The Department of Justice (DOJ) released new guidance on cyber preparedness and incident response last week, becoming the latest federal agency to do so in recent months. Newly sworn-in Attorney General Loretta Lynch has indicated that the investigation and prosecution of cyber crimes will be one of the top priorities of her administration. Although the Guidance sets forth only voluntary standards, companies wishing to minimize potential liability in enforcement actions and/or civil litigation should take notice.
In releasing its "Best Practices for Victim Response and Reporting of Cyber Incidents," the DOJ's Cybersecurity Unit called upon law enforcement and private industry to share in the effort to improve systems that protect consumer information. The Guidance sets forth detailed steps to improve cybersecurity and breach response at all stages within the breach lifecycle, ranging from preparation and deterrence to incident notification, response, and ultimately remediation.
The DOJ standards are being viewed by many industry observers as the new benchmark against which corporate cyber-incident preparedness and response efforts may be measured. Although the proposed standards may not apply to all organizations in all instances, companies of all sizes would be ill-advised to ignore them. Failing to analyze the best practices and proactively implement applicable standards may leave companies open to accusations from regulators, class action plaintiffs, and even shareholders for failing to satisfy this new standard of care as set forth by the DOJ.
Implementing the standards, however, may prove more difficult and costly than some would expect. Many small-to-mid sized companies may lack the financial resources necessary to hire outside experts and invest in new technology that is not core to their business objectives. And while large companies likely have the financial wherewithal, their systems are large, sophisticated, and disparate, which can make consistent application of the standards more challenging. Still, failing to abide by the DOJ's step-by-step approach could leave companies that experience a breach open to new theories of liability and new claims of negligence.
The key for most organizations will be to focus on preparedness and breach prevention. Companies should not only harden their systems, but engage internal and external experts early, before a breach occurs. As some commentators have noted, there seems to be "sort of a gold-rush mentality" when it comes to Privacy and Data Security. It is important for companies to not only make a plan, but to be sure to ask their outside lawyers, accountants, and consultants to demonstrate their substantive knowledge and experience handling data preparedness and breach response efforts.
Managing Cybersecurity in Your Organization
Issues of Privacy and Data Security, and how to manage cybersecurity effectively for your organization, can be confusing. Tailoring a cybersecurity and incident response plan to fit your organization's size, business climate, regulatory environment and, perhaps most importantly, budget is key.
Preparing a Cybersecurity Plan
- Identify your organization's most prized assets. Determine which of your data, assets and services warrant the most protection, and how to protect each class of assets differently.
- Create a clear, concise and actionable response plan. Identify the lead response people throughout your organization's key departments, such as legal, public communications, information technology and security, who will drive the response plan and work with those leads to craft a response plan that is unique to your organization's structure and needs.
- Prioritize mission-critical processes. Work within your organization and with outside technical specialists to identify what data, networks or services are mission-critical to your organization's continued business and prioritize those items within the response plan to ensure operational continuity during a time of crisis.
- Establish important relationships. During any cyber-incident, time is of the essence; therefore, it is important to establish relationships with, and identify contacts within, law enforcement and governmental organizations as well as other computer incident reporting organizations before any incident. Establish these contacts and draft a set procedure with each outside organization that will maximize them as a resource to you in the event of a cyber-incident.
Support During Crisis
- Keeping records and logs. Things can get very hectic during a cyber-incident, so it is very important to keep detailed records of whatever steps are taken and costs are incurred to mitigate damage. Determine what information will be important when recovering damages from responsible parties and for any criminal investigation that results.
- Communication with state and federal law enforcement. Identify the appropriate law enforcement agencies, such as the Department of Homeland Security and the National Cybersecurity & Communications Integration Center, that need to be contacted in the event of a cyber-incident, and work with those agencies to maximize their resources and know-how for you.
- Technical and Operational Specialists. For smaller organizations that do not have robust information or technical security resources, find a partner to assist in the onboarding and management of third-party professional incident response experts that you need.
- Notification of affected parties. As of January 2015, at least 47 states have laws that require companies to notify customers when their data has been compromised by an intrusion. Determine your obligations under each of these laws as well as additional implications if you are in a regulated industry.
- On-site review. It is important to ascertain from those who were "in the mix" during a cyber-incident what worked and what didn't. Conduct post-incident reviews with your organization's employees and stakeholders, third-party contractors and governmental agencies to assess the strengths and weaknesses of your organization's performance.
- Recommendation for the future. Cyber-incidents can be very disorienting. Get your business back on track fast by minimizing lingering operational and reputational risks and providing guidance on how to mitigate the revealed weaknesses in your organization's security so that such an incident doesn't happen again.
For More Information
If you or your organization has questions or concerns about the DOJ's new cyber guidance or the creation and/or implementation of a cybersecurity plan, contact the author or a Polsinelli Privacy and Data Security team member.