Every day brings more Wall Street Journal coverage of new
computer break-ins or an update on earlier break-ins that are worse than
previously thought. This rash of heavily publicized hacker attacks on
corporate systems has corporate managers questioning how safe their
systems are, what they can do to prepare in advance for an attack, how
they should respond, and what their liability exposure in the event of
an attack. Additional issues include: what can be done to protect
consumers, customers, and trade secrets; reduce losses; minimize
potential damages; protect shareholder value; and otherwise control the
problem as much as possible. Some due diligence steps that should
be taken include the following:
- Set up an intracorporate Emergency Response Team now, in advance of any attack. Do not limit its members to IT staff. Effective incident response
requires a broad range of corporate talent. Include the corporate risk manager, corporate privacy officer, compliance director, CFO, HR
department, the company's physical security director, an in-house spokesperson and in-house counsel. Document each person's duties. The CEO and the
corporate board should be advised and sign off on the make up of the Response Team and their authority.
- The Response Team should meet monthly to go over contingence plans and review the current intrusion trends. These meetings should also contain a
report from the IT staff about what type of probing the network is receiving from the Internet. Unusual IP addresses that are repeatedly probing
the system should be noted. In the event of an intrusion, the Team can quickly form an organized response that minimizes losses and confusion
and makes decision about contacting law enforcement agencies, determines whether outside forensic assistance is necessary and determines
immediately if customers need to be alerted to any data compromises.
- Only one person speaks to the press. The company spokesperson clears all comments through the Response Team and upper management.
- The Response Team should reach out and identify local law enforcement agents such as the FBI, the U.S. Secret Service or local police cyber teams
before any break-in. Join private sector reach out programs sponsored nationally by these agencies such as the FBI InfraGard program, and U.S.
Secret Service Computer Crime Task Force. A Response Team member should attend their quarterly meetings of these groups to get updated
information about current cyber attacks and to gather business cards from agents that specialize in countering cyber attacks. Once you return to
the company, circulate the meeting results and the agent contact information to other members of the Team.
- Consider the rapidly expanding corporate liability for protecting personal information. Twelve states require corporations to provide security for
personal information. Three states impose a specific duty to protect credit card information. Additionally, six states require the encryption of
personal information held by companies. As a result, inside the company, identify, isolate and/or encrypt the critical assets of your
company. This includes stored trade secrets, emails regarding advanced project research, patent research, customer lists, employee healthcare
information, stored credit card information and any personal information you save on your customers and employees.
- Insure that outside corporate vendors have security that meets or exceeds your security standards. .
- At one level, computer security is a check off the box exercise. Determine a
recognized computer security program that applies to your
industry and corporate activities. Apart from the Payment Card Industry Data Security Standards used to protect credit card information, most
security standards such as HIPAA and NIST will provide you with flexible standard that can be used across the company and achieve "reasonable
security under the circumstances." After the boxes are checked, steps need to be taken to insure that internal security standards are actually
- Discuss with outside legal counsel, as part of their cybersecurity audit, the advisability of having them hire an outside forensic company to
"tiger team" your system for potential holes. They should conduct penetration tests, scan your systems for vulnerabilities and map out your network
structure.. Their report to legal counsel should be evaluated and used as actions items by the corporate Response Team.
- Obtain, or at least evaluate obtaining, intrusion insurance. The costs are coming down for insurance products offered by some of the largest and
- Have the Response Team prepare potential media responses that account for various scenarios: lost trade secrets, lost consumer information, denial
of service attacks, etc. Spontaneous comments are no good and "no comment" will often lead to reporters contacting employees for informal
comments. It’s better to have a corporate response that is thought out and appropriate if questions are asked.
- Recognize that in almost all states, lost consumer information with have to be quickly notified about the breach. As soon as an event happens, the
Response Team needs to start tracking the names of consumers who have been put at risk.
- If your company webpage has advertising, make sure you know who is placing the advertising on a continuing basis. Malvertising is a growing threat
to your consumers going to your webpage and trusting you on securing the site.
Perfect information protection is not possible and the evolving nature of hostile technology is reflected by the daily news. But, keep in mind,
corporate protection from liability is established by a showing of due diligence both before and after a computer intrusion.
McGuireWoods Global Data Security Team
Counseling regarding data protection, including global data breach and
privacy issues, is one of the services of McGuireWoods'
Technology & Outsourcing practice,
which provides legal services for business transactions driven by
technology. Foremost among our diverse services are IT procurement,
outsourcings, e-commerce transactions, data security, and dispute
prevention and resolution. Our clients include Fortune 100 corporations,
governmental entities, nonprofit organizations, and emerging business
enterprises spanning the industry spectrum.