Lawyers take the lead when clients suffer a data breach

April 10, 2019 | Duke Law News

Magazine feature graphic, Spring 2019

At Duke Law, we believe lawyers should be leaders in the ethical development of technology and in guiding clients through the legal fallout when it goes awry. In this section, read how members of the Duke Law community are leading in an ever-evolving and interconnected world.

As a student, Elizabeth Johnson ’03 didn’t envision a legal career focused on technology. At Duke she paired her JD with a master’s in environmental management and joined the environmental practice of a large law firm after graduation. But at her first associate review, the partner suggested she pick up some extra hours working with the firm’s emerging privacy group. Her first meaty assignment was to fly to Brussels to pitch in for the EU-based team on cases involving European data protection issues, a topic she knew nothing about.

“I read a book about it on the way there,” Johnson says. “U.S. privacy law was developed but very much emerging in 2005. Europe had a comprehensive Data Protection Directive and it had been in place for many years. Here in the United States, we had HIPAA governing data protection law for health care, we had the Gramm-Leach-Bliley Act for financial services, we had a few data breach notification laws at the state level. There were very few people who could make a full-time practice of that. It existed, but it was pretty apparent that it was going to grow very quickly.”

And grow it did. Today, Johnson heads the seven-member Privacy and Data Security practice at Wyrick Robbins in Raleigh that counts both large, global corporations and small- and medium-sized businesses as clients. The team has worked to clean up legal fallout from more than 500 data breaches. “Back when I started, I was trying to sell a service, legal advice on privacy and cybersecurity, that the majority of clients hadn’t figured out they might like to buy — in fact, they didn’t even know what I was talking about a lot of the time,” she says. “It’s a lot easier to do that now.”

For her clients and for organizations in every sector of the economy, cybersecurity and information protection are now front-burner issues. The recent wave of massive data breaches — from Yahoo and Equifax to Marriott and Facebook — has only turned up the heat, as has the emergence of technologies such as biometrics and artificial intelligence that are causing the amount of personal information collected by business and government to explode. Lawyers who understand the risks of handling all this data and how to mitigate them have become highly sought after, and at least a baseline knowledge is increasingly a requirement across practice areas.

“There’s no way that any practicing lawyer will not run into this issue in some way, shape, or form during the course of their first few years in practice,” says John Reed Stark ’89, a cybersecurity and data breach response expert who is teaching a course on the topic in the spring semester. “Client data breaches are inevitable. Stopping them is like trying to stop one of my children from catching a cold at school.”

An “unworkable patchwork” of laws and regulations

For Johnson, moving from budding environmental lawyer to cybersecurity specialist was not the massive leap it might seem. Both practices are rooted in administrative law and both are governed through regulations at the state and federal levels. But they differ in the pace at which new rules are introduced, and as data breaches have proliferated lawmakers have been scrambling to keep up.

“A big part of our practice is identifying the laws that apply to the client and then helping them understand what they’re allowed to do and not allowed to do under those laws,” Johnson says. “The change is that there is just a ton more law reacting to rapidly evolving technology. It’s not unusual to find dozens of new laws that pertain to privacy or data security enacted within a year.”

Last year, for example, Alabama and South Dakota became the last two states to pass laws requiring that businesses and governments notify consumers or residents when personal information has been shared, according to the National Conference of State Legislatures. Another 31 states plus Puerto Rico and Washington, D.C., were considering measures that would amend existing security-breach laws. And California passed a sweeping new consumer privacy law, the California Consumer Privacy Act, that, among other things, will create a private right of action when personal information is affected by a data breach and the business did not have appropriate safeguards in place. It also provides significant individual rights for California consumers, like the right to opt out when a business intends to sell personal information. Several states have already introduced legislation that mirrors that law.

Outside the U.S., the European Union’s stringent new privacy standard known as the General Data Protection Regulation, or GDPR, greatly expanded the obligation of organizations that handle personal information to safeguard it when it was implemented in May. More than 100 countries around the world have a national data protection law, and there are calls for the passage of one at the federal level in the U.S.

“The lack of a U.S. federal law requires individual states to legislate and thereby creates an unworkable patchwork,” said David Hoffman ’93, associate general counsel and global privacy officer at Intel Corp., in testimony for the Senate Judiciary Committee on March 12. “This confusing approach is bad both for individuals and companies.”

Understanding the technology — and the risks

Hoffman, a senior lecturing fellow who co-teaches Information Privacy and Government Surveillance Law with Charles S. Murphy Professor of Law and Public Policy Studies Christopher Schroeder, emphasizes the need for lawyers to have a basic understanding of technology to serve their clients, whether as in-house attorneys or outside counsel.

“They need to understand how data is being used, how data is being stored, and the basics of the hardware and software that is being used to protect that data,” he says. “What we’re seeing is the evolution of longstanding legal principles to take care of new uses of technology at a scale and with global interactivity that we haven’t seen before.”

The scale can be scary: Within minutes of a new device connecting to the internet, its defenses are already being probed by potential attackers, Hoffman says, and the devices operated by large organizations like Intel can receive millions of such probes every day. In the past, their goal might have been to try to shut down computers through denial-of-service attacks, but today these probes are increasingly attempting to gain access and steal data. Many are coming from vast networks of “bots” deployed by criminal syndicates or even nation-states and are capable of grabbing the personally identifiable information of millions of individuals at once. Nearly 3.4 billion data records were compromised in the first half of 2018 alone, estimates security software maker Gemalto.

The impact of such a breach may not be immediately obvious to the organization whose network has been compromised nor to the individual whose data may have been exposed, says Sarah Bloom Raskin, former deputy U.S. treasury secretary who is now a Rubenstein Fellow at Duke University. Raskin is leading an interdisciplinary Bass Connections team of Duke students from the Law School, the Pratt School of Engineering, and Trinity College of Arts & Sciences that in the fall semester investigated the harm caused by data breaches, which can range from the theft of an individual’s identity to a decline in trust in the financial system.

“The harm manifests itself much later, and then it manifests itself in a way that you may not even be able to connect in a causal way,” she says. “Certainly courts and judges have had a hard time saying and ruling that the harm that comes eventually from the misappropriated data was a result of an initial breach.”

Indeed, courts have split on when and under what conditions a plaintiff can sue a company that has suffered a data breach. However, in January U.S. District Judge Thomas W. Thrash, Jr. of the Northern District of Georgia allowed a class action suit to go forward against Equifax alleging that the company’s 2017 data breach affecting nearly half of all Americans was the result of negligence and fraud with regard to its cybersecurity measures. “That is actually promising from a standing perspective,” Raskin says.

Leading the response

Another phenomenon Raskin’s students identified as the number of massive data breaches has mounted is “breach fatigue,” which can lead to an inertia in which consumers neglect to take necessary measures to safeguard their data. “People just don’t know what to do,” she says. “You hear that your information has been stolen and you don’t know what action to take.” The Bass Connections team hopes to relieve that pressure with a set of materials it is designing to encourage “cyber-hygiene.” A pamphlet, “Cybersecurity for America’s Families: A 10-Step Data Security Guide for the People You Love,” will be distributed through consumer protection agencies, technology groups, and other organizations. The team is also creating a website with embedded videos of people talking about the effect that breaches of their personal data have had on them and their lives.

Knowing how to react can be a challenge for the organization that has suffered a data breach, too, and lawyers are increasingly looked to for direction, says Stark, who before starting his consulting firm founded the Securities and Exchange Commission’s Office of Internet Enforcement and ran the Washington office of Stroz Friedberg, an international digital risk management firm.

The demands go far beyond what a privacy lawyer historically would be asked to do. While the initial, immediate breach response may be managed by a chief information officer or other technology leader, Stark says lawyers will inevitably take charge from there. They then typically create and lead multidisciplinary teams that manage everything from the forensic investigation and remediation to notifying law enforcement and handling regulatory inquiries.

“In every situation that I’ve ever been in, it’s the lawyer who is the quarterback of the entire incident response,” he says. “These matters have become mega-engagements for law firms. Most companies have rarely, if ever, experienced the massive fallout from a cyber-attack, and eventually realize that they are in dire need of expert legal assistance.”

Stark’s Duke Law course includes a weeks-long simulation involving a hypothetical incident at a financial institution that puts students in the position of managing every step of the company’s response. The role-playing starts with a call from the company’s chief information officer and progresses to briefings with the board of directors, law enforcement, federal and state regulators, and insurance companies — all played by actual data breach experts, including retired FBI agents, former Justice Department officials, and current officials from the SEC and the Financial Industry Regulatory Authority.

Knowing the methods that cyber-attackers use and the damage they can cause is fundamental to these interactions, Stark says. He stresses the need for lawyers to be able to question the information they are receiving from technologists — how certain is the CIO that the source of the attack was in China, for example — and then thoughtfully “modulate” the message for the other stakeholders in the process. They need to be probative and careful while still acting collaboratively, even when facing major civil or criminal liabilities. But he also encourages them to consider it an honor to lead a client through such an intense and complex process when the stakes are so high.

“When you’re in a foxhole with your clients, it’s a tremendous opportunity to become a trusted advisor,” he says. “You’re in a bet-the-company situation that mandates 24/7 attention. The way you speak with your client, the speed and manner in which you respond to questions, and how you conduct yourself under such pressure become just as important as how knowledgeable you are.”

Prevention and policy

Of course, the work should begin long before a breach. Data security specialists increasingly spend their time helping clients prepare for threats and comply with regulations designed to mitigate harm. Organizations are also reviewing their insurance policies to understand how they would treat a massive attack. And cybersecurity is now a vital aspect of due-diligence procedures, particularly after Marriott’s breach was revealed to have targeted its Starwood subsidiary before it had acquired it.

“I don’t mind having to put the time into staying on top of the issues so that we can be where the clients need us to be when they pop up and propose something pretty interesting,” says Wyrick Robbins’ Johnson. “It just keeps getting more and more complex, more technologically advanced, more that you have to think about. The types of data that regulators are defining as personal also continuously expand. Authenticating payment with your hand print, using fitness apps to track your physical activity and eating habits, shipping your DNA off for genetic testing by mail, ‘fingerprinting’ a device to track it online as a method to combat fraud, mining giant repositories of personal data for predictive health care, controlling home appliances with voice activation — there are businesses behind all these operations that face real legal challenges and risk. These opportunities and their legal implications didn’t exist when I started, and they just keep evolving. I remember the first time a client called about their interest in having a Facebook page. It feels like that was the Stone Age.”

Indeed, as the public outcry about data breaches gets louder, civil law will only get more complex. The new California privacy statute, Johnson points out, covers inferences drawn from personal information and offers individuals the right to ask for that information to be deleted. That could keep a retailer or ad tech company from creating an accurate predictive algorithm that uses order history to suggest what a consumer should buy next. The ability of criminal law to address incursions into private information is in some respects more constrained, though. Shane Stansbury, a former federal prosecutor who is now the Robinson Everett Distinguished Fellow in the Center for Law, Ethics and National Security, notes that merely investigating potentially criminal breaches can be a challenge, even where statutes are available to prosecutors.

“In some ways the information is easier to obtain because there’s more of it, in some ways it’s harder to obtain because there are more actors involved, there are more intermediaries involved,” says Stansbury, who taught an introductory cyber law and policy class in the fall. “You’re dealing with, for example, private sector victim companies that might be holding consumer data and they are the gatekeepers for releasing the information to the government. Government may have tools at its disposal to obtain that kind of information, but everything depends on the willingness of corporations to come forward and acknowledge that they’ve been breached.”

Intel’s Hoffman says organizations may one day be able to use artificial intelligence to share information about attacks as they are happening and stop them from spreading. But there is still substantial work to be done to create the legal environment in which that can happen, both in the U.S. and internationally. He advises attorneys to engage with public policy on cybersecurity and privacy issues because of how rapidly and significantly it is changing, and points out that his own team consists of an equal number of lawyers, technologists, and public policy specialists.

“You need to be tightly coupled with the folks who are deploying the technology internally, but you also need to be thinking about where the law’s headed and determining whether you want to play a role in influencing it,” he says. “For anybody who’s playing at a high level here, I think making sure that they’re integrating what’s going on in the public policy environment into their practice is really critical.”