The painful reality is that data breaches are daily occurrences. If a company is lucky enough not to have had a data breach to date, it is likely that luck will not last. The latest blockbuster is Target Corp., where hackers gained access to between 70 and 110 million customer credit and debit card numbers and other personal information. While data security has greatly improved since the 2005 TJX Companies’ massive breach involving 90 million customer records, the vigilance of hackers has kept pace with technological advancements put in place by corporate America to thwart attacks.
Indeed, cybercrime is on the rise. According to a Corporate Board Member/FTI Consulting survey, in 2012, data security was the most often cited legal issue of concern for both general counsel (referenced by 55 percent of those surveyed) and directors (referenced by 48 percent).[1] Further, the Department of Homeland Security reported 198 attacks on critical U.S. infrastructures (e.g., utilities) in 2012; there were just nine such attacks in 2009. And the Government Accountability Office reported that cybersecurity incidents against U.S. agencies increased nearly 1,000 percent to 48,562 in 2012 from 5,503 in 2006.
While cyber attacks have become creative, the end game is still (1) “denial of service” — attempts to deny access to the Internet and cyber information by overwhelming servers so that the target company loses access to Internet-based activities, (2) “theft” of confidential and proprietary information from individuals or companies or (3) “tactical sabotage” designed to gain access to computer systems to inflict damage to such systems. Cybercrime is a global problem with attacks being routinely mounted by entities in China, the Middle East, Russia, Venezuela and North Korea.
Data Security Compliance Programs
Unlike the compliance program standards delineated in the Federal Sentencing Guidelines, which provide a template for measuring the effectiveness of general compliance programs, no such best practice has yet evolved to test the sufficiency of a data security compliance program. To move in the direction of a uniform standard for data security compliance programs, companies should seriously consider adopting the cybersecurity framework developed by the National Institute of Standards and Technology (NIST) for protecting critical infrastructure against security threats.[2] A preliminary draft of the framework was released this past October, with the final version expected to be released next month.
A key objective of the NIST framework is to encourage organizations to consider cybersecurity risk as a priority similar to financial, operational and compliance risks analyzed under the enterprise risk management framework established by The Committee of Sponsoring Organizations of the Treadway Commission (COSO).[3] Like the COSO framework, the NIST framework provides a consistent approach to identifying, assessing and managing cybersecurity risk.
The NIST framework provides a process for evaluating and prioritizing cybersecurity risks. After cybersecurity risks have been identified, those risks must be prioritized based upon the likelihood that such risks will occur and the impact likely to result from occurrence. With this information, a company can determine an acceptable level of risk to its systems. Risk tolerance indicators can be used to allocate resources to develop internal controls to manage cybersecurity risks. Cyber risk that can potentially compromise personal customer information is a risk generally not tolerated.
Elements of the NIST Framework
The NIST framework is a risk-based approach composed of three elements: (1) core, (2) profile and (3) implementation tiers.
The framework core articulates a process for managing cybersecurity risks. That risk management process embodies five functions:
- Identification – facilitate an institutional understanding of the relationship between business context, resources and cybersecurity risks to enable a focused risk management strategy.
- Protection – develop and implement appropriate safeguards to ensure delivery of critical services and other resources to support critical functions.
- Detection – develop and implement appropriate activities to identify and mount a timely response to the occurrence of a cybersecurity event.
- Response – develop and implement appropriate activities to take action regarding a detected cybersecurity event in order to contain the impact of the event.
- Recovery – develop and implement appropriate activities to restore the capabilities or critical services that were impaired through a cybersecurity event.
In addition, the core identifies underlying key categories (outcomes such as detection processes) and subcategories (high-level outcomes such as response to notifications from a detection system) for each function and matches them with informative references such as existing standards, guidelines and practices.
The framework profile is a tool that facilitates the development of an action plan that reduces cybersecurity risks in alignment with company goals, risk management priorities, legal and regulatory requirements and industry best practices. A current profile indicates the cybersecurity outcomes that are currently being achieved. A target profile indicates the outcomes needed to achieve the desired cybersecurity risk management goals. Comparing the current with the target profile can measure gaps in risk management objectives and identify opportunities for improving cybersecurity.
Finally, the framework implementation tiers describe how a company manages its cybersecurity risk. The tiers – partial, risk-informed, risk-informed and repeatable, and adaptive – describe an increasing degree of rigor in cybersecurity risk management practices and the extent to which risk management is integrated into a company’s overall risk management program. Proper tier selection depends on a host of considerations, including a company’s current risk management practices, threat environment, legal and regulatory requirements, business objectives and organizational constraints. Organizations should determine the desired tier, ensuring that the selected level meets the organizational goals, reduces cybersecurity risks and is feasible and cost-effective to implement.
Effective Data Security Compliance Programs
If the NIST framework is accepted by corporate America as a best practice for managing cybersecurity risks, it will likely gain stature and acceptance among regulators and the courts. Adopting the framework could then mitigate the liability that results from a data breach. In its most recent Regulatory and Examination Priorities Letter, the Financial Industry Regulatory Authority (FINRA) listed cybersecurity among its enforcement priorities for 2014.[4] FINRA has put the financial services industry on notice that in its examinations and targeted investigations, it will focus on the integrity of firms’ policies, procedures and controls to protect sensitive customer data.
As with the compliance standards articulated by the Federal Sentencing Guidelines, companies can use the NIST framework to audit and test their risk management practices by identifying, assessing and ameliorating cybersecurity risks well in advance of likely harmful cyber events.
[1] Corporate Board Member/FTI Consulting Survey Finds Companies Focusing on Rising Legal Risks, available here.
[2] Improving Critical Infrastructure Cybersecurity, Executive Order 13636, Preliminary Cybersecurity Framework, available here.
[3] Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management – Integrated Framework (September 2004), available here.
[4] FINRA, available here.