Overstate Your Cybersecurity at Your Peril – Lessons from the Equifax Data Breach

Looking back with the perspective of two years, the Equifax data breach still has many lessons to teach us. Unfortunately, some of the most important lessons are masked by the extremes of the errors that characterized the original breach, which include insider trading by top executives after the breach was discovered but before it was disclosed. That, combined with the length of time the company withheld news of the breach, and the irony that its entire business model is built on security, may lure some observers into believing that the incident is unique, and they could never screw things up as magnificently.

That would, however, be a mistake.

As litigation over the breach continues, there are some takeaways that might not be as obvious, but which are important to all companies. As courts and regulatory agencies struggle with how to respond to such breaches, punish companies that disregard regulations and look to compensate victims, it becomes increasingly clear that securities compliance is more important than ever. For public companies, data breaches are doubly dangerous.

First, a key lesson from Equifax is that words matter.

Earlier this year, a federal judge upheld most of the plaintiffs’ claims in a securities class action against Equifax (note, these are claims brought by shareholders, not those whose data was breached, though of course those subsets likely overlap), in part because statements on the company’s website, in SEC filings and during investor conferences stated it employed “strong data security.” Plaintiffs allege that the statements misled investors regarding “the strength of Equifax’s cybersecurity systems, its compliance with data protection laws, and the integrity of its internal controls.”

All companies, and especially those in the security business or whose business model is based on gathering, storing and processing information, can be tempted to tout their defenses as “the best,” “state of the art,” “industry-leading,” etc. More to the point, a marketing department is bound to use that kind of language. That language, however, is the basis for shareholder lawsuits, FTC enforcement actions and other problems. Here are three steps to take to ensure your cybersecurity statements aren’t what compound your misery after a breach:

  1. Don’t Let the Marketing Department Have the Final Say: Most companies are very diligent in having attorneys review official investor statements, and of course sign off on SEC filings. But is every public-facing communication vetted? Increasingly, it should be. Even seemingly well-meaning statements, such as “we take your security very seriously” in a robo-response email, can become problematic when missteps are uncovered.
  2. Audits Need to Include All Statements and Copy, Not Just Practices: If this hasn’t been a corporate practice, make it one now. A cybersecurity audit should review all statements, of any kind, regarding security. This needs to go to the granular level, such as the copy on trade show banners and tchotchke giveaways, which almost certainly have not been previously vetted, and where it may be tempting to “have more fun” with the message. Puffery and humor will cost you considerably.
  3. Educate the Board About What This Really Means for Them: Equifax may be a “first of its kind” litigation, but it is unlikely to be the last. Use this opportunity to educate your corporate board that this threat is real, and courts and regulators are not likely to forgive overly optimistic statements. You may not be able to avoid a breach, but you can avoid some of the aftershocks that complicate matters. This is the perfect example of how strong cybersecurity is often not about firewalls, but about common sense, day-to-day practices. Take the time to evaluate the current landscape and respond accordingly.

It’s hard to stay ahead of hackers. Security is often a patch-game of catch-up. But you can stay a step ahead of your colleagues. For public companies, statements of any kind that relate to cybersecurity merit the same scrutiny as your spam filter or firewall. Private companies with even remote hopes of going public should also employ these practices. Ingrain them now, or pay later.


Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.