CYBERATTACKS PROMPT DECLARATION OF NATIONAL EMERGENCY
In March, Lockheed Martin Corp., a leading security company serving critical infrastructure industries, confirmed that it has seen significant growth—it used the term “sea change”—in the workload of its cybersecurity division since 2013.
Further, Lockheed Martin projects that demand for its cybersecurity products will continue to grow into 2020, particularly among utility, oil and gas, chemical, and financial customers. This should not come as a surprise given the increased focus on data breaches by the media, U.S. government and practically everyone else. But whereas headline-generating hacking scandals involving big-name companies like Target, Sony Pictures, and Anthem/BlueCross BlueShield primarily threatened individuals’ privacy and security, mounting concern is being directed toward cyber warfare conducted against targets with significant national security implications.
Indeed, the threat of a serious cyberattack has escalated past the point of mere concern. On April 1, 2015, President Obama declared a national emergency surrounding the issue in an executive order that calls the “increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States…an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”
In the wake of the White House’s strong words of warning, all companies, but especially companies responsible for or with ties to critical infrastructure or national defense, would be wise to take steps now to comply with all privacy and security laws and regulations—of which there are many, on both the federal and state levels. It is also crucial that companies adopt all commercially reasonable precautions, whether or not required by law, to avoid the loss, and unauthorized disclosure and use, of confidential information and devise a sound plan of action that could be quickly implemented should a data breach occur.
Unfortunately, cyberattacks can be difficult to detect before the damage is done. A large manufacturer with significant government and private-sector contracts, for example, recently experienced the misappropriation of highly sensitive information when a likely-foreign hacker bypassed its firewall and infiltrated its system as long as a year before the breach was discovered. It seems that the hackers were able to implant malicious—and stealthy—software on the company’s servers that lay dormant and undetected until activated by the hackers for the purpose of mining the manufacturer’s data.
Our attorneys, led by Gary Schober and Michelle Merola, were called upon to represent the manufacturer in the subsequent—and ongoing—investigation into the incident. We have teamed with the client and others to determine the origins, scope and impact of the attack. To this end, one of the leading forensic IT consultants in the country was retained to analyze our client’s system—the idea being that, after we have determined how the breach occurred, we can take remedial steps to minimize the damage to our client’s data and reduce the likelihood that another security breach will occur.
Companies in this situation run the risk of being labeled an “unintended accomplice” to a security breach if investigators find that, among other things, inadequate infrastructure, training, and practices in any way encouraged or aided hackers’ malicious actions. That’s why preventative steps are so crucial. In the unfortunate event that your company is hacked, investigators will evaluate your preexisting security measures relative to existing technology and industry standards, and they will be looking for evidence of culpability—a finding that could be seriously damaging, on top of any negative publicity from the breach itself.
Cyber Risk: Tips for Limiting Exposure
- Recognize that all companies are vulnerable to cyberattack and that your company’s cybersecurity cannot simply be relegated to the IT department. It should be a major concern and responsibility of all C-suite executives and board members, who can be held accountable when data breaches do occur.
- Establish a cybersecurity review committee to assess your company’s unique cybersecurity needs and goals; identify the systems, assets, and data that require protection; and determine what threats your company faces.
- Adopt policies and practices that will reduce the risk of a security breach.
- Permanently delete any unnecessary personal and other sensitive data. Encrypt any data that you must keep, and implement other technological safeguards as appropriate.
- Develop and test a data breach response plan. Establish in advance contacts with forensic investigators to ensure a timely response in the event a data breach does occur.
- Review and reassess the cybersecurity measures you are contractually obligated to meet by reviewing existing agreements and any applicable law.
- Reevaluate the security promises/assurances you communicate to third parties or otherwise agree to meet in the future.
- Review third-party vendor agreements for cybersecurity clauses and provisions; ensure third-party access to sensitive information is limited.
- In the event of an acquisition or other significant business transaction, conduct proper cybersecurity due diligence.
- Update cyber risk disclosures in SEC filings and other investor disclosures.
- Train employees to prevent, identify, and report cybersecurity threats.
- Remind employees that even “private” e-mails could be made public if the company is hacked.
- Your insurance may not cover a data breach. Review your policy, and if necessary, consider a specialty cybersecurity insurance product.