The threat of litigation is enough to keep any business leader up at night, and the increasing prevalence of data protection, privacy, and cybersecurity legislation and regulation is piling on the pressure for CISOs.

According to Norton Rose Fulbright’s latest Annual Litigation Trends Survey of more than 250 general counsel and in-house litigation practitioners, cybersecurity and data protection will be among the top drivers of new legal disputes for the next several years. Two-thirds of survey respondents said they felt more exposed to these types of disputes in 2021, up from less than half in 2020, while more sophisticated attacks, less oversight of employees/contractors in remote environments, and concerns about the amount of client data were all cited as contributing factors.

Clearly, the risks of litigation are very real for CISOs and their organizations, but what are the greatest areas of concern and what can they do about it?

Data breaches draw lawsuits

In the last 18 months to two years, the chances of an organization facing litigation following a data breach have increased significantly, particularly when a company is perceived to have not handled a breach well, says lawyer and Cordery partner Jonathan Armstrong, who specializes in technology and compliance legal matters. “With a big data breach now, litigation is a probability, not a possibility,” he adds.

While the propensity for legal action varies by geography, the continuing scale of cyberattacks has resulted in more explicit assertions from government, industry, and regulatory bodies on what constitutes poor security, opening the door to more legal action, Alex Jinivizian, vice president of strategy and corporate development at eSentire, tells CSO. “Some of the most high-profile data breaches—Equifax, Marriott, Target, the U.S. Office of Personnel Management—resulted in significant lawsuits against those companies related to losses of confidential employee or customer data caused by poor standards around security hygiene,” he says.

The implications can be considerable for businesses, Armstrong warns. “Damages sought in different cases are high at the moment. As just one example, TikTok is facing an action in the Netherlands for €1.5bn, and there are similarly high-value claims in other countries, too, including the UK and Germany. Data-related litigation has been a feature of U.S. corporate life for many years as well.”

CISOs under fire

The risk of litigation is not limited to corporations. CISOs themselves face being subject to legal action for breach of duty where insufficient steps were taken to prevent a breach, or the aftermath of the breach was handled badly, says Simon Fawell, partner at Signature Litigation LLP.

Jinivizian agrees: “The role of the CISO has never been more critical for mid/large enterprises, and potentially more in the crosshairs and held accountable for security incidents and data breaches, as illustrated by the ongoing class action against SolarWinds’ CISO and other executives following the devastating supply chain attack in 2020,” he states.

This is also evidenced by the charges against Uber’s CSO for allegedly trying to cover up a ransomware payment relating to the 2016 attack that compromised the data of millions of users and drivers, Armstrong adds.

If a CISO acts as a company director, they could face shareholder actions for breach of duty following data and privacy breaches based on damage to company value, says Fawell. “Shareholder actions against directors have been on the rise in the UK and, where a data breach has led to a drop in value for shareholders, claims against directors are increasingly being considered. This mirrors the trend in other jurisdictions such as the U.S. where CISOs have already been the subject of high-profile claims for breach of duty.”

Loss of trade secrets and reputational damage

The potential fallout from data breach or privacy litigation includes significant fines, civil and criminal penalties, reputational damage, and an adversely affected stock price. All can impact organizations and CISOs individually and in combination. Where important information is lost, the damage can be extremely high, adds Alasdair Marshall, associate at Signature Litigation LLP. “For example, were an intermediary or agent to have a breach incident and lose trade secrets or information that is potentially very damaging to another company’s reputation, that could lead to major litigation. In recent years, the Panama Papers and Credit Suisse incidents have highlighted a growing number of individuals seeking to obtain sensitive information and publish it to the market.”

What’s more, defending litigation can be both costly and time-consuming, Marshall says. “While the English system allows for the winning party to recover legal costs from the loser, it is rare that the amount spent on legal fees and ancillary costs is clawed back in full. Litigation also requires significant CISO and board-level attention which would be more productively focused on growing and protecting the business for the future.”

Litigation can have direct implications for cyber insurance matters, too, impacting things like coverage exceptions, renewals, and new business. The companies and CISOs that bounce back the fastest are those that put their customers first by being transparent, doing whatever it takes to help impacted customers minimize the impact, and sharing the steps they plan to take to ensure it doesn’t happen again, says Russ Kirby, CISO at ForgeRock.

Regulations and requirements

Geographical factors are particularly important in relation to the litigation risks CISOs and their organizations face, experts agree. For example, the threat of mass class actions for large-scale breaches has diminished somewhat in the UK following the Supreme Court decision in Lloyd vs Google, which halted an “opt-out” class action under the existing procedural frameworks and highlighted the difficulties in bringing mass data claims under the English rules, says Fawell. “Whilst the decision hasn’t completely blocked the possibility for class actions in data privacy cases and there remain a number of claims running through the English courts that are framed differently and could yet have success, it is a fairly major set-back for claimants,” he adds.

That said, the pressure for individuals impacted by data breaches to be compensated is growing, and it would not be surprising to see some form of opt-out class action regime introduced for data privacy cases in the relatively near future, Fawell says. “An opt-out regime has already been introduced in the UK for competition claims and data privacy would be the next logical area for a similar approach.” Although the threat of mass class actions has diminished in the UK for the time being, the threat of individual litigation remains very apparent, particularly where high-value corporate data is potentially compromised, he continues. “The GDPR (and related UK legislation) has led to a much greater awareness of data privacy issues and increased focus on contractual clauses in commercial deals.”

As for the U.S., things can get just as or even more convoluted, says former CISO Jack O’Meara, who leads litigation support services at consultancy Guidehouse. “For example, a CISO working at a U.S. Defense Industrial Base Contractor needs to comply with Defense Federal Acquisition Regulations (DFARS) 252.204-7012 safeguarding covered defense information and cyber incident reporting, while a CISO working for a financial institution in New York needs to comply with New York State Department of Financial Services 23 NYCRR 500 cybersecurity requirements for financial services companies.”

Meanwhile, a judge recently approved a $17.6 million class settlement brought by plaintiffs against Kemper Insurance, who alleged violations of California’s Consumer Privacy Act, while the Securities and Exchange Commission (SEC) has proposed new mandatory cybersecurity disclosure rules for publicly traded firms, along with written cyber policies and procedures, enhanced reporting, and records management for private equity and investment firms.

Ultimately, U.S. CISOs need to have knowledge of the specific cybersecurity requirements contained within the contracts their companies hold, O’Meara adds. “There are too many regulations and requirements to mention in this article, but a CISO needs to be knowledgeable of the ones applicable to their industry and geographic regions.”

Mitigating the risks of litigation

To mitigate and reduce the risks of litigation, CISOs must first examine whether their security program is “defensible” under harsh scrutiny and able to change and adapt to new threats, Kirby says. “For example, if it can’t stand up to questions about whether your protocols follow local laws and industry standards, you need to act fast to address those gaps.”

Fawell cites five questions that are useful in gauging the effectiveness of a breach response plan from a litigation perspective:

Who are the key service providers to call?
What are the internal lines of communication? Who makes the call on instructing lawyers and other key advisors? Is it the CISO or does it require other approvals?
If the system is down, how do key personnel handling the breach communicate securely?
What type of breach is most likely to impact the company, and who are the counterparties most likely to be affected?
What do the data privacy clauses in contracts with counterparties require? Are there notification requirements in those contracts?

“Planning can range from, at a minimum, ensuring the answers to the questions above and others have been considered and the answers are known to the key individuals who will be handling a breach, to having a full simulated breach to stress-test processes,” Fawell adds.

O’Meara says CISOs should be able to provide, when requested, documented policies and procedures including artifacts of compliance, screenshots of security configuration settings, firewall logs, access audit logs, user computer system and application access request forms, and employee security training records.

Armstrong recommends that CISOs engage with lawyers who are used to handling these types of risks and litigation before an incident occurs. “When you do have an incident, it is important not to try and deal with it as a lone cowboy,” he says.

In the same vein, O’Meara suggests U.S. firms partner with in-house counsel to understand litigation risks and the associated impacts and ramifications.

It is also essential that CISOs are familiar with the terms of a company’s cyber insurance policies—chiefly what is/is not covered and the notification requirements in the event of a breach, Fawell says. “Insurers should generally be one of the first ports of call. Not only is it important to ensure that the cover bites, insurers are often also a good source of information and advice on how to handle certain aspects of a breach.”

Furthermore, security leaders must be careful about what information is (and is not) recorded in the immediate aftermath of a breach, Fawell continues. “It is important to keep a clear audit trail of the decisions taken and why. However, while dealing with an immediately challenging situation, it is not unusual for ill-judged comments (often from high-level personnel) to be recorded in writing, which can be unhelpful in later legal proceedings. It is particularly important that everyone understands which communications are likely to have the protection of legal privilege in relevant jurisdictions and which will not.”

Armstrong has seen this play out. “Privilege is critical. Commonly, litigants are making very early requests to see internal memos, communications, and forensic reports. If you don’t set up privilege properly, you are likely to have to disclose all materials.”

It is sensible, where possible, to have an in-person meeting among key personnel to establish clear lines of communication and ensure that the audit trail accurately and clearly details the response process, Fawell advises.