Are criminal cyberattacks increasing in sophistication and frequency? Yes.

Is every company, in every industry, that collects or stores sensitive customer, employee, or business data vulnerable to cyberattacks? Yes.

Has there been an increase in cyberattacks that interrupt a company’s ability to conduct business? Yes.

Can a victim of a cyberattack, or even a potential victim, also become the target of a government investigation and face fines and other penalties? Yes.

Can these investigations extend to whether a company’s cybersecurity programs are “reasonable,” even with respect to software or products they sell? Yes.

Is there insurance coverage? Maybe.

Introduction

Government agencies, including law enforcement officials, have made their intentions loud and clear: they will undertake proactive and reactive measures against private businesses to “ensure” better cybersecurity. This holds true even in cases where the company is the victim of a cyberattack. It sometimes seems that, as far as government officials are concerned, if a company suffers a cyberattack or is vulnerable to one, it is because the company, not the criminal, has done something wrong.

While companies in all industries may be subject to such investigations, government officials are increasingly targeting publicly traded companies that are subject to certain cyber disclosure requirements. Other targets include companies whose operations are potentially vulnerable to a cyberattack, whose resulting disruption could pose personal and property risks to the public or sow financial chaos in the economy. Examples of potential targets include brokerage firms that store customers’ personal financial information and health care providers and employers that store massive amounts of private medical and other data. Critical infrastructure owners and operators are also thought to be vulnerable to the type of attack that brought down Ukraine’s power grid earlier this year, also putting them in the crosshairs of regulators.1 As cyber-crime becomes even more sophisticated and prevalent, investigation and enforcement priorities will only broaden.

This Client Alert discusses some of the types of investigations undertaken by government and industry regulators, what you can do to manage and minimize exposure to such investigations, and related insurance coverage issues.

State AG and Federal Investigations

Given the variety of consumer protection, financial fraud, privacy, and other concerns that are implicated by cyber-crime, it is not surprising that state attorneys general, federal prosecutors and a wide array of other agencies and regulators investigate cybersecurity-related issues as preventative (but also seemingly punitive) measures.

State attorneys general and federal prosecutors have demonstrated an interest in aggressively investigating network security issues. For example, in 2014, California’s Attorney General launched an investigation focused on whether Kaiser Foundation Health Plan took too long to notify thousands of current and former employees that their personal information had been compromised in a data breach.2 The findings of California’s AG led it to bring suit against Kaiser.

Similarly, Connecticut’s Attorney General sought information pertaining to hackers’ breach of point-of-sale keypad card terminals at Barnes & Noble stores. The Connecticut AG requested detailed information on how the breach occurred, what steps the company took to protect affected customers, and whether and how the company had implemented enhanced security procedures on a going-forward basis.3

Attorneys general may coordinate with various other regulators that conduct their own investigations, including the U.S. Securities and Exchange Commission (SEC), the U.S. Commodity Futures Trading Commission (CFTC), the Federal Trade Commission (FTC) and the Financial Industry Regulatory Authority (FINRA). The SEC, CFTC, and FINRA (the latter of which is not a government agency, but an industry membership-run regulator) have indicated that they are focused on protecting investors’ personal information, monitoring the public disclosure of cyber-risk, and preventing the theft of non-public information that can be used for illegal market manipulation and insider trading. The FTC has indicated that it views the protection of private consumer financial and personal data as part of its mission to stop unfair, deceptive, and fraudulent trade practices. These regulators have investigated, and on occasion brought suit against, corporate victims of cyber-crime.

Investigations such as those described above are expected to become all the more common as cyber-risk continues to increase, which is also an inevitable consequence of the “internet of things” (i.e., the interconnectivity of “smart” household and other devices).

Download: When Attorneys General Attack: Cybersecurity Investigations and Related Insurance Coverage Issues

  1. David E. Sanger, Utilities Cautioned About Potential for a Cyberattack after Ukraine’s, N.Y. TIMES, Feb. 29, 2016, http://www.nytimes.com/2016/03/01/us/politics/utilities-cautioned-about-potential-for-a-cyberattack-after-ukraines.html.
  2. http://www.law360.com/articles/505160/calif-ag-sues-kaiser-over-slow-data-breach-response

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.