Digital transformation, the process of leveraging technology, people and processes to innovate, requires an “all-in, ongoing commitment to improvement.” But the main drivers of digital transformation – data and profits – don’t always mesh seamlessly.
As shown by recent class actions filed against Blackbaud and Morgan Stanley, and a settlement with the New York Attorney General by Dunkin’ Brands, digital transformation has numerous cybersecurity issues that present legal obligations and potential liability.
In May, Blackbaud, Inc., a company that provides cloud software services to thousands of non-profits including hospitals, suffered a ransomware attack. In July, it began informing its users of the attack, many of whom used Blackbaud to process personal and sensitive information.
On August 12, the first of many lawsuits was filed against Blackbaud. Among the allegations in the lawsuit, Blackbaud is accused of failing to properly monitor its computer network and systems, failing to implement policies to secure communications, and failing to train employees.
The five years prior to the attack are telling. In that timeframe, Blackbaud underwent a digital transformation that involved acquiring numerous other software platforms including a predictive modeling platform, and a software provider focused solely on corporate giving.
Since the ransomware attack, Blackbaud has published cybersecurity improvements that support adherence to industry standards for incident management, employee training, systems and network testing, risk assessments, application security, encryption, and end-user authentication.
On August 27, 2020, a class action lawsuit was filed against Morgan Stanley for cybersecurity incidents in 2016 and 2019 that the bank informed customers about in July 2020. The lawsuit claims Morgan Stanley failed to secure personal information, among other things.
For digital transformation purposes, the incidents are instructive. In 2016, Morgan Stanley closed two data centers as it moved “to improve – and improve faster – the issue of software development outside the realm of the IT floor.”
As part of its closing of the data centers, Morgan Stanley contracted with a vendor to remove personal information of customers from the devices it was decommissioning. Later, however, it was discovered that certain devices with unencrypted personal information had not been wiped.
In 2019, Morgan Stanley learned that after it had “disconnected and replaced a computer server in a local branch office,” it was unable to locate the server and that “a software flaw could have resulted in small amounts of previously deleted data remaining” unencrypted.
In the class action, the plaintiff alleges that Morgan Stanley could have prevented the above incidents had it properly encrypted the equipment and files containing personal information. Indeed, had it followed industry standards for decommissioning devices it might have.
In 2015, the National Institute of Standards and Technology (NIST) published Guidelines for Media Sanitation. The guidelines are designed “to assist organizations and system owners in making practical sanitization decisions based on the categorization of their information.”
As with all of NIST’s cybersecurity and data privacy guidance, the guidelines are thorough, thoughtful, and technical. They include 64 pages describing three main sanitization types – clear, purge, and destroy – that would have helped Morgan Stanley (and its vendors).
On September 15, 2020, the NYAG and Dunkin’ settled a lawsuit relating to cyberattacks that exposed the card account information of tens of thousands of customers in 2015. The lawsuit alleged Dunkin lacked appropriate safeguards and violated data breach notification requirements.
Dunkin agreed to pay $650,000, notify customers about their accounts that had been compromised in 2015, and, in some cases, provide refunds. The settlement papers include eight appendices that are sample letters to be sent to the customers.
Specific to the compromises that occurred to its customers’ accounts, Dunkin agreed to implement reasonable measures to protect “against brute force and credential stuffing attacks” where hackers obtain account access by guessing passwords, as part of a cybersecurity program.
Dunkin’s digital transformation mostly began in 2017 when it took a deeper dive into the science of its data and digital strategies. In the months leading up to the settlement, it announced the creation of a chief digital officer role and upped its digital promotions, sales, and revenues.
What These Lawsuits Show
As if the “all-in, ongoing commitment to improvement” digital transformation requires isn’t challenging enough, without a comprehensive written information security program that is derived from industry standards, digital transformation becomes digital disruption.
Of the many technical requirements the FTC mandated organizations implement as cybersecurity “industry standards” last year – by far its biggest year for cybersecurity enforcement – it was often the last requirement that is most pertinent to digital transformation:
Evaluate and adjust the [Written] Information Security Program in light of any changes to [your] operations or business arrangements, … or any other circumstances that [you] know or have reason to know may have an impact on the effectiveness of the [Written] Information Security Program. At a minimum, each [Covered Business] must evaluate the [Written] Information Security Program at least once every twelve months and modify the [Written] Information Security Program based on the results.
There is much to learn from the pitfalls encountered by others. For example, just as NIST has released guidance on media sanitation, it has guidance on cloud computing that would have benefitted Blackbaud, and on incident reporting that would have benefitted Morgan Stanley.
Organizations should seek to understand their legal obligations in connection with appropriate cybersecurity for digital transformation so that they don’t experience digital disruption. If you have questions about these legal obligations please reach out to Romaine Marshall, Jon Washburn, or Jose Abarca.
 For guidance on ransomware see https://www.stoel.com/legal-insights/blog-articles/utah-considers-a-cybersecurity-safe-harbor-as-ransomware-runs-riot, and https://www.stoelprivacyblog.com/2020/03/articles/cyber-attack/soon-all-ransomware-attacks-may-be-data-breaches/
 Equifax Order at 19 (dated July 23, 2019) https://www.ftc.gov/system/files/documents/cases/172_3203_equifax_order_signed_7-23-19.pdf (emphasis added).