2017 Cybersecurity Developments
October 2017 - Cybersecurity Awareness Month
2017 has already produced an extraordinary run of cybersecurity fiascos: fast-spreading, state-sponsored ransomware, breaches at global law firms, and new developments under Spokeo. And that is just the beginning. In the following article, we recap 2017’s biggest cyber-incidents and cases to date, highlight how chaotic things have become, and offer some practical tips clients can use to mitigate risk.
Equifax Breach Highlights D&Os and the Future of Cyber-Related Derivative Litigation
On September 7, 2017, Equifax, one of the three largest credit reporting agencies in the U.S., announced that it had fallen victim to a data breach that may have affected 143 million consumers. Given the sensitivity of the data stolen, including Social Security numbers, driver’s license numbers, full names, addresses, dates of birth, credit card numbers, and other personal information, the breach is already being described as one of the worst in history. Equifax discovered the intrusion on July 29, 2017; attackers had been accessing the company’s systems from mid-May through July by exploiting a vulnerability in its website software (Equifax later identified it as a flaw in the Apache Struts web application framework for which a patch had been available since March). Upon discovering the breach, Equifax engaged an outside forensics firm for assistance.
Just days after the discovery, on August 1 and 2, Equifax’s CFO John Gamble and two other senior executives collectively sold about $1.8 million in Equifax shares, according to Equifax’s SEC filings. The trades were not made under pre-scheduled trading plans, leaving Equifax exposed to an SEC investigation into whether the executives illegally traded on inside information, as well as to a derivative suit seeking to force the executives to disgorge any profits from the sales.
On September 11, 2017, a class action lawsuit was filed on behalf of shareholders against certain executive officers and directors in the Northern District of Georgia. The complaint alleges that the Equifax executives issued materially false or misleading statements or failed to disclose that “(1) the Company failed to maintain adequate measures to protect its data system; (2) the Company failed to maintain adequate monitoring systems to detect security breaches; (3) the Company failed to maintain proper security systems, controls and monitoring systems in place; and (4) as a result of the foregoing the Company’s financial statements were materially false and misleading at all relevant times.” The complaint specifically describes the trading in company shares by company executives.
Until now, investors have had a dismal track record bringing shareholder class actions and derivative suits in the wake of data breaches. Only a few public companies have faced data security-related D&O lawsuits alleging that their boards of directors made poor security decisions or failed to prevent attacks, and those prior suits, against Wyndham Worldwide, Target, Wendy’s, and Home Depot, have either been dismissed for failing to clear the initial procedural and pleading hurdles or settled.
A confluence of factors in the Equifax breach may, however, overcome those hurdles: the sharp stock drop, the suspiciously timed trading, and the size of the executives’ sell-off of company shares.
Organizations “WannaCry” Over Ransomware
On May 12, 2017, a strain of ransomware called WannaCry spread around the world, toppling hundreds of thousands of targets globally, including public utilities and Fortune 500 companies. In the UK, the ransomware temporarily crippled National Health Service hospitals and facilities, hobbling emergency rooms, halting vital medical procedures, and creating widespread chaos.
WannaCry is a ransomware worm that targets Windows systems. Once a machine is infected, the worm encrypts its files and displays a “ransom note” demanding a Bitcoin payment in exchange for a decryption key; paying does not guarantee recovery. To spread, WannaCry exploited a flaw in the Windows SMBv1 file-sharing protocol using an exploit known as EternalBlue, which was developed by the NSA and published by a group calling itself the Shadow Brokers in April 2017. Any unpatched Windows machine reachable on TCP port 445 could be infected without any user interaction, which is what let the worm move across networks so quickly. Microsoft had released the MS17-010 patch for the flaw in March 2017, two months before the outbreak, but many institutions had not applied it and were therefore vulnerable; unsupported systems such as Windows XP did not receive a fix until Microsoft issued an emergency patch during the outbreak.
On June 27, 2017, roughly six weeks after WannaCry, a second wave of ransomware that leveraged the same EternalBlue exploit (combined with credential theft and legitimate Windows administration tools to spread inside networks) hit targets worldwide, including the global law firm DLA Piper. Known variously as Petya, NotPetya, and other names, this second wave infected networks in multiple countries, including the U.S. pharmaceutical company Merck, the Danish shipping company Maersk, and the Russian oil giant Rosneft. Its initial distribution came through a compromised software update for a Ukrainian accounting package, and because its payment mechanism was unworkable, researchers widely concluded it was a destructive wiper dressed up as ransomware. Ironically, DLA Piper had issued a paper in May 2017 detailing the perils of WannaCry.
The attackers in the DLA Piper incident were reportedly demanding just $300 in Bitcoin. While the ultimate fallout remains uncertain, DLA Piper shut down its systems for several days and was rumored, in the aftermath of the attack, to be considering suing the NSA.
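Both WannaCry and NotPetya depended on the same two conditions on a Windows host: the SMBv1 server reachable on TCP port 445, and the MS17-010 update missing. The following PowerShell audit script is an added example and is not from the original article or from any of the organizations named in it. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (the Smb* cmdlets do not exist on Windows 7), and it assumes that the KB list below is the set of MS17-010 packages from Microsoft’s March 2017 bulletin; on Windows 10, later cumulative updates supersede those packages, so a “not found” result there has to be confirmed against the OS build rather than treated as proof of exposure. The script name Audit-Ms17010.ps1 and the function name are ours.

```powershell
<#
  Audit-Ms17010.ps1 (added example, not from the original article)
  Checks a Windows host for the conditions the WannaCry/NotPetya worms
  relied on: SMBv1 server enabled, TCP/445 listening, MS17-010 missing.
  Run elevated. Pass -Remediate to switch the SMBv1 server off.
  Assumption: the KB list is taken from the MS17-010 bulletin; Windows 10
  cumulative updates after March 2017 replace these KBs, so verify by
  OS build there before acting on "not found".
#>
[CmdletBinding()]
param(
    [switch]$Remediate
)

$ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # XP / Vista / 2003 / 2008 (out-of-band)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    # 1. SMBv1 server protocol: the code path EternalBlue exploits.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # 2. Is any MS17-010 package present in the installed-update list?
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $present   = @($installed | Where-Object { $ms17010Kbs -contains $_ })

    # 3. Is anything listening on TCP/445, the port the worms scanned for?
    $listen445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = [System.Environment]::OSVersion.Version.ToString()
        SMB1Enabled      = $smb1Enabled
        MS17010Package   = if ($present.Count) { $present -join ',' } else { 'not found' }
        Port445Listening = $listen445
        # All three together is the worm-exposed state (see the Windows 10 caveat above).
        Exposed          = $smb1Enabled -and $listen445 -and ($present.Count -eq 0)
    }
}

$status = Get-Ms17010Status
$status | Format-List

if ($Remediate -and $status.SMB1Enabled) {
    # Disabling the SMBv1 server removes the attack surface but does not fix
    # the bug; patching is still required. Legacy clients (old NAS devices,
    # scanners, XP hosts) will lose access, so inventory them first.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Warning 'SMBv1 disabled; reboot to unload the driver, then re-run this audit.'
}
```

Run it as `.\Audit-Ms17010.ps1` to report, and `.\Audit-Ms17010.ps1 -Remediate` to turn SMBv1 off. Treat the Exposed flag as a prompt to patch, not as the fix: the remediation branch only closes the protocol the worms used, and an inventory of which internal systems still require SMBv1 should be done before it is run fleet-wide.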
Concrete Injury Analysis Required Under Spokeo Likely to Get Clarity
In May 2016, the Supreme Court held in a 6-2 decision in Spokeo (Spokeo I) that a plaintiff must allege a concrete injury, whether tangible or intangible, and may not rely solely on a statutory violation to maintain Article III standing. Since then, lower courts have had to apply that reasoning in a wide range of privacy-related class action lawsuits, with mixed outcomes.
There is now a clear circuit split on what constitutes a cognizable harm for Article III standing post-Spokeo. To date, the Second, Fourth, and Eighth Circuits have held that the risk of payment card fraud and identity theft in the wake of a data breach is insufficient to establish standing under Spokeo. The D.C., Sixth, and Seventh Circuits have gone the other way.
In August 2017, two circuit courts addressed whether a plaintiff has Article III standing to pursue, on a class basis, a claim alleging a statutory violation of the Fair Credit Reporting Act (FCRA). The Seventh Circuit in Groshek v. Time Warner Cable, Inc. and the Ninth Circuit in its long-awaited remand decision in Robins v. Spokeo, Inc. (Spokeo II) applied similar analyses but reached different outcomes. The Seventh Circuit found the plaintiff lacked standing to pursue an FCRA claim because he alleged nothing more than a statutory violation, devoid of any concrete harm or appreciable risk of harm. The Ninth Circuit, however, held that the plaintiff had standing to pursue an FCRA statutory violation claim, finding that the FCRA provisions at issue were established by Congress to protect a concrete interest and that the violations alleged would likely harm the plaintiff’s concrete interests.
In reaching their decisions, both courts reaffirmed the principle that a plaintiff must allege more than a bare statutory violation to satisfy Article III standing. The decisions highlight two important standards: (1) a mere technical statutory violation alone is not sufficient to confer standing and (2) a concrete injury analysis requires some examination of the specific allegations in a complaint to determine if the statutory violation alleged raises a real risk of harm to interests sought to be protected by the statute.
The high court is expected to weigh in on what has become an amorphous concept open to differing interpretations. Clarity from the Supreme Court on the data breach context specifically, and on what exactly constitutes a tangible or intangible concrete harm under Spokeo, may be forthcoming, as a number of data breach cases are ripe for Supreme Court review.
One possible contender is the D.C. Circuit’s ruling in Attias v. CareFirst, where the court held that the alleged heightened risk of identity theft and medical fraud resulting from a data breach at the insurer was enough to establish standing under Spokeo. On September 6, the D.C. Circuit granted an unopposed bid to stay its decision while CareFirst appeals to the Supreme Court. Another front-runner is the Ninth Circuit case M-I LLC v. Syed. In June, M-I appealed to the high court following the Ninth Circuit’s ruling that the plaintiff had alleged a sufficiently concrete injury under the FCRA. The suit claims that the company improperly placed a liability waiver on its job application disclosure form.
From a risk management point of view, there are plenty of lessons organizations can learn from the year’s cyber incidents thus far:
- No one is immune from a cyber-attack. No matter who you are – an individual, public company, government authority, health care provider, utility, or law firm – if someone wants in, they will get in. Cyber-risk cannot be eliminated, only reduced and managed, so plan for detection and response as well as prevention. That said, the year’s two biggest incidents shared a mundane failing: both WannaCry and the Equifax intrusion exploited vulnerabilities for which patches had been available for months, so disciplined patching and an accurate asset inventory remain among the highest-return controls.
- Cyber insurance alone is not enough. DLA Piper reportedly maintained cyber coverage to offset some of its costs, but such policies are not enough on their own; many contain exclusions tied to employee training and password policies, so a claim can fail if those programs are not in place. Proper employee training is essential.
- D&O scrutiny will increase. Directors and officers who sell stock during the throes of a breach – especially before public disclosure – will have a heavy burden to overcome with regulators, investors, and the public, even where the timing is claimed to be purely coincidental.
- Focus on the timing of breach disclosure. The timing of cyber intrusion disclosure will continue to be scrutinized. State and federal regulators consistently agree that a delay in reporting a breach beyond 30 days raises a red flag. Although not a hard rule, 30 days appears to be the threshold that regulators and courts treat as significant in investigations and litigation.
Hampden Kuhns v. Equifax, et al., Case No. 1:17-mi-99999-UNA (N.D. Ga. 2017).
136 S. Ct. 1540 (2016).
15 U.S.C. § 1681 et seq.
No. 16-3355, 2017 U.S. App. LEXIS 13953 (7th Cir. Aug. 1, 2017).
No. 11-56843, 2017 U.S. App. LEXIS 15211 (9th Cir. Aug. 16, 2017).
See id. at n.4.
See id. at n.5.
2016 U.S. Dist. LEXIS 105480 (D.D.C. Sept. 6, 2016).
Case No. 16-1524 (U.S. 2017).