While the customers impacted by the recent SolarWinds Corp. cyberattack are rightly being described as victims, they are nonetheless facing significant costs stemming from the incident.
SolarWinds’ customers will need to determine whether any of their data was accessed or exfiltrated. Making that determination requires a digital forensics investigation, typically involving a third-party security vendor.
First, the Forensic Investigation
The forensics bill depends on factors such as the number and types of devices and systems on a network, the geographic distribution of the network, and whether the customer already had a contract with a security vendor to provide such services in the event of a security incident.
If investigators determine that certain categories of personal information of residents of U.S. states or certain foreign countries were accessed or exfiltrated from a SolarWinds customer, the victim will need to provide notices to affected individuals. It is considered a best practice to offer credit repair and monitoring services and call centers to assist affected individuals.
Depending on its contracts, the victim company also may be required to notify its business customers and vendors and to reimburse them for expenses they incur in investigating and mitigating the effects of the breach and providing notifications. It may also be required to indemnify them for third-party lawsuits and regulatory proceedings.
The victim company may also be required to notify regulators or state attorneys general. Such agencies may issue fines if their investigations find that the company’s cybersecurity practices were not adequate or that the company did not notify within a required time frame. Additionally, the victim company may incur substantial costs in defending consumer, business partner, or shareholder derivative lawsuits.
Furthermore, after it has been determined that an adversary has accessed a network, there is a debate about whether any device on the network can be trusted and remain in use. Many IT security practitioners recommend fully rebuilding a network that has been breached by malware.
Take Proactive Steps to Address Potential Liability
Once the security incident has occurred, there are limits to what a company can do to minimize its liability. It can work cooperatively with its business partners to reduce the likelihood that they will sue. But other costs, such as class action suits, regulatory fines, or legal fees, are considerably less controllable.
Not surprisingly, the best time to address potential liability for a security incident is before it happens. All companies, regardless of whether they were victims of the SolarWinds breach, should consider taking the following proactive measures:
- Contracts with business partners should have reasonable limitations of liability, and the implications of data breach cost provisions and indemnities should be carefully scrutinized, not just for each contract as it is negotiated, but in the aggregate across all contracts.
- Companies should have cyber-insurance policies in place and, because the details of cyber-insurance coverage vary, they should also have a good working knowledge of what is and is not covered by the policies.
- Companies should follow reasonable cybersecurity practices, not only to reduce the chances of experiencing a security incident, but to reduce the likelihood of being fined or successfully sued if an incident outside their control occurs.
- Companies should regularly conduct a risk assessment and develop and update a written security plan based on the risk assessment.
In fact, many statutes and regulatory frameworks, such as the New York SHIELD Act, the Massachusetts Standards for the Protection of Personal Information, the rules and guidelines issued under the federal Gramm-Leach-Bliley Act, and New York’s Department of Financial Services Cybersecurity Regulation, require risk assessments, written security plans, and the use of reasonable cybersecurity measures.
Also, the California Consumer Privacy Act gives private litigants a right to sue if their personal information is exfiltrated as a result of a company’s failure to use reasonable security measures.
Assess Future Risk, Take Compliance Steps
What security measures are reasonable is heavily driven by the risk assessment. Recognized standards such as ISO 27001, the National Institute of Standards and Technology Cybersecurity Framework, or the Center for Internet Security Critical Security Controls can be used to determine what is reasonable. Using an accredited outside vendor to certify compliance can help establish the proper diligence.
Common best practices include network segmentation, appropriate logging, use of intrusion detection systems, multi-factor authentication, use of current encryption standards for data at rest and in transit, strong password requirements, use of password managers, regularly backing up data and testing the restoration of data, patching and vulnerability management, and regularly testing security controls and incident responses. Data retention policies also should not be overlooked, since data that a company has not retained cannot be the subject of a data breach.
Educating employees about risks and best practices is also important. Additionally, companies should foster close multi-stakeholder coordination and communication about security. Representatives from the security organization, legal, IT, procurement, and product or sales groups should be included in the discussions.
Companies have exposure to significant potential liability arising from the SolarWinds security incident and a short set of options for limiting that liability. The best time for a company to limit its liability for security incidents is before they happen.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Andrew Baer is chair of the Technology, Privacy & Data Security group at Cozen O’Connor where he focuses his practice on cutting-edge technology transactions on both the buy-side and sell-side, cloud computing, data privacy, security compliance, software, and transactions in the digital advertising ecosystem.
Christopher Dodson is an attorney at Cozen O’Connor, where he focuses his practice on privacy, technology, and regulatory law. He works extensively with clients on issues related to compliance with the GDPR, CCPA, and privacy and data security laws.