Commentary

You’ve Been Served: Managing Personal Liability for Cyberattacks on Railroads

Written by Gilbert Lamphere and Craig Wenner

A process server hands you a stack of legal papers. It means trouble.

The reason? Two of your trains derailed near populated areas. They carried toxic waste and volatile chemicals; there were fires and an explosion resulting in huge property damage and tragic loss of life and injury. The NTSB and government experts have conclusively determined the accidents were caused by a malicious cyber hacker who took control of the locomotives and communication systems.

Unlike prior lawsuits that targeted just the company, you now find yourself personally named as a defendant. The lawsuits have been brought by classes of injured victims and investors, the Securities and Exchange Commission, the Federal Trade Commission, and possibly others. You are under investigation by the Department of Justice, the Environmental Protection Agency, and state Attorneys General. You are required to preserve and produce all notes, messages, documents and communications—oral and written—regarding cyber vulnerabilities and deficiencies in your operations and the steps you have taken to identify and correct them. Certain other senior decision-makers within the company, such as the CEO, CISO and certain board members, are also named in the lawsuits. You assume, incorrectly, that you are all in the same legal boat, but the facts regarding each person’s knowledge and actions will ultimately determine their, and your, liability.

You know your CEO has told outside parties that your railroad has its operational cyberattack vulnerabilities “under control.” But internally? Are you prepared? Legally? For litigation? Have you put in place an expeditious operational identification and mitigation plan, with a sizeable budget and ongoing oversight, with adequate manpower and organizational authority? Have litigation preparedness steps been taken? You may think that your company’s compliance with TSA’s Security Directives is enough, but the TSA mandates will not determine whether the plan you actually implemented and the decisions you and others in the company made were reasonable or negligent, or worse.

Sound farfetched? Improbable? Alarmist?

Over the past several years, there has been a sea change in what is required to responsibly manage cybersecurity risks from both operational and legal perspectives. For critical infrastructure such as rail, the oversight of operational cybersecurity must now be treated as a core business function, where informed cost-benefit decisions should be made at the highest levels of an organization and not simply delegated. What has changed to precipitate at least one major railroad to move expeditiously on these fronts?

  1. Legally: Societal, political, regulatory and management norms have evolved to hold individuals, not just corporations, responsible for cyber accidents and financial damages. Court cases involving civil and even criminal liability have been successfully brought against IT individuals and the C-suite. This includes liability arising both from the actions taken to protect against cybersecurity risks and from what company representatives said about those risks in public.
  2. Government agencies, political actors, state attorneys general and prosecutors have emerged as energized interested parties, with mixed agendas that are adverse to corporations and individual executives. Statements by prosecutors and regulators in these cases show an increasing focus on individual liability. Where the company and the bad actors previously insulated executives and board members from liability, those with oversight responsibilities are moving toward the front of the line.
  3. White-hat hackers have repeatedly demonstrated proof of concept for operational vulnerabilities. For example, a railroad voluntarily subjected itself to a friendly but expert third-party hack of its operations infrastructure. The findings are contrary to the railroad industry’s public posturing:
  • Locomotive control software was successfully hacked.
  • The PTC system was disabled and compromised.
  • The locomotive control panel displayed misleading and confusing data.
  • Inter-locomotive communications within a consist were broken; independent, uncoordinated activity and control of non-lead locomotives was established.
  • Wayside signaling was disabled and/or manipulated.
  • Alarmingly, the automatic and manual override signals to stop and start a locomotive in an emergency were blocked or masked.

These are just a few examples; the broader picture of operational technology risk includes the following:

  • Risk management teams have analyzed the exposure from train accidents at billions of dollars, a significantly higher multiple of damages than has characterized data leaks. Liability attached to operational cyberattacks where detailed mitigation plans are not in place and functioning (or are simply inadequate) has increased these multiples, because it includes penalties, punitive awards and interest on top of staggering damage amounts. It doesn’t help the railroads’ case that only $8 million of the $123 million spent on total cybersecurity was directed to operational technology security.
  • There is a growing recognition that the probability of a cyberattack on a railroad is not as remote as once believed. Threat intelligence has demonstrated persistent attempts by hackers and nation states to find and exploit vulnerabilities in critical infrastructure. Cyberattacks with physical consequences are growing exponentially, as multiple third-party reports show. Railroads have also discovered 1) that operational vulnerabilities are widespread and deep in the core of day-to-day operations and 2) that personnel in information and communication technology are spread among so many silos of risk specialties (largely data) that getting control of this issue is daunting. Fortunately and surprisingly, operating personnel are quick to identify many of the vulnerabilities, but the companies often lack the right culture and cybersecurity framework within which to take appropriate action.
  • Legal preparation for litigation involving operational technology is virtually nonexistent. This is a distinctly different question from whether the railroad has taken steps to comply with TSA mandates and implemented a cybersecurity plan. Damages will either soar or be contained depending on what plaintiffs uncover about the details (some documented and some not) of what corporate personnel have actually done and left undone. If it’s not in writing, for example, it is not done.

Each day that passes without appropriate action will make the claims against you and your company even harder to defend. Over the past decade, there have been increasingly urgent calls from several sources for critical infrastructure, such as rail, to implement comprehensive cybersecurity risk frameworks overseen by the highest levels of an organization. In response to the Cybersecurity Enhancement Act of 2014, for example, the National Institute of Standards and Technology recommended voluntary compliance by critical infrastructure owners and operators with its framework that focuses on “using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of an organization’s risk management processes.”

Since 2015, the Department of Homeland Security has recommended the implementation of its transportation-specific framework that includes the combination of external components, such as threat intelligence made available by the government, and internal components, such as cultural parameters that inform how cybersecurity risk management decisions are made. For those companies that have failed to adopt robust frameworks until only recently or have failed to audit and ensure that those frameworks at least complied with long-standing recommendations and threat indicators, it will be very difficult to defend against claims of negligence.

There is already evidence of failures to implement adequate cybersecurity frameworks. In one recent case, railroad tech personnel with knowledge of a vulnerability in the PTC system had not informed other senior corporate individuals, whose responsibility for operations and safety was therefore compromised, putting the organization at risk of cyber intrusions. This IT individual was not doing anyone a favor. The senior operating executive who wasn’t told had every reason to be angry. Nor was the legal department told, despite its responsibility for a wide range of documents containing representations of cyber preparedness and risk, which now include the state of readiness of operating rolling stock and communications. Such documents include D&O insurance (including adequacy of defense costs), bank reps and warranties, property and personal injury liability, and SEC filings (without 8-K amendments, which highlight changes in status).

What has further changed on this point? The failure of the individual with knowledge or well-rooted suspicion of a vulnerability puts the entire organization at legal risk if the threat is not documented and passed onward, upward, and crossways. The failure to track down realistic suspicions of inadequacy may give rise to liability for senior executives, whose expertise, experience and responsibilities require that they be proactive. This happened to the co-founder and CEO of a tech company whom the Federal Trade Commission held personally responsible for a cybersecurity breach when he was on notice of vulnerabilities but failed to implement reasonable security measures that could have prevented the hack.

The focus is not just on what has been done regarding cybersecurity, but also on what you say about it. A recent and relevant enforcement action by the Securities and Exchange Commission should be a wake-up call. The SEC charged Blackbaud Inc. with violations of the securities acts based on an omission in a 10-Q regarding the nature of data that was exfiltrated in a hack. At the time the 10-Q was issued, the internal IT team had discovered that more data had been stolen than originally believed, but had not yet communicated this to senior management. The company self-corrected and issued an 8-K that accurately conveyed the relevant information, but it was too late. According to the SEC, Blackbaud failed to disclose accurate and timely information. Blackbaud paid a penalty and settled the case.

The risks facing individuals also extend to their past incentive pay, bonuses and salary, depending on the nature of the individual’s wrongdoing. Apart from the contractual or statutory ability of the government or the company to claw back pay, there is an increased focus in the market on holding individual executives accountable to better incentivize them to meet their legal obligations. As Warren Buffett stated this year in reference to banks, if an executive gets the company in trouble, “both the CEO and the directors should suffer. You’ve got to have the penalties hit the people that cause the problems, and if they took risks that they shouldn’t have, it needs to fall on them if you’re going to change how people are going to behave in the future.”

Full, fair and more wide-open disclosure of operational cyber risks is now the evolving norm, replacing the language corporations used to use about “belief,” “all possible steps,” “secure,” “best technology available,” “robust,” and “adequate controls and defenses are in place.” New language being considered among companies is about “possibility,” “risks still exist,” and “areas of vulnerability are shifting and evolving.” With the SolarWinds breach, for example, class action claims against the CISO were allowed to proceed where the CISO had claimed the company’s security focused on “heavy-duty hygiene,” among other statements. The court allowed the claims to proceed because the “cybersecurity measures at the company were not as they were portrayed.” And in June 2023, the SEC made a preliminary determination to file a civil enforcement action against current and former company officers.

What to Do

The U.S. Navy and U.S. Army audited their top 70 weapon systems and discovered that two-thirds of them—M1 Abrams tanks, Stryker armored personnel carriers, self-propelled howitzers, Navy ship missile launchers, fighter planes and satellite communications—had been built with software and hardware that was not only vulnerable to new cyberattacks, but whose software might already have been compromised. (Many, including the 60-ton M1 Abrams tank, operate with the same operating platform and serial data buses as a 200-ton locomotive.)

What did the Navy do? The Secretary of the Navy pulled together a group of civilians and senior Navy officers to come up with a solution. The solution was a multidisciplinary team to cut across all lines of authority, silos and organizational boxes that defined authority and command of its 70 weapon systems. The team’s objective was to search for malware and put in place the necessary hardware and software to protect these mission-critical weapon systems from future attack.

What we are proposing is the same: a hybrid operating and legal team that identifies the main operating vulnerabilities, based on inside and outside sources of information, and helps the company assess and prioritize risks based on the seriousness of impact and the time and ease of fixing them. The purpose is to assist the C-suite in authorizing and prioritizing spending, organizing people and plans, and setting priorities. It is also designed to brief the board of directors and the committee chairs or individual board members charged with assessing the railroad’s risk and readiness. This approach is consistent with frameworks recommended by U.S. and international bodies that provide detailed protocols for recording, correcting and reporting engineering and cyber deficiencies.

Legal is important. Railroads will benefit immeasurably from a detailed litigation assessment integrating and identifying legal risks from cyberattacks and attacks on a railroad’s highly complex, technical, engineering, mechanical and communication-based operating system. The assessment would integrate with ongoing cybersecurity preparedness steps and coordinate responses across data and operational functions. It would also assess insurance strategies (such as disclosures and D&O, property, excess liability and cyber insurance policies), bank reps and warranties, shareholder disclosures in SEC filings, file review and retention policies at the operating level and CEO/Officer and board/committee levels. Importantly, counsel can help preserve privilege and create an environment in which candid disclosures of risks and solutions can be discussed before they are reduced to the cybersecurity plan or other documented interventions.

Path Forward: Why Invest in Preparedness?

There are multiple competing concerns facing railroads, including an economic downturn, increased corporate and operating expenses, inflation, wage pressure and limitations on price increases. However, investment in assessment and litigation preparation is a critical part of a cyber defense budget:

  • Litigation preparation, or the lack of it, will be judged after the fact by multiple outside parties.
  • Fees can be expensed and/or capitalized by allocation to operations and to cyber upgrades of rolling stock, track, signaling, PTC and NOCs.
  • Early investment can yield important benefits and provides an important response to legal challenges.

The time to test the evidence is not when producing it in discovery, at which point the record is set and nothing can be done to change how it will be perceived. The time to test it is now, before anything has happened and while protected by privilege.

To accomplish all these objectives, protect privilege, take advantage of a learning curve and relieve organizational constraints of sheer manpower and silos, we recommend a team consisting of: (1) litigators who have taken the time to understand railroad operations and cyber vulnerabilities, and who can coordinate and draw upon their firm’s cyber experience, rail operating governance experience and knowledge of cyber vulnerability and defense for rail operations; and (2) third-party railroad individuals with deep operating knowledge who also have legal, C-suite/board, financial, fiduciary and strategic experience, hands-on experience with and knowledge of the cybersecurity interface with operations, engineering and communications, extensive industry relationships, and knowledge of industry group and supply chain linkages. Together, this team’s objective is to put a plan in place that can be defended, and to update and litigation-proof the trove of operating and legal documents to ensure that a railroad is truly state-of-the-art in its defenses against the far-ranging cyber suits that will result from operational hacks.

Pick a number for damages from a cyberattack on operations, assign a probability of such attacks occurring and see if the result doesn’t justify a $2-$2.5 million legal/litigation/operating review, and upwards of $25 million of capex per year for 3 years to strengthen the operational vulnerabilities.

Remember, if something happens and the improbable occurs, the first question to management and the board will be, “Why weren’t you prepared? The signs were all around you!” You will be judged with 20/20 hindsight, with huge amounts of money on the line, and possibly your hard-earned equity and career.

Gil Lamphere is the former Chairman of the Illinois Central Railway, and former board member of CN, CSX, Florida East Coast Railway and Patriot Rail (Chairman).

Craig Wenner is a partner at Boies Schiller Flexner LLP. The firm is a globally recognized trial and arbitration law firm that specializes in litigation of large, complex cases including cybersecurity.
