Cybersecurity & Data Privacy

Today’s news headlines are filled with reports of ever-larger data breaches and cybersecurity threats to businesses of all sizes as well as to governments. In 2016, known data breaches impacted LinkedIn, Verizon, Wendy’s, government agencies including the Department of Justice and Internal Revenue Service, the Democratic National Committee, and industries such as higher education, finance, and healthcare. (In fact, hospitals and similar healthcare providers are often victims of the growing menace of ransomware schemes.) In 2015, the top eight known data breaches compromised more than 160 million data records, and data breaches cost the world economy trillions each year. That number is only going higher.

Wide-Ranging Risks to Businesses, Big & Small

If smaller companies think they are at lower risk, almost the opposite is true: smaller businesses may be more vulnerable to cyber-attacks and also to the damages caused by a data breach. According to Forbes, a company is more likely to have a breach involving 10,000 or fewer records than a large breach of 100,000 or more records. Each year, one in five small businesses is a victim of cyber-crime; and of those, about 60 percent go out of business within six months of the attack.

For breaches of any size, the resulting risks are both serious and numerous, from the tangible to the intangible: destruction of data, virus infection, long-term malware, business income loss, loss of personally identifiable information (from both employees and customers), loss of proprietary business information (trade secrets and other IP), decreased company reputation, loss of goodwill and customer confidence, cyber extortion, and third-party litigation.

The direct expenses often incurred in cyber-attacks include: forensic expert fees, outsourcing hotline support, notification costs, free credit monitoring concessions, attorney fees to defend lawsuits, and discounts for future products and services. For the direct expenses only, well-known public sources have estimated that the average cost of responding to a cyber-attack is $6.5 million.

Goals of Our Representation: Prevention, Compliance & Preparedness

Using a cross-disciplinary approach, Ryley Carlock & Applewhite’s Cybersecurity Team is ready to help your business manage your cybersecurity risks. Our team has experience in information technology law, employment law, corporate and securities law (e.g. SEC), regulatory law (e.g. FTC), insurance law, and litigation. Our litigation team is enhanced by our Document Control Group, which provides leading eDiscovery and document review capabilities to clients around the country and across the globe.

In working with clients in this area, our representation focuses on prevention, compliance and preparedness.

  • Helping you prevent data security breaches by implementing reasonable internal IT procedures and employee rules (e.g., strong passwords and cyber training).
  • Ensuring you comply with applicable laws, regulations, agency enforcement guidelines and recommended best practices, including applicable reporting requirements as well as advising you when your business may be subject to international requirements, such as the EU-US Privacy Shield that went into effect August 1, 2016 to replace the EU-US Safe Harbor struck down by the European Court of Justice in October 2015.
  • Advising on adequate insurance coverage for both data privacy breaches and cyber-crimes, including reviewing current and additional insurance policies, for both first-party and third-party coverage.
  • Preparing you in the event a breach occurs, including the development of contingency plans.
  • Rapidly responding, when necessary, to data breach or privacy violations, including preparing legally required notices, defending against legal claims or allegations of regulatory violations or other enforcement actions, and assisting with insurance claims.

How We Can Help: Our Interdisciplinary Solutions

Here is an overview of our interdisciplinary approach to helping you achieve your cybersecurity and data privacy goals. Because each of these areas involves overlapping and intersecting issues, it’s important to pay attention to all of them.

  1. Breach Response Planning and, If Necessary, Execution, Defense and Litigation: Our team will assist you in preparing contingency plans for any breach and executing a response if a breach occurs. This includes preparing required notices, coordinating with law enforcement and investigators, defending against any legal claims or enforcement actions, notifying insurance carriers, and conducting “lessons learned” reviews to improve future responses where appropriate. If and when litigation strikes, our firm’s seasoned litigators can represent you in court or in any administrative proceedings before federal or state agencies, such as the FTC, and with respect to enforcement actions by state attorneys general or other officials.
  2. Responsibilities of Officers and Directors: Our team will advise your company’s officers, managers and directors in connection with their duties related to deliberation and oversight concerning data privacy practices and cyber preparedness plans. In June 2014, SEC Commissioner Aguilar said, “Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility do so at their own peril.” Commissioner Aguilar has repeated his call to Boards of Directors “to play a far greater role in their companies’ cybersecurity efforts.” Officers, managers and directors could be exposed to liability for decision-making that was not well-informed or for failing to take reasonable actions to prevent or reduce the likelihood of a breach. Officers, managers and directors also have responsibilities related to breach response and managing the cost of a breach.
  3. Disclosure Requirements and Documentation Recommendations: Our team will assist you in preparing required disclosures including those for directors, shareholders, potential buyers, and customers. We also help you create, maintain and update any other required or recommended documentation.
  4. HR and Employee Training and Policy Review, including Privacy Compliance: Our team will review your employee training practices and written policies in the context of cybersecurity and privacy issues. We often help our clients create, revise and/or update their policies. In doing so, we make sure to address “Bring Your Own Device” practices, company-provided mobile devices, remote access to company networks, and how different categories of data (e.g., health and personal financial data) should be identified and controlled according to applicable legal and regulatory requirements.
  5. Vendor, Third-Party, and Insurance Contract Review: Our team will review your agreements with third-party vendors such as cloud service providers and data centers as well as other businesses with access to your business’ data such as reliable outsourced services and data/network backup system providers. We advise regarding warranties, indemnities, and appropriate confidentiality terms. In addition, we counsel you to review your insurance requirements and scope of coverage—all with the goal of helping you manage your risk.
  6. IT Systems and Document Management Legal, Compliance, and Risk Management Review: Our team will review your IT systems from a legal, regulatory and compliance, and risk-management perspective and offer advice and recommendations to ensure that your business is well-prepared on a current and ongoing basis to comply with all applicable requirements as they exist and continue to evolve. We make sure the proactive steps you’ve taken are well-documented so you can clearly demonstrate your compliance in the event of a breach or when otherwise necessary.