Trust. And benefits. Those are two key issues impacting effective cybersecurity collaboration: whether companies and their legal advisors trust the government enough to reach out for help in the event of a breach, and whether they perceive sufficient benefits from doing so. One major stumbling block in that assessment is the dichotomous role of government toward corporate data breach victims on the cybersecurity stage: that of protector, and that of enforcer. A number of executives remain wary about reaching out to the government for help in a cybersecurity breach (when not legally compelled to do so), recognizing that the same government with whom they will share data will investigate and potentially bring an enforcement action against the company for deficiencies in how it prepared for or responded to the incident. The government took a small but meaningful step toward addressing that concern last week.
On Wednesday, May 20th, in her remarks at the Cybersecurity Law Institute in Washington, Assistant Attorney General Leslie Caldwell referenced a new message from the Federal Trade Commission (FTC) encouraging cooperation. In that morning’s post on the FTC site, entitled “If the FTC Comes to Call,” seeking to help companies understand what to expect in a breach investigation, FTC Assistant Director Mark Eichorn stated:
We’ll also consider the steps the company took to help affected consumers, and whether it cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion. In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.
The Department of Justice has been reaching out for years to assist victims of data breaches. Indeed, many times it is the government who informs a company that it has been breached, and (to varying degrees) assists the company in determining the cause and extent of harm. But there is another side to the government’s role in cybersecurity: the FTC and other regulators have investigated and brought actions against a number of corporate breach victims for failing to adequately prevent, detect, disclose and respond to incidents. Describing this conduct, one executive remarked to me: “it is as if the government is crawling back over the battlefield to shoot the wounded.” But regulators and proponents of these enforcement actions have emphasized the need to protect consumers, taking the position that regulatory enforcement actions against corporate breach victims will encourage improved cybersecurity hygiene, more accurate disclosures, and a more robust response to a breach. (For a further discussion of the scope of civil regulatory and liability risk, see also Judith H. Germano, Zachary K. Goldman, “After the Breach: Cybersecurity Liability Risk,” NYU Law School, June 2014).
When a company suffers a breach, it needs to assess whether to call the government — in an extreme case, such as Sony, the faster the company can make that call the better. But in less dramatic instances, whether and when to call the government, versus engaging in self-help internally or with private legal and technical advisors, can become more nuanced. Companies with previously established government relationships in this area often are more inclined to reach out for help, and this effectively can be done through informal channels as a first step. The benefits of contacting the government include gaining a broader perspective of similar incidents, accessing expertise beyond the company’s internal and external resources, and the ability of proactive government efforts to investigate, apprehend and prosecute the wrongdoers. (For more on my views on effective public-private collaboration, see this white paper: Judith H. Germano, “Cybersecurity Partnerships: A New Era of Public-Private Collaboration, Center on Law and Security,” NYU Law School, Oct. 2014).
Yet companies are concerned about how the information they share will be used, and whether it will be placed into the hands of regulators (and private civil litigants) who investigate the company post-breach. To obtain effective government assistance, companies should be forthright regarding what vulnerabilities existed. But disclosing those vulnerabilities increases exposure to, and can create a roadmap for, regulators and civil litigants. Depending on the scope and nature of the breach, the type of harm suffered and the company’s ability to address the situation without government assistance, a company needs to assess whether to engage the government. Despite the benefits of collaboration, the company’s decision to cooperate — and potentially waive attorney-client privileges that otherwise might exist — would be easier if there existed greater assurances that the information shared with the government would not readily be available for use against the company in civil and regulatory investigations and actions. But that level of protection does not currently exist.
Although clarity is needed on the scope, nature and extent of the protection available to companies that share information with the government, competing interests hinder that result. Many companies and their advisors would find greater comfort in protections that address concerns of attorney-client privilege, and that shield from regulators and civil litigants the information disclosed to law enforcement regarding the causes of, and responses to, a breach. But others argue that would go too far in protecting companies from accountability for cyber incidents. At this point, the risk remains that regulators and private civil litigants might be able to obtain and use information a company shares with the government against the company in a subsequent investigation and litigation, and companies need to recognize that risk when assessing whether and how to cooperate with the government. But the reality is that a company, even if not working with the government, still should gather and assess that same information to understand and respond to a breach, whether internally or with the government directly involved. And that information still may be available to regulators and civil litigants (even if not as neatly packaged, and perhaps with greater potential for attorney-client privilege protections).
But when the liability question turns to whether the company did all it could in responding to the incident, that is where the new FTC statement comes into play, for better and for worse. Now that the FTC has publicly declared cooperating with law enforcement as “an important step to reduce the harm from the breach,” companies should expect to be held accountable for whether (or not) they have taken that step.
Companies now have an added benefit to put on the balance sheet in favor of cooperating: it may not keep regulators and civil litigants away, but cooperating with law enforcement may help improve the company’s standing when they come calling after a breach.