Syllabus: Legal Issues of Cybersecurity and Data Breach Response


Duke University Law School

Law 550 "Legal Issues of Cybersecurity and Data Breach Response"

Fall 2021: 2:00 - 3:50 PM

This two-credit "experiential" course will provide an advanced look into the dynamic and rapidly evolving legal field of cybersecurity and data breach response. The course will focus on the workflow during the aftermath of any sort of data security incident, a rapidly growing legal practice area, where legal professionals have emerged as critical leaders and decision-makers.

Every class will begin with a 15-20 minute discussion of current events. The course will be broken up into two parts.

The first part of the course will cover the foundation of the legal aspects of data breach response, in the form of traditional lectures and discussion. The second part of the course will involve a fictional fact pattern/simulation of a data security incident at a financial firm, which also involves the theft of credit card data. Each class session will address a specific “legal workstream,” with student teams conducting various tasks and with “real-life” outside data breach response experts playing the roles of each relevant fiduciary and constituency. The tasks will include: intake; board briefing; law enforcement liaison; federal/state regulatory interface; insurance company updates; and vendor/third party/employee briefings.

Course materials are all available online and free of charge. Students will be graded as follows: 30% of grade (Paper); 50% of grade (Simulation Exercise); and 20% of grade (Participation).

Part One: Preparation

We will discuss a range of the most important and timely cybersecurity/ data breach response legal topics, including discussions of:

  • Why legal professionals involved in an incident response must serve as the quarterback of all workflow and how to handle this important responsibility;
  • The legal and compliance aftermath of a data breach, including governmental investigations and litigation, as well as the almost endless list of potential civil liabilities (including class actions) after a data security incident;
  • In plain English, the kinds of artifacts, remnants and fragments available in the aftermath of a data breach, and how, armed with the information gathered during forensic analysis, legal professionals can manage efforts to detect further attempts by the attacker to regain access and move toward containment of the attack;
  • The broad range of state and federal regulatory issues, tactics and strategies encountered during an incident response, especially managing the regulatory interface and law enforcement liaison;
  • Two highly-specialized areas of incident response: (1) retail companies; and (2) financial institutions (areas where the privacy issues involved create certain unique legal responsibilities and can trigger distinctive legal liabilities);
  • What legal professionals need to know about the various tools and technical solutions used during an incident response, and why lawyers should (and can) participate in selecting those tools and technical solutions;
  • The kinds of cyber concerns/responsibilities for boards of directors – mandating additional attention, expertise and oversight;
  • Important and thoughtful preemptive measures companies should take to meet their cyber-related legal obligations and to help prepare themselves to respond, including preemptive steps that legal professionals should implement not only to ensure adequate preparation for the latest types of data breaches, but also to ensure adequate compliance amid increasing regulatory scrutiny;
  • Handling the litany of complex cyber-insurance issues arising after a data security incident and current issues in the cyber-insurance market; and
  • Protecting the attorney-client privilege as it applies to the work product from digital forensic investigators and other consultants responding to a data breach.

Part Two: Simulation

The ABA Standards for Approval of Law Schools now require that law students take at least six credits in “experiential courses.” ABA Standard 303(a)(3). These standards also define three different kinds of courses that satisfy this requirement: (I) “law clinics”; (II) “externships” or “field placements”; and (III) “simulations.” This class fits into the category of a “simulation.”

Virtually every aspect of a data security incident response is rife with delicate and complex legal issues. The issues go well beyond the post-event legal consequences, such as regulatory notifications, requests and investigations; law enforcement interactions; vendor disputes and lawsuits; and potential consumer class actions. The expectation plainly is that counsel will have clear visibility into and participate in all aspects of cybersecurity planning, monitoring, reporting, and, of course, response. And, it is fair to say that internal counsel is now on notice – if there was any lingering doubt – that cyber risks fall squarely within their functional mandate.

Above all else, the legal ramifications of any cybersecurity incident or failure can be calamitous or even fatal for any public or private company. Even tasks traditionally owned entirely by IT, such as exfiltration analysis, malware reverse engineering, digital forensics, log review and most technical remediation measures, raise legal and compliance issues and a myriad of potential conflicts.

For instance, after a cybersecurity incident, law enforcement, regulators, vendors, partners, insurers, customers and others may:

  • Request forensic images of impacted systems;
  • Demand copies of indicators of compromise;
  • Mandate that their own auditors or examiners visit sites of infiltration and conduct their own audit and investigation;
  • Want to participate in remediation planning;
  • Seek interviews and interactions with IT personnel;
  • Require briefings from a victim company's forensic experts and data security engineers; or
  • Ask to attach a recording appliance to a victim company’s network in hope of capturing traces of attacker activity, should an attacker return.

These requests raise a host of legal issues, including how exactly to respond to each request and whether any response would violate the privacy of customers; be at odds with commercial agreements; result in a waiver of the attorney-client or work product privileges; or have any other legal/compliance consequences.

Skills and Competencies Students Will Learn

This class is designed to equip students with a toolset that they can use to oversee and direct investigative data breach response workflow: commanding the investigation and remediation on behalf of the C-suite, sharing with senior management the ultimate responsibility for key decisions, and carrying the responsibility and duty of reporting to the company’s board.

Along these lines, the second part of the course will present a fact pattern involving a data security incident at a financial firm, which also involves possible theft of credit card data, a "business email compromise" (BEC) situation and a ransomware extortion scheme. Each class will address a specific “legal workstream,” with student teams conducting various tasks and with actual outside data breach response experts (in person or, more likely, via Skype) playing the roles of each relevant fiduciary and constituency.

The tasks will be as follows:

  1. Intake. In this exercise, a team of students will manage the intake call from a CIO at a large financial company who believes there may have been some sort of cyber-attack at his firm. To represent the CIO, the instructor will have an actual lawyer who advises CIOs about cyber-attacks together with an actual digital forensic investigator.
  2. Board Briefing. In this exercise, a team of students will brief and advise a board of directors about the data security incident. To represent the board, the instructor will have an actual lawyer who advises boards about cyber-attacks.
  3. Law Enforcement Liaison. In this exercise, a team of students will brief and advise a federal law enforcement agent about the data security incident. To represent the federal law enforcement organization, the instructor will have an actual former federal law enforcement agent who investigates cyber-attacks.
  4. Federal/State Regulatory Interface. In this exercise, a team of students will manage the interactions with federal and state regulatory organizations about the data security incident. To represent the federal and state regulatory agencies, the instructor will have a former federal regulator who investigated cyber-attacks.
  5. Insurance Company Briefing. In this exercise, a team of students will brief and advise the fictional financial firm’s insurance carrier about the data security incident. To represent the insurance carrier, the instructor will have an actual lawyer who advises firms about cyber-insurance.
  6. Vendor/Partner/Employee Briefings. In this exercise, a team of students will brief and advise a third-party vendor and/or partner about the data security incident. To represent the third-party vendor/partner, the instructor will have an actual lawyer who advises third parties about the litigation implications of cyber-attacks.

Current Events

Though the emphasis of this course is on the practical (i.e. the realities of a data breach response law practice), the course will also venture into some of the more theoretical conflicts that arise amid the juxtaposition of law, cyber and business. Constantly evolving, the legal issues of cybersecurity and data breach response create multiple and vibrant opportunities for discussion and analysis. Along these lines, each class may begin with a 20-minute discussion of “current events” pertaining to the legal issues of cybersecurity and data breach response. Though the instructor will provide topics for current events discussion, students will be encouraged to present recent current events for discussion as well.

Course Requirements, Workload Expectation and Grading

Prerequisites. This will be a two-credit course with no prerequisites.

Reading Assignments. In advance of each lecture class, there will likely be a reading assignment, the materials for which will be made available on Sakai before the semester begins. On occasion, via Sakai and/or email, students may receive additional materials relevant to the current events discussion.

Workload Expectation. The ABA requires that, for every hour students are in class, each student do about two hours of work outside of class, averaged across the semester; this can be reading for class, preparing for the course exercises and working on papers.

Grading. Grading is comprised of three parts:

  • 30% of grade (Paper): One analysis paper (max. 10 pages, Times New Roman, 12-point font, double-spaced) corresponding to any of the class topics. The topic of the paper must be approved by the instructor. In addition to using the materials provided to class, students will need to do a moderate amount of research to write their papers, estimated at 2-5 hours. Completion of the paper is required for credit.
  • 50% of grade (Simulation Exercise): Preparation, execution and overall performance on various experiential exercises.
  • 20% of grade (Participation): This course tackles a number of complex and cutting-edge legal and policy questions, many of which do not have easy answers. Contribution to class discussions is expected, as is attendance of all classes. Most importantly, student participation results in a more interesting and challenging class experience.

Course Outline

I. Incident Response, Law Enforcement and the New Accountability Paradigm

Data breach response workflow and coordination requires careful navigation because, among other things, the legal, public communications, and compliance ramifications of any failure can be devastating and value destructive for both public and private companies. This discussion will explore how, just like any other independent and thorough investigation, the work relating to a cyber-attack will involve a team of lawyers with different skill-sets and expertise (e.g., regulatory, ediscovery, data breach response, privacy, litigation, law enforcement liaison, and public communications). The discussion will focus especially on the critical coordination role played by the legal function, the regulatory response aspects of data breach response, and the national security implications that lurk in the background of just about every corporate decision.


Yahoo’s Warning to GCs: Your Job Description Just Expanded (Big-Time), by David Fontaine and John Reed Stark (March 2017)

Ensuring Best Practices in the Investigation of an Incident, by David Fagan, Ashden Fein and David Bender (March, 2016)

The Equifax and SEC Data Breaches: Takeaways, Reminders & Caveats, by John Reed Stark (September 2017)

Is Amazon Liable for the Capital One Hack?  By John Reed Stark (August, 2019)

A Ransomware OFAC Due Diligence Checklist, by John Reed Stark (January, 2021)

OFAC Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (October 2020)

II. Managing Retail Data Breaches.

This discussion will have two parts: First, we will focus on the unique aspects of handling a data breach involving any organization that collects credit card information. When a cyber-attack targets electronically transmitted, collected or stored payment card information, compliance with the Payment Card Industry Data Security Standard (PCI DSS) sparks unique investigative and remedial workflow, which creates a catalogue of challenging legal issues.


The Equifax and SEC Data Breaches: Takeaways, Reminders & Caveats, by John Reed Stark (September 2017)

Here’s what went wrong for Equifax in those first 48 hours, by John Carlin and David Newman (September, 2017)

III. Financial Regulators, Law Enforcement and Data Breaches

This discussion will focus on the unique regulatory and legal framework surrounding cyber-attacks of financial firms, with a particular focus on managing issues pertaining to the U.S. Securities and Exchange Commission, the Financial Industry Regulatory Authority and other federal and state financial law enforcement/regulatory agencies.


Think the SEC EDGAR Data Breach Involved Insider Trading? Think Again. By John Reed Stark (D&O Diary, Law 360) (October 2017)

IV. Data Breaches, Cybersecurity and Boards of Directors

This discussion focuses on the strategic framework boards of directors need to effectively analyze and supervise corporate cybersecurity risks. In the aftermath of a corporate cyber-attack, boards and the companies they govern are subjected to immediate public scrutiny and criticism. This new cyber-reality has largely erased the distance between the boardroom and the IT function, with cybersecurity emerging as a key corporate risk area.


Cyber Awareness to Cyber Expertise: The Evolution of Board Cyber Risk Management, by Phyllis Sumner and Nick Oldham (January, 2016)

What the Capital One Hack Means for Boards of Directors  by John Reed Stark, (August 2019)

V. After the Breach: Digital Forensics and Remediation

This discussion covers the latest methods and practices of cyber-attackers, which are critical for legal practitioners to understand. For instance, during the aftermath of a data breach, an expert forensic team will typically present its findings to the legal team leading the incident response. The legal team will then determine the nature and substance of any contractual, statutory (federal and state) or other requirements triggered by the attack. Without understanding the nature of the latest attacks and threats, a legal team can stumble (badly) in this critical responsibility and cannot effectively carry out one of the most critical aspects of data breach response: remediation.


Ensuring Best Practices in the Investigation of an Incident, by David Fagan, Ashden Fein and David Bender (March, 2016)

Data Breach Forensic Reports: Keeping a Grail Document Confidential, by John Reed Stark (July, 2020)

Some Good News for the Cybersecurity Bar, by John Reed Stark (September, 2019)

Privilege Lessons From Clark Hill Cybersecurity Doc Ruling, by Doug Meal, Michelle Visser and David Cohen (January, 2021)

Wengui v. Clark Hill Plc, Civil Action No. 2019-3195 (D.D.C. 2020)

VI. Cybersecurity Due Diligence

Cyber-security due diligence is rapidly becoming a critical factor of the decision-making calculus for a corporation contemplating a merger, acquisition, asset purchase, or other business combination; an organization taking on a new vendor, partner, or other alliance; or a private equity firm purchasing a new portfolio company. This discussion will focus on the kinds of legal issues encountered during a lawyer’s conducting of cybersecurity due diligence.


Cybersecurity Due Diligence: A New Imperative, by John Reed Stark (June 2017)

VII. Cyber Insurance

Companies have begun taking cybersecurity concerns into account when considering overall enterprise risk management and insurance risk transfer mechanisms, just as they do with other hazards of doing business. Yet there is no standard cyber-insurance policy, and many corporate cyber-insurance policies are bespoke. This discussion focuses on battleground legal issues concerning cyber-insurance, including a discussion of cybersecurity-related class actions.


Who gets Coverage? by Scott Godes (BTLaw Cybersecurity Blog, 2017)

After a Ransomware Attack, Does Property Insurance Cover Damaged Software and Hardware?, by Scott Godes (National Law Review, February, 2020)

VIII. Simulation Materials

Legal issues regarding data breach response are in a constant state of flux, and many of them are quite new. Along these lines, I may opt to add other materials, or this list could change as the class progresses, because new cases, decisions and data breaches seem to happen every day.

About John Reed Stark

John Reed Stark is President of John Reed Consulting LLC. He served for 15 years as an SEC enforcement attorney leading cyber-related projects, investigations and enforcement actions; for 11 years as Founder/Chief of the SEC Office of Internet Enforcement; for 15 years as Adjunct Professor at Georgetown University Law School teaching cyber law; for 10 years as a Guest Instructor at the FBI Academy; and for 5+ years as Managing Director (three as head of the Washington, D.C. office) of Stroz Friedberg, a global digital risk management firm, leading cybersecurity, incident response and digital compliance engagements for corporations. Since 2017 he has been appointed Senior Lecturing Fellow at Duke University Law School, teaching the law of cybersecurity and data breach response. He is the author of The Cybersecurity Due Diligence Handbook.