Weinstein at 202.429.8061.