John Cleary is a shareholder at Polsinelli, an Am Law 100 firm with more than 1,000 attorneys in 22 offices nationwide. His practice focuses on serving the litigation, technology transaction and data privacy needs of U.S. companies, with an emphasis on data security incidents and other cyber-related losses and controversies. John previously served as an Assistant U.S. Attorney in Washington, D.C., representing U.S. government agencies and officials across a range of constitutional and other federal sector issues.
Richard Torrenzano: John, thank you for joining us.
What are the biggest issues companies have faced as it relates to cyber and privacy breaches in the last 12 to 18 months?
John Cleary: The biggest change is the emergence of web tracking issues with the Meta Pixel installed on company websites and apps, which has created a whole new series of exposures and challenges for data management and mismanagement.
This has moved the conversation away from data breach into the realm of internal company operations, compliance and management of website data, vendors, specialists and consultants to support the website.
Data breach and attacks are still there by wrongdoers and lost laptops and so forth, but the newest development is web tracking, alleged web surveillance, and the like.
RT: Can you provide background around online tracking technologies? How long have companies been using it, and the big question – why are lawsuits coming up now?
JC: It goes back to the start of AdTech, when companies were using people’s choices of movies to recommend a next movie to a viewer or using the data and profiling individual consumers to improve marketing, websites and performance.
While that technology has been in place for numerous years, a significant development happened in spring of 2022.
There was an article in The Outlook about a study of how hospital websites managed visitor information of people inquiring about medical conditions, trying to make appointments or trying to log in as patients.
In certain circumstances the journalists who wrote the article were able to track a linkage to Facebook profiles, and the give and take with Facebook sometimes on the backend of websites.
That received a good deal of media coverage.
It was a milestone in compliance and awareness of some of these issues and their potential ramifications, which triggered some regulatory scrutiny, changes of practices, and a lot of activity to study those websites and make immediate changes where the analysis showed that there was room for improvement or they ran afoul of privacy laws.
That has also led to many class action lawsuits for sharing data from website visitors with Facebook without disclosing that to the website visitor.
RT: Is there a poster child for this issue?
JC: The centerpiece litigation in this area is the ongoing class action lawsuit against Meta in Federal Court in California that takes on the core issue of use of Facebook and the use of the Meta pixel to potentially export data.
RT: Digital tracking hasn’t gone away even though lawsuits and class actions are ongoing. How do companies protect themselves … and what should companies do to mitigate the chances that they too will be involved in this litigation?
JC: Well, first get fully educated on the issue. They must know what’s going on with their website and their vendors and app developers and understand the snapshot of current practices and then do a standard audit of these types of information.
Are we sharing too much? Are we providing proper disclosures to customers on how and what we do with data? Are we giving consumers more control over privacy settings?
Unfortunately, companies need to get experts involved in this, particularly on the website forensics: how it works, how it's designed, and the communications and legal components.
RT: If you think about cyber in general and cyber litigation, do you think corporations really understand the issues and understand the legal ramifications?
JC: There’s room for improvement. Some improve the hard way … they’ve been taken to school by another lawsuit. But the cases typically don’t go to trial.
Still, they can be a very painful experience for the unprepared company to see what the plaintiffs have to work with … the kinds of things that in hindsight were 20/20.
They learn they need patch updates weekly or more. That's fine if you're a solo legal office with two offices and three or four computers, but what if you're a company with 1,500 endpoints, with computers checked out on airplanes and in other countries?
Many of these lawsuits originate from simple lapses and carelessness, not a super sophisticated Star Trek-style laser-guided attack.
It can be as simple as losing a laptop, losing a credential, not having a firewall, not having patches applied, not knowing who the vendors are that are on the site, or having a disgruntled employee and the like.
Many companies are a prisoner of their last battle so they’re very good at what the last incident was but they’re not ready for the next one.
So of course, after a ransomware attack you prepare for those events, but what about the loss of a device, a rogue employee or outright extortion? What about just a pure reputational attack? They can be pretty unprepared.
There's room to improve. It's interdisciplinary and often anchored by effective tabletop exercises to get people out of their comfort zone to work through a hypothetical exercise.
It requires leadership and confidence and preparation. I can’t say any company is perfectly prepared for a lawsuit, but those measures help build a brand, build confidence.
Incidents happen to good companies. The judgment comes when it takes you two months to get back on your feet when it should have taken two days or three days.
RT: As you said it’s interdisciplinary but who at the company needs to take the lead?
JC: The buck obviously stops, like many issues in a company, with the CEO.
It doesn’t mean the CEO has to be a computer science major or has to have years of experience in law enforcement, but someone with the CEO’s ear needs to have the resources and backing to fund a budget for preventive measures and a flight path for better cybersecurity and training.
No company will be perfect, but they need to look at it as a journey and it requires constant investment.
CEOs need to hire people they have confidence in and they have to listen to those people. There are always other priorities that are important, but they must have a clear understanding that they are defending something very important – the company’s brand and reputation.
RT: Do you think this has become a board issue? Where does the board get involved?
JC: It’s different for every company. Some boards have a board sub-committee devoted to cybersecurity and data security issues.
They don’t have visibility straight through into that niche and what typical best practices are, but I know it’s a great concern to directors and officers due to the potential for loss.
It’s a more serious responsibility to be a director or officer these days than it was 20 years ago given these problems and risks.
RT: Looking ahead, what should corporations and the C-suites be focusing on to prepare for the future?
JC: It’s about resources and looking forward and backward at the same time. It’s about keeping on top of new threats, new problems, new challenges in the industry sector or the totality of industry. Looking backward means staying up with regulations, being minimally compliant with all the government mandates; but forward-looking would be much more rigorous about due diligence, the counterparties, and who you are contracting with.
They need a lot of additional scrutiny in mergers and acquisitions – of potentially buying a problem or buying a compromised company or company with weaknesses.
They need to hire an expert to make priorities and judgments and adjust the strategy on a rolling basis for the most important threats and given the resource constraints, to staff and manage the most important threats as they become more significant on the radar.
The most important thing is to emerge with improved cybersecurity and a litigation narrative, a regulatory narrative that will withstand scrutiny.
They need to show this issue was taken seriously, steps were taken, measures were implemented and qualified people were deployed to shore up defenses. If the inevitable happens, at least there’s a narrative that reasonable efforts were taken.
RT: Is there anything I didn’t ask that you think is important for CEOs and their teams to know and to prepare for?
JC: I do think sometimes it’s good that the general counsel takes a little bit of a back seat to some of this and that a true cyber specialist makes executive decisions with legal input.
There’s a temptation to put the general counsel in charge of cybersecurity just because everyone thinks everything is privileged and that could be a little short-sighted.
Not everything is privileged and often the general counsel, although trained in the law, may not have the experience necessary to make business decisions about threats.
There should be accountability in one person. But it shouldn’t be the general counsel, and it shouldn’t be a committee, because when you have three or four people in charge of something this important, there’s just a natural temptation to diminish overall responsibility because there’s no one person.
RT: Thanks John. This information is very helpful.
JC: Thank you.