Why Data Protection is Now a Board Responsibility, Part 1

There’s a New Cyber Sheriff in Town

“Data protection” is an umbrella concept that incorporates both cybersecurity and data privacy.  The European Union has led in advancing this concept, first with its Data Protection Directive and now with its General Data Protection Regulation.  The influence of these laws on the U.S. has been profound.  Recently, the SEC adopted rules for publicly-traded companies mandating, among other things, disclosure of material cybersecurity incidents within four business days of determining that an incident is material, and publication of the company’s cybersecurity risk management processes.  National-level breach notification mandates have appeared in other contexts in the U.S. as well as in the EU.  Moreover, the advent of generative artificial intelligence has greatly amplified the capabilities of cyber threat actors.  Private companies that conduct business with public companies, or that may merge with one, will likely wish to adhere to these standards as well.  Overall, data protection is now a board-level matter.

Data Protection: The Fusion of Cybersecurity and Privacy

In October 1995, the European Union adopted the Data Protection Directive, referred to simply as the “Directive.”  It was the first “comprehensive” EU-wide law for the protection of personal data; it was “comprehensive” in the sense that it regulated businesses of every type as well as government bodies and nonprofit organizations.

The Directive incorporated nearly all of the principles articulated in a groundbreaking set of recommendations published in 1980 by the Organisation for Economic Co-operation and Development (OECD).[1]  What made the Directive special was its (1) recognition that cybersecurity and privacy had to be addressed holistically; (2) applicability to any entity outside the EU that directed goods or services into the EU; and (3) protection of anyone inside the “four walls” of the EU, even tourists.  The Directive was replaced by the General Data Protection Regulation (GDPR), adopted in 2016 and applicable since May 2018; the Regulation greatly expanded protections for personal data.  

In the U.S., historically, cybersecurity and privacy were addressed legislatively on separate “tracks,” with two distinct sets of professionals, typically in IT and legal respectively, tasked with complying with them.  Today, the influence of the GDPR in the U.S. has translated into those two tracks steadily merging and, as a result, the adoption of the EU model of data protection here.  This series will discuss the evolution of data protection and its applicability to privately-held organizations.

The SEC’s Unprecedented Actions Against SolarWinds and Its CISO

In October 2023, the SEC filed what can only be described as an unprecedented enforcement action against Austin-based IT software provider SolarWinds and its CISO, Timothy Brown.[2]  The action follows what has been called “the boldest supply-chain hack ever,” an intrusion into the company’s IT infrastructure and the compromise of its flagship product, Orion.[3]  One analysis of the attack concluded that “advanced security measures may not be enough to protect data from accelerating threats” and that enterprises should presume that attackers will eventually get through and prepare accordingly.[4]

At the time of the compromise, Orion was used by about 33,000 public and private sector customers, including the U.S. Treasury Department, the U.S. Department of Commerce’s National Telecommunications and Information Administration, the U.S. Department of Homeland Security, and nearly all of the Fortune 500.  The attack was attributed to the threat actor group APT29, a/k/a Cozy Bear, which is alleged to operate on behalf of the Russian Foreign Intelligence Service (SVR).  The backdoor implanted in Orion, and by extension the campaign itself, has since been referred to as “SUNBURST.”

The 68-page complaint makes several allegations:

  • SolarWinds’ CISO failed to ensure that other senior executives sufficiently understood the severity of cybersecurity risks;
  • The CISO misled a prospective customer by calling “partially mitigated” cybersecurity issues “fully mitigated” in order to induce it to enter into a contract with SolarWinds;
  • The company’s incident response plan, which the CISO helped implement and maintain, dictated that only incidents that impacted several customers were reported upward for possible disclosure, leading to the concealment of multiple cybersecurity issues that had the “potential” to materially impact SolarWinds; and
  • Boilerplate disclosures regarding “generic and hypothetical cybersecurity risks that most companies face” did “nothing to alert investors” to the elevated risks at SolarWinds.[5]

An analysis of the action by Holland & Knight articulates why it is unprecedented:

  • It represented the SEC’s first scienter-based (i.e., knowing or reckless) fraud charges related to public company cybersecurity disclosures; 
  • Its first litigated enforcement action involving the same, and 
  • Its first cybersecurity lawsuit against an individual.[6]

SolarWinds, in a blog post, stated that “we categorically deny those allegations” and that it intends to defend vigorously against the charges.[7]

The New SEC Regulations Have Raised the Bar

The rule, titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, was adopted by the SEC on July 26, 2023, with the incident disclosure requirement taking effect in December 2023 for most registrants.  It features two principal mandates for companies that are subject to the SEC:

  • Disclose a “cybersecurity incident” on Form 8-K within four business days after determining the incident is “material” and
  • Provide insight into cybersecurity risk management, strategy, and governance by the board and by management on Form 10-K.

At first blush this may not seem particularly onerous, but the final regulations come in at 186 pages.  This is noteworthy given that the draft came in at 129 pages, and more remarkable still given that the guidance it replaces is only 24 pages.  There is much here for cybersecurity professionals to absorb and, consequently, a need to explain the implications to the board.  

Overall, the new regulations appear to represent a recognition (if not a resignation) by the SEC that the seemingly endless litany of cyberattacks, ransomware or otherwise, must be both (1) identified quickly when they occur and (2) proactively addressed, given that many of these companies operate critical infrastructure.  

Much has been made about some aspects of the regulations.  In particular, the change from the draft, which would have required a company to identify which directors have cybersecurity expertise, to the final rule, which instead requires describing the expertise of the management team, has drawn criticism; the change was seen by some as letting directors “off the hook.”

However, the management team must address the reactive and proactive aspects of cybersecurity on a day-to-day basis in any event, and so this criticism seems misplaced.  In addition, it will surprise no one if a future round of changes to the regulation requires identification of cybersecurity expertise on both the board and the management team.

Another aspect of the new regulations that has been met with criticism is the mandate to report incidents within the four-business-day window even if law enforcement agencies ask the victim company not to; the only exception is narrow, applying where the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety.  Arguably, this is a bit of political brinkmanship on the part of the SEC vis-à-vis other agencies, and while it may seem petty, executive leadership teams have to navigate such rules with regularity.

The Federalization and Globalization of Incident Notification

Incident and breach notification requirements have been part of federal law for many years but have been “sectoral” in nature, i.e., applicable only to certain industries such as healthcare and financial services.  Even then, traditional notification requirements have not been particularly onerous.  Under the HITECH Act, for example, notice of a breach must be provided to an affected individual “without unreasonable delay” and in no case later than 60 days after discovery of the breach.  In internet time, however, 60 days might as well be 60 years: the amount of harm that threat actors can do in a short time is substantial.  Indeed, an affected individual may well learn of the breach from the news media long before being “officially” notified.  

The Colonial Pipeline ransomware attack in May 2021 demonstrated the urgency of swifter notification.  It resulted in a chaotic shortage of fuel supplies on the eastern seaboard, including Washington D.C., for four days.  As a result, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was passed by Congress and signed into law the following March.  The statute mandates that covered critical infrastructure entities report substantial cybersecurity incidents within 72 hours of reasonably believing the incident occurred, and report any ransom payment no later than 24 hours after the payment is made.  Note that these obligations become enforceable only once CISA finalizes the implementing regulations the statute directs it to issue, so leadership teams should track that rulemaking rather than assume the deadlines are already live.

In January 2023, the EU analog to CIRCIA entered into force.  Known as the “NIS 2 Directive,” it is a directive that member states had until October 2024 to transpose into national law, and it requires essential and important entities to notify their national authority of significant incidents in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month.  This aggressive notification posture has also been adopted by New York state’s Department of Financial Services in its cybersecurity regulation (72 hours for incidents and, under the November 2023 amendments, 24 hours for any extortion payment) and is proposed in Canada, whose draft analog to CIRCIA calls for immediate notification.  Overall, the trend both here in the U.S. and globally is toward relatively short notification windows, which underscores the need for planning and preparation by executive leadership teams.

Artificial Intelligence as a Force Multiplier for Threat Actors

The appearance of the generative artificial intelligence (GAI) tool ChatGPT in late November 2022 has dramatically altered the cybersecurity threat landscape in a relatively short period of time.  The Voice of SecOps Report, a survey of 652 senior cybersecurity professionals at companies with more than 1,000 employees published in June 2023, revealed some disturbing trends with respect to GAI:

  1. Three-quarters of respondents have witnessed an increase in attacks over the past 12 months, with 85% attributing this rise to bad actors using generative AI.
  2. Nearly half (46%) of respondents believe generative AI increases their organization's vulnerability to attacks, with growing privacy concerns (39%), undetectable phishing attacks (37%), and an increase in the volume/velocity of attacks (33%) the top three threats cited.
  3. Other generative AI threats mentioned include increased deepfakes (33%) and insider attacks (31%).

Supporting the notion that GAI amplifies the capabilities of malware is a June 6, 2023 CSO Online article, which warned:

“A recent series of proof-of-concept attacks show how a benign-seeming executable file can be crafted such that at every runtime, it makes an API call to ChatGPT. Rather than just reproduce examples of already-written code snippets, ChatGPT can be prompted to generate dynamic, mutating versions of malicious code at each call, making the resulting vulnerability exploits difficult to detect by cybersecurity tools.” [emphasis added]

The threats posed by GAI demonstrate why cybersecurity is going to get much more difficult and underscore why boards must consequently be much more conversant with cybersecurity and much more involved in oversight of management’s efforts to protect the company and the public.

Cybersecurity Insurance Will Not Save the Day

Even prior to Russia’s invasion of Ukraine in February 2022, insurance carriers were paying extraordinary sums on claims related to ransomware and other electronic attacks.  Consequently, rates for cybersecurity insurance policies have risen significantly, while coverage limits have dropped just as sharply.  According to insurance broker Marsh, cyber insurance rates rose by 130% in the United States and by 92% in Britain in the fourth quarter of 2021.[8]

With respect to the war, according to a March 31, 2022 report in Reuters, “Lloyd's of London, one of the world's biggest players in cyber and other commercial insurance policies, said last week that it faced ‘major’ claims from the invasion.”  On August 16, 2022, Lloyd’s stated: “We are therefore requiring that all standalone cyber-attack policies…must include, unless agreed by Lloyd’s, a suitable clause excluding liability for losses arising from any state backed cyber-attack[.]”  That requirement applied to policies incepting or renewing from March 31, 2023.

That said, while damages from war or similar state-sponsored attacks are generally excluded from insurance coverage, the terms of a policy’s war exclusion do not always reach electronic attacks.  For example, a New Jersey trial court ruled in favor of the insured, Merck & Co., on its $1.4 billion claim arising from the 2017 NotPetya cyberattack against Ukraine, holding that the policy’s war exclusion did not apply; the ruling was affirmed on appeal in May 2023.  The attack is attributed to Military Unit 74455, a cyberwarfare unit of the GRU, Russia’s military intelligence service, also known as Sandworm.  It was the costliest attack to date, causing some $10 billion in damage worldwide.

Premiums increased in 2023 as well, though at the more moderate rate of 11% for the first quarter, according to Marsh.  While this is welcome news for insureds, coverage limits are still about half of what they were in prior years.  Also, insureds must withstand extensive carrier due diligence, including cybersecurity program questionnaires that exceed 100 questions and may even require the assistance of third parties to complete.

Where cyber insurance does shine is in the opportunity to engage pre-approved (or “panel”) counsel ahead of an attack, so that attorney-client privilege is established early in the event of an attack and preserved throughout the response and subsequent investigation.  Also available are pre-approved incident response firms that can lead remediation efforts and produce reports that identify, with some precision, the source of the attack and its scope.  In this sense, cybersecurity insurance should be viewed not as a defense but as a remediation mechanism.

Why Should Privately-Held Companies Care?

Only public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 (the “Exchange Act”) must comply with the new SEC cybersecurity regulations.  So, why should privately-held companies care?  Three reasons:

  • Every state has cybersecurity and data breach notification statutes governing all businesses, public and private, that direct goods and/or services to its residents; this applies (presumably) even to companies outside the U.S.  As of this writing, 13 states also have comprehensive privacy statutes with the same applicability, and more are almost certainly on the way.  The SEC regulations (and state insurance regulations) were heavily influenced by New York state’s Department of Financial Services cybersecurity regulation (23 NYCRR Part 500), which applies to any business that is required to be licensed by the Department.  That regulation was amended and expanded in November 2023 and will likely again precipitate changes at the federal level over time.
  • The enforcement action against SolarWinds and its CISO has provided a model for state Attorneys General to follow.  Over the past 25 years, state AGs have been very aggressive in banding together to pursue companies that violate statutory and common law protections for consumer data, and they have extracted enormous settlements from businesses that do not wish to risk a jury trial.  For example, a coalition of 50 attorneys general settled with Equifax over its 2017 breach for $175 million, plus a consumer restitution fund of up to $425 million, plus injunctive relief requiring it to improve its cybersecurity program.[9]  The cost of the improvements was at least $1 billion.[10] 
  • Privately-held companies that wish to be purchased by publicly-traded companies know that their data protection practices will be scrutinized by suitors.  When Verizon purchased Yahoo!, it discovered that the company had been the victim of substantial data breaches at least three times, which had not been disclosed during the due diligence process.  As a result, the purchase price was reduced by $350 million.

There’s No Turning Back for Boards

Under the duty of loyalty to the company as articulated in Caremark, directors can be held liable for corporate failures if they do not make a good faith effort to ensure that the company has a system of controls in place.  They can also be held liable if they consciously fail to monitor or oversee its operations.[11]  That potential for liability was extended this year to officers (presumably including the CISO).[12]  Arguably, the system of controls that protects a company’s information and IT systems is just as important as the one protecting the company’s financial integrity.  Indeed, we may be one cyberattack away from Congress establishing a Sarbanes-Oxley for cybersecurity, if the attack on Colonial Pipeline that precipitated CIRCIA is any indicator.  Also, there is a growing body of case law lowering the Caremark bar when the activity that merits oversight is considered “mission critical” to the company.  Overall, the promulgation of the new SEC cybersecurity rules, coupled with the aggressive position taken by the Commission against SolarWinds and its CISO, means that the world has changed for boards, and there is no turning back: they will, by necessity, now be intimately involved in all things data protection.


ABOUT SCOTT M. GIORDANO, ESQ., FIP, CISSP, CCSP

Scott M. Giordano is an attorney with more than 25 years of legal, technology, and risk management consulting experience.  An IAPP Fellow of Information Privacy, a Certified Information Security Systems Professional (CISSP), and a Certified Cloud Security Professional (CCSP), Scott was most recently the General Counsel of Spirion LLC, a privacy technology firm.  There Scott also served as the company’s subject matter expert on multinational data protection and its intersection with technology, export compliance, internal investigations, information governance, and risk management.  Prior to joining Spirion, he served as Director, Data Protection for Robert Half Legal and established the global privacy program for Esterline Technologies Corporation in Bellevue, WA.

Scott is a member of the bar in Washington state, California, and the District of Columbia.


[1] Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; The Organization for Economic Co-Operation and Development, last modified 5 January 1999, found at https://bja.ojp.gov/sites/g/files/xyckuh186/files/media/document/oecd_fips.pdf. 

[2] SECURITIES AND EXCHANGE COMMISSION VS. SOLARWINDS CORP. AND TIMOTHY BROWN, found at https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-227.pdf. 

[3] Kim Zetter, The Untold Story of the Boldest Supply-Chain Hack Ever.  WIRED (May 2, 2023), found at https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/. 

[4] Gary Ogasawara, What SolarWinds Taught Enterprises About Data Protection. Information Week, (June 10, 2021), found at https://www.informationweek.com/cyber-resilience/what-solarwinds-taught-enterprises-about-data-protection#close-modal.

[5] SEC Sues SolarWinds and its CISO for Fraud and Other Violations Related to Massive Data Breach. JD Supra (Nov. 8, 2023), found at https://www.jdsupra.com/legalnews/sec-sues-solarwinds-and-its-ciso-for-9758980/. 

[6] Holland & Knight, Winds of Change: SEC's SolarWinds Lawsuit Signals Hotter Cybersecurity Enforcement. SECond Opinions Blog (November 6, 2023), found at https://www.hklaw.com/en/insights/publications/2023/11/winds-of-change-secs-solarwinds-lawsuit-signals-hotter-cybersecurity. 

[7] SolarWinds, Setting the Record Straight on the SEC and SUNBURST. Orange Matter (Nov. 8, 2023), found at https://orangematter.solarwinds.com/2023/11/08/setting-the-record-straight-on-the-sec-and-sunburst/.

[8] Carolyn Cohn and Noor Zainab Hussain. Cyber insurers face hefty Ukraine war-related claims, despite fine print. Reuters (March 31, 2022), found at https://www.reuters.com/business/cyber-insurers-face-hefty-ukraine-war-related-claims-despite-fine-print-2022-03-31/. 

[9] Office of the Attorney General of Pennsylvania, AG SHAPIRO SECURES $600 MILLION FROM EQUIFAX IN LARGEST DATA BREACH SETTLEMENT IN HISTORY (July 22, 2019), found at https://www.attorneygeneral.gov/taking-action/ag-shapiro-secures-600-million-from-equifax-in-largest-data-breach-settlement-in-history/#:~:text=The%20Attorneys%20General%20secured%20a,breach%20enforcement%20action%20in%20history. 

[10] Security Week, Equifax Ordered to Spend $1 Billion on Data Security Under Data Breach Settlement (January 16, 2020), found at https://www.securityweek.com/court-approves-equifax-data-breach-settlement/. 

[11] In re Caremark International Inc. Derivative Litigation 698 A.2d 959 (Del. Ch. 1996).

[12] In re McDonald’s Corporation Stockholder Derivative Litigation, Del. Ch. C.A. No. 2021-0324-JTL.


Disclaimer: The views and opinions expressed in this blog are solely those of the authors providing them and do not necessarily reflect the views or positions of the Private Directors Association, its members, affiliates, or employees.
