After the Breach: Cybersecurity Liability Risk

Cybersecurity’s evolving regulatory and liability landscape compounds the challenges that companies face from cyber attacks, and further complicates the ability of corporate executives and their advisors to understand and effectively manage cyber risk. Companies must prepare for and respond to a potential cyber attacks direct damage, including financial and data loss, system and service interruptions, reputational harm and compromised security. Cyber attacks also expose companies to diverse and uncertain regulatory and civil liabilities. Although these risks generally become apparent post-breach, they must be contemplated and managed proactively, before a breach occurs.

The decision-making of companies that are facing systematic and strategic cyber threats is, therefore, fraught with legal uncertainty about the implications of how they prepare for and respond to the threat. With piecemeal statutes and regulations, and emerging technologies, companies must navigate myriad potential sources of civil and criminal liability related to cyber incidents whose doctrinal contours are unsettled. Concerns include, for example, how to: Institute and monitor security protections; implement cyber incident response policies and procedures; disclose threat, vulnerability and incident information; and determine when, whether and how best to inform, and potentially cooperate with, government. In addition to the inherent difficulties in determining how to address these concerns, companies also must evaluate how each of those decisions may impact litigation risk.

These concerns are particularly acute because many of the most serious cyber vulnerabilities reside in privately- owned networks and systems, those systems often contain some of the most valuable information available about the nature of the threat, and, ultimately, steps to prevent and mitigate harms must be implemented largely by the private sector. Unless we understand better the factors shaping the private sector’s response to cyber harms, including the ways in which litigation risks shape strategic decisions about cybersecurity, it will be di cult to comprehensively address the threat. And while governments traditionally have been charged with protecting the national interest, that role, in a digital era, is increasingly also played by private companies. To the extent that an unsettled liability landscape shapes private sector decisions about investing in cybersecurity protections, disclosing cyber incidents to the public, and cooperating with government, the problem is no longer exclusively one of legal rights and remedies, but also one of strategic cyber preparedness.

Managing this shifting landscape requires executives, including at the board and senior leadership level, not only to con rm that adequate technological defenses are in place, but also to think strategically regarding how to create and implement corporate governance, and communication and response structures, to manage cyber risk. This means ensuring that the organization effectively can identify and address emerging regulatory and liability issues on both a proactive and responsive basis. Moreover, because systems can be compromised at any level, it also involves communicating (through training and protocols) the significance and means of properly managing cybersecurity risk […] Read more »