Cyber risk assessments come in dozens of flavors. They can involve enterprise or product level analyses; focus on people, processes, or technology (or all three); be limited to certain systems or all of them; and relate to the company or its service providers (or both). But what all risk assessments have in common is that they identify lots of “opportunities” for improvement. For that reason, both regulators and private plaintiffs demand them in discovery. The absence of a risk assessment can be a red flag, and the presence of unaddressed recommendations arising out of risk assessments can form the basis for alleged liability in a data breach or even a security-vulnerability case.1
For legal counsel, risk assessments are relevant and useful in a number of respects. For example, risk assessments can play a key role in helping to evaluate the vendor management program, as well as helping to assess the vendors’ own security programs. They can also be leveraged to evaluate cyber or privacy issues related to an acquisition target, or leveraged by a target company to ready itself for acquisition or other major transaction (or even a cyber insurance underwriting). Risk assessments can also be used to benchmark a company’s overall security program or elements of its incident response against regulatory requirements, industry standards/best practices, or customer requirements. In some cases, an enforcement agency may request a risk assessment in the aftermath of a breach or as part of a settlement. Having a recent assessment already done in the ordinary course of operation can go a long way in demonstrating diligence and mitigating regulatory scrutiny.
As with any audit or assessment, the challenge for companies is prioritizing and executing on the remediation plan. While some companies have robust processes for identifying corrective actions, road maps, milestones, and funding requirements, many companies struggle—and thereby, unintentionally create an unfavorable paper trail and precedent.
This last point was driven home in the Financial Industry Regulatory Authority’s (FINRA) investigation and consent order against Sterne Agee in 2015.2 Sterne Agee is a registered broker-dealer based in Alabama. The company found itself embroiled in one of FINRA’s very few cyber enforcement actions, largely due to the following fact pattern:
- In May 2014, an employee inadvertently left a laptop with personal data related to over 350,000 consumers in a public restroom, and it was stolen. The laptop was not encrypted.
- Previously, as early as March 2009, the company recognized the need for laptop encryption but considered it a “moderate risk,” due to a low laptop count. As the number of laptops grew, the associated risk of not implementing encryption also grew.
- By 2010, the company had approved the purchase of Microsoft’s BitLocker encryption software.
- In 2010 and 2011, BitLocker was not installed on any laptops because the company needed additional IT personnel. Funding for those personnel was not approved until 2012.
- In 2012, when the newly hired personnel attempted to install BitLocker, it was found to be incompatible with the company’s laptops.
- Employee turnover subsequently delayed the company’s identification of a compatible encryption solution, but funding for the solution was not approved until June 2014—after the unencrypted laptop was stolen.
The Sterne Agee case is an extreme example of a simple proposition familiar to every lawyer: Repeated identification of the same risk can expose the company to potential liability. This proposition has made its way into regulator actions and class action complaints. For example, the FTC has explained that in cyber investigations, the agency requests and reviews “materials like audits or risk assessments that the company or its service providers have performed.”3 On the class action side, plaintiffs in the Equifax breach litigation alleged that the company failed to remediate known security deficiencies and repeatedly ignored warnings from third-party consultants. One senator summarized her findings on this point following congressional hearings and investigative activities:
- Equifax was warned of the vulnerability in the web application software Apache Struts that was used to breach its system, and emailed staff to tell them to fix the vulnerability—but then failed to confirm that the fixes were made.
- Equifax received a specific warning from the Department of Homeland Security about the precise vulnerability that hackers took advantage of to breach the company’s systems and several outside experts identified and reported weaknesses in Equifax’s cyber defenses before the breach occurred. But the company failed to heed—or was unable to effectively heed— these warnings.4
While it is certainly easy for outsiders to critique in hindsight, the tone and tenor of the allegations clearly set forth a road map for identifying key exposure points. We offer three thoughts on how lawyers might leverage cyber assessments to help proactively manage enterprise risk:
- Focus on Repeat Items
Lawyers should hone in on documented weaknesses, warnings, and action items that continue to show up from audit to audit or assessment to assessment, particularly those that map to noncompliance with a specific law, regulation, or contractual requirement (e.g., PCI DSS). Depending on their criticality and remedial potential (e.g., if fixes are reasonably available), these repeat items can form the basis for serious regulatory and private liability—particularly if any even arguably contribute to a future data breach. Of course, context is always relevant to assessing liability exposure. For example, remediation recommendations must be viewed in the context of whether the risk item was deemed “accepted risk” by the company; the probability of the risk event occurring is also relevant; and counsel should probe whether compensating controls exist to mitigate the risk item’s criticality for prioritization purposes. - Deploy Privilege Via Emails and “Drafts”
As discussed above, risk assessments are a double-edged sword—helping to identify security risks while simultaneously creating remediation risks for the enterprise. Thus, it bears repeating that even if a cyber audit or assessment might not qualify for privilege or work-product protections, there are strategies to shield legitimate debate and decision-making. Lawyers should be consulted precisely in situations where trade-offs must be made between remediation and resources—as these choices often carry significant legal compliance, regulatory, and litigation risk repercussions. Drafts of reports sent to counsel for legal advice, as well as emails and conversations that occur outside the four corners of an assessment, are almost always covered by the attorney-client privilege. - Focus on Assessments That Are Tightly Linked to Strict Legal Requirements
In our experience, risk assessments produce broad recommendations that cover a lot of ground, including actions that range from necessary to advisable to nice-to-have. Counsel should work with business and security teams to develop a defined schedule on the corporate calendar for conducting risk assessments in areas like HIPAA and PCI that produce specific, targeted remediation recommendations. In addition to being able to identify specific issues, there is value in being able to demonstrate a culture of compliance should the company experience a public breach or regulator investigation.
Read Tips from the Trenches: Make Your Company Less Attractive to Cyber Enforcement
This article has been published in PLI Current: The Journal of PLI Press, Vol. 3, No. 2 (Spring 2019), https://www.pli.edu/PLICurrent
A version of this article has been published in the Course Handbook for PLI’s Twentieth Annual Institute on Privacy and Data Security Law.
Sources
1 The FTC has exercised its prosecutorial discretion to investigate and bring actions against companies for security vulnerabilities even in the absence of any data breach. See, e.g., Complaint, FTC v. D-Link Corp., No. 3:17-cv-00039 (N.D. Cal. Jan. 5, 2017).
2 FINRA Letter of Acceptance, Waiver and Consent, Sterne, Agee & Leach, Inc. (Respondent), No. 2014041619501 (May 22, 2015).
3 See Eichorn, supra note 27.
4 Sen. Elizabeth Warren, Bad Credit: Uncovering Equifax’s Failure to Protect Americans’ Personal Information 1 (Feb. 2018), www.warren.senate.gov/files/ documents/2018_2_7_%20Equifax_Report.pdf