A gridlocked U.S. Congress has remained unable to pass comprehensive legislation on the growing cybersecurity threat, but federal agencies and industry groups are trying to step in and propose ideas for how companies can protect themselves. The latest to articulate best practices for cybersecurity is the U.S. Department of Justice, which has released a document outlining suggestions for victim response and reporting of breaches.
The best practices, issued by the DOJ’s Cybersecurity Unit, give companies struggling to get a handle on their own data security regimes advice on how to build a successful program. The DOJ also gives a few tips on what companies absolutely should not do.
Marcus Christian, a partner in Mayer Brown’s litigation and dispute resolution practice and its white-collar defense and compliance group, told CorpCounsel.com that as an assistant U.S. attorney and later an executive assistant U.S. attorney, he witnessed firsthand the department’s growing concern about cybersecurity. And in the past year or so, Christian noted, DOJ has been doing more to provide companies with resources about how to handle threats.
“This by itself isn’t going to create liability,” Christian said of the new best practices document, lest companies view any move by the Justice Department as ominous. “What I think we’re going to see though is as certain best practices crystallize, and when an authoritative organization puts together a list—and the DOJ is one of the most authoritative organizations—that is certainly the kind of thing that people should take notice of” and consider indicative of behavior the agency expects to see.
The DOJ advice includes some recommendations for how to prepare networks in case an attack occurs. It instructs companies, for example, to identify the “crown jewels” in their networks and pre-emptively create an actionable plan to respond to intrusions, one that includes concrete steps to follow and rules about who will “own” different aspects of the response.
Then the DOJ lays out broad steps for dealing with a breach when it happens, from Step 1—making an initial assessment of the nature and scope of the incident—all the way to Step 4—notification of those within the company, law enforcement and potential breach victims.
Brandon Robinson, a partner at Balch & Bingham, said he sees some themes in the guidance. “No. 1 is just to have a plan,” he said, whether the breach is yet to occur or has happened already. “Generally, the other important element of the guidance is maintaining your relationships beforehand,” he added. The DOJ emphasizes how companies should work with law enforcement agencies such as the Federal Bureau of Investigation and the Secret Service to prepare for a potential breach before it happens. Then there are the numerous other relationships that need to be solidified ahead of a breach, such as those involving both in-house and outside counsel, IT, public relations or crisis communications, and often the company’s third-party business partners.
While most of the DOJ document is devoted to what companies should be doing about cybersecurity, a portion is also devoted to what they should definitely not be doing. For example, they should certainly not use a communications system to inform others about a breach if the communications tools are housed within the breached system. This may be an easy mistake to make for a company in a hurry to address the problem and notify the appropriate people, particularly if the company lacks a specific action plan.
The DOJ stressed that companies also should never try to “hack back” against the cyber bad guys. “The concept of hacking back and having a strong offense, while it may make sense from a security perspective, from a political and socioeconomic perspective, it could be pretty dangerous,” noted Larry Ponemon, chairman and founder of the Ponemon Institute, a think tank that advances privacy and data protection. He explained that although hackers may appear to be working alone, they may be supported by nation-states, so by hacking back a company could be attacking much more than just an individual actor.
Jon Clay, senior global marketing manager at security software company Trend Micro Inc., agreed. “There’s a lot of collateral damage that could occur with someone doing a hack-back attack, especially if you don’t have the skills and you don’t have the ability,” he noted. “The other reality is that there are laws against that kind of thing.”
Although the DOJ best practices provide a 30,000-foot view of cybersecurity that is potentially helpful, the document should not be mistaken for a comprehensive cybersecurity plan for organizations. That has to be a bespoke plan crafted by the company, its counsel and other stakeholders. “Often, the creation of these types of programs requires experienced expertise in order to advance these programs internally and to advise on the risk, legal and regulatory issues that arise during the investigation and planning stages of this effort,” David Katz, a partner at Nelson Mullins Riley & Scarborough and head of the firm’s privacy and information security practice group, told CorpCounsel.com. “General counsel are wise to solicit outside help as they begin to digest this guidance and seek to implement it within their own organizations.”
Reprinted with permission from the May 6, 2015 edition of Corporate Counsel © 2015 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.