Cybersecurity – Global Investigations Review
Cybercrime is a global threat that is constantly increasing in both volume and complexity. Perpetrators are using new technologies to commit cyberattacks against governments, corporates, critical infrastructure and individuals. According to the UK government’s Cyber Security Breaches Survey 2022, 39 per cent of businesses identified a cyberattack in the most recent 12-month survey period. Similar survey research in the United States suggests that from 2021 to the time of writing, there were 2,679 data breaches, and data compromises affected the data of approximately 351 million individuals.
To tackle ever-increasing levels of cybercrime, countries around the world are introducing new laws focused on cybersecurity and data protection. Armed with new legal frameworks, regulators and law enforcement are placing onerous obligations on organisations that fall victim to cybercrime. There are shorter deadlines in which to notify the authorities of data breaches, and ever-increasing fines and penalties for businesses that fail to respond swiftly and appropriately to a cyberattack.
This chapter examines the complex area of cybersecurity and considers recent cases, the particular issues that can arise in cyber investigations and how to respond to a cyberattack. It identifies key considerations for corporates and their advisers in this ever-evolving area.
31.1.1 What is cybercrime?
In the United Kingdom, cybercrime is an umbrella term used to define linked, but distinct, areas of criminal activity. The National Cyber Security Strategy 2016 to 2021 defined these two subcategories as follows:
- cyber-dependent crimes – crimes that can be committed only through the use of Information and Communications Technology (ICT) devices, where the devices are both the tool for committing the crime, and the target of the crime (e.g. developing and propagating malware for financial gain, hacking to steal, damage, distort or destroy data and/or network or activity); and
- cyber-enabled crimes – traditional crimes which can be increased in scale or reach by the use of computers, computer networks or other forms of ICT (such as cyber-enabled fraud and data theft).
In the United States, there is no uniform definition of cybercrime or cybersecurity, and the principal federal criminal law, the Computer Fraud and Abuse Act (CFAA), criminalises unauthorised access of computer systems. The Prosecuting Computer Crimes manual by the Department of Justice (DOJ) sets out that ‘[its] focus is on those crimes that use or target computer networks, which [the DOJ] interchangeably refer[s] to as “computer crime”, “cybercrime”, and “network crime”. Examples of computer crime include computer intrusions, denial of service attacks, viruses, and worms’.
The CFAA establishes the specific cybersecurity crimes of obtaining national security information, accessing a computer and obtaining information, trespassing in a government computer, accessing a computer to defraud and obtain value, intentionally damaging by knowing transmission, recklessly damaging by intentional access, negligently causing damage and loss by intentional access, trafficking in passwords and extortion involving computers.
Globally, cybercrime is a constantly evolving area, with perpetrators adapting their methods as new technologies become available. Several common types and techniques of cybercrime are as follows:
- Hacking is the targeted intrusion of a network, computer, mobile telephone, tablet or other electronic device.
- Malware is malicious software that interferes with computer operations and spreads across networks. Malware may be destructive, causing systems to crash or deleting files. It can also be used to steal data. Malware can be further sub-divided:
- Viruses are software programs loaded onto a user’s computer covertly that perform malicious actions.
- Trojans are malicious computer programs that present themselves as useful, routine or interesting to persuade the victim to install them. The Trojan program can then steal data or undertake other nefarious tasks under the guise of being the legitimate program.
- Spyware is software that gathers information from infected systems and monitors information such as keystrokes or websites visited by a computer user. Spyware can be used to steal passwords, or financial or other valuable information.
- Ransomware is software designed to block access to a computer system until a ransom is paid.
- Worms are self-replicating programs that spread from computer to computer, causing damage. They do not require human interaction and do not need to attach themselves to software programs.
- Phishing is the fraudulent practice of sending emails purporting to be from a reputable source to induce individuals to reveal personal information such as passwords or banking information.
- Fraudulent websites are increasingly common. They appear to be for legitimate businesses and trick victims into handing over financial information or payments.
- Denial of service (DoS) is a cyberattack in which the perpetrator disrupts a computer or other device to make it unavailable to users by disrupting the device’s normal functioning. DoS attacks typically function by overwhelming or flooding a targeted machine with requests until it can no longer process normal users.
- A distributed denial of service (DDoS) attack is the same as a DoS but targets multiple network resources at once.
- A deepfake is a form of media (e.g., a video, photo or voice recording) that has been manipulated, usually by artificial intelligence, to misrepresent an individual as doing or saying something that was not actually done or said.
New technologies bring fresh opportunities for cybercriminals, and artificial intelligence and 5G are already being exploited by malicious actors to identify security passwords and replicate victims’ voices in audio deepfake scams.
31.1.2 Motivations of cybercriminals
Financial gain remains a key motivator for malicious cyber actors. While some attacks are focused on the direct extraction of money, others seek to steal valuable information and either extract a ransom from the victim or sell the information to a third party.
While many cyberattacks are aimed at obtaining personal data through theft, other information (e.g., trade secrets, compromising information or information harmful to reputation) can be valuable.
Cyberattacks are increasingly being used for political and ideological reasons or to spread disinformation. Attacks can be a form of protest, and in those cases they usually focus on damage to infrastructure or control systems.
31.1.3 Recent cyberattacks
Cyberattacks make headlines across the world, causing enormous reputational damage for the entities involved. Enforcement action frequently follows data breaches, with ever-increasing financial penalties for corporates. Many regulators also bring criminal enforcement action.
In August 2022 a ransomware attack on a third-party software supplier caused widespread outages across the UK National Health Service (NHS), taking a number of NHS services, including urgent treatment centres, offline. This attack, some media reports suggested, marked the ending of a hiatus in attacks by cybercriminals on health institutions during the covid-19 pandemic, with a Kroll report identifying a 90 per cent increase in attacks in the three months to 30 June 2022 as compared with the previous quarter. UK public sector entities are a common target for cybercriminals with around 40 per cent of incidents managed by the National Cyber Security Centre between September 2020 and August 2021 impacting this sector.
In summer 2021, Amazon’s financial filings revealed that the Luxembourg data protection supervisory authority, the Commission Nationale pour la Protection des Données (CNPD), fined the retailer’s European arm (Amazon Europe Core Sàrl) €746 million for breaches of the EU General Data Protection Regulation (GDPR). The CNPD’s decision is not yet publicly available so little is known about the facts, and it may not relate to a cyber incident. It is nevertheless worth mentioning as it is the largest GDPR fine on record and indicative of the enormous financial repercussions of not complying with data laws. Amazon has stated it intends to defend itself vigorously in the matter.
The year 2020 ended and 2021 began with the SolarWinds’ Orion software breach, which impacted multiple US government agencies, including the US Treasury Department. Then in April 2021, Facebook confirmed that the personal information of more than 530 million users has been leaked and published on a hacking forum and is now subject to an investigation by the Irish Data Protection Commission.
Most significant in terms of pure tangible impact was a ransomware attack on Georgia-based Colonial Pipeline that reportedly arose from a single compromised password, which effectively closed the supply of a key oil pipeline stretching from Texas to the northeast of the United States that was responsible for delivering 45 per cent of the East Coast’s fuel. Colonial paid the hackers, an affiliate of a Russia-linked cybercrime group DarkSide, a US$4.4 million ransom shortly after the hack. In June 2021, the DOJ announced that it had traced and seized US$2.3 million of cryptocurrency that constituted a portion of the total ransom paid by Colonial.
Travelex, the world’s largest retail currency dealer, received prominent media coverage in January 2020 after it suffered a ransomware attack. Media reports attributed the hack to a cybergang called Sodinokibi, also known as REvil. Share value in Finablr, the parent company of Travelex, dropped in the week that followed the attack.
Following an extensive investigation, the Information Commissioner’s Office (ICO), which regulates data privacy in England and Wales, issued a notice of its intention to fine British Airways £183.39 million for infringements of data protection laws. The proposed fine related to a cyber incident notified to the ICO by British Airways in September 2018. The incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through the false site, customer details were being harvested by the attackers. The personal data of approximately 500,000 customers were compromised in the incident. British Airways was given the opportunity to make representations regarding the level of financial penalty. In the end, the ICO fined British Airways £20 million for failing to protect the personal and financial details of a number of its customers.
Equifax is a multinational data, analytics and technology company with an emphasis on consumer credit reporting. In early September 2017, the US parent company announced it had been the victim of a criminal cyberattack. Although UK systems were not breached, the attack compromised the personal information of some UK consumers. The data breach exposed the personal information of 147 million people. The company agreed to a global settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and 50 US states and territories. The settlement included up to US$425 million to help people affected by the data breach.
Uber Technologies Inc was caught in a data controversy when it was reported that hackers stole the personal data of 57 million customers and drivers. Compromised data from the October 2016 attack included names, email addresses and phone numbers, the company reported. It was reported that the breach took place in 2016 but that Uber sought to conceal the event. The company is said to have paid hackers US$100,000 to delete the data that had been taken from Uber’s cloud-based servers.
The ICO fined Uber £385,000 in what it called ‘a series of avoidable data security flaws which allowed the details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company. This included full names, email addresses and phone numbers’.
The ICO was strong in its criticism of the company’s director of investigations, Steve Eckersley, saying:
This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.
The financial penalties in the United States totalled US$148 million. Lisa Madigan, the Illinois Attorney General, stated:
This is one of the most egregious cases we’ve ever seen in terms of notification; a yearlong delay is just inexcusable. And we’re not going to put up with companies, Uber or any other company, completely ignoring our laws that require notification of data breaches.
In October 2022, Uber’s former chief security officer was found guilty of criminal obstruction for failing to report a cybersecurity incident to authorities. The case will be of concern to data and security staff and no doubt shape their responses to cyberattacks.
31.2 Legal framework
31.2.1 United Kingdom
Within the United Kingdom, there are a number of different Acts and Regulations that may be applicable to a cyber incident, depending on the facts and the type of entity that has been targeted.
188.8.131.52 UK legislation criminalising cyberattacks
The Computer Misuse Act 1990 (CMA) is the key legislation in the United Kingdom relating to offences or attacks against computer systems. The CMA allows proceedings to be brought in England or Wales if, in the circumstances of the offending, there is at least one significant link with the United Kingdom.
The CMA criminalises unauthorised access to computer material, unauthorised access with intent to commit or facilitate commission of further offences, and unauthorised acts with intent to impair the operation of a computer, causing or creating risk of serious damage for example to the environment or economy.
Under section 3(1) of the Investigatory Powers Act 2016, which came into force in June 2018, it is an offence to intentionally intercept a communication in the United Kingdom, without lawful authority, in the course of its transmission by means of a public or private telecommunication system or a public postal service.
Additionally, some offences under the Data Protection Act 2018 (DPA), such as knowingly or recklessly obtaining or disclosing personal data without consent, procuring the disclosure of personal data to another person without consent, and selling personal data disclosed or retained without consent, can be relevant to cybercrime.
Many types of crime, of course, do not depend on computers or networks but are being committed with relative ease using the internet. These offences include fraud, intellectual property crime and sending malicious communications, which are dealt with under separate legislation.
184.108.40.206 UK laws leading to positive obligations for victims of cyberattacks
The United Kingdom has a robust set of laws relating to data breaches that commonly arise out of cyberattacks. The EU GDPR has been incorporated directly into UK law as the UK GDPR.
Article 5 of the UK GDPR sets out the key principles, rights and obligations for most processing of personal data, but it does not apply to processing for law enforcement purposes. The seven key principles are (1) lawfulness, fairness and transparency (2) purpose limitation, (3) data minimisation, (4) accuracy, (5) storage limitation, (6) integrity and confidentiality, and (7) accountability.
The UK GDPR is concerned with ‘personal data’, which means information about a particular identified or identifiable living individual; it includes employees, clients, business contacts, public officials and members of the public. If it is possible to identify someone from the details, or by combining the details with other information, then it will come within the scope of ‘personal data’. What identifies an individual includes names, numbers, cookie identifiers and internet protocol addresses.
The law is designed to be flexible and to take a risk-based approach to data protection. In reality, the legislation puts the onus on organisations to think about – and, if necessary, be able to justify – how they use data and process data.
The UK GDPR applies to the processing of personal data if it is completed wholly or partly by automated means or to the processing other than by automated means of personal data that forms part of, or is intended to form part of, a filing system. Processing includes collecting, recording, storing, using, analysing, combining, disclosing or deleting data. For the majority of organisations handling data, the processing test will easily be met.
Organisations that process personal data need to ensure they have appropriate security measures in place to protect the data held. This is the integrity and confidentiality principle (or security principle) of the UK GDPR. Under this principle, organisations must have appropriate technical and organisational measures in place. This may be achieved via risk analysis, organisational policies, and physical and technical actions. The costs of implementation when deciding what measures to take are relevant but must be appropriate to the circumstances of the organisation and the risk the processing poses.
The measures in place must enable custodians of personal data to restore access and availability of personal data in a timely manner in the event of a physical or cyber incident. There need to be processes in place to test the effectiveness of measures, and where improvements are required these should be implemented.
The UK GDPR does not define the security measures an organisation needs to have in place, but some industries are required to meet certain standards by their regulator or industry body; for example, the Financial Conduct Authority Handbook covers data security in financial services, which includes the risk that customer data is lost or stolen. Whether such requirements have been adhered to is likely to be relevant to enforcement action.
The DPA sets out the data protection framework in the United Kingdom alongside the UK GDPR. It contains three separate data protection regimes: Part 2 sets out a general processing regime (the UK GDPR); Part 3 sets out a separate regime for law enforcement authorities; and Part 4 sets out a separate regime for the three intelligence services. The DPA was amended on 1 January 2021 to reflect the United Kingdom leaving the European Union.
In May 2022 the UK government announced a Data Protection and Digital Information Bill, reforming the current UK data protection regime to reduce ‘the burdens on businesses that impede the responsible use of personal data’ and give ‘businesses the opportunity to protect personal data in the most proportionate and appropriate way’. The proposed changes will reform aspects of the UK GDPR, the DPA and the PECR.
The Network and Information Systems Regulations 2018 (NIS) are intended to combat the threats posed to network and information systems with a desire to improve the digital economy and society. NIS applies to operators of essential services and relevant digital service providers such as online search engines, online marketplaces and cloud computing services.
In March 2022, the Online Safety Bill 2022 was introduced. Although the bill is still passing through Parliament, it envisages an online safety regime protecting internet users from illegal and harmful content and imposing fines of up to the higher of £18 million or 10 per cent of global annual turnover for companies that do not comply. Manipulated media, such as deepfakes, are likely to be caught by the legislation and, as such, platforms hosting such content risk being fined.
Numerous other Acts of Parliament can be relevant to data breaches; the facts of any particular case will determine which Acts apply. The Acts can be as diverse as the Official Secrets Act 1989, dealing with information that can impact national security, and the Companies Act 2006, imposing duties on directors to promote the success of the company, inter alia, by adhering to the desirability of the company maintaining a reputation for high standards.
It is advisable to engage external counsel for specialist legal advice if dealing with a data breach.
31.2.2 United States
The United States has a medley of unrelated, and at times incompatible, federal and state laws and regulatory guidance, which either relate specifically to cybersecurity or have been interpreted to do so. There is no uniform national law that explicitly requires security of personal information across all industries and sectors.
This results in there being no generally accepted approach to defining ‘cybersecurity’ and no nationally recognised way companies can maintain systems and procedures to adequately address cybersecurity risks. The diversity of laws and the rapidly evolving regulatory environment mean that there are a number of potential public and private litigants, and businesses operating across the United States need to carefully assess their cybersecurity risks and compliance requirements.
So far in 2022, at the state level alone, at least 40 states have introduced or are considering more than 250 bills or resolutions that are significantly related to cybersecurity, and 24 states have enacted at least 41 cybersecurity-related bills. It is advisable to seek the assistance of external counsel when dealing with this specialised area of law.
220.127.116.11 Federal law
The CFAA provides for numerous cybersecurity-specific offences relating to unauthorised access of computer systems and related damage, trafficking and extortion. Notably, the US Supreme Court recently narrowed the scope of liability under the CFAA, holding that it only covers information obtained for an improper purpose if the person accessing the information was unauthorised to access it.
FTC and FTCA
The FTC is a federal agency tasked with protecting consumers and promoting competition in the United States through the enforcement of civil antitrust and consumer protections laws. The FTC has powers pursuant to the Federal Trade Commission Act (FTCA), which prohibits ‘unfair or deceptive acts or practices in or affecting commerce’, regardless of industry.
CFPB and CFPA
The CFPB, the US agency responsible for consumer protection in the financial sector, has power under the Consumer Financial Protection Act (CFPA) to bring civil enforcement actions in federal courts against regulated entities for unfair business practices that violate the CFPA, which can include failures to safeguard customers’ personal data. In August 2022, the CFPB published a circular underscoring its position that a failure of a bank or other financial firm to safeguard customers’ personal data can amount to an unfair practice violation of the CFPA, which suggests a renewed focus on the part of the CFPB to use existing regulation to tackle cybersecurity breaches.
Financial institutions and GLBA
The Gramm-Leach-Bliley Act (GLBA), enforced by multiple federal agencies, requires financial institutions to maintain safeguards for non-public information in the institutions’ control and to adopt ‘administrative, technical, and physical safeguards’ for the security of non-public personal information. In sum, it requires that financial institutions have policies and procedures reasonably designed to ensure the security and confidentiality of customer’s records and to protect against cybersecurity threats and unauthorised access and uses of customer records.
Various agencies have published guidelines pursuant to the GLBA, including the Interagency Guidelines adopted by the Office of the Comptroller of the Currency, the Federal Reserve System and the Federal Deposit Insurance Corporation. The guidelines prescribe steps for institutions, including involving the board in the development of a cybersecurity programme, conducting risk assessments and conducting due diligence and ongoing monitoring of service providers’ cybersecurity measures.
Publicly traded companies
The Securities and Exchange Commission (SEC) has published guidance on publicly traded companies’ disclosure obligations with respect to cybersecurity and on companies disclosing material cybersecurity risks and incidents to investors. The guidance recommends that publicly traded companies adopt controls and procedures that enable companies to identify cybersecurity risks and incidents, assess and analyse their impact on a company’s business, evaluate their significance and make timely disclosures. It also recommends that companies implement measures to prevent insider trading in the event of and during the investigation of a potential data breach.
While yet to be published, in March 2022, the SEC proposed a set of rules that, if adopted, will fundamentally change how US-listed companies will have to treat the reporting of, the management of, and the responsibility and oversight for cybersecurity incidents. Most notable in a variety of additional disclosure requirements that the proposed rules would impose would be the addition of a new Form 8-K item to publicly report specific information about a material cybersecurity incident within four business days of the occurrence of the incident, and then a further requirement to disclose material changes in the incident in the company’s proxy statement or Form 10-K.
Healthcare providers and HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) requires that healthcare providers, health plans, healthcare clearing houses, (and, in certain cases, business associates) adopt ‘administrative, technical, and physical safeguards’ to protect individually identifiable health information (protected health information (PHI)). HIPAA restricts access to and use of PHI while imposing related security standards (the Security Rule), and requires individuals affected by any breach of privacy to be notified (the Breach Notification Rule). Finally, HIPAA provides for civil and criminal penalties for the compromise of PHI maintained by entities covered by the statute (covered entities) and business associates.
The Federal Information Security Management Act (FISMA) defines a framework for managing information security that must be followed by all information systems used or operated by a US federal government agency and by third-party contractors who work on behalf of a federal agency in those branches. Failure by a contractor to comply with FISMA can result in loss of federal funding.
The Cybersecurity and Infrastructure Security Agency Act (CISAA) enables private entities to monitor information systems for cybersecurity purposes, operate ‘defensive measures’ for cybersecurity purposes and, most notably, share information about cyber-threat indicators or defensive measures with other private entities or the federal government, provided those private entities take steps to remove personal information before sharing any such cyber-threat indicators.
The Cyber Incident Reporting for Critical Infrastructure Act, enacted in March 2022, creates two new reporting requirements for relevant entities and requires federal agencies and organisations in critical infrastructure sectors (as defined by the Cybersecurity and Infrastructure Security Agency (CISA)) to report a cyberattack within 72 hours and a ransomware payment within 24 hours to CISA. These reporting requirements are not yet in effect and will remain this way until the Director of CISA promulgates implementing regulations.
18.104.22.168 State law
At least 25 states have laws that address data security practices of private sector entities, the majority of which require companies to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, and to protect the personal information from unauthorised access, destruction, use, modification or disclosure. As examples:
- New York requires that companies develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information including, but not limited to, disposal of data;
- California requires companies to implement and maintain reasonable security procedures and practices appropriate to the nature of the information; and
- Massachusetts requires companies to take specific steps to assess security risks, train employees, oversee service providers and implement other safeguards.
All 50 states, the District of Columbia and other US jurisdictions have imposed data breach notification requirements on private entities that collect or process personal data, which can require notice to consumers, regulators, law enforcement or credit bureaus. Some states only require notice if the business determines that there is a reasonable likelihood of harm, while others require notification regardless of the determination of likelihood of harm.
The requirements may also conflict. For example, Massachusetts prohibits any description of how a data breach occurred, while other states require a brief description of the incident. Notably, some state notification laws establish jurisdiction based on whether the data subject is in the state and so can apply to a company regardless of where it is located.
31.3 Proactive cybersecurity
Ciaran Martin, the former head of the United Kingdom’s National Cyber Security Centre stated in 2020: ‘Every organisation now knows they need to understand cyber security risk just as they need to understand financial, legal risk and so on.’ It is now a key function of business to have a comprehensive cybersecurity programme in place.
The UK GDPR specifically requires organisations to have a process for regular testing, assessment and evaluation of the effectiveness of any information security measures put in place; however, the type of tests and how regularly they are carried out is for the organisation to assess considering its circumstances.
Policies should be in place that are regularly reviewed (many organisations now review their policies every quarter, such is the pace of change in this area) and updated as part of a regular cybersecurity audit. Depending on the characteristics of the business, third parties, such as businesses in its supply chain, may need to form part of the audit and assessment process. It is common for cybercriminals to breach networks via trusted business partners.
Good cybersecurity relies on education and awareness. Regular training of staff is key and should include temporary and contract staff.
Physical security, concerning access to premises and equipment, also needs to be addressed. All organisations need to consider storage arrangements and secure disposal of records that are no longer required.
Computer and network security will, in most cases, require technical expertise. During the covid-19 pandemic, remote working raised new risks that all organisations should have been conscious of and should be working to reduce. Of particular concern are removable media and vulnerabilities of multiple internet connections.
There need to be protocols to cover password use, firewalls, regular updates for software, backup and restoration of electronic information and monitoring to detect breaches.
Organisations should have a cyber-breach response plan to assist in the detection of cybercrime and ensure incidents are responded to swiftly, efficiently and comprehensively. There should be a clear structure of responsibility to allow for accountability.
31.4 Conducting an effective investigation into a cyber breach
The aim of an investigation will be to understand the scope and impact of the cybersecurity incident. The findings of the investigation will be put to multiple uses, including preventing repetition of the incident, managing all the repercussions, helping with reputational damage, assisting with operational disruption and identifying harm to clients. This will also be key to enforcement action, so it is vital that the investigation be properly conducted. It is advisable to engage external legal counsel as soon as a breach has been detected or is suspected. This is particularly important for the protection of legal professional privilege.
The early stages of the investigation are likely to be critical and urgent. In Europe, the GDPR requires organisations to have robust breach detection and an investigation procedure in place. It is sensible to use the protocols that the organisation has in place with the benefit of legal advice. Records need to be kept of the breach and response, regardless of whether the matter is ultimately reported to the authorities.
Digital evidence is likely to need to be gathered, and care must be taken to establish a clear picture of what happened without compromising evidence. It may be necessary to engage third-party forensic experts. For privilege and continuity, this is best done through external legal counsel.
It is likely that there will be interviews with employees who may have contributed to the incident, for example, through downloading a malicious program. Staff who first responded to the incident and those who may have had their personal data compromised may all need to be interviewed. It is likely to be too early to anticipate all the legal actions that may flow from the incident, so it is sensible to secure evidence in accordance with the law so it can be used as required and, if necessary, at a trial. For example, in the United States, an Upjohn warning may be appropriate if interviewing staff. Local law advice from experienced cybersecurity counsel should be sought.
Dependent on where the cyberattack took place, where an organisation is located, where the data is held (which, with the use of cloud technologies, is now commonly multiple locations) and, in some cases, where the individuals whose data has been compromised are located, there are often several enforcement authorities with an interest in the event.
31.5.1 Enforcement in England and Wales
In most of the United Kingdom, the ICO is the independent authority in charge of upholding information rights in the public interest. In addition to enforcement activities, the ICO offers guidance and seeks to promote good practice by carrying out audits and monitoring compliance and complaints.
31.5.2 Reporting a breach in England and Wales
In England and Wales, there is a legal requirement that certain incidents must be reported to the ICO, and this must be done within hours of the breach. For example, if there has been a personal data breach, this must be reported to the ICO. A personal data breach is a breach of security leading to ‘the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. Such a breach must be reported within 72 hours of the organisation becoming aware of it, unless it can be demonstrated that it is unlikely to result in a risk to individuals’ rights and freedoms.
If there is a high risk to individuals’ rights and freedoms, the individuals concerned should be informed without delay.
Corporates and their advisers should assume that information provided to one data regulator will be passed on to others and that this could give rise to liabilities in multiple jurisdictions; however, the organisation should ensure it meets its reporting obligations in all jurisdictions applicable to the incident.
31.5.3 Enforcement in the United States
As referenced above, a range of general and industry-specific federal and state regulators may investigate and bring enforcement actions related to cybersecurity incidents. While too numerous and detailed to discuss for the purposes of this chapter, the FTC (which has general jurisdiction over companies operating in the United States), the SEC (which has jurisdiction over publicly traded companies) and the DOJ are active in bringing enforcement actions in relation to cybersecurity incidents.
Acting pursuant to the FTCA, which prohibits ‘unfair or deceptive acts or practices in or affecting commerce’, the FTC has brought cybersecurity-related enforcement actions on the basis of both ‘deceptive’ and ‘unfair’ practices by companies, including for misrepresenting data security practices, failure to properly safeguard personal data, failure to use adequate encryption for medical records, negligent supervision of service providers responsible for handling sensitive information, failure to provide adequate cybersecurity training to employees, failure to disclose privacy practices adequately and using data without informed consent.
The SEC has investigated and brought enforcement actions against public companies following cybersecurity incidents, including for companies’ failure to appropriately disclose material cybersecurity risks contrary to the SEC’s guidance.
The DOJ investigates and prosecutes cybercrime activities pursuant to the CFAA, as illustrated on 8 June 2021 when it indicted the chief operating officer of an Atlanta-based network security company for allegedly conducting a cyberattack on a medical centre in violation of the CFAA.
The New York Department of Financial Services (DFS), which supervises and regulates the activities of insurance companies, banking and other financial institutions in the state of New York, has investigation and enforcement powers pursuant to the DFS Cybersecurity Regulation. The regulation imposes strict cybersecurity rules on covered organisations and subjects them to the risk of financial penalty.
In July 2020, three years after the initial release of the DFS Cybersecurity Regulation, the DFS announced its first enforcement action against First American Title Insurance Company, seeking monetary penalties and injunctive relief for purported violations of six provisions of the DFS Cybersecurity Regulation. In March 2021, the DFS announced its first penalty pursuant to a settlement with Residential Mortgage Services, Inc, which imposed a US$1.5 million penalty in relation to a 2019 data breach disclosed to the DFS during a routine safety and soundness examination in 2020. In April 2021, DFS announced a US$3 million penalty pursuant to a settlement with National Securities Corporation in relation to four cyber breaches that occurred between 2018 and 2020 that exposed the sensitive and non-public personal data of National Securities’ customers. In August 2022, the DFS announced its first ever penalty against a cryptocurrency exchange, Robinhood Crypto, LLC: a US$30 million fine pursuant to a consent order for significant compliance issues, including violations of the DFS Cybersecurity Regulation.
The threat of civil litigation (class actions in particular) by private parties for damages arising from cybersecurity incidents is very real. Cybersecurity-related civil claims have been brought on a variety of theories, including for negligence, negligent misrepresentation, unfair or deceptive trade practices pursuant to state consumer protection statutes, breach of contract, breach of implied warranty and unjust enrichment.
One example of this followed the SolarWinds breach, where investors filed a class action suit on 1 April 2021 against SolarWinds, alleging that it had made materially false and misleading statements to the market in connection with the software breach. The class action is ongoing and is currently set for trial on 8 January 2024. Most recently, a Texas Federal Court largely denied SolarWinds’ attempt to dismiss the case.
In a separate matter, in September 2022, Ambry Genetics Corporation, a privately held genetics testing company, agreed to pay US$12.25 million to settle a class action arising from a data breach where it is alleged that personal information, including medical information and social security numbers, was improperly accessed.
31.5.4 Reporting a breach in the United States
A mass of general and industry-specific federal and state laws require notification of cybersecurity incidents. These are too numerous to discuss in detail for the purposes of this chapter. Given the range of possible notification requirements, it would be prudent for any company operating in the United States to map out all notification requirements applicable to its operations, and to identify processes for sharing of information with private and public entities pursuant to CISAA.