In this guest post, Frank Hülsberg and Burkhard Fassbach take a look at a recent Reuters special report about the use of cyber hacking and other espionage techniques in litigation and consider the D&O liability and insurance implications. Frank Hülsberg is a Chartered Accountant and Tax Advisor in Düsseldorf, Partner Advisory and Member of the Executive Board at Grant Thornton AG Wirtschaftsprüfungsgesellschaft in Germany, and Burkhard Fassbach is a D&O lawyer in private practice in Germany. I would like to thank Frank and Burkhard for allowing me to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Frank and Burkhard’s article.
As an introduction to the topic, we wish to refer to a famous quote from Robert Swan Mueller III, an American lawyer and government official who served as the sixth director of the Federal Bureau of Investigation from 2001 to 2013:
“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
In light of this quote, a recent Reuters Special Report, “How mercenary hackers sway litigation battles” by Raphael Satter and Christopher Bing, published June 30, 2022, is required reading for board members, IT security professionals and litigation lawyers. The Reuters report can be found here (no paywall).
Here are some highlights from the Reuters report as an introduction to our assessment of the potential D&O liability risks arising from such hacking activity, and in particular of cybersecurity as an important part of the corporate compliance management system:
In a spy-phishing campaign, hackers based in India attempted to obtain the emails of lawyers and litigants in legal cases across the globe, showing how hired spies have become the secret weapon of litigants seeking an edge. It began with a US direct sales entrepreneur who wanted compromising material on a business rival amid a flurry of lawsuits. One of his employees turned to a Silicon Valley detective who said he knew an Indian hacker who could break into emails. Starting around February 2013, the Indian hacker broke into the email accounts of the opposing party’s executives and delivered screenshots and passwords to his client in the US.
When the hacking victim learned of the spying, it filed a federal lawsuit against the business rival in Utah alleging extortion, intimidation and hacking. The party behind the hacking initially argued that its competitor had not provided enough evidence to back its claims; it later settled the suit on undisclosed terms. The settlement didn’t end the matter. The Federal Bureau of Investigation learned of the hacking, and FBI agents raided the homes of the Silicon Valley detective and of the employee who had commissioned him. Both eventually pleaded guilty to computer crimes connected to the intrusions. The convictions torpedoed the employee’s security career and ended the detective’s investigation business.
For the hacker in India it was just the beginning. Over the next decade, he and a small coterie of Indian colleagues built an underground hacking operation that would become a hub for private investigators, who sought an advantage for clients embroiled in lawsuits. Reuters identified 35 legal cases since 2013 in which Indian hackers attempted to obtain documents from one side or another of a courtroom battle by sending them password-stealing emails. The messages were often camouflaged as innocuous communications from clients, colleagues, friends or family. They were aimed at giving the hackers access to targets’ inboxes and, ultimately, private or attorney-client privileged information. At least 75 U.S. and European companies, three dozen advocacy and media groups and numerous Western business executives were the subjects of these hacking attempts, Reuters found.
The Reuters report is based on interviews with victims, researchers, investigators, former U.S. government officials, lawyers and hackers, plus a review of court records from seven countries. It also draws on a unique database of more than 80,000 emails sent by Indian hackers to 13,000 targets over a seven-year period. The database is effectively the hackers’ hit list, and it reveals a down-to-the-second look at who the cyber mercenaries sent phishing emails to between 2013 and 2020. The data comes from two providers of email services the spies used to execute their espionage campaigns. The providers gave the news agency access to the material after it inquired about the hackers’ use of their services; they offered the sensitive data on condition of anonymity.
Reuters then vetted the authenticity of the email data with six sets of experts. Scylla Intel, a boutique cyber investigations firm, analyzed the emails, as did researchers from British defense contractor BAE, U.S. cybersecurity firm Mandiant, and technology companies LinkedIn, Microsoft and Google. Each firm independently confirmed that the database showed Indian hacking-for-hire activity by comparing it against data they had previously gathered about the hackers’ techniques. Three of the teams, at Mandiant, Google and LinkedIn, provided a closer analysis, finding the spying was linked to three Indian companies.
“We assess with high confidence that this data set represents a good picture of the ongoing operations of Indian hack-for-hire firms,” said Shane Huntley, head of Google’s cyber threat analysis team.
Reuters reached out to every person in the database – sending requests for comment to each email address – and spoke to more than 250 individuals. Most of the respondents said the attempted hacks revealed in the email database occurred either ahead of anticipated lawsuits or as litigation was under way.
The targets’ lawyers were often hit, too. The Indian hackers tried to break into the inboxes of some 1,000 attorneys at 108 different law firms, Reuters found. “It is an open secret that there are some private investigators who use Indian hacker groups to target opposition in litigation battles,” said Anthony Upward, managing director of Cognition Intelligence, a UK-based countersurveillance firm.
The legal cases identified by Reuters varied in profile and importance. Some involved obscure personal disputes. Others featured multinational companies with fortunes at stake. From London to Lagos, at least 11 separate groups of victims had their emails leaked publicly or suddenly entered into evidence in the middle of their trials. In several cases, stolen documents shaped the verdict, court records show. The FBI has been investigating the Indian hacking spree since at least early 2018 to determine who hired the Indian hacker crew to go after American targets, according to three people briefed on the matter. The FBI declined to comment. Asked about the hacker-for-hire industry, an official with India’s Ministry of Justice referred Reuters to a cybercrime hotline, which did not respond to a request for comment.
As Reuters contacted victims of the Indian spy campaign, targets involved in at least seven different lawsuits each launched their own inquiries. One of the most prominent was WeWork co-founder Adam Neumann, who hired New York’s Seiden Law Group after learning from Reuters that his and other company executives’ email accounts had been targeted by the Indian hackers starting in August 2017, according to four people familiar with the matter.
The hacking attempts against Neumann unfolded as WeWork prepared to announce a $4.4 billion investment from Japan’s SoftBank, a giant infusion for a startup then burning through capital. By the time Neumann learned of the hacking in 2020, the partnership had collapsed and he was suing SoftBank after being ousted from WeWork. SoftBank executives were quizzed by Neumann’s lawyers about the hacking in depositions just weeks before he received a roughly $500 million settlement from the Japanese investment giant, according to four people familiar with the matter. The executives denied any knowledge of the spying, the sources said.
Reuters was unable to determine who hired the Indian hackers to spy on Neumann or his colleagues. Representatives for Neumann and SoftBank did not return messages. WeWork said the hacking attempts were blocked but did not elaborate. The Seiden Law Group confirmed it had been hired by Neumann to investigate a cybersecurity issue; it declined further comment.
Of particular interest from a German perspective is the Wirecard case: the hit list seen by Reuters shows that short sellers, reporters and financial analysts who had voiced skepticism of Wirecard’s business practices before it went bust were targeted. In several instances, these hacks coincided with legal threats made by Wirecard. Former Wirecard boss Markus Braun was arrested in June 2020 following revelations that 1.9 billion euros were missing from the company’s accounts.
D&O Liability Risks for Hacker Attacks and Compliance Duties
Following on from the Wirecard case mentioned in the Reuters report, it must first be stated for Germany that any intentional involvement of management in commissioning hacker attacks against journalists, short sellers and financial analysts would be punishable as a criminal offense. Because D&O policies exclude intentional wrongdoing, active participation by management in commissioning hacker attacks would also not be covered by D&O insurance. Irrespective of the Wirecard case, in such cases management will usually not be involved, or will in any case vehemently deny knowledge that hacker attacks were commissioned. In most cases, employees below the management board level, for example from the corporate security department, will initiate the hacker attacks. The question then arises whether management is liable for negligence, namely for breach of its supervisory duty and for failure to establish an effective and efficient compliance management system to prevent criminal acts by employees. According to the case law of the 1st Criminal Division of the German Federal Court of Justice (BGH), the following applies: the management of the company is under an obligation to prevent legal violations originating from the sphere of the company and to install an appropriate and effective compliance management system (BGH, ruling dated May 9, 2017 – 1 StR 265/16).
However, the management of the attacked companies may also be liable if it did not establish an adequate compliance management system for cyber security that could have prevented the hacker attacks. In the U.S., there have been an increasing number of lawsuits against managers and their D&O insurers in connection with IT security breaches in recent years. The U.S. District Court for the Northern District of Georgia had to rule on a lawsuit against the management of the Home Depot chain of home improvement stores for financial loss following a hacker attack in which credit card data and e-mail addresses of customers in the U.S. and Canada were stolen via malware in checkout systems. Management was able to exculpate itself: there had been regular cybersecurity reports by a management-appointed audit committee, and management had engaged extensively in disclosing IT-related security vulnerabilities. A copy of Northern District of Georgia Judge Thomas Thrash’s November 30, 2016 opinion in the Home Depot derivative lawsuit can be found here. Later on, the parties reached a settlement of the case, pursuant to which Home Depot agreed to adopt certain cyber-security related corporate governance reforms. The settlement agreement also provides for Home Depot to pay up to $1.125 million of the plaintiffs’ attorneys’ fees. The corporate governance reforms include documenting the responsibilities of the company’s chief information security officer; maintaining a data security executive committee; and requiring regular reports on the retailer’s information technology and cybersecurity budget (here).
In Germany, too, the Executive Board and the Supervisory Board must deal with the changing IT risk landscape. New responsibilities arise, which at the same time go hand in hand with an expansion of potential liability. The basic principles of due diligence under the German stock corporation law also apply in the context of IT security risks.
Personal liability in the area of IT security can occur if risks are not adequately identified and addressed and the company suffers a financial loss as a result. For decisions in the area of IT security, members of the Board of Management must be aware of the company-specific IT security risks. The Board must take appropriate measures to ensure IT security.
IT security must be regularly included on the agenda of the Board of Management and the Supervisory Board. As with the establishment of an appropriate compliance organization, the design of IT security measures is subject to the discretion of the Board of Management in accordance with the general principles of the Business Judgment Rule. An information security management system (ISMS) is to be implemented, a Chief Information Security Officer (CISO) is to be appointed, and attacks are to be monitored and consistently defended against by a 24/7 Security Operations Center (SOC). Policies and guidelines must be adopted, continuously adapted and communicated within the company. Training courses must be offered to sensitize employees to the issue of IT security and to ensure compliance with defined standards. Finally, the measures taken must also be regularly reviewed for appropriateness and effectiveness. The IT-Grundschutz (“IT baseline protection”) catalogs of the German Federal Office for Information Security (BSI) provide a point of reference for setting up an ISMS; certification according to ISO 27001 usually follows. The Board of Management must also pay attention to the issue of IT security where it is vertically delegated to specialist personnel. Regular coordination with the specialist staff remains necessary in line with the ongoing risk situation.
Members of the Board of Management must compensate the company for damages caused by their breaches of duty in accordance with section 93 (2) sentence 1 of the German Stock Corporation Act (AktG). If the company’s business data is stolen by hackers due to inadequate security precautions, or if a production plant fails due to inadequate equipment or maintenance of the IT infrastructure, and the company suffers damage as a result, the Executive Board is liable. The Board of Management may be in breach of duty if, for example, an appropriate ISMS was not established or the IT infrastructure did not meet the requirements. A member of the Board of Management can then exculpate himself only if he exercised the due care of a prudent businessman or if the requirements of the Business Judgment Rule were met when making an entrepreneurial decision.
Fines imposed on the company by supervisory authorities can also in principle be part of the damage eligible for compensation under management board liability. Against the background that, for example, violations of the General Data Protection Regulation (GDPR) can result in very high fines for companies, it cannot be ruled out that companies will take recourse against the management board or the management board’s D&O insurance in the future.
Violations in the area of IT security have not been the subject of legal action against board members in Germany to date. However, due to the digitalization of all corporate processes and increasing regulation, this could change in the future. Looking ahead, it can be predicted that the quote from former Deputy Attorney General of the United States Paul McNulty will become increasingly true: “If you think compliance is expensive, try non-compliance.”