In light of the growing concern over cybersecurity, the United States Department of Justice (“DOJ”) issued guidance last week on how to prepare for and respond to cyber attacks. Drawing on lessons learned by federal prosecutors while handling cyber investigations, and on input from private sector companies that have managed cyber incidents, the guidance contains a step-by-step guide on what to do before, during and after a cyber incident.
Specifically, the DOJ recommends having a plan in place before any cyber attacks occur. That plan should include identifying critical data and assets that warrant increased security, having the technology and services needed to respond to a cyber incident in place, having legal counsel who is familiar with legal issues associated with cyber incidents, and ensuring that your team knows who is responsible for what tasks in the event of an attack. If an attack happens, the DOJ recommends assessing the scope of the incident and working quickly to prevent any ongoing damage, collecting and preserving data related to the attack, and notifying law enforcement. The DOJ cautions against using any systems that have been compromised and against trying to “hack back” against the system involved in the attack.
The guidance was unveiled at a roundtable discussion on cybersecurity, during which Assistant Attorney General Leslie Caldwell explained in prepared remarks that “Cyber criminals commit their crimes because they see hacking as a low-risk, high-reward proposition.” The DOJ’s goal is to “alter that assessment.” Caldwell said the United States is number one in data breaches worldwide, at an estimated annual cost of no less than $400 billion. Thus, it is important for businesses to be prepared in order to minimize the damage from any attack.
Although not cited in the DOJ guidance, Data Security and Privacy Liability (“Cyberliability”) insurance should be considered as part of an organization’s plan in order to protect against some of the costs associated with a cyber attack. Companies considering placing or renewing cyberliability coverage should contact any Reed Smith Insurance Recovery Group attorney for advice.