USA: Are employers liable for breaches resulting from employee actions and what should they do about it?
Now that 'cybersecurity' is a board-level conversation, the question of whether employers are liable for breaches resulting from employee actions is frequently discussed. While the answer is straightforward, what to do about it is much more nuanced. Alex Sharpe, Principal at Sharpe Management Consulting LLC, discusses a framework and the key questions to ask to protect, detect, and recover, resulting in five steps that may make a real difference.
It is hard to imagine a situation where an employer is not potentially liable for a breach resulting from (an) employee(s) action. Liability is a matter of law and is very fact-sensitive. The more relevant question is, 'what are the potential sources of economic damage to the business, and what do we do about them?'
History shows that the underlying questions are:
- Has the organisation done everything practical to prevent the breach? The stronger the 'yes', the lower the economic impact.
- Has the organisation adequately planned for and responded to the breach? The stronger the 'yes', the lower the economic impact.
You can think of the financial impact coming from:
- fines and penalties from regulators and jurisdictions;
- the financial obligation to reimburse a third party who was harmed;
- business loss from inability to operate;
- cost to recover; and
- reputational damage.
Reputational damage is potentially the largest and will continue to grow as assets become more intangible.
The damage from a Nation State is almost always the most damaging, especially in the long term. The nightmare scenario is a Nation State with cooperating insiders. They have the knowledge, means, skills, and resources. They will most likely be after your intellectual property ('IP') for their companies. The critical difference between the Nation State threat to your business is the role of public/private partnerships and the role of law enforcement. Both will be dealt with in future articles. You cannot deal with Nation State actors on your own.
It is a question of when not if
To paraphrase the renowned strategist and philosopher Sun Tzu:
"The art of war teaches us to rely not on the likelihood of a breach, but on our own readiness to deal with it".
Roughly two out of every five (38%) of cyber incidents involve a cooperating insider.1 The consensus is that north of 95% of cyber incidents involve a human doing something they should not.
It is critical to remember that being a cooperating insider is a crime; doing something silly is not.
The World Economic Forum ('WEF') estimates that 60% of the global Gross Domestic Product ('GDP') is digital.2 The global GDP is driven by data and generates more data through value creation. While doing so, the likelihood and impact of data breaches involving employees increase with the growth.
At the same time, business environments are becoming more interconnected, and we are relying more and more on third parties, like the Cloud. While we can transfer responsibility, we remain ultimately accountable. We are obligated to protect not only our data, but also the data of our customers and our business partners. We also take on a duty to protect the data our business partners transfer to us.
When it comes to the Cloud, we are not only turning over the protection of the data to a third party, but we often turn over part of our operations to them as well. Software as a Service ('SaaS') is a perfect example. In the end, while we delegate responsibility, we remain accountable. In essence, an organisation is accountable not only for its staff, but also for the Cloud provider staff.
Sources and size of economic damage
History shows economic damage will be driven by:
- the type and volume of data;
- the volume of data breached;
- the cause;
- the jurisdiction; and
- the quality of response.
The best outcome is if no breach occurs at all. No breach, no damage. The only time you have some control is before it happens or when you detect a breach in progress, providing you the opportunity to intervene. When a breach occurs, everything after that is reaction and damage control.
Let's face it, none of us have all of the budget or staff to do everything we want. Performing a data inventory, preferably a Business Impact Assessment ('BIA'), will help you prioritise your capital allocation (people and money) to get the most bang for your buck. It will also help you assess the damage and focus recovery efforts.
Reporting requirements are often confusing
Understanding the requirements placed on you by the myriad of jurisdictions needs to be understood before a breach. You do not have the time to figure it out during a breach. In practice, you have at most 72 hours to report. In general, ransomware actors will give you more like 48 hours.
Jurisdiction often requires the most homework; 137 countries have data privacy/data breach laws.3 Fifty-four jurisdictions in the US have data breach notifications laws4 (i.e. all 50 States, plus D.C., Guam, Puerto Rico, and the Virgin Islands). Each of them has its own reporting requirements and its own formula for calculating penalties. The thing to watch for is not only where the data resides or the business has a location, but many of these laws apply if one of their constituents is affected. For example, the California Consumer Privacy Act of 2018 ('CCPA') applies if one of its citizens' data was concerned, not necessarily where the data resides.
Regulators are starting to impose reporting requirements as well. Most recently, the Securities and Exchange Commission ('SEC')5 and the EU.6
Five steps that may make a significant difference
Remember the British Army Adage, 'the 7 Ps'
First and foremost, you need to understand your digital assets and their value, know: who is the data owner; where the data resides; where it is processed; and how it is transmitted.
Having an appreciation of your data, be sure to apply controls in each of the three phases: protect; detect; and recover.
Preventive controls to protect the data are the absolute best investment. In practice, you will never be able to eliminate all breaches, but you can minimise the number of breaches and contain the impact. Defenders need to plug all the holes, while attackers only need to find the cracks.
Each preventive control needs to have detective control to let you know a breach may have occurred or is underway. The faster you detect, the lower the impact and the lower the economic impact.
The incident response (recover phase) is where things often go wrong the most, almost always because of poor planning or lack of rehearsal.
Develop an incident response plan. Base it on different scenarios then practice, practice, practice. You should not be responding to significant incidents often. Engage an outside third party who does this for a living to help you develop your plan and grade your rehearsals.
The moment you learn of a breach, fix the control that broke! Sounds silly, but I cannot tell you how often I come across organisations that never closed the barn door. This is most pronounced with ransomware. Never forget, one hacker does not care if another hacker hacked you. They often use the same tools and techniques. If it worked before, it will work again.
Limit the blast radius
You not only want to reduce the likelihood of a breach, but you also want to limit the impact. The most obvious example is ransomware. On average, each infected machine affects about 20 other machines, creating a geometric progression. Within two hops, 400 machines are infected. Within three hops, 8,000 machines are infected. You get the idea. The key is to contain the impact by limiting the blast radius using techniques like network segmentation, firewalls, and encryption.
You also want to limit the damage a single user can do. Most attacks require a user account to be compromised. Once an account is compromised, hackers look to move across the enterprise while attempting to escalate privileges. Common practices, like separation of duties, the concept of least privileges, and yearly reviews, go a long way.
It is very important to have your processes include revisiting privileges as employees change roles. Accounts need to be closed whenever an employee changes status. It is shocking how many compromises occur because accounts of former staff who are no longer with the company still exist.
Quite often, organisations forget about their contracted help. Their accounts should be auto-disabled when the contract ends. At the very least, part of the process needs to include closing accounts as contracts are completed.
Public relations, including internal communications
Regrettably, this is where things can go really, really, wrong. Communications must be internal and external. The most significant long-term impact of an incident comes from the reputational loss and the loss of IP. As business value becomes more and more driven by the intangible, the significance of good crisis communication will only grow.
For external communications, you need a team (or firm) trained in crisis management, and you want them to be part of the planning and the rehearsals.
When staff do not know what is going on or what they are supposed to do, they cannot contribute to the recovery. Likely, they will add to the confusion.
The last thing you want is for your customers, regulators, or board to hear about a breach on the evening news. Be sure you have a communication strategy that installs confidence.
Some jurisdictions, regulators, and insurance companies require law enforcement to be notified. Outside of that, it becomes a business decision. This needs to be decided during peacetime, not during the chaos of an incident. Knowing who to call and how to contact them is absolutely critical.
Not all scenarios are identical. For example, when it comes to ransomware in the US and the EU facilitating payments to anyone on the 'bad guy' list, you are subject to fines and sanctions, placing you between the ultimate rock and hard place. If you pay the ransom, you get sanctioned from doing business. If you do not pay the ransom, you cannot operate. In general, if you engage law enforcement before making the payment, you are treated as a victim, not as a conspirator. The Federal Bureau of Investigations's ('FBI') Cyber Division Chief publicly stated, "The FBI will continue to treat you as a victim even if you pay".
The loss of IP to Nation States is rising and will continue to grow. When it comes to Nation States, you have little recourse on your own.
Like other aspects of incident response, some jurisdictions, regulators, and insurance companies require you to collect and retain forensics. If you think you will pursue the perpetrator, it is absolutely required. You do not know what the future holds in the early stages of an incident. It is prudent to act as you will. You need to vet and retain an eForensics firm during peacetime, not during an incident.
Many organisations prefer to have third parties, like eForensics, ransomware negotiators, crisis management firms, and the like, to be subcontractors to outside counsel to retain privilege. There are two things to consider before engaging these third parties.
First, in my experience, simply contracting these firms through outside counsel does not guarantee privilege. The conditions are subject to the jurisdiction. Be sure to fully explore before going this route.
Second, many insurance policies require you to use their preferred providers. If needed, check your policy, and see if they will agree to allow you to use your vendor of choice.
We began by asking what at first appeared to be a simple question: 'Are employers liable for breaches resulting from employee actions?' In short, it is hard to imagine a situation where an employer could not potentially be held liable. Whether they are or not is a matter of law and very fact-sensitive. The more important message is best summed up by Sun Tzu (if he lived today): "The art of war teaches us to rely not on the likelihood of a breach, but on our own readiness to deal with it". In practice, none of us have all of the resources we would like, and breaches have become all too common. The best investment is in prevention, but prevention alone is not enough. History clearly shows we must also detect and recover. The absolute key to recovery and minimising the economic impact is preparation. Preparation must be done and practiced during peacetime, so you may act during war time (i.e. during a breach).
Alex Sharpe Principal
Sharpe Management Consulting LLC
1. Carnegie Mellon University (CMU) study performed for the United States Secret Service (USSS).
2. See: https://www3.weforum.org/docs/WEF_Responsible_Digital_Transformation.pdf
3. See: https://unctad.org/page/data-protection-and-privacy-legislation-worldwide
4. See: https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
5. See: https://www.federalregister.gov/documents/2022/03/23/2022-05480/cybersecurity-risk-management-strategy-governance-and-incident-disclosure
6. See: https://www.consilium.europa.eu/en/press/press-releases/2022/05/13/renforcer-la-cybersecurite-et-la-resilience-a-l-echelle-de-l-ue-accord-provisoire-du-conseil-et-du-parlement-europeen/?utm_source=dsms-auto&utm_medium=email&utm_campaign=Strengthening+EU-wide+cybersecurity+and+resilience+%25u2013+provisional+agreement+by+the+Council+and+the+European+Parliament