Companies cite cybersecurity and data protection issues as top drivers of new disputes over the next few years, according to the recently released 17th Annual Litigation Trends Survey by Norton Rose Fulbright. This survey polls hundreds of in-house litigation leaders from global corporations on the latest trends they are seeing in litigation.
As companies face increasingly sophisticated attacks by cyber threat actors, business leaders and legal counsel have expressed growing concerns about their exposure to these incidents, both in terms of damage to the company’s systems, customer relationships, and reputation, as well as the cost of follow-on litigation. As such, companies are having to take proactive steps to protect themselves, prevent an incident from happening in the first place, improve compliance with a growing patchwork of regulations, and hone their response should a cyber incident occur.
Companies Feel Increasingly Exposed
This year’s survey reports that the vast majority of respondents, 66%, reported feeling more exposed to cybersecurity disputes in 2021, up from less than half (44%) in 2020. Respondents reported several factors increased their exposure to cybersecurity disputes, including the changing legal/regulatory landscape, the storage of significant volumes of client and nonpublic data, the impact of Covid-19 and more prevalent remote work practices and its impact on IT infrastructure, the adaptability and growing capabilities of cyber actors, and mistrust towards employees regarding their capabilities to identify and prevent cyber-attacks. Respondents who felt less exposed or the same exposure as prior years to cyber-related disputes reported that they trust their organization’s IT security and other internal controls, and have allocated increased resources towards improving cybersecurity practices.
Consistent with prior years, respondents cited class actions as a significant source of concern on the litigation front. But an increasing number of respondents identified data privacy/cyber breach class actions as particularly troubling. Respondents report that the rise in class actions relating to cyber incidents can be explained in part because the overall growing number of cyber incidents has resulted in cyber-related class actions becoming more commonplace, but also because plaintiffs’ bars are increasingly tracking data security breaches and consumer breach notifications for incidents that may support a class action.
Changing Regulatory Landscape
Respondents across industry sectors identified the proliferation of data protection regulations around the world, most notably the European Union’s General Data Protection Regulation (GDPR), China’s newly enacted Personal Information Protection Law (PIPL), and the growing patchwork of U.S. data protection regulations, as creating significant risks for companies both from a regulatory and litigation standpoint. As cyber attacks become more common and publicized, businesses report feeling increased scrutiny from regulators regarding the steps taken to increase their IT security and protect personal data.
In reaction to the rise in cyber incidents, there are a growing number of state and federal laws in the United States that require companies to implement policies, procedures, and safeguards to protect information in nonpublic business information and personal information.
The U.S. Securities and Exchange Commission (SEC) released a proposal in February 2022 aimed at enhancing cybersecurity risk management programs, for registered investment advisers, investment companies, and business development companies. The proposed rule would require covered entities to conduct periodic risk assessments of cybersecurity risks, implement security controls designed to minimize user-related risk and prevent unauthorized access to IT systems, conduct routine systems monitoring, oversee third-party service providers who have access to IT systems, and implement measures to detect and recover from a cybersecurity incident. Notably companies would be required to report significant cybersecurity incidents to the SEC within 48-hours of having “reasonable basis to conclude” that a significant incident has occurred. If the rule is implemented as proposed, covered entities will need to quickly investigate cyber incidents to determine whether they have a reporting obligation, making it all the more critical for businesses to have a sophisticated incident response plan in place.
Similarly, the New York Department of Financial Services (NYDFS), which regulates financial institutions and third-party service providers, requires covered entities to maintain a cybersecurity program designed to protect the entities’ IT systems from cyber threats. This program must include development of risk-based policies, procedures and controls for the secure disposal “of any nonpublic information” that is no longer necessary for a legitimate business purpose. NYDFS recently issued multi-million dollar penalties to companies for violations of these cybersecurity regulations, including the alleged failure to implement access controls such as multi-factor authentication (MFA), failure to report cyber events, and failure to implement comprehensive cybersecurity procedures including a comprehensive cyber risk assessment.
Employing a Multi-Pronged Approach
Companies report that they employ many approaches to prevent and protect themselves against a cyber incident, which can largely be broken down into three categories: employee training, use of encryption for high risk or highly sensitive systems, and independent review and assessment of internal controls and practices. Employees form the backbone of a good incident response program, and companies are increasingly training employees to detect and flag phishing attacks, including by conducting phishing simulations to test employee engagement and responsiveness.
Companies also use encryption and other tools to safeguard data that would put the company at greater risk if stolen. In-house legal departments say that they are often engaged to provide strategic advice on handling sensitive data types and assessing company data to account for both the evolving data protection regulatory landscape and information types of particular significance (including nonpublic client data).
Respondents report that they are taking steps to mitigate their cybersecurity risks by investing in internal controls and oversight. This includes providing additional resources and staffing to in-house litigation teams to assess and monitor compliance with data protection regulations, as well as investments in IT security and software to prevent attacks happening in the first place. This may also include obtaining or enhancing cyber insurance and incident response services aimed at mitigating the immediate consequences of an attack.
While many companies are taking steps to invest in training, compliance, and new tools to strengthen their security systems to protect against a cyber threat, these strategies all require significant investment. Legal departments find themselves at the forefront of many of these risk-based decisions around resource allocation and increasingly seek expert legal advice from outside counsel specializing in data protection to guide their recommendations. Given the continued proliferation of cyber-attacks on businesses of all sizes, concerns about cybersecurity disputes are expected to continue to grow in the coming years.
About the Authors:
Andrea L. D'Ambra is a partner in the New York office of Norton Rose Fulbright and the U.S. Head of Technology and the U.S. Head of eDiscovery and Information Governance. She is responsible for spearheading the firm's outreach to technology sector clients in the United States and is a recognized thought leader in the areas of cybersecurity, data privacy, eDiscovery, and information governance.
Susana Medeiros is an associate in the New York office of Norton Rose Fulbright and member of the information governance, privacy and cybersecurity group, who counsels clients on information governance, data disposition, eDiscovery and cyber incident response issues.