Counsel's Capacity To Control Cybersecurity Costs

As the average cost of a data breach in the United States approaches $7 million,1 companies must prepare to mitigate such an incident or close their doors. Appropriate legal and technical preparation can help to reduce the adverse consequences of an attack. Currently, depending on the nature of a company's business and the information it collects, a myriad of laws and regulations may apply. Failure to take appropriate steps to come into compliance subjects a business to enforcement actions by agencies, lawsuits from affected consumers and fines under various state regulations.

Compliance with the number and complexity of federal and state cybersecurity laws and regulations is no simple task. An essential part of a cybersecurity program is a written information security plan (WISP),2 which sets forth the company's methodologies in identifying, protecting, detecting and responding to incidents and creates a network of relationships with experts to contact in the event of a suspected breach. WISPs, which have been used by various government agencies over the past several years in developing security procedures, are now being used by many companies.

A WISP not only allows a company to identify and address potential compliance issues, but also incorporates legal principles to mitigate damages in the event of an incident. A WISP also provides guidance and procedures to each department on how it should handle information. A WISP provides a structure to manage a company's compliance and respond to incidents.

Authority to Regulate

It is not clear what authority various administrative agencies have to regulate cybersecurity under existing laws. We do know, however, that where an agency has statutory authority to regulate, courts usually will accept the agency's reasonable interpretation of the extent of that authority.

For example, under section 5(a) of the Federal Trade Commission Act (FTCA), the Federal Trade Commission (FTC) may sue any business subject to its jurisdiction for engaging in "acts or practices in or affecting commerce" that are "unfair" or "deceptive." 15 U.S.C. §45(a)(1) (2006). In FTC v. Wyndham Worldwide Corp., 10 F.Supp.3d 602 (D.N.J. 2014), the FTC alleged that a private company that manages hotels and time shares violated the FTCA by failing to take appropriate security measures to protect the sensitive personal consumer data it collected and maintained.

The FTC is not the only federal agency to assert jurisdiction to regulate cybersecurity practices. The SEC, Office of the Comptroller of the Currency (OCC) and Federal Communications Commission have all implemented regulations requiring companies to adopt policies and procedures that address administrative, technical and physical safeguards. Several agencies have gone even further, implementing industry-specific regulations.

The SEC announced that companies should disclose in their registration statements (pursuant to the Securities Act of 1933) and in their periodic reports (pursuant to the Securities Exchange Act of 1934) cyber risks and incidents which may affect the value of a security.3 The OCC requires the implementation of a comprehensive written information security program for national banks and federal savings associations. For these and other regulations, the agency responsible for enforcement has provided little guidance as to what would constitute legally compliant security standards.

As the law develops, WISPs may become an industry best practice. Some states have already implemented statutes that require companies to...
