Taking Control of Cybersecurity: A Practical Guide for Officers and Directors

Foley and Lardner LLP

Major cybersecurity attacks of increased sophistication — and calculated to maximize the reputational and financial damage caused to the corporate targets — are now commonplace. These attacks have catapulted cybersecurity to a top priority for senior executives and board members.

To help these decision makers get their arms around cybersecurity issues, Foley Partners Chanley T. Howell, Michael R. Overly, and James R. Kalyvas have published a comprehensive white paper entitled: Taking Control of Cybersecurity — A Practical Guide for Officers and Directors.

The white paper describes very practical steps that officers and directors should ensure are in place or will be in place in their organizations to prevent or respond to data security attacks, and to mitigate the resulting legal and reputational risks from a cyber-attack. The authors provide a blueprint for managing information security and complying with the evolving standard of care. Checklists for each key element of cybersecurity compliance and a successful risk management program are included.

Excerpt From Taking Control of Cybersecurity: A Practical Guide for Officers and Directors

Sony, Target, Westinghouse, Home Depot, U.S. Steel, Neiman Marcus, and the National Security Agency (NSA). The security breaches suffered by these and many other organizations, including most recently the consolidated attacks on banks around the world, combined with an 80 percent increase in attacks in just the last 12 months, have catapulted cybersecurity to the top of the list of priorities and responsibilities for senior executives and board members.

The devastating effects that a security breach can have on an enterprise, coupled with the bright global spotlight on the issue, have forever removed responsibility for data security from the sole province of the IT department and CIO. While most in leadership positions today recognize the elevated importance of data security risks in their organization, few understand what action should be taken to address these risks. This white paper explains and demystifies cybersecurity for senior management and directors by identifying the steps enterprises must take to address, mitigate, and respond to the risks associated with data security.

Officers and Directors are Under a Legal Obligation to Involve Themselves in Information Security

The corporate laws of every state impose fiduciary obligations on all officers and directors. Courts will not second-guess decisions by officers and directors made in good faith with reasonable care and inquiry. To fulfill that obligation, officers and directors must assume an active role in establishing correct governance, management, and culture for addressing security in their organizations.

Download This White Paper


Consent Isn’t the Only Consideration: NY Comic Con Attendees Disagree that Hijacking Twitter Accounts Makes the Event “100x cooler! For realz.”


The comic book industry is no stranger to displays of heroic anger and berserker rage, but over the weekend New York Comic Con (NYCC) was on the receiving end of considerable fan fury after it began ghostwriting effusive tweets about NYCC and posting on the Twitter pages of NYCC attendees in a way that made it appear as though the attendee was the author of the tweet.

During the event registration process, NYCC attendees were given the option of linking RFID badges to their Twitter account through the event’s mobile application interface.  During the application registration process, attendees were asked to authorize NYCC to access their Twitter accounts.  At this point, attendees arguably consented to having NYCC impersonate the attendee when posting about NYCC on the attendee’s Twitter feed.

The NYCC website page explaining the ID badge technology and the site’s registration page did not mention that NYCC would be posting to attendee Twitter pages on the attendee’s behalf.  Rather, the registration process is explained as a method for giving the attendee access to enhanced social media content, while helping NYCC protect against fraudulent credentials.  The activation terms provided that NYCC could use the information collected through the badge “for internal purposes” and to contact the user about future events.  After a user registered his or her badge and elected to link a Twitter account, the user was presented with an opt-in notice (a screenshot of which can be seenhere), specifying that following authorization, the application would be able to, among other things, “post Tweets for you”.  This type of warning is not uncommon.  For example, any website that allows users to click to share news articles or stories on their Twitter pages requires this type of access.

In spite of the opt-in warning, the wide-spread surprise among attendees suggests that the opt-in language did not draw a clear distinction between posting tweets for a user and posting tweets as a user.  Moreover, the failure to mention this practice when explaining the registration process could have led attendees to conclude that even if they were agreeing to provide this type of access, NYCC would not be taking the unusual step of pretending to be the attendee when it published tweets on the user’s page.

NYCC’s initial response was a brief tweet telling attendees not to “fret” over the ghostwritten posts and informing attendees that the “opt-in feature” had been disabled.  However, after anger continued to spread, NYCC issued a longer statement apologizing for any “perceived overstep.”

This type of disconnect between online service providers and users is becoming increasingly common as advances in technology permit mobile device and social media data to be accessed and used in new ways.  Earlier this year, for example, Jay-Z and Samsung stepped into a public relations debacle when the “JAY Z Magna Carta” mobile application required that the user, in exchange for receiving a free music download, authorize the application to have extensive access to phone data and social media accounts. The response from NYCC attendees also underscores the lesson learned by Googleearlier this month, that consent provided by users who do not fully understand what they are consenting to may not be consent at all.

As your online business finds new and innovative ways to deliver products and services to your users, it is important to take a step back and consider whether additional communications in different formats, such as just-in-time notifications, are necessary to ensure that the only surprise your customers have is how great your products and services are.   Or, to put it another way, “with great power comes great responsibility.”

Article By:


Cyber Security Summit – October 22-23, 2013

The National Law Review is pleased to bring you information about the upcoming Cyber Security Summit.

cyber security



Cyber Security Summit – October 22-23, 2013

The National Law Review is pleased to bring you information about the upcoming Cyber Security Summit.

cyber security



Doing Business In Latin America: Does Your Local Supplier Have Best Practices In Place So That Your Company Can Avoid Liability Under The Foreign Corrupt Practices Act (FCPA)?

Sheppard Mullin 2012

Imagine yourself the CEO of a successful multinational company. In the past few years, you have overseen ACME’s expansion into Latin America – a market whose demographic profile holds the promise of mouthwatering profits for your company, particularly with the upcoming holiday season. As they say, la vida es buena!

In planning for the Latin America expansion, you knew about the rules and prohibitions of the Foreign Corrupt Practices Act (“FCPA”) and implemented measures to ensure your employees do not run afoul of the law. However, you may not have known that the company can incur FCPA liability for payments made by third parties, such as such as suppliers, logistics providers, and sales agents, with whom your company works. In fact, a company can be held liable if it knows or should know that a third-party intends to make a corrupt payment on behalf of or for the benefit of the company. Because a company can be responsible for conduct of which it should have known, a conscious disregard or deliberate ignorance of the facts will not establish a defense.

To protect your company from third party liability, it is essential to perform due diligence on potential business partners. This is not to say that you cannot consider the recommendations of local employees in selecting business partners. Relying on those recommendations alone, however, could expose the company to FCPA liability if that company does not conduct itself with the same level of integrity that you do. The amount of diligence necessary varies from one potential business partner to the next and can include an anti-corruption questionnaire, document review, reference interviews, or local media review, among other things.

That’s all well and good, but what about companies with whom you are already doing business and whom you now realize you may not have adequately investigated? Asking to review those companies’ FCPA compliance policies is a good first step. If you determine that a policy is inadequate, you may ask the company to provide FCPA training to its employees. You should also carefully monitor the company’s contract performance to ensure compliance. In particular, you should consider evidence of unusual payment patterns, extraordinary “commissions,” or a lack of transparency. The key question is: how is the company spending your money?

When in doubt, experienced legal counsel can assist you in navigating these and other FCPA issues. For example, Sheppard Mullin offers Spanish language training on the provisions of the FCPA and advice for successfully implementing internal safeguards and controls to protect against FCPA liability.

With a solid FCPA plan in place, your thoughts wander back to the upcoming holiday season and your company’s projected profits for the new Latin America division and you smile to yourself. La vida es buena.


In Largest Known Data Breach Conspiracy, Five Suspects Indicted in New Jersey


On July 25, 2013, the United States Attorney for the District of New Jersey announced indictments against five men alleging their participation in a global hacking and data breach scheme in which more than 160 million American and foreign credit card numbers were stolen from corporate victims, including retailers, financial institutions, payment processing firms, an airline, and NASDAQ.  The scheme is the largest of its kind ever prosecuted in the United States.

The Second Superseding Indictment alleges the defendants (four Russian nationals and one Ukrainian national) and other uncharged co-conspirators targeted corporate victims’ networks using “SQL [Structured Query Language] Injection Attacks,” meaning the hackers identified vulnerabilities in their victims’ databases and exploited those weaknesses to penetrate the networks.  Once the defendants had access to the networks, they used malware to create “back doors” to allow them continued access, and used their access to install “sniffers,” programs designed to identify, gather and steal data.

Once the defendants obtained the credit card information, they allegedly sold it to resellers all over the world, who in turn sold the information through online forums or directly to individuals and organizations.  The ultimate purchasers encoded the stolen information on blank cards and used those cards to make purchases or withdraw cash from ATMs.

The defendants allegedly used a number of methods to evade detection.  They used web-hosting services provided by one of the defendants, who unlike traditional internet service providers, did not keep records of users’ activities or share information with law enforcement.  The defendants also communicated through private and encrypted communication channels and tried to meet in person.  They also changed the settings on the victims’ networks in order to disable security mechanisms and used malware to circumvent security software.

Four of the defendants are charged with unauthorized access to computers (18 U.S.C. §§ 1030(a)(2)(C) and (c)(2)(B)(i)) and wire fraud (18 U.S.C. § 1343).  All of the defendants are charged with conspiracy to commit these crimes.

Two of the defendants have been arrested, with one in federal custody and the other awaiting an extradition hearing.  The other three defendants, two of whom have been charged in connection with hacking schemes, remain at large.

This conspiracy is noteworthy for its massive scale, and for the patience the hackers demonstrated in siphoning data from the networks.  The U.S. Attorney “conservatively” estimates more than 160 million credit card numbers were compromised in the attacks, and alleges that the hackers had access to many victims’ computer networks for more than a year.  Many prominent retailers were targets, including convenience store giant 7-Eleven, Inc.; multi-national French retailer Carrefour, S.A.; American department store chain JCPenney, Inc.; New England supermarket chain Hannaford Brothers Co.; and apparel retailer Wet Seal, Inc.  Payment processors were also heavily targeted, including one of the world’s largest credit card processing companies, Heartland Payment Systems, Inc., as well as European payment processor Commidea Ltd.; Euronet, Global Payment Systems and Ingenicard US, Inc. The hackers also targeted financial institutions such as Dexia Bank of Belgium, “Bank A” of the United Arab Emirates; the NASDAQ electronic securities exchange; and JetBlue Airways.  Damages are difficult to estimate with precision, but they total several hundred million dollars at least.  Just three of the corporate victims suffered losses totaling more than $300 million.

Article By:


Survey Says: Fortune 500 Disclosing Cyber Risks

Mintz Logo

Ever since our 2013 prediction, an ever increasing number of public companies are adding disclosure related to cybersecurity and data breach risks to their public filings.  We previously analyzed how the nation’s largest banks have begun disclosing their cybersecurity risks.   Now, it appears that the rest of the Fortune 500 companies are catching on and including some level of disclosure of their cyber risks in response to the 2011 SEC Guidance.

The recently published Willis Fortune 500 Cyber Disclosure Report, 2013 (the “Report”), analyzes cybersecurity disclosure by Fortune 500 public companies.  The Report found that as of April 2013, 85% of Fortune 500 companies are following the SEC guidance and are providing some level of disclosure regarding cyber exposures.  Interestingly though, only 36% of Fortune 500 companies disclosed that such risk was “material”, “serious” or used a similar term, and only 2% of the companies used a stronger term, such as “critical”.

Following the SEC’s recommendation in its guidance, 95% of the disclosing companies mentionedspecific cyber risks that they face.  The top three cyber risks identified by those companies that disclosed cyber risks were:

1)      Loss or theft of confidential information (65%).

2)      Loss of reputation (50%).

3)      Direct loss from malicious acts (hackers, viruses, etc.) (48%).

Surprisingly, 15% of Fortune 500 companies indicated that they did not have the resources to protect themselves against critical attacks and only 52% refer to technical solutions that they have in place to defend against cyber risks.

The Report notes that despite the large number of Fortune 500 companies that acknowledge cyber risks in their disclosure, only 6% mentioned that they purchase insurance to cover cyber risks.  This number runs contrary to a survey published by the Chubb Group of Insurance Companies in which Chubb indicates that about 36% of public companies purchase cyber risk insurance.  For whatever reason, it appears that many of the Fortune 500 companies are simply not disclosing that they purchase cyber risk insurance as a means of protecting against cyber risk.

Almost two years after its issuance, the Report findings indicate that the 2011 SEC Guidance is in full swing and making its way into reality.  As more large companies disclose cyber risks in their public filings, this will continue to trickle down to the smaller companies that rely on those filings for precedent and guidance.  The Report provides a clear snapshot of where things stand in cyber risk disclosure by Fortune 500 public companies.  The scope of the Report is expected to expand to include Fortune 1000 companies, and it will be interesting to see how this data changes, if at all, when comprised of a larger pool of public companies.

Stay tuned!

Article By: