Polsinelli - Privacy and Data Security


May 2015


DOJ Issues New Cyber-Incident Preparedness and Response Guidance







For more information about this alert, please contact:

Daniel L. Farris, Practice Area Vice Chair
Kathryn T. Allen

Additional Privacy and Data Security Leaders:

Gregory M. Kratofil, Jr., Practice Area Chair

The Department of Justice (DOJ) released new guidance on cyber preparedness and incident response last week, becoming the latest federal agency to do so in recent months. Newly sworn-in Attorney General Loretta Lynch has indicated that the investigation and prosecution of cyber crimes will be among the top priorities of her administration. Although the Guidance sets forth only voluntary standards, companies wishing to minimize potential liability in enforcement actions or civil litigation should take notice.

In releasing its "Best Practices for Victim Response and Reporting of Cyber Incidents," the DOJ's Cybersecurity Unit called upon law enforcement and private industry to share in the effort to improve systems that protect consumer information. The Guidance sets forth detailed steps to improve cybersecurity and breach response at all stages within the breach lifecycle, ranging from preparation and deterrence to incident notification, response, and ultimately remediation.

The DOJ standards are being viewed by many industry observers as the new benchmark against which corporate cyber-incident preparedness and response efforts may be measured. Although the proposed standards may not apply to all organizations in all instances, companies of all sizes would be ill-advised to ignore them. Failing to analyze the best practices and proactively implement applicable standards may leave companies open to accusations from regulators, class action plaintiffs, and even shareholders for failing to satisfy this new standard of care as set forth by the DOJ.

Implementing the standards, however, may prove more difficult and costly than some would expect. Many small-to-mid sized companies may lack the financial resources necessary to hire outside experts and invest in new technology that is not core to their business objectives. And while large companies likely have the financial wherewithal, their systems are large, sophisticated, and disparate, which can make consistent application of the standards more challenging. Still, failing to abide by the DOJ's step-by-step approach could leave companies that experience a breach open to new theories of liability and new claims of negligence.

The key for most organizations will be to focus on preparedness and breach prevention. Companies should not only harden their systems but also engage internal and external experts early, before a breach occurs. As some commentators have noted, there seems to be "sort of a gold-rush mentality" when it comes to privacy and data security. It is important for companies not only to make a plan, but also to ask their outside lawyers, accountants, and consultants to demonstrate substantive knowledge of and experience with data preparedness and breach response.

Managing Cybersecurity in Your Organization

Issues of Privacy and Data Security, and how to manage cybersecurity effectively for your organization, can be confusing. Tailoring a cybersecurity and incident response plan to fit your organization's size, business climate, regulatory environment, and perhaps most importantly, budget is key.

Preparing a Cybersecurity Plan

Calculated Preparation

  • Identify your organization's most prized assets. Determine which of your data, assets and services warrant the most protection, and decide how each class of assets will be protected differently.
  • Create a clear, concise and actionable response plan. Identify the lead response people in your organization's key departments, such as legal, public communications, and information technology and security, who will drive the response plan, and work with those leads to craft a plan that fits your organization's structure and needs.
  • Prioritize mission-critical processes. Work within your organization and with outside technical specialists to identify which data, networks or services are mission-critical to your organization's continued business, and prioritize those items within the response plan to ensure operational continuity during a crisis.
  • Establish important relationships. During any cyber-incident, time is of the essence, so establish relationships with, and identify contacts within, law enforcement and governmental organizations, as well as other computer incident reporting organizations, before any incident occurs. Draft a set procedure with each outside organization so that it can be called on quickly as a resource in the event of a cyber-incident.

Support During Crisis

  • Keeping records and logs. Things can get very hectic during a cyber-incident, so it is very important to keep detailed records of every step taken and every cost incurred to mitigate damage. Preserve the original system and network logs and, where possible, forensic images of affected systems before remediation alters them, since those are the records that a criminal investigation or a claim for damages will rely on. Determine in advance what information will be important when recovering damages from responsible parties and for any criminal investigation that results.
  • Communication with state and federal law enforcement. Identify the appropriate agencies to contact in the event of a cyber-incident, such as the FBI or the U.S. Secret Service for a criminal referral and the Department of Homeland Security's National Cybersecurity & Communications Integration Center for incident reporting, and work with those agencies to make the most of their resources and know-how.
  • Technical and operational specialists. For smaller organizations that do not have robust information or technical security resources, find a partner to assist in the onboarding and management of the third-party professional incident response experts you need.
  • Notification of affected parties. As of January 2015, at least 47 states have laws that require companies to notify individuals when their personal information has been compromised by an intrusion. Which laws apply generally depends on where the affected individuals reside rather than where the company is located, so determine your obligations under each of these laws as well as any additional obligations if you are in a regulated industry.

Post-Incident Audit

  • On-site review. It is important to ascertain from those who were "in the mix" during a cyber-incident what worked and what didn't. Conduct post-incident reviews with your organization's employees and stakeholders, third-party contractors and governmental agencies to assess the strengths and weaknesses of your organization's performance.
  • Recommendations for the future. Cyber-incidents can be very disorienting. Get your business back on track fast by minimizing lingering operational and reputational risks, and provide guidance on how to mitigate the weaknesses in your organization's security that the incident revealed so that it doesn't happen again.

For More Information

If you or your organization has questions or concerns about the DOJ's new cyber guidance or the creation and/or implementation of a cybersecurity plan, contact the author or a Polsinelli Privacy and Data Security team member.
Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. The choice of a lawyer is an important decision and should not be based solely upon advertisements.

Copyright © 2015 Polsinelli PC.