
Cyberattack: Quarterbacking the Company’s Response to the Most Sophisticated Threats

November 18, 2015

Litigation Webinar Series: INSIGHTS. Our take on litigation and trial developments across the U.S.

Gus Coldebella

Principal, Boston

Tom Frongillo

Principal, Boston

Overview

• INSIGHTS Series

• Key Developments & Trends

• Housekeeping

• CLE Contact: Jane Lundberg

[email protected]

• Questions

• Materials: fishlitigationblog.com/webinars

• #fishwebinar

Patent Damages: The Success and Failure of a Theory

Wednesday, December 2

1:00 p.m. EST

Cybersecurity Issues Companies Should Focus on Now

I. The Growing Threat

Who is Attacking? What Are They Looking For?

II. Preparing for the Inevitable

Board Organization, Company Oversight, A Record of Diligence

III. The Legal and Regulatory Environment

Litigation and Regulation are Here, and Increasing

IV. Responding to an Attack

Surviving a “Bet the Company” Situation—and Taking the Fight to the Adversary

The Threat: Who Is Attacking? What Are They Looking For?

The Dynamic and Growing Threat

Who are the attackers?

o Nation-States and their proxies

o Organized crime

o Individual hackers

o “Hacktivists”

o Insiders (can be any of above)

Why do they do it?

o To gain intelligence

o To access or control critical infrastructure

o To disrupt operations

o To steal intellectual property or other business-sensitive information

o To make a point

o To vandalize

What Are They Looking For?

That’s easy: EVERYTHING OF VALUE

Intellectual property (especially trade secrets)

o Software code

o Proprietary processes, designs and formulas

High-level executive communications

o How much are we willing to pay for that company? What’s our litigation/marketing/competitive strategy?

Financial information and results

Military or national security information

Access to third party information, systems, data

And, of course, personally identifiable information (PII) and protected health information (PHI)

Pro tip: Don’t focus exclusively on PII/PHI, because the bad guys don’t

Preparing for the Inevitable: Board Organization, Company Oversight, A Record of Diligence

Preparing for the Inevitable

Set “tone at the top”

Understand regulatory and statutory framework at play

Understand and assess the threat and risks

o What data might the attackers be interested in? How is it safeguarded?

o What systems are in place to let the company know that that data has been exfiltrated or tampered with?

o And if the data is stolen or altered, who will be affected, and how can the company recover?

Ensure board-level attention

o Agenda item with regular reports from cognizant officers

o Steady-state security assessments

Pre-crisis planning

o Develop a preparedness plan, and exercise it. It’s not “set it and forget it.”

Preparing for the Inevitable

Fiduciary Duty of Oversight under Caremark

Liability can be imputed to individual board members where there is:

o Failure to implement reporting system; or

o After implementing reporting system, conscious failure to monitor or oversee.

Failure to act in the face of known duty to act constitutes breach of duty of loyalty, not duty of care.

Companies cannot insulate directors from personal liability for duty of loyalty claims; thus, failure to address cybersecurity can lead to personal liability.

This is not hypothetical: there are pending Caremark claims against Target and Wyndham board members in shareholder derivative actions.

The Legal and Regulatory Environment: Litigation and Regulation are Here, and Increasing

The Legal and Regulatory Environment

Substantive Regimes

E.O. 13636, “Improving Critical Infrastructure Security”

o Calls for “Voluntary Cybersecurity Standards” for “Critical Infrastructure”

o Read the NIST Cybersecurity Framework

Federal Trade Commission Guidelines and Enforcement Actions (more later)

o Lax cybersecurity = “unfair” trade practice

o Jurisdiction over all consumer-facing businesses

Securities and Exchange Commission – 2 sources of authority

o Cybersecurity requirements for broker-dealers and investment advisors

Many other industry-specific rules, regulations, and frameworks

o DoD (defense contractors and subcontractors)

o FFIEC (banks)

o HHS (health records)

The Legal and Regulatory Environment

Disclosure-based regimes

SEC’s CF Disclosure Guidance: Topic No. 2 (Oct. 2011) (more in a moment)

State breach notification laws

Market regulatory regimes

“Trickle-down regulation” and market forces

Insurance

Standard of care

…And don’t forget about “private law.”

The Legal and Regulatory Environment

Private Law: Arrangements between Companies, Customers and Contractors

• Indemnification Provisions

• Who pays for what?

• Limitations on Liability

• How much?

• Breach Notification Provisions

• What triggers a notification obligation?

• What is the timeframe?

The Federal Trade Commission

August 2015: 3d Circuit affirmed FTC’s cybersecurity enforcement authority over consumer-facing companies

o Poor cybersecurity practices = “Unfair” business practice under Section 45(a) of FTC Act

o No actual consumer harm required

BUT JUST YESTERDAY an FTC ALJ ruled consumer harm must be “probable” not just “possible.”

FTC Enforcement Focus:

o Inadequate cybersecurity measures

o False statements of cybersecurity measures in privacy policy

Read FTC’s “Start With Security” Guide

The Securities and Exchange Commission

SEC Staff Guidance

CF Disclosure Guidance: Topic No. 2

Registrants are expected to:

o evaluate cyber risks

o take into account all relevant information, including:

• Prior cyber incidents, their severity and frequency

• Probability of cyber risks occurring

• Qualitative and quantitative magnitude of risks, including potential costs and other consequences

No generic disclosures

Since Guidance, SEC staff has demonstrated willingness to:

o push for disclosure of all incidents—material or not—for context

o independently monitor breaches and test against disclosures (or lack thereof)

o probe into pre-disclosure processes

o ask about third-party risk

Responding to an Attack: Surviving a “Bet the Company” Situation

Responding to an Attack

Breach should be treated as an internal investigation, run by outside counsel

o Not our first rodeo—but it may be yours

o Gain benefit of attorney-client privilege and work product protection

o We know the players

Engage outside experts

o Law firm

o Forensic cyber investigator

o Crisis PR firm

Ask and answer the important questions FAST

Disclosure

o Do we have to? Do we want to?

Assess law enforcement involvement

Assess litigation and regulatory enforcement risk

Disclosure for Public Companies

In the Heat of the Battle: Should We File an 8-K?

Cybersecurity incidents are not mandatory disclosure items (Item 8.01)

Companies need to consider:

o What is known

o Materiality and Trading

o Concurrent disclosures

• Mandatory (e.g., state data breach disclosure laws)

• Voluntary (e.g., PR, vendors/suppliers)

o Regulation FD

o Likely litigation, investigatory, or security consequences of disclosure

o Timing of disclosure

Fish & Richardson’s 8-K Disclosure Decision Tree

Fish & Richardson’s 8-K Pros & Cons Matrix

Pros | Cons

Responding to an Attack: Taking the Fight To The Bad Guys

What are your options after an attack?

Sue for Misappropriation of Trade Secrets

Bring an International Trade Commission Section 337 Action

Sue for Violation of the Computer Fraud and Abuse Act

Call the Feds

Misappropriation of Trade Secrets

State law cause of action

48 states have adopted some form of the Uniform Trade Secrets Act (except MA and NY)

Trade secret characteristics:

Not generally known by or readily ascertainable to competitors

Confers competitive advantage to owner

Subject to reasonable efforts to maintain secrecy

Misappropriation of Trade Secrets

Available Remedies:

o Injunctive relief

o Monetary damages

Lost profits OR unjust enrichment

Multiple damages for willful or malicious misappropriation

o Attorney’s fees

Defend Trade Secrets Act of 2015 (proposed legislation) would give rise to a federal civil cause of action under the Economic Espionage Act of 1996

o Unique remedy under DTSA: ex parte seizure orders to recover trade secret

International Trade Commission Section 337 Action

Section 337(a)(1)(A) prohibits “[u]nfair methods of competition and unfair acts in the importation of articles” into the United States

o Includes misappropriation of trade secrets. See Certain Crawler Crane and Components Thereof (Apr. 2015) (10-year exclusion order)

o 13 out of 17 trade secret cases (out of > 900 ITC cases) were filed since 2010

100% success rate to date in favor of complainant (settlement, consent order, or ITC decision)

Requires showing of:

o Importation

o Existence of a protectable trade secret

o Wrongfully taking by unfair means

Successful action results in exclusion order = no importation of items to U.S.

Computer Fraud and Abuse Act

18 U.S.C. 1030(g) provides a federal private right of action against someone who accessed a computer without authorization, obtained information, and caused harm

2-year statute of limitations

No need to show:

o Information taken was a trade secret

o Actual use or misappropriation of information: only need to show access

Available remedies:

o Compensatory damages (only economic, no punitives)

o Injunctive or other equitable relief

Call the Feds

Federal prosecutors may bring charges under the CFAA and/or the EEA

o Trade secret theft under the EEA punishable by up to 10 years’ imprisonment and significant fines

o Maximum punishment under CFAA is 20 years, plus fines

o May 2014: FBI indicted 5 Chinese military hackers for cyber espionage against U.S. corporations on behalf of Chinese competitors, including state-owned enterprises

State prosecutors (e.g., CA and MA) may also bring criminal charges for trade secret theft

Fish’s Cybersecurity Team

www.fr.com/services/litigation/cybersecurity

Gus Coldebella, Principal, Boston

Tom Frongillo, Principal, Boston

Ed Lavergne, Principal, Washington DC

Donna Balaguer, Principal, Washington DC

Franceska Schroeder, Principal, Washington DC

Caroline Simons, Associate, Boston

Albert Wong, Technology Specialist, New York

SHAMELESS PLUG DEPARTMENT

Navigating the Digital Age: The Definitive Guide for Directors and Officers

Available for download at:

http://www.fr.com/cybersecurity-guide/

Questions?


Mark your calendar!

Wednesday, December 2

Patent Damages: The Success and Failure of A Theory

fishlitigationblog.com/webinars

INSIGHTS Litigation Webinar Series

Thank you!

Please send your NY CLE forms or questions about the webinar to marketing at [email protected].

A replay of the webinar will be available for viewing at http://fishlitigationblog.com.

Gus Coldebella, Principal, Boston, 617-521-7033, [email protected]

Tom Frongillo, Principal, Boston, 617-521-7050, [email protected]


© Copyright 2015 Fish & Richardson P.C. These materials may be considered advertising for legal services under the laws and rules of professional conduct of the jurisdictions in which we practice. The material contained in this presentation has been gathered by the lawyers at Fish & Richardson P.C. for informational purposes only, is not intended to be legal advice and does not establish an attorney-client relationship. Legal advice of any nature should be sought from legal counsel. Unsolicited e-mails and information sent to Fish & Richardson P.C. will not be considered confidential and do not create an attorney-client relationship with Fish & Richardson P.C. or any of our attorneys. Furthermore, these communications and materials may be disclosed to others and may not receive a response. If you are not already a client of Fish & Richardson P.C., do not include any confidential information in this message. For more information about Fish & Richardson P.C. and our practices, please visit www.fr.com.

#1 Patent Litigation Firm (Corporate Counsel, 2004–2015)