Hardly a day goes by without a headline about a cyberintrusion. No entity is immune — international retailers, airlines, hotels, mom and pop stores, cloud providers — even the U.S. government. However, it seems that few businesses contemplate how important it is for their attorney to know and understand cybersecurity, as well as know what to do when a cyberintrusion occurs.
The U.S. government — itself a cybervictim — provides the guidance we have been waiting for. The Cybersecurity Unit, part of the Computer Crime & Intellectual Property Section (CCIPS) within the Department of Justice Criminal Division, earlier this year issued its Best Practices for Victim Response and Reporting of Cyber Incidents.
The Cybersecurity Unit is responsible for implementing the Department’s national strategies in combating computer and intellectual property crimes worldwide. CCIPS prevents, investigates and prosecutes computer crimes by working with other government agencies, the private sector, academic institutions and foreign counterparts.
Of course, many DoJ employees are lawyers who have to assess crimes and help prosecute the bad guys. The CCIPS therefore is actually one of the best sources of information about cyberintrusions.
The DoJ report includes 15 pages of best practices. This column focuses on just one of them, but you might want to look at the entire report.
Why Should Your Lawyer Know Cyberlaw?
It is a best practice for every business to have “legal counsel that is familiar with legal issues associated with cyber incidents” and with technology and cyberincident management, since “cyber incidents can raise unique legal questions,” according to the DoJ. “An organization faced with decisions about how it interacts with government agents, the types of preventative technologies it can lawfully use, its obligation to report the loss of customer information, and its potential liability for taking specific remedial measures (or failing to do so) will benefit from obtaining legal guidance from attorneys who are conversant with technology and knowledgeable about relevant laws (e.g., the Computer Fraud and Abuse Act (18 U.S.C. 1030), electronic surveillance, and communications privacy laws),” the report reads.
“Legal counsel that is accustomed to addressing these types of issues that are often associated with cyber incidents will be better prepared to provide a victim organization with timely, accurate advice.
“Many private organizations retain outside counsel who specialize in legal questions associated with data breaches while others find such cyber issues are common enough that they have their own cyber-savvy attorneys on staff in their General Counsel’s offices.
“Having ready access to advice from lawyers well acquainted with cyber incident response can speed an organization’s decision making and help ensure that a victim organization’s incident response activities remain on firm legal footing.”
The legal issues get more complicated when you consider that 47 states currently require relatively swift investigation and reporting to individuals when a cyberintrusion is detected. It is pretty obvious that the lawyers representing companies need to understand these state reporting requirements. The U.S. Congress is considering a federal law to replace the 47 state laws to create uniformity.
Credit Card Cyber-Risks
Financial services is another area that demands that lawyers be cyber-savvy.
The PCI (Payment Card Industry) Security Standards Council regulates security for credit card processing. The PCI was established in 2006 by American Express, Discover Financial Services, JCB International, MasterCard and Visa. It created a set of data security standards (DSS), which govern the rules for IT security for companies that process credit card information. They require companies that have experienced a cyberintrusion to permit a PCI investigation through the PCI Forensic Investigator (PFI) Program.
Even though the PCI DSS are not laws, compliance may require legal assistance, and, once again, that means the lawyers need to understand those standards. Some states think that credit card security should be regulated by law rather than by the credit card companies, but since 2006, no state has enacted any such laws.
Healthcare Data Security
Lawyers who represent healthcare providers need to understand HIPAA (Health Insurance Portability and Accountability Act of 1996), which impacts virtually everyone in the U.S. Also, they need to understand applicable state laws.
“Data breaches could be costing the industry (US)$6 billion,” according to the Ponemon Institute’s May 2015 Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data.
More than 90 percent of healthcare organizations that participated in the survey experienced a data breach, and 40 percent reported more than five data breaches over the past two years.
The Ponemon Institute study gathered data from 90 HIPAA-covered entities and 88 business associates, or BAs. “For the first time, criminal attacks are the number one cause of data breaches in healthcare. Criminal attacks on healthcare organizations are up 125 percent compared to five years ago,” the report notes.
“The percentage of criminal-based security incidents is even higher; for instance, web-borne malware attacks caused security incidents for 78 percent of healthcare organizations and 82 percent for BAs,” it says. As a result, healthcare lawyers need to be alert to cybercrimes aimed at protected health information.
What About Your Lawyer?
Because cyberintrusions are now a fact of life, you need to be sure your lawyer can help your company protect itself.
When bad things happen, your lawyer needs to be able to help navigate your company through the web of resulting problems.