Although a frequent topic of discussion on Capitol Hill, no single standard for private-sector cybersecurity programs has yet to emerge. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is often considered foremost among existing guidance, but several other agencies are also expressing views, including the following recent guidance from the Department of Justice (DOJ), the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC). Significantly, both the DOJ and FTC tout the advantages of cooperating with law enforcement after a data breach by noting that such cooperation may lead to “regulatory” benefits.
DOJ Cybersecurity Guidance
The DOJ has issued significant, helpful cybersecurity guidance for companies. The DOJ’s Computer Crimes and Intellectual Property Section (CCIPS) issued Best Practices for Victim Responses and Reporting of Cyber Incidents to “assist organizations in preparing a cyber incident response plan and, more generally, in preparing to respond to a cyber incident.” The DOJ’s guidance reinforces the need for all companies to develop a robust incident response plan and to consult legal counsel for advice in strengthening cybersecurity and responding to data security incidents.
This guidance is voluntary. The DOJ lacks authority to issue binding regulations in this area, and its voice is but one of several federal agencies that have issued guidance addressing cybersecurity. The DOJ guidance is significant in part because it reflects the growing trend of recognizing corporate victims of a data breach as victims of criminal activity.
The guidance itself is consistent with existing approaches to data security response, although it does clearly emphasize the DOJ’s unique focus on limiting the privacy interests of employees in corporate systems so that it can access data more rapidly based on consent, and in corporate victims providing notice of the incident to potentially affected business partners and others. The latter point is notable as current law is not understood to require a general “duty to warn” regarding cybersecurity impacts (beyond reportable personal information data breaches).
The DOJ stated a “critical first step” to ensuring adequate cybersecurity is implementation of cybersecurity plans and procedures. Organizations should:
- Identify their “crown jewels” – valuable trade secrets, intellectual property, customer information or the like;
- Detail key personnel for public communications, information technology access and legal questions;
- Determine critical IT components and information that must be preserved in responding to an incident;
- Assess how to preserve data in a forensically sound manner;
- Ensure appropriate training, data loss prevention measures, data backup measures and intrusion detection capabilities; and
- Develop procedures to notify data owners, customers, partners and law enforcement.
The DOJ also identified actions that organizations should not take. Companies should not use their communications systems to communicate about an incident. Such communications may inform the intruder of a company’s next steps.
The DOJ also suggested, significantly, that counseled companies should not engage in active defense practices known as “hacking back.” Hack-back strategies have been a hot topic among IT professionals looking for an edge against increasingly sophisticated cyber attacks. But such tactics, states the DOJ, “can damage or impair another innocent victim’s system rather than the intruder’s.” Given CCIPS’ work in prosecuting computer crimes, including those under the Computer Fraud and Abuse Act, this is a clear warning.
The DOJ stressed the need for companies to obtain legal counsel that is conversant in technology and knowledgeable about relevant laws governing electronic surveillance, privacy and computer fraud. “Having ready access to advice from lawyers well acquainted with cyber incident response,” notes the DOJ, “can speed an organization’s decision making and help ensure that a victim organization’s incident response activities remain on firm legal footing.” In addition to this advice, the DOJ offered particular recommendations in monitoring company networks and coordinating with law enforcement and other interested parties.
Network monitoring is essential to detection and prevention of cybersecurity incidents. The DOJ stated that such practices are “typically lawful” if prior consent has been obtained from network users. Thus, the DOJ stated, companies should ensure they have implemented mechanisms to receive such consent so that they can appropriately detect and respond to an attack. Such consent is also particularly important to dispel potential expectations of privacy that consumers and employees may otherwise have in networks. (As noted below, employers who provide their own communications networks will generally also have “service provider” arguments to justify monitoring their networks for security and other legitimate purposes.)
One mechanism noted by the DOJ is the use of a banner “that greet[s] users who log onto a network and inform[s] them of how the organization will collect, store and use their communications.” Other mechanisms to obtain valid consent include written acknowledgment of computer user agreements, workplace policies and personnel training. The DOJ stated that such acknowledgments should notify users that use of a company’s network constitutes consent to the interception of communications and that user’s data can be disclosed to others, including law enforcement. The relevant policy also should note that the user has a diminished expectation of privacy.
The DOJ also stated that organizations may use network sniffers to monitor an intruder. Though the capture of communications involving the intruder may implicate the Wiretap Act, the DOJ stated that it is “typically lawful, provided it is done to protect the organization’s rights or property or system users have actually or impliedly consented to such monitoring.” Companies should ensure that such practices are consistent with employment agreements and privacy policies.
The guidance also stresses the need to develop connections with law enforcement. The DOJ suggested that companies affirmatively make contact with the FBI or U.S. Secret Service before an incident occurs to develop a point of contact. Such contact “will also help establish the trusted relationship that cultivates bi-directional information sharing that is beneficial to potential victim organizations and to law enforcement.” The DOJ stated that, if a company discovers that other victims may be affected, “the other potential victims should be promptly notified” and that “notifying victims through law enforcement may be preferable.”
The DOJ stressed the benefits of coordinating law enforcement and stated that law enforcement should be contacted “immediately” after a criminal breach. The DOJ, however, acknowledged the sensitivity of the issue, noting that some companies have been “reticent” to notify law enforcement in the aftermath of an incident “fearing that a criminal investigation may result in disruption of its business or reputational harm.” The DOJ countered that only law enforcement can deploy certain tactics and coordinate with domestic and international law enforcement. “These tools and relationships can greatly increase the odds of successfully apprehending an intruder or attacker and security lost data,” notes the DOJ.
The DOJ further notes that “many data breach reporting laws allow a covered organization to delay notification if law enforcement concludes that such notice would impede an investigation. State laws also may allow a victim company to forgo providing notice altogether if the victim company consults with law enforcement and thereafter determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed. . . . It is also noteworthy that companies from regulated industries that cooperate with law enforcement may be viewed more favorably by regulators looking into a data breach.” [emphasis added].
ISAOs and ISACs
One of the tangible ways in which organizations could demonstrate their intention to cooperate would be to join an Information Sharing and Analysis Organization (ISAO) (closely related to the Information Sharing and Analysis Centers (ISAC)). The DOJ recommended that companies establish such relationships with cyber information sharing organizations. “Access to information about new or commonly exploited vulnerabilities,” noted the DOJ, “can assist an organization prioritize its security measures.”
FTC Favors Law Enforcement Cooperation
As noted above, the DOJ stated that “companies from regulated industries that cooperate with law enforcement may be viewed more favorably by regulators looking into a data breach.” Echoing this sentiment, the FTC recently noted in a blog posting that,
“We’ll also consider the steps the company took to help affected consumers, and whether it cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion. In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.” 1
This expression of support for cooperation with law enforcement by the FTC may be particularly significant. Although the FTC has emphasized that it coordinates its enforcement actions with other agencies, some have considered FTC investigations after data breaches, often in combination with multi-state investigations by state attorneys general, to indicate that corporations who suffer a data breach should expect that the first response of regulators will be to investigate the corporate victim. Whether the FTC’s endorsement of cooperation with law enforcement results in fewer investigations of companies that experience data breaches remains to be seen, particularly given that the FTC’s recent statement was in the form of only a blog posting.
SEC Issues Cybersecurity Guidance for Investment Advisers and Financial Firms
The SEC has recently issued a Guidance Update (the “Guidance”) for registered investment advisers and registered investment companies expressing its expectations for cybersecurity.2 The Guidance builds on the SEC’s investigation and report on investment advisers’ and broker-dealers’ cybersecurity preparedness. The Guidance further underscores the need for investment companies, broker-dealers and investment advisers to review their cybersecurity preparedness, update their policies and procedures, examine their potential vulnerabilities and assess compliance with SEC regulations. The SEC makes clear that the failure implement adequate cybersecurity protections could raise serious regulatory compliance issues.
The SEC recently completed a review of 57 registered broker-dealers’ and 47 registered investment advisory firms’ cybersecurity practices.3 The review focused on cybersecurity governance, protecting networks that store sensitive information, managing vendor risks and detecting unauthorized activities. The SEC found that the vast majority of broker-dealers and firms had implemented written information security plans, regularly reviewed such plans, inventoried and catalogued their information security resources, made use of encryption and had suffered a cybersecurity incident. Approximately half participated in information sharing programs, and the SEC noted varying results on designation of a chief information security officer and oversight and policies governing the use of vendors.
The Guidance provides the first advice on what firms should do to provide adequate cybersecurity protections since the SEC reported on the current state of cybersecurity. The SEC’s cybersecurity guidance states a need for funds and advisers to (1) conduct a periodic review; (2) develop a strategy to detect and respond to cybersecurity threats; (3) develop appropriate policies, procedures and trainings; and (4) understand cybersecurity within the broader context of regulatory compliance.
The SEC has demonstrated increasing attention and regulatory scrutiny over cybersecurity practices. We recommend that investment advisers and firms take immediate steps to ensure robust cybersecurity protections and regulatory compliance.
The SEC’s Guidance encourages advisers and firms to periodically review the type of information that such firms and advisers collect, where they store this information and the technologies used to store such information. Firms and investment advisers also should review their security controls, processes and the governance structure to manage cybersecurity risks and report to senior management and boards of directors.
A regular, periodic review should be conducted by key personnel with an eye to shoring up weaknesses and making necessary adjustments to further strengthen and improve companies’ cybersecurity footing. “An effective assessment,” notes the SEC, “would assist in identifying potential cybersecurity threats and vulnerabilities so as to better priorities and mitigate risk.”
Strategy to Detect and Respond
The SEC’s Guidance states that advisers and firms should develop a strategy to prevent, detect and respond to cybersecurity threats. Such a strategy should consider access controls that include user credentials, authentication methods, firewalls, network segregation and tiered access to sensitive systems. Firms and advisers should consider data encryption, especially when data is in transit across public systems. The SEC notes the importance of restricting the use of removable storage media, implementing monitoring technologies for unauthorized access and loss and ensuring adequate data backup strategies. Finally, advisers and firms should develop an incident response plan that is appropriately tested and can be effectively implemented by relevant personnel.
Policies, Procedures and Training
The SEC’s Guidance stresses the importance of documenting appropriate cybersecurity policies and procedures. At a minimum, advisers and firms should develop a written information security plan and an incident response plan. Firms and advisers should ensure that their employees are appropriately trained in handling sensitive information and responding to data security incidents. Finally, the SEC states that firms “may also wish to educate investors and clients about how to reduce their exposure to cyber security threats concerning their accounts.”
The SEC’s Guidance highlights the need to consider cybersecurity obligations within the broader context of firms’ regulatory compliance obligations. “In the staff’s view,” states the SEC’s Guidance, “funds and advisers should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks.” Failure to provide adequate cybersecurity protections could raise regulatory compliance issues.
The SEC states that cybersecurity concerns implicate a number of regulatory obligations. These obligations derive from the following sources:
- Written Policies and Procedures: SEC regulations require each registered investment company and registered investment adviser to develop written policies and procedures and conduct annual reviews for their adequacy and effectiveness to prevent violations of security laws.4
- Identity Theft and Adequate Security: The Identify Theft Red Flags Rule requires firms that operate transactional accounts to develop identity theft prevention measures, and Regulation S-P requires regulated financial institutions to implement reasonable security measures, a written information security plan and other measures mandated by the Gramm-Leach-Bliley Act.5
- Fraud Protection: SEC regulations require firms to develop anti-fraud measures focused on their personnel.6 The SEC notes that these measures build on the fiduciary obligation that firms owe to their clients and that an insider cybersecurity event could trigger fraudulent and other activities implicating these obligations.
- Business Continuity: The SEC highlights the need to provide continuing services to clients and assure adequate business continuity in the event of a cybersecurity event.7 The SEC also stresses firms’ ability to process shareholder transactions.8
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or
1 Mark Eichorn, “If the FTC comes to call.” FTC Business Blog (May 20, 2015), available at https://www.ftc.gov/news-events/blogs/business-blog/2015/05/if-ftc-comes-call.
2 U.S. Securities and Exchange Commission, Division of Investment Management, Guidance Update: Cybersecurity Guidance (Apr. 2015), available at http://www.sec.gov/investment/im-guidance-2015-02.pdf.
3 SEC, Office of Compliance Inspections and Examinations, Cybersecurity Examination Sweep Summary (Feb. 3, 2015), available at http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf.
4 17 C.F.R. § 270.38a-1; 17 C.F.R. § 275.206(4)-7(a); Compliance Programs of Investment Companies and Investment Advisers, Investment Company Act Release No. 26299 (Dec. 17, 2003).
5 See, e.g., Identity Theft Red Flag Rules, Investment Advisers Act Release No. 3582 (Apr. 10, 2013); Privacy of Consumer Financial Information (Regulation S-P), Investment Advisers Release No. 1883 (June 22, 2000).
6 See, e.g., 17 C.F.R. § 270.17j-1; 17 C.F.R. § 275.204A-1; Personal Investment Activities of Investment Company Personnel, Investment Company Act Release No. 23958 (Aug. 24, 1999); Investment Adviser Code of Ethics, Investment Advisers Act Release No. 2256 (Jul. 2, 2004).
7 Citing Compliance Programs of Investment Companies and Investment Advisers, Investment Company Act Release No. 26299 (Dec. 17, 2003).
8 Citing section 22(e) of the Investment Company Act of 1940, which “generally prohibits an open-end fund from suspending the right of redemption or postponing the date of payment of redemption proceeds for more than seven days after tender of a security for redemption, whereas rule 22c-1 under the Investment Company Act generally requires an open-end fund selling, redeeming or repurchasing a redeemable security, to do so only at a price based on its net asset value next computed after receipt of a purchase order or redemption request.”