Advising Clients on Cybersecurity | Practical Law

A discussion of some of the key issues that counsel must be prepared to address in advising their clients on cyber attacks and cybersecurity. This Legal Update includes links to relevant resources concerning this topic.

Advising Clients on Cybersecurity

Practical Law Legal Update 3-532-2602 (Approx. 4 pages)

by PLC Intellectual Property & Technology
Published on 18 Jun 2013 | USA (National/Federal)

New Technologies Bring New Responsibilities

In recent years, new and expanded uses of technologies such as mobile devices, social media and cloud computing have enlarged the attack surface available to cyber criminals. As a result, in addition to other compliance matters (for example, SEC, Sarbanes-Oxley and Dodd-Frank Act compliance), companies' Chief Compliance Officers (CCOs) are now also typically responsible for:
  • Deterring cyber attacks.
  • Containing any attacks and minimizing any financial or reputational harm.
Counsel can play a crucial role as CCO, or in assisting the CCO and other responsible parties, to prevent and remedy cybersecurity breaches and comply with controlling data privacy and security law requirements. This includes assistance in:
  • Developing a cyber incident response plan.
  • Planning and implementing cyber attack recovery, mitigation and remediation.
  • Considering and preparing post-attack public disclosures and announcements and handling public relations.
  • Reporting cyber crimes.
  • Cooperating in law enforcement investigations.
  • Pursuing civil and criminal remedies.
  • Obtaining appropriate cyber liability insurance coverage.
Some companies delegate responsibility for computer systems security to their chief information officer (CIO). The CIO is usually responsible for protecting access to a company's information technology (IT) system and the privacy and security of information on that system. Some companies also have a chief privacy officer.
Whatever the company's organizational structure, the CCO must coordinate with the CIO and other company departments to prevent cyber attacks. The CCO must also work closely with the CIO to understand the steps being taken to deter these attacks. To some extent, the CCO also operates as a chief security officer and must therefore:
  • Set up policies and procedures for employees to follow.
  • Monitor the occurrence of possible cyber attacks.

Common Cyber Attack Scenarios

Cyber attacks often fall into one or more common scenarios. Effective cyber incident response plans prepare for these common scenarios in advance and provide preliminary investigatory questions for each scenario. Obtaining fast and accurate answers to these questions helps shape and expedite the investigation.
Some common cyber attack scenarios and initial areas of their investigation include:
  • Inside Jobs. An employee or contractor working at a company may exploit his position to hack the company's computers or otherwise compromise its IT systems. In this case, companies should immediately ask:
    • Who is the subject of the investigation?
    • What is his position and tenure with the company?
    • How tech savvy is the subject?
    • What is his ability to harm the company?
    • What kinds of digital devices does the subject typically use (for example, PC, laptop or mobile phone)?
    • What kinds of data and data systems does the subject have access to?
    • Are audit trails available that show what systems the subject commonly accesses?
    • What are the company's policies regarding digital devices and remote access to its systems?
    • What are the policies regarding permissible behavior on the company's network?
  • Social Engineering. Social engineering is an attack technique that uses low-tech or non-technical approaches to persuade people to bypass security procedures and disclose sensitive information. An example is an attacker impersonating company IT personnel and calling unsuspecting employees to get them to reveal confidential information, such as passwords or access codes, or which anti-virus product the company uses (a detail that helps the attacker craft malware to evade it). When social engineering is suspected, companies should immediately ask:
    • What information was potentially disclosed or breached?
    • What system at the company was targeted?
    • How was the attack discovered?
    • Was the company notified by the victim or another affected party?
    • Is there a reporting process in place for social engineering attacks?
    • Are complete phone logs available?
    • What company or system weakness allowed the attack to succeed?
  • Exploitation Malware. Viruses and other malware that exploit vulnerabilities in a company's computer systems are prevalent. For example, attackers may introduce them by tricking employees into opening infected e-mail attachments or links. Some malware is designed to steal confidential information such as social security numbers, credit card numbers and bank account login credentials.
    The cyber incident response plan must contain procedures to defend against malware and, following a cyber attack, must ensure that an investigation is done to ascertain whether any information has been stolen. In practice, however, IT departments commonly wipe and rebuild infected systems right after an attack without first checking whether confidential information was taken, which destroys the evidence (disk images, memory, logs) that the investigation needs. Evidence should be preserved before the system is cleaned.
  • Extortion and Blackmail. A company may receive threats from individuals claiming to have hacked its website or computer systems, offering to return stolen confidential information in exchange for money or property. These extortionists frequently target small businesses because of their perceived inability to fight back.
    In this case, the company must conduct an immediate threat assessment to determine whether its computer systems have been attacked and, if so, how it was accomplished. Companies can:
    • Verify whether the extortionist has done what he claims by isolating the systems that may be affected and examining them for evidence of compromise.
    • Determine the feasibility of restoring critical systems where a denial of service attack affects critical infrastructure. This includes assessing whether restoring service will impair the collection of evidence in the investigation.
    • Document all aspects of the investigation and secure and preserve all evidence, including logs of critical system events.
Counsel should be prepared to address each of these cyber attack scenarios and the preventative and responsive measures that the company or client must take to comply with legal and regulatory data privacy and security requirements.
For a deeper review of these strategic considerations and more, see Practical Law Intellectual Property & Technology’s Practice Note, Cyber Attacks: Prevention and Proactive Responses by Vince Farhat, Bridget McCarthy and Richard Raysman, Holland & Knight LLP, from which this Legal Update has been excerpted.
For more information and practice tips on cyber attacks and other critical cybersecurity issues, see: