Editors Note: In that the Administration is on the verge of implementing a comprehensive cyber security regulatory program, SEC registrants who are interested in participating in CRE’s proactive cyber regulatory risk reduction program should contact Jim Tozzi, 202.265.2383
Opinion: Corporate America Is Ignoring the Cybercrime Alarm
Craig A. Newman and Daniel L. Stein|Partners, Richards Kibbe and Orbe LLP
CNBC Guest Blog
From the captain of the Titanic, to the captains of industry in more recent times, history is littered with examples of leaders who court disaster because they fail to confront obvious risks.
As the recent attacks on six U.S. banks demonstrated, there is no more obvious threat to corporate America today than cybercrime And while corporations and their boards are beginning to come to grips with the business and financial repercussions of a cyber attack, they are largely ignoring the mounting legal hazards.
(Read More: Attacks on 6 Banks Frustrate Customers)
Cybercrime is becoming increasingly commonplace and insidious and yet, time and time again, corporate America appears ill-prepared. The recent barrage of bank attacks, which reportedly originated in the Middle East, led to widespread consumer confusion and hand-wringing that went as far as the White House. The attacks demonstrate that even the most sophisticated websites remain highly vulnerable, and that companies continue to struggle mightily with how to deal with the aftermath of cybercrime. Similar scenarios of concern and confusion have played out after other large corporations, including Apple , Sony and LinkedIn , were victimized by hackers, denial of service attacks, and other digital intrusions.
Recognizing the tremendous danger facing corporate America, federal officials are sounding the alarm. Last fall, the U.S. Securities and Exchange Commissionissued guidance for corporations in assessing when cyber security matters should be disclosed as a risk factor disclosure in their public filings. Meanwhile, the Manhattan U.S. Attorney has taken to the airwaves, exhorting corporations to heed the risks of cybercrime – calling it one of the most significant risks confronting corporate America – and urging cooperation with law enforcement when an attack happens.
(Read More: Theft of Trade Secrets Worsening in China)
But what corporate America doesn’t realize is that the legal ramifications of cybercrime go beyond the need to cooperate with law enforcement. Aside from the obvious business and financial risks of an attack, the potential legal liability for companies, their corporate executive and board is staggering.
With cyber attacks on the rise, prosecutors, regulators, and the plaintiffs’ bar are all gearing up to hold corporations responsible for the inevitable losses caused by cybercriminals. And, with more confidential information, including trade secrets and other competitively sensitive material, flowing through the Internet to corporate servers and even to the cloud, the risks for corporate America increase each day. In fact, for every reported cyber attack, experts estimate that there are an additional 100 attacks that are never even detected.
(Read More: Cyberattacks on the Rise: Report)
What some corporate executives and their boards may not fully understand is that a cyber attack will put them in the crosshairs of potentially devastating legal challenges. Even more unsettling is the large number of scenarios in which a corporation is vulnerable to such risks, and the range of individuals and businesses that may be entitled to take legal action.
In the case of isolated small-scale hacking incidents, few prosecutors and plaintiffs attorneys will bother with lengthy litigation against the hackers themselves, who will more than likely remain hidden overseas in relative obscurity. But the same cannot be said for a Fortune 500 company that fails to guard against a data breach and places its own intellectual property or confidential customer information at risk. While the company may view itself as a victim, its customers, investors and business partners may see it as a relatively culpable, and deep-pocketed, legal target.
The company itself could be just one of many litigation bull’s eyes. Should a corporation suffer a material loss in value because of a cyber attack, investors will go after its officers and directors as well. Given the government warnings, corporate officers and directors who fail to take adequate precautions, such as the implementation of a comprehensive digital governance and security plan, will be hard-pressed to show they acted in accordance with best practices and fiduciary obligations.
(Read More: White House Targeted in Cyber Attack)
A serious cyber attack presents regulatory litigation risks as well. In highly regulated industries, such as pharmaceuticals or financial services, authorities will likely show little patience for companies that fail to address the risks posed by cybercrime and ultimately suffer attacks that cause harm to consumers. Given the ongoing public campaign of the Manhattan U.S. Attorney to encourage corporate America to disclose cybercrime and cooperate with the authorities, it does not take much imagination to picture a flurry of subpoenas in the wake of the next big corporate cyber attack.
While there is no silver bullet for eliminating liability risks, corporate leaders should be proactive and consider a range of actions – from forming special board committees to address cybercrime and data security, to requiring periodic reports from the company’s technology officers, to developing actionable contingency plans if a disaster strikes. Cyber security should be treated no different than any other serious business or competitive risk. Business leaders who take decisive action to proactively guard against cybercrime will be in a far better position to not only protect their brand and franchise, but also to deflect the inevitable litigation fallout.
Craig A. Newman and Daniel L. Stein are litigation partners at Richards Kibbe & Orbe LLP, the New York-based law firm. Mr. Stein is a former Federal prosecutor.