Litigation Committee conference session, Buenos Aires, May 2023: Cybersecurity: how clients and law firms should handle a data breach and the litigation arising from it
Martin Cammarata
Marval O’Farrell Mairal, Buenos Aires
The third session of the conference, under the dynamic moderation of María Gabriela Alvarez de la Fuente (Colgate, Mexico), involved an absorbing discussion on current cybersecurity issues affecting clients and law firms. The speakers were Richard Donoghue (Pillsbury Winthrop Shaw Pittman, United States), Antonio Gesteira (FTI Consulting, Brazil), Adriana Prado (FTI Consulting, Brazil), Sergio Torres (Aon, Colombia), and Carlo Verona (Demarest Advogados, Brazil).
The session addressed the best ways to protect clients and law firms from data hackers, appropriate practices in the event of a data hack, and the difficulties around enforcing clients’ rights if there is a data hack. These issues were addressed with a practical approach. The speakers referred to the most relevant and recent cases they’ve worked on and their key takeaways.
What are the main recommendations for clients and law firms to avoid cyberattacks?
Antonio Gesteira explained that cyberattacks are becoming more and more frequent. In fact, cyberattacks occur on a daily basis and affect a wide variety of private companies, especially e-commerce businesses and open platforms. For those unfamiliar with cybersecurity, he described a data breach as a successful cyberattack. He then concluded that cyberattacks are inevitable, but what can be prevented is the data breach.
Gesteira also stressed the need to consider operational technology alongside intellectual technology to prevent data breaches. He also noted the importance of investing in internal procedures, team awareness, and software, which he ordered in three layers of prevention:
- Internal procedures;
- team training, and
- software protection.
What are the key insights drawn from experience in relevant cases?
Richard Donoghue pointed out that public institutions are equally (if not more) exposed to cybersecurity attacks as companies are. He also stressed that, when it comes to public institutions, the scenario is much more wide-ranging, as it is not always a matter of money, but of power. Moreover, he explained that state actors or state affiliated actors are developing better capabilities, are dangerous, and difficult to predict.
He added that, once the cyberattack has succeeded, it is essential that the target company, public institution, or law firm acts proactively, thinking ahead and implementing remediation plans. Experience has shown that the first six hours after the data breach are the most critical. That is when the most damage is done. He also mentioned the data breach that affected Uber in 2016 and referred to the measures Joseph Sullivan took as an example of what a company can do wrong when dealing with attackers.
Continuing with examples of what not to do, Antonio Gesteira referred to the measures taken by two companies affected by ransomware. First, there was a listed investment bank whose IT manager, following a ransomware attack, decided to shut down 400 computers and try to handle the situation himself by reinstalling everything from scratch. In the end, the bank did not suffer any substantial damage. However, external auditors raised questions after being notified of the incident, especially regarding financial statements. Moreover, the internal investigation of the ransomware was compromised because there was no way to find out what information had been hacked, as it was impossible to trace it. Therefore, the external auditors could not be convinced that the company had not suffered substantial damage. The other example involved a small company that also restarted the system when it was affected by ransomware. However, in this case, the data backup was incomplete, so they had to pay the hacker to recover the data.
What are the basic requirements for companies and law firms to obtain data breach insurance? How is such insurance calculated?
Sergio Torres stressed as an almost non-negotiable requirement that companies or law firms must have multi-factor authentication (MFA) software, patch management software, a business plan, and a recovery plan, all of which must be tested at least once a year.
To calculate such insurance, Sergio Torres stated that each company must provide its loss profile, modelled following a number of specific vectors, which may include, among others:
- Business operations: if the cyberattack is successful, then the company might be unable to continue productive operations.
- Reputational issues: how much could the company lose if the cyberattack affects its reputation?
- Operational issues: the company could be forced to move its employees to other offices while dealing with the incident.
- Fines and penalties given to companies in jurisdictions with strict fines in cases of data breach.
- Third-party liability, if the company loses information that affects third parties.
If you suffer an incident, what should you do? How should an incident-response team be formed? Which experts should you hire in case of an incident?
Antonio Gesteira suggested acting swiftly when faced with a cyberattack, complying with internal procedures, and trusting the response team. Response teams must be prepared before incidents. A damage analysis should be carried out as early as possible to detect if there is a lateral attack and what information or software is compromised. The analysis should also seek to recover backed-up information.
Carlo Verona stated that the company must apply the remediation plan shared with the insurance company, and the insurance company must be informed of all relevant facts and kept in permanent contact. No liability should be publicly admitted. Verona added that any negotiations with hackers should be reported to the insurance company, otherwise coverage could be lost. Richard Donoghue pointed out that it is advisable to keep insurance companies fully informed of incidents, as they are independent parties that want companies to succeed in their recovery plans, since the success of such plans allows them to avoid payment of the insurance sum, or at least to reduce it as much as possible.
From the communicational viewpoint, Adriana Prado stated that a communication strategy should be prepared in advance. In addition, before issuing communications, the company should analyse the potential domino effects, especially in the case of non-mandatory communications.
Regarding the response team, Carlo Verona suggested that it should include the IT director, internal and external lawyers, a data privacy officer, and a forensic scientist. Further, the company should not negotiate expert fees in the middle of the incident, but rather beforehand.
Richard Donoghue suggested including a litigation team to help the company navigate the procedural challenges it might face (as plaintiff or defendant) during the next couple of years.
Adriana Prado added that a communication team should be involved from the outset to avoid dealing with the incident purely from an isolated regulatory perspective. Oftentimes, companies fail to manage incidents because they do not invest in an internal communications team, or do not hire an expert in that field to inform stakeholders of the situation and to deal with hackers. In fact, communications with hackers may increase the reputational risk, as they can disclose conversations to the media. She highlighted the need to control the narrative.
Carlo Verona also stressed that, in terms of communication to stakeholders, it is crucial to ensure that aspects related to consumers are carefully handled. Moreover, the terms used for reporting incidents should be closely monitored, as they may imply an acknowledgment of non-compliance that may result in liability to third parties.
What is the main obstacle from a litigation and a regulatory perspective?
Richard Donoghue highlighted the difficulty in identifying the competent courts or enforcement authorities: it is very difficult to define where the incident took place. Is it where the servers are? Where the headquarters of the company are? Where the hacker is? In the jurisdiction where the company operates? This triggers the next questions: who should we report to? What are the competent courts?
Finally, Richard Donoghue noted that the affected company or its management could face lawsuits filed by shareholders (who may argue that the company is worth less because it does not have adequate security measures) and class action lawsuits involving consumers.