JONES DAY TALKS®: Cyber Risks: A False Sense of Security – Episode 1
Cybersecurity risk is evolving and expanding. Traditionally, cybersecurity risk has been equated with cyber attacks and their associated legal consequences. That risk is undoubtedly real: all internet-connected systems remain vulnerable to increasingly sophisticated, persistent threat actors, including nation states and well-funded criminal organizations, who can circumvent even robust defenses to intrude into systems and expose companies to a wide variety of regulatory investigations and litigation. But companies increasingly face cybersecurity legal risk even absent a data breach. Emerging theories of liability, largely arising from inconsistencies between the representations companies make about their cybersecurity and their actual cybersecurity posture, are presenting new, substantial civil and potentially criminal legal exposures for companies.
In the first installment of a multi-part JONES DAY TALKS® series, partners Lisa Ropple, Justin Herdman, and Grayson Yeargin discuss today’s rapidly growing and changing cybersecurity requirements, and the potential legal consequences of not meeting those obligations.
Read the full transcript below:
Dave Dalton:
The risks associated with data breaches are well-known and growing. Any information tech connected to the internet is vulnerable to cyber attacks, which now originate from persistent and sophisticated threat actors, including nation states and well-funded criminal organizations. These risks potentially expose companies and organizations to regulatory violations and civil litigation. In the first in a series of podcasts we're calling A False Sense of Security, Jones Day's Lisa Ropple leads the discussion with partners Justin Herdman and Grayson Yeargin, focusing on what is expected and required in terms of cybersecurity and the potential consequences of not meeting those requirements. No matter where you work and no matter what your role, this is information you want to hear. I'm Dave Dalton, you're listening to JONES DAY TALKS®.
Dave Dalton:
Jones Day partner Justin Herdman is a former United States attorney. Based in our Cleveland office, he's now a trial lawyer representing businesses and individuals involved in high-stakes government investigations, criminal litigation and civil actions. Justin's practice is focused on obtaining favorable results in matters arising from alleged violations of state and federal laws. And Washington-based partner Grayson Yeargin concentrates his practice on assisting clients with compliance with regulatory requirements and guiding them through government investigations. He represents government contractors, private sector companies, and individuals involved in disputes with the government.
Dave Dalton:
Finally, Lisa Ropple is a leading data breach lawyer and co-leader of Jones Day's global cybersecurity, privacy and data protection practice. She has extensive experience advising companies across many industries in all aspects of cyber data incident response, and has represented clients in connection with some of the largest, highest profile data breaches in history. Lisa will direct today's discussion, so I'm going to toss to her. Justin, Grayson and Lisa, welcome. Lisa, thanks, especially for being here. There's a lot to cover, so take it away.
Lisa Ropple:
Thank you, Dave. And thanks to Justin and Grayson for joining us today. This is the first of a series of podcasts that we'll be holding about cybersecurity legal risk. Traditionally, the concept of cyber risk has been understood primarily as a risk of a cyber attack or a data breach and the many significant consequences that can follow from it. That risk, of course, is very well known and it's very real to all of us.
Lisa Ropple:
We see cyber attacks in the news every day. They're continuing in sophistication and impact, despite companies investing more and more resources all the time and deploying new technologies and approaches to try to defend against them. Virtually any IT system we know of that's connected to the internet is vulnerable, and we're seeing an ever-growing array of well-organized and well-funded threat actors, including nation state sponsored actors and international criminal rings whose full-time profession is to exploit these vulnerabilities.
Lisa Ropple:
We're especially seeing over the last year, just a ton of ransomware attacks that have been extremely damaging to companies of all sizes in all industries. This, of course, continues to be a risk for companies that they have to prepare for. It's really, in my mind, one of the top risks that a company can face, because a significant attack can inflict serious damage on a company very publicly because of breach notification laws and across all fronts. It can affect your operations right away. It can tarnish your reputation, short-term, long-term.
Lisa Ropple:
It can cost millions of dollars to investigate and remediate and can spawn investigations by governmental entities all around the world and litigation with potential big ticket exposure. That litigation, those investigations, can result in steep monetary damages and settlements, but can also result in the imposition of really onerous consent decrees. They can last as long as 20 years, and they can require a huge investment of resources to comply with them, and also a real competitive disadvantage.
Lisa Ropple:
So this type of cyber risk, as traditionally understood, definitely is on the table, it's going to continue to be on the table, it's a very significant risk companies have to face. But what is less well known, and is the topic of this podcast and a series of podcasts that we're going to hold on this topic, is that the cybersecurity legal risk landscape is dramatically changing and it's not limited anymore to data breaches and their aftermath. We're starting to see other emerging potential liabilities arising from companies' cybersecurity posture that aren't related to data breaches at all.
Lisa Ropple:
These liabilities, as we're going to talk about with Justin and Grayson, arise in large part from companies' representations about their cybersecurity compliance and posture. Representations that might be made in contracts, securities filings, or marketing, or otherwise, and gaps between those representations and the actual state of cybersecurity can present substantial liability. That's what we're going to talk about today. Not just civil, but potentially criminal as well. So with that, I'm going to kick it off by asking Justin to help us dig into this topic, which we've titled A False Sense of Security. So Justin, why the title?
Justin Herdman:
Well, as you said, Lisa, I think most of our listeners, as we all know, are familiar with data breaches and the types of liability that can flow from them as you laid out. But what we're seeing now is really an emerging area of risk and it's driven by a couple of different developments. The first is that there are conflicting and vague international statutory or regulatory frameworks, all of which require reasonable security measures to protect data and personal information.
Justin Herdman:
We see these in three main areas for most of our clients and their customers, those are the United States, Europe and China. For instance, in the US, you have a number of different federal statutes that are in play, ones that our listeners will be familiar with, like HIPAA, but also more obscure ones like FISMA. There are also state laws and state regulatory frameworks in play as well. Europe has a regulatory regime called GDPR, and China also has its own regulatory laws. That law is important, it's paramount, and it's one of the reasons why there is emerging risk in this area.
Justin Herdman:
Another related part to this is that there's increasing pressure to provide cybersecurity representations in contracts or other types of assurances to the public or customers via third-party audit certifications or other types of public-facing materials or representations. And particularly for government customers, especially here in the United States, there are requirements that vendors have to make really increasingly burdensome commitments with respect to their cybersecurity measures. All of this translates into high costs for cybersecurity and compliance.
Justin Herdman:
But if you think about it, incentives for companies are not necessarily aligned to address cybersecurity risk. The required investment that companies have to make to meet what they're certifying are their standards does not always translate directly into profit, because most companies are not directly selling cybersecurity itself, and the incentive then to invest in cybersecurity is often displaced by other competing interests. So what we started to see more and more of is a proliferation of third-party audit certifications. In many ways they have improved the overall situation, because it is a fairly consistent application of standards, but there are also unintended consequences to these third-party audit certifications.
Justin Herdman:
Companies, especially in the legal or compliance departments, may think that they're in compliance by relying on these third-party audits, but it's very frequent that successful certification under those third-party audits does not necessarily equate to compliance. This is what could create these significant risks, and the company's legal or compliance department may not be aware at all that significant risks have been created here.
Lisa Ropple:
Oh, that's interesting. Let's talk a little bit more about that last point. Grayson, why is there a disconnect between successful certification and compliance?
Grayson Yeargin:
Sure. Thanks, Lisa. I think this builds a lot off of what Justin was just saying, which is this particular instance is the result of unintended consequences that flow from the different incentives that apply to the different players in this field. Just a little bit of background to lay the groundwork here. It makes sense that before you entrust a company with incident information, a party, and especially the government, is going to want to know that the environment that that company is using is secure. And also, they want to know that it's secure before a problem happens, as opposed to after things have already gone awry.
Grayson Yeargin:
This has really led to the use of third-party assessments, certifications, the use of auditors, the development of standards, so that there is a common ground, there's a common playbook for the different companies to understand, and the different players to understand, that they're meeting these certain requirements. Out of this, you've seen the NIST standards begin to develop, and the ISO standards also come out of that. And now, especially more in the government framework, you're seeing a lot of certifications that are being required.
Grayson Yeargin:
These have traditionally been around, such as the SOC certifications, but the government is really taking it to the next level now, likely because of the more secure information that they have, but the government's taking the lead on really developing some robust requirements here. They've historically had high-level certifications like FedRAMP and other similar processes, but now they're moving towards more of a scalable approach that increases the level of what needs to be shown and the level of certification that expands with the level of security that's needed. We really see that right now in the CMMC, or the Cybersecurity Maturity Model Certification program, that's being rolled out with the DoD.
Grayson Yeargin:
All of this leads to these third party certifications or these internal assessments that are appropriate. Again, that is what creates these different incentives internally at the company, and potentially externally as well. Auditors that are performing the assessments, internal folks that are responsible for these assessments, oftentimes, the assessments themselves are not designed to do a deep dive into what's actually going on at the company. They are designed to test and show compliance, but there is sometimes a tendency to play to the auditors or play to the assessors in these situations.
Grayson Yeargin:
These snapshots that come out of these certifications don't always show what the real picture is. Sometimes there are things such as selective presentation of information or artifacts that are appropriate to show different levels of compliance. What may end up, at the end of the day, is that a company or an entity receives a certification that may not tell the whole story. This, again, leads to the title of our presentation here. It does lead to a false sense of security. The certification may not be accurate.
Grayson Yeargin:
Then, once that certification has been built into a contract, or into representations, or even just used as a public- or customer-facing type of information or document, that can lead to a mismatch between what's really going on and what's being represented. That can flow to a lot of the legal problems that we're talking about today.
Lisa Ropple:
Thanks, Grayson. We do see this play out in the breach context and have from the very earliest breaches back in the mid and early 2000s, where companies obtained certifications; they had third-party assessors that certified they met various industry standards. I'll throw out PCI as just one of the examples. Almost every big company that has suffered a payment card breach has received a PCI certification of compliance. As you say, those assessments really do create, in senior management, a confidence that might be misplaced, right?
Lisa Ropple:
They're surprised, in the light of having these certifications, when there is a big breach and regulators and litigants come after them; they're surprised that those certifications are quickly disregarded by regulators and easily punctured, right, as being not accurate reflections of the cybersecurity posture internally. So very interesting, I've seen a lot of companies surprised by that. So Justin, what are the practical consequences of this kind of a gap between what a company says, what third-party security assessors conclude, and what the actual reality of their cybersecurity posture is?
Justin Herdman:
Right. The most obvious consequence is one, again, I think listeners would be familiar with, the idea that non-compliance is going to lead to some sort of a breach or a cybersecurity failure. What stems from that is all the negative consequences that we've already talked about, or which, again, listeners are already familiar with. But that false sense of security can lead to other potential consequences and exposure on a variety of different fronts. So if you think about it, your sales personnel, or even management, in some instances, might be signing commercial or especially government contracts that have certified compliance or have otherwise made some commitments that the company, in fact, can't satisfy.
Justin Herdman:
So you can understand why there would be exposure and potential liability under those circumstances, but the company may also be making similar certifications in mandated government disclosures or other types of government filings. The company might be marketing based on representations related to their cybersecurity posture, or in some other context might be giving representations and warranties that simply aren't true, or can't be satisfied. All of those potential areas of risks, they compound upon themselves. I think you can see that there are plenty of areas of potential exposure there, civil or criminal, for any company who's in a position like this.
Lisa Ropple:
Thank you, Justin. Why don't we start with those potential civil liabilities that could arise from this? Grayson, do you want to walk us through those?
Grayson Yeargin:
Sure. I would really divide these up into four different broad categories of civil exposure here. As you'll see, as I kind of walk through these, as Justin just laid out, these affirmative statements or these representations all make each of these lines of exposure just easier to tee up and to prove. I'm not saying that these lines didn't exist before, but these new affirmative statements, representations, certifications, you can imagine, just make it easier to bring a case and to potentially be successful in a case in these situations.
Grayson Yeargin:
But the first, I would say, is relatively straightforward: this would be civil liability between private parties in lawsuits based on the representations that were made that may not match what's really going on. These would be your standard breach, fraud type of claims that can be asserted between two parties. They could, of course, in certain situations, lead to punitive damages, so they can be rather substantial in and of themselves. The second category I would describe would be securities litigation focused. These would be related to failures to disclose security risks, known gaps, or potentially inaccurate statements, or also affirmative statements that may turn out not to be true.
Grayson Yeargin:
As our listeners are, I'm sure, familiar, this type of securities litigation is common in other areas, and certainly will be expanding into this particular area as well. The third one, and one I want to draw particular attention to, is False Claims Act liability. This is one that really comes into play when you're dealing with government contracts, sales to the government, public sector connections to your contracts. But I want to stress that this does exist for both federal and state. There is a federal False Claims Act, but there are also multiple state statutes as well that can lead to this type of exposure.
Grayson Yeargin:
The real issue of these FCA-type cases is that they can lead to treble damages and penalties that can quickly stack up. But we're starting to see more cases in this area actually get through the system. This includes these types of cases that can be brought by private parties, known as relators, under the qui tam provisions that are often included in these. The federal False Claims Act has a well-established plaintiffs' bar and qui tam provisions that do allow private parties, whistleblowers, competitors, to bring actions in the name of the government, and to proceed with those particular matters that can lead to government investigations, or even just the private parties pursuing it on their own.
Grayson Yeargin:
This is definitely at the forefront of attention now. Just in December 2020, Deputy Attorney General Granston predicted that cybersecurity fraud could lead to a significant increase in FCA activity. So we think we're seeing the beginning of that, and it's something that's been identified, and we certainly believe it's going to be a trend going forward. The fourth area that I'll just touch on briefly is not really civil exposure, but it's administrative consequences that can flow from these issues.
Grayson Yeargin:
These can be very severe, especially depending on where a company may operate and how much of its business is tied up in this type of activity. But there can be consequences that flow from problems with the mismatch between these statements or certifications and reality that lead to the loss of the certifications or authority to operate, the inability to be qualified to receive certain contracts in the future, and in worst case scenarios, even suspension or debarment if problems are shown to be so significant that the contractor is not considered, the term used is "presently responsible," for being able to meet these requirements. So those are the main areas of civil and administrative exposure.
Lisa Ropple:
Thanks, Grayson. Just to underscore that the False Claims Act liability, in particular, isn't just a theoretical risk. It's actual. We're starting to see cases; back in 2019, I think, the first False Claims Act settlement came out, and these cases percolate under seal for a long time. So it was in the offing for a while before the public became aware of it. This is sort of a wake-up call that this isn't, again, theoretical. This is a real risk and it might be the leading edge of the next wave of cybersecurity focus, in particular. Let me turn to you, Justin, to talk a little bit about the criminal side of this, which False Claims Act liability can involve, and other theories potentially of a criminal kind that might be implicated here.
Justin Herdman:
Yeah. This is truly the worst case scenario, when we're talking about criminal liability. But if you think about what it is that we're discussing here, it makes sense why there would be exposure on the criminal front. If a company is making commitments, particularly if management knows that the company could not fulfill the promises that are being made, or the representations that are being made, you can understand why there would be potential criminal liability with those facts. This is particularly concerning, because if you have executives in management who have authorized false statements or certifications, and they knew that they were false, we're talking about the potential for personal individual liability on the criminal side here.
Justin Herdman:
In terms of trying to pull back a little bit and thinking about emerging areas of risk, it's actually useful to look through a framework that most of the listeners would be familiar with when it comes to compliance and we're talking about potential criminal liability. I would say it's helpful to look at this through the lens of the FCPA. 20 years ago, companies were frequently certifying compliance with the Foreign Corrupt Practices Act, but a series of prosecutions really began to highlight the inadequate nature of controls, the lack of audits around this area, and the fact that there were just not sufficient measures in place to prevent violations of the Foreign Corrupt Practices Act throughout the corporate world.
Justin Herdman:
If you think about it like that, you can see why an emerging area of risk, such as what we're discussing in this podcast, is so concerning to us when we're talking about criminal liability. You cannot ignore the criminal exposure that attaches to false statements that are made in response to government-mandated disclosures or in connection with government contracts. While we've seen historically, under similar fact patterns, these cases can be resolved civilly and typically are, the reality is that anytime you're talking about exposure to False Claims Act investigations, you're usually talking about an investigation that's been dual-tracked out of a US Attorney's office or another prosecutor's office.
Justin Herdman:
You'd have investigators with both civil authority and criminal authority who are looking into the same set of facts and determining whether or not there is civil liability or criminal liability based on those facts. For criminal investigators, typically, what they're going to be focused on is identifying individual misconduct and trying to look to see if that misconduct rises to the level of a federal criminal prosecution. Also, I would just point out, prosecutors are typically very creative when it comes to using certain federal criminal statutes, namely wire fraud.
Justin Herdman:
We have seen cases, recent cases, where wire fraud prosecutions have been brought on the basis of false claims that were made online, even when they were done in the context of marketing. That has resulted in criminal prosecutions, federal criminal prosecutions. To sum up, the prospect for a criminal inquiry or investigation at a minimum under these circumstances is a very real possibility. Again, we're talking about worst case scenario here, but it's definitely worth taking into serious account, because nobody, let alone a company, wants to be dealing with a federal criminal investigation.
Lisa Ropple:
Well, that's definitely very sobering, Justin. I'm certain that senior management in many companies are not aware of this potential exposure, right, that many listeners' companies may still be thinking about cyber risk in terms of the risk of breach, and that's it. So this is really, to me, a game changer, this new emerging scope of potential liability. What can companies do to reduce the risks, Grayson?
Grayson Yeargin:
Sure, I'll start off here, yeah. The number one thing that they can do is to really get a handle on what is being required. What are they actually representing that they are doing, and what do the certifications say, and what do the contracts say that the companies are entering into? As we mentioned at the beginning, there is an ever-expanding range of requirements that are being put out there at the regional level, the international level, the national level, and the state level. These can all be different.
Grayson Yeargin:
Really, there needs to be an active and ongoing effort to track and understand what it is that is actually being required in these particular instances. The second, I really can't stress this enough, because in the matters where I work with companies on these, this is an instance where I think a bit more effort at the very beginning, or activity at the beginning, would save a lot of heartache later on, and that's to increase your communication internally and to really understand your compliance posture as a company. So increased communication between legal, security and the technical teams goes a long way in being able to anticipate and then potentially resolve some of these problems before they ever happen.
Grayson Yeargin:
It's important to empower your compliance and legal teams as well to make sure that they can be coordinated and that folks listen to each other. This also greatly helps in preserving privilege and making sure that if you are identifying weaknesses internally, that you are doing it in such a way that you can handle it without necessarily exposing yourself at the same time as you go through. Then also, there are a lot of technical consultants out there that are very much in the weeds and have seen how these issues have been handled across the industry. Oftentimes, it can make sense to involve a technical expert or a technical consultant to assist in assessing these particular issues. Justin, I'm sure you've got a few more to add here.
Justin Herdman:
I would just add on, this is the type of risk that we would encourage folks to raise to, at a minimum, the executive suite level, but really, this is going to, over time, require more and more board attention. That's for a couple reasons. You obviously want to be raising the awareness around emergent risks to leadership in the company, but you also, and I think more importantly, from a compliance or legal standpoint, you want to make sure that addressing these risks is getting the resourcing that's required to ensure that there's compliance. That's a really important point. By raising the awareness, it can lead naturally, and should lead naturally, to resourcing. Another point I would make, there is a lot of learning to be done around this space.
Justin Herdman:
If you're just talking about what the regulatory frameworks are, these are very complicated sets of rules and laws that are in place, and that's going to require a lot of learning for your in-house legal or compliance team. That's just one example, but I think that there's a place for some substantial in-house training for the people who are going to work on these risks, also over time, to ensure that that compliance effort is filtered out to the folks who are actually dealing face-to-face with customers, who are going to be subject to the auditing that's underway to make sure that the people who are fronting with the third party certification companies have been properly trained on this as well. This is something that outside counsel can assist with, both from a subject matter expertise standpoint, but also to help ensure that there's attorney-client privilege and protection around any of these measures.
Lisa Ropple:
Thanks, Justin. I'll just add to that two points, the first of which is just a very practical point. In some companies, cyber doesn't have an owner in the legal department. Privacy may, especially if you're a regulated entity with HIPAA, and you have a lot of experience, and a lot of requirements that you have to comply with that have been around for decades, but cyber in most or many companies actually sometimes falls between the cracks, or is owned by litigators in the context of a breach, or is owned by privacy folks who really don't have expertise in cyber. It is an emerging expertise that needs to be covered in the legal department.
Lisa Ropple:
One practical suggestion I'd raise is that companies should think about who would own it. And not only in the context of a breach, but have someone get smart on the topic, and be trained, and up-to-date, and serve as liaison with the technical security teams, to Grayson's earlier point. That's just a practical tip, but one that you want to be proactive about. Then, the second tip or comment I'd make is that, unlike in privacy, companies don't necessarily have an obligation to make representations about their cybersecurity posture online. I listened to Justin talk about the potential for wire fraud from a criminal perspective, and the hair goes up on my neck.
Lisa Ropple:
But I also think about, boy, there's an easy way to avoid that. As a general proposition, just limiting your cybersecurity representations to where you need to make them as a matter of law would go a long way to reduce risk. Also taking a look at your representations, to the extent you do make them, across audiences and across channels, making sure that they're consistent. That's another very important angle, and we see it a lot with companies, that marketing might be saying one thing and information security might be saying another thing to vendors. Then, the lawyers themselves might be saying something different in the context of deals or government contracting.
Lisa Ropple:
Just again, another practical way to reduce risk here may be to limit what you say, but make sure when you say it, you say it the same way every time. So thanks, Justin. Thank you, Grayson, for joining me today for this podcast. It's very interesting. As I mentioned at the top, this is the first podcast in a series of podcasts that are going to be focusing on this emerging area of cybersecurity risk. In our next session, we'll focus on a new potential reporting requirement relating to government customers. We will be looking at a whole bunch of risks from various angles as they emerge. This is a very dynamic area and we look forward to keeping everybody up to date on it.
Dave Dalton:
Lisa, that was great. You covered a lot of information and we're looking forward to additional podcasts in this series in the coming weeks. You can find biographies and contact information for Justin, Grayson, and Lisa at jonesday.com. While you're there, take a few minutes and check out the content on our insights page. You'll find more podcasts, videos, white papers, client commentaries, blogs, and other useful information. Subscribe to JONES DAY TALKS® at Apple Podcasts and wherever else podcasts are found.
Dave Dalton:
As always, we thank you for listening. JONES DAY TALKS® is produced by Tom Kondilas. I'm Dave Dalton, we'll talk to you next time. Thank you for listening to JONES DAY TALKS®. Comments heard on JONES DAY TALKS® should not be construed as legal advice regarding any specific facts or circumstances. The opinions expressed on JONES DAY TALKS® are those of lawyers appearing on the program and do not necessarily reflect those of the firm. For more information, please visit jonesday.com.