What is "cybersecurity" and why is it relevant to your business?
Broadly speaking, "cybersecurity" refers to public and private sector efforts to secure the nation's infrastructure against attacks designed to cripple government, defense, commerce, power grids, transportation, and/or other basic services critical to the nation's infrastructure. At one extreme, cybersecurity refers to national cyber-defense strategy against concerted cyber-attacks by foreign powers or terrorists (a/k/a "cyber-warfare"). At the other extreme, the term refers to persistent, sophisticated cyber-hacking, cyber-espionage and cyber-terrorism events, large and small, targeting individual government agencies and private corporations for purposes of sabotage or for acquiring sensitive intelligence information, government secrets and/or commercial trade secrets. These incidents do not only target Fortune 500 businesses; small- to medium-sized businesses have been a major target of cybercrime in recent years.
The Cybersecurity Framework
An executive order issued by the Obama Administration in 2013 launched an effort to promulgate a voluntary national framework under which government agencies and private sector businesses can establish and maintain minimum cybersecurity standards and practices. In 2014, the National Institute of Standards and Technology released a framework for private sector businesses, and amended it most recently in January 2017. Since the NIST framework was released, numerous federal laws have further "federalized" the area of private sector cybersecurity standards, especially for industries designated as critical to the country's infrastructure (such as public utilities, communications networks and defense contractors).
Businesses in all sectors, not only in defense and utilities, have reason to prepare for the U.S. cybersecurity regime. As a senior government official put it, "There are two kinds of businesses today: those that know they have been hacked, and those that don't know it yet." Any business that relies on networks and digital systems to conduct operations and store information assets is exposed to cyber-risk. The federal cybersecurity "framework" is likely to expand through federal and state regulatory structures and lead to multiple new compliance mandates and guidelines for all major economic sectors. In 2016, the Department of Defense ("DOD") issued a final rule to address cybersecurity in defense procurement contracts, likely signaling a larger trend across all federal procurement requirements. In the world of financial services, the Securities and Exchange Commission published regulatory guidance for financial firms in 2015. Evolving federal cybersecurity standards may also affect standards for civil liability associated with maintaining information systems and for the insurability of cyber-risks. Businesses will ignore these developments at their peril.
The Cybersecurity and Privacy team provides the following services:
Incident Response and Breach Preparedness: Data security incidents are routine and pervasive, but, increasingly, businesses are falling victim to sophisticated cyber-attacks (or "advanced persistent threats") designed not to steal customer data but to acquire company assets or to seize control of systems and disrupt business operations. Clients typically require outside legal advice in responding to these incidents, in managing the multiple consumer and regulatory notice obligations imposed by state and federal law, and in mitigating litigation risk. Our litigators and our privacy and health care lawyers have extensive experience in data breach preparedness and response programs. Often these services are coupled with assistance in developing relevant client security and incident response policies.
Privacy Policies, Data Security Policies, and Employee Training: The adoption of appropriate, written cybersecurity policies will be a cornerstone of corporate compliance efforts, including employee training programs, and of overall enterprise governance of cybersecurity practices. Our privacy and data security lawyers have substantial experience in developing these policies and in "best practices" approaches to information security governance and training.
Risk Assessments and Compliance: The foundation of cybersecurity preparedness is a comprehensive risk assessment. Risk assessments need to be informed by an organization's particular legal and regulatory compliance posture and liability exposures. Working with clients—and in some cases technical consultants—our lawyers help structure risk assessments, prepare cybersecurity compliance programs, and help clients implement them. Areas of compliance may include not only primary cybersecurity rules and guidelines but also such matters as export compliance, privacy and data security, computer crime laws, SEC disclosure requirements, health care legal requirements, employment practices, fraud prevention and other agency and industry "best practices."
Internal Investigations: Cybersecurity incidents, threatened incidents, data breaches and even routine compliance efforts may reveal circumstances that call for sensitive internal investigations. Wiggin and Dana's Litigation, White Collar and Regulatory Compliance practices have extensive experience in such investigations, and our team includes several partners with substantial prior government experience.
Government Investigations: Government regulators and state attorneys general are increasingly focused on security lapses in the private sector. The Federal Trade Commission, for example, has brought over a hundred enforcement actions in the last few years directed at private sector privacy and security practices. Government contracting practices are under increased scrutiny for their security implications. This compliance and enforcement environment translates into more investigations of data security incidents, data breaches, and other corporate missteps involving security systems or government data. As with internal investigations, our litigation, white collar, and compliance attorneys have extensive experience advising clients in their responses to such investigations.
Litigation: Although it remains to be seen whether cybersecurity regulations will create a new field for civil litigation, there is already a thriving class action industry in data breach litigation under existing state and federal laws. Standards of liability for security lapses are also likely to be affected as cybersecurity law and policy evolve. Businesses that are victims of cyber-attacks will likely find themselves sued in addition to their other compliance-related problems. Our litigators have extensive experience in defending consumer protection and privacy claims and in handling complex class action cases.
Cyber-risk in Procurement, Outsourcing Transactions and Supply Chains: As more companies outsource or send parts of their operations into "the cloud," procurement increasingly becomes a cybersecurity risk vector. How companies go about buying technology and technology-related services can have a significant impact on their cyber-risk profile. Many existing regulations obligate businesses to engage in reasonable due diligence and obtain appropriate, written contractual terms from vendors that have access to company systems and data. With the 2016 issuance of the Department of Defense cybersecurity rule for procurement, businesses that contract with the federal government can expect cybersecurity to be a prominent requirement for certain federal awards. Any comprehensive approach to managing cyber-risk will involve appropriate procurement and supply chain management policies and practices. Our outsourcing and technology group regularly advises clients on these issues in connection with individual transactions and procurement policies.
Cyber-liability Insurance Products: Lawyers in our Insurance and Litigation practice groups have extensive experience in advising on insurance coverage disputes. Our insurance lawyers have also helped insurers develop new cyber-liability insurance products.
What kinds of businesses should be addressing cybersecurity risks?
Businesses in economic sectors identified by the government as "critical infrastructure," which include public utilities, defense contractors, health care, manufacturers, technology companies, banking and financial services companies, and transportation businesses.
All other businesses that:
- maintain substantial proprietary information and intellectual property on information systems, whether internal or outsourced;
- contract with, or are otherwise in the supply chain for, "critical infrastructure" businesses or the government, and therefore need to keep pace with the evolving requirements for the critical infrastructure;
- are already subject to state or federal regulatory requirements pertaining to information security (e.g., financial services, health care, education);
- are critically dependent upon the security of their data and information systems to operate and maintain business continuity; or
- for reputational, risk management and brand-protection reasons, seek to limit their exposure to public data breach and cyber-hacking incidents.
What about small and medium-sized businesses?
Small- and mid-sized businesses may assume that they can avoid serious cyber-risk if they just sit quietly and keep their heads down. But the facts indicate otherwise: several major industry studies have emphasized that cyber-assailants are finding some of their richest targets in smaller—and less prepared—businesses. The answer for such businesses is not "zero preparation," but appropriate preparation.