On Friday, May 29, 2020, Davis Polk’s own Rob Cohen led a panel on cybersecurity law and enforcement issues for the Practising Law Institute’s (“PLI”) tenth annual program on enforcement. The panel included individuals from the FBI, U.S. Attorney’s Office for the Southern District of New York, New York Attorney General, SEC, FTC, and New York Department of Financial Services.

Three key cybersecurity enforcement themes emerged from the panel, discussed in more detail below.

  • COVID-19 has not stopped investigations but regulators have been flexible.
  • Compliance with evolving federal and state disclosure requirements is paramount.
  • With cybersecurity risks increasing, reasonable cybersecurity controls and cooperation with regulators can reduce enforcement risk.

For related regulatory insights, check out our post on the recent 2020 Incident Response Forum available here.

COVID-19: Investigations Continue, with Flexibility

Panelists universally reported that their agencies are continuing to conduct cybersecurity investigations despite COVID-19 forcing some changes to their practices.

Rich Jacobs, assistant special agent-in-charge of the Cyber Branch in the FBI’s New York office, stated that the Bureau is now relying more on field offices and legal attachés to conduct investigatory work and has begun conducting more low-risk interviews by phone. But he noted that the Bureau still conducts high-risk interviews in person. Timothy Howard, Co-Chief of the Complex Frauds and Cybercrime Unit at the United States Attorney’s Office for the Southern District of New York, noted that, like the FBI, his office determines the interview form (phone, video, live) based on the level of risk posted by the interviewee and how confrontational the agency has to be.

Panelists acknowledged that they are sensitive to the challenges of these new interview formats. For example, Kristina Littman, Chief of the Division of Enforcement’s Cyber Unit at the SEC, said that her agency will work with businesses that need time to prepare for video testimony and depositions, understanding that some businesses need to implement new systems to meet these requests.

Disclosure Compliance Remains Paramount to Regulators

Panelists also discussed the continuing importance of satisfying regulatory disclosure requirements and not unreasonably delaying disclosure.

Clark Russell, Deputy Bureau Chief of the Bureau of Internet and Technology at the New York State Attorney General’s Office, noted that data breach notification laws have expanded over the last decade, including New York’s SHIELD Act, the notice provisions of which went into effect in fall 2019. Mr. Russell explained that New York specifically expanded the definition of a “breach” (as compared to other states) to include cases of “access” or “acquisition” of personal information, noting that it can often be difficult to prove unauthorized acquisition. Mr. Clark expressed hope that consumers would get notice under the SHIELD Act even if there is some ambiguity about the actions of a threat actor.

For further discussion of the New York SHIELD Act, check out our previous post here.

Similarly, Justin Herring, New York Department of Financial Services, Executive Deputy Superintendent, Cybersecurity Division, noted that businesses often think they should wait to conclude their own investigations before reporting to DFS. Mr. Herring said that businesses do not have to wait until they have certainty regarding a breach; rather, as long as there is evidence and an investigation is ongoing, businesses should report breaches to DFS.

For more on the DFS reporting requirements, check out our previous post here.

Federal regulator panelists also emphasized the importance of cybersecurity disclosures. Ms. Littman explained that SEC regulations require issuers to disclose material risks and material cyber incidents in public filings. She said that materiality will need to be assessed on a case-by-case basis. In addition, Ms. Littman explained that certain regulated entities, such as stock and option exchanges subject to Regulation SCI, must disclose cybersecurity incidents, and the SEC has filed several cases against regulated entities for failure to file Suspicious Activity Reports (SARs), although those cases have not involved cyber-related SARs. Separately, FinCEN has directed financial institutions filing SARs to disclose relevant cybercrime details, including malware file names or other indicators of compromise. Ms. Littman said that the SEC’s Office of Compliance Inspections and Examinations reiterated the importance of SARs disclosures in its January 2020 Cybersecurity and Resiliency Observations.

Cathlin Tully, staff attorney in the FTC’s Division of Privacy and Identity Protection in the Bureau of Consumer Protection, also explained that while the FTC does not enforce any universal data breach notification requirement, it often incorporates these requirements into its consent orders with businesses that violate the FTC Act by engaging in unfair and deceptive business practices, including deceptive representations to consumers about its data security or privacy practices. Ms. Tully added that the FTC has added specificity to its orders concerning data security.

Controls and Cooperation: Reducing Enforcement Risk Against Increasing Threats

The panel noted that businesses have been increasingly targeted by cyber threats, particularly since the onset of the COVID-19 pandemic. Mr. Jacobs noted an increase in COVID-related fraud and ransomware attacks including against healthcare, manufacturing, and retail sectors. Mr. Jacobs also pointed out a rise in malicious email activity, including attachments with malicious code and business email compromises targeting web-based mail and telecommunications service.

For further discussion of business email compromise attacks, check out our previous post here.

The panelists agreed that businesses are victims of data breaches but emphasized their obligations to protect sensitive information under state and federal laws. While they agreed that not every data breach should, or does, result in an enforcement action, they noted several steps businesses can take to reduce the risk of enforcement.

For example, Messrs. Howard and Jacobs encouraged businesses to contact law enforcement agencies in response to an attack. Mr. Howard noted that law enforcement may be able to identify the attacker and work with the domestic and international agencies to designate and disrupt bad actors and raise the cost of cybercrime. Moreover, Mr. Howard cautioned businesses against taking their own actions against attackers, as such actions may run afoul of the Computer Fraud and Abuse Act or international law and may also create “noise” that interferes with law enforcement investigations.

It is worth noting that data breach notification requirements, including New York General Business Law § 899-aa(2), encourage law enforcement contact by permitting notification delay consistent with the needs of law enforcement. In addition, DOJ’s Cybersecurity Unit recently issued guidance in February 2020 on gathering online cyber threat intel.

For further discussion of timely information sharing with the FBI, check out our previous post here.

The panelists also emphasized the need for businesses to implement reasonable cybersecurity controls to reduce enforcement risk. Mr. Herring, who joined DFS in 2019 after being a supervisor at the U.S. Attorney’s Office for the District of New Jersey, said that under 23 NYCRR 500, DFS has required regulated entities (since August 2017) to build a “risk-based” program tailored to the needs of businesses’ systems and industry beginning with a risk assessment. Mr. Herring emphasized the importance of ensuring basic cyber hygiene, including administrative access management, patch management, and multi-factor authentication. He noted that the lack of multi-factor authentication is the most common control failure that he sees in notifications to DFS and is a current enforcement priority.

Similarly, Ms. Tully explained that, while the FTC does not bring enforcement actions solely on the basis of a data breach, the agency will investigate consumer harm caused by a lack of reasonable security safeguards. Where it discovers a lack of reasonable safeguards, the FTC may mandate risk assessments and safeguard development through a consent order.

The FTC’s consent order requirements frequently mirror the risk-based requirements in the DFS regulations and other state laws, such as Massachusetts’s 201 CMR 17.00.

Echoing Mr. Herring and Ms. Tully’s focus on reasonableness, Ms. Littman acknowledged that during a breach investigation, things are moving very quickly and people may be under a lot of stress. Businesses should be aware that SEC regulations do not require perfect cybersecurity controls, just good-faith reasonable decisions. For example, Ms. Littman noted the SEC’s 21(a) report on business email compromise, which reinforced the importance of effective internal accounting controls. Likewise, Mr. Russell said that the NYAG wants to learn what happened in a breach and how consumers will be protected; an NYAG investigation does not mean the office will file a lawsuit.

Parting Thoughts: Areas of Focus

The panel concluded with one cybersecurity compliance recommendation from each speaker.

  • Howard suggested businesses focus on multi-factor authentication.
  • Jacobs recommended businesses train employees on email use.
  • Littman raised the issue of ensuring cybersecurity controls are being implemented properly across organizations, including at independent contractors and branch offices.
  • Herring highlighted the importance of tone from the top of businesses in order to promote buy-in throughout the company.
  • Tully pointed to the Open Web Application Security Project’s top ten list of threats.
  • Russell advised businesses to conduct regular simulated phishing campaigns to educate their employees on the dangers of phishing emails.

Panelists

The full slate of government panelists are listed below, and you can find their bios here.

  • Justin Herring (NYDFS, Executive Deputy Superintendent, Cybersecurity Division)
  • Timothy Howard (USAO for SDNY, Co-Chief, Complex Frauds and Cybercrime Unit)
  • Rich Jacobs (FBI New York Office, Assistant Special Agent-in-Charge, Cyber Branch)
  • Kristina Littman (SEC, Chief, Cyber Unit, Division of Enforcement)
  • Clark Russell (New York State Attorney General’s Office, Deputy Bureau Chief, Bureau of Internet and Technology)
  • Cathlin Tully (FTC, Staff Attorney, Division of Privacy and Identity Protection in the Bureau of Consumer Protection)

The author gratefully acknowledges the assistance of law clerk Catherine Martinez in preparing this entry.