Airlines increasingly integrate and utilize data from transaction systems, websites and mobile applications, email, flight, and operations, to personalize offers to customers, increase customer loyalty, and improve operations and safety. In short, airlines increasingly use data as a strategic asset for competitive advantage.
Yet the collection of data also presents significant risks. Cybersecurity experts generally agree that it is not a question of if a company will be the victim of a data breach, but rather when such a breach will occur. A data breach can result in state and federal regulatory exposure, consumer class action litigation, shareholder derivative and securities litigation, operations disruptions, reputational damage, significant remediation costs, and loss of value. While a company will never eliminate the risk of a data breach, companies should proactively address cybersecurity to mitigate this risk.
In this context, airline cybersecurity preparedness has been subject to heightened scrutiny. Most recently, on August 16, 2016, United States Senators Edward J. Markey and Richard Blumenthal, members of the Senate Commerce, Science and Transportation Committee, wrote letters to thirteen (13) airlines relating to several cybersecurity issues, including the “resilience” of the airlines’ Information Technology (IT) systems. The Senators encouraged airlines to ensure that their “IT systems have the appropriate safeguards and backups in place to withstand power outages, technological glitches, cyber-attacks, and other hazards that can adversely affect IT systems.” They asked airlines to “explain what protections you have in place to protect your airline’s IT systems from . . . cyberattacks.” They also noted that “[r]ecent reports suggest that some airlines have aging, complex IT systems” and asked each airline to “describe the state of [its] IT system and what specific steps are being taken to modernize it, if needed.”
Senator Markey previously introduced the Cybersecurity Standards for Aircraft to Improve Resilience Act of 2016 (Cyber AIR Act). The Cyber AIR Act would regulate security for data entry points (i.e., the means by which signals to control a system on board an aircraft or a maintenance or ground support system could be sent or received) employed by air carriers[1] and aircraft manufacturers. While it is unlikely that this bill will be enacted this year, it further highlights the attention aviation-related cybersecurity is receiving.
The breadth of aviation-related cybersecurity issues is vast, ranging from consumer and company data theft to the potential cyber hijacking of an aircraft. Many of these issues, in particular consumer and company data theft, are not unique to airlines. It is beyond the scope of this Bulletin to address all cybersecurity issues. Instead, this Bulletin, the first of a series addressing cybersecurity, focuses on cybersecurity preparedness, including risk consciousness and risk mitigation strategies that companies should consider employing.
Implementing appropriate risk mitigation strategies is complicated by the lack of clear guidance from federal and state courts in the United States, and the patchwork system of regulatory standards and enforcement. Indeed, there is no uniform national standard governing data security or data breaches. For these reasons, and because no two companies are alike, there is no single solution to cybersecurity issues – companies should craft a company-specific approach. However, there are a number of industry guidelines[2] that, collectively, provide guidance for mitigating cybersecurity risks, including:
- Assembling an appropriate cybersecurity team;
- Performing an assessment of your company’s data assets, cybersecurity needs, policies, and defenses, and correcting identified weaknesses;
- Creating a breach response plan;
- Testing your company’s response plan and defenses; and
- Keeping up-to-date on cybersecurity threats and defenses to enhance your company’s preparedness.
The first step in cybersecurity preparedness is to assemble the appropriate team to assess your company’s cybersecurity risk mitigation strategy and defenses. If your company does not have a Chief Information Security Officer (CISO), it should consider appointing one. The CISO should be responsible for, among other things, assembling the company’s cybersecurity assessment and response teams, and should employ a collaborative and multidisciplinary team approach in doing so. The Federal Trade Commission (FTC), which has the authority to bring enforcement actions against “unfair and deceptive trade practices in or affecting commerce,” including the failure to implement basic security protocols to protect consumer information,[3] suggests that cybersecurity should “factor into the decision making in every department of your business.”[4]
Involving company senior management and the Board of Directors in cyber risk mitigation increases the likelihood that the company will be able to demonstrate in litigation and/or the regulatory proceedings following a data breach that it proactively attempted to mitigate these risks. Thus, the team managing company cyber risks should include, among others, the Legal, Risk Management, IT and Crisis Management Departments, senior executives, the Board of Directors,[5] the CISO, and independent third-party IT specialists.
The involvement of outside counsel during a cybersecurity assessment before any breach occurs may increase the likelihood that the company’s preparedness assessment will be protected by the attorney-client privilege and/or work product doctrine if – and when – litigation or regulatory proceedings result from a breach. This is relevant because if, for example, consumer class action litigation is pursued following a breach, plaintiffs’ counsel often seek discovery of pre-breach cybersecurity assessments to determine if cybersecurity weaknesses were identified that contributed to the breach, but were not addressed.
Once a cybersecurity team is in place, the second step is to perform an assessment of the company’s data assets, cybersecurity policies and defenses. This should begin with an analysis of the personal information the company collects, and whether each piece of collected data has a necessary business purpose. Companies also should assess which employees have access to sensitive data, and how to appropriately limit employee access. Companies can classify data types, store different types of data on different servers, and restrict employee access to only the specific data that employees need to perform their jobs. By classifying and segregating data types, a company can prevent wholesale breaches of its data systems, and better protect its most valuable data.
An assessment of a company’s cybersecurity defenses also should include an evaluation of its written cybersecurity risk mitigation policies. Companies should have a clearly defined Written Information Security Policy (WISP) that regulates how data is stored and accessed, the likely risks employees may confront on a day-to-day basis (e.g., phishing scams), how employees should respond to those risks, and the consequences for employee violations of the WISP. The WISP should apply equally to all employees as well as to independent third-party IT specialists performing work for the company.
Companies also should conduct training on the implementation of the WISP to foster a culture of accountability. Employees who deal regularly with personal information, or the company’s commercially sensitive data, may require additional specialized training. The C-suite should set the tone for the treatment of cybersecurity issues, including enforcing company policy.
In-house counsel should consider instructing independent third-party IT specialists to identify weaknesses in company cybersecurity defenses, prepare a report to counsel on those weaknesses, and to implement corrective measures. As a result of working with a variety of companies, independent third-party IT specialists often develop additional expertise, as well as the ability to benchmark your company’s cyber defenses against those of other companies, which can increase the likelihood that a regulator evaluating your risk mitigation practices after a breach will find that your company appropriately addressed these issues.
The full assessment of the company’s cybersecurity systems, risk mitigation policies, training, weaknesses identified, and corrective measures taken should be documented by counsel and brought to the Board’s attention both to improve the likelihood that the assessment will be found to be privileged and protected from discovery, and, if necessary, to later demonstrate that the company proactively addressed cybersecurity risks.
The third step is to establish a breach team and response plan. The plan should detail employee response roles, responsibilities, decision-making authority, and coordination to ensure that the company is better prepared to act quickly and decisively in the event of a breach. Companies may wish to consider having a third-party vendor in place to assist with consumer notification and communication following a breach. Once the breach response plan is in place, the fourth step is to test cybersecurity defenses and your company’s response plan (including tabletop exercises). This testing should be performed by third-party IT specialists in coordination with counsel, so that the specialists can again perform the test and recommend improvements while counsel documents the results.
Finally, the company CISO should keep abreast of emerging cybersecurity threats, changes to the legal and regulatory landscape, and changes to best practices. As part of doing so, the CISO will need a budget sufficient to continually reevaluate and retest the company’s cyber defenses and implement changes as needed. Cybersecurity preparedness should be an iterative and ongoing process.
There are many ways that companies can improve their cybersecurity preparedness. This Bulletin provides a sampling of best practices that companies should consider as legislative and regulatory bodies take an increasing interest in cybersecurity, and specifically airlines’ cybersecurity defenses. Risk consciousness coupled with multidisciplinary collaboration to mitigate that risk will allow companies to better prepare for and recover from a breach, as well as help to reduce the associated fallout from a breach.
[1] Within the context of the Cyber AIR Act, an air carrier is defined pursuant to 49 U.S.C. 40102(a)(2), which provides that “air carrier” means “a citizen of the United States undertaking by any means, directly or indirectly, to provide air transportation.”
[2] See, e.g., Federal Trade Commission, Start with Security, A Guide for Business, Lessons Learned from FTC Cases (2015), https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf; Securities and Exchange Commission, Office of Compliance and Examinations, Cybersecurity Examination Initiative (2015), https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf; National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (2014), http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf; California Department of Justice, California Data Breach Report (2016), https://oag.ca.gov/breachreport2016.
[3] See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
[4] See Federal Trade Commission, Start with Security (2015), at p. 2, https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf.
[5] At least one court has held that under the business judgment rule, Director involvement in cybersecurity issues can shield the company from shareholder derivative suits arising from cybersecurity breaches. See Palkon ex rel. Wyndham Worldwide Corp., No. 2:14-CV-01234 (SRC) (D.N.J. Oct. 20, 2014).