Recent highly publicized cyberattacks, including WikiLeaks’ dump of CIA documents in early March and the hack of the Democratic National Committee in 2016, underscore the threat that both companies and government agencies face from cyberattacks. Now more than ever, companies should be cognizant of the imminent risk of attack and the potential catastrophic effects. In a December 2015 report, the Association of Corporate Counsel found that one-third of reporting companies had experienced a data breach within the past few years. Cybersecurity and privacy issues impact every industry and present ongoing challenges that must be clearly understood and addressed by executive management and at the board level.
Cyberattacks often fall into one or more common scenarios, which include insider attacks, social engineering, exploitation malware, extortion and blackmail, and ransomware.
In an insider attack, employees or contractors may exploit their positions to hack the company’s computers or otherwise compromise its IT systems. Social engineering is a hacking technique that uses low-tech or nontechnical approaches to persuade people to bypass security procedures and disclose sensitive information, most often through email “phishing” or in-person interaction aimed at uncovering access codes and passwords. Exploitation malware – commonly viruses and malware that infect systems through emails – exploits vulnerabilities in a company’s computer systems and can steal Social Security numbers and bank account information. Under an extortion and blackmail scenario, a company may receive threats from individuals claiming to have hacked its computer systems, offering to return stolen confidential information in exchange for money. Ransomware attacks combine malware and extortion attacks, and typically occur when attackers install malware that makes a company’s systems or data inaccessible, then demand payment to release the systems or data back to the company, often through hard-to-trace online payment methods such as Bitcoin.
A number of federal and state criminal and civil laws are potentially implicated in a cyberattack. The Computer Fraud and Abuse Act (CFAA) is the main federal criminal statute regulating computer crimes. The CFAA criminalizes accessing computers without authorization and governs cases involving computers used by or for a financial institution or the U.S. government, or computers used in interstate or foreign commerce. The penalties for committing CFAA offenses range from imprisonment for up to one year for simple cyber trespassing to life imprisonment when death results from intentional computer damage. The Wiretap Act, as amended by the Electronic Communications Privacy Act, prohibits the interception, use or disclosure of wire and electronic communications and allows for civil and statutory damages. The Stored Communications Act makes it illegal to intentionally access, without authorization, a facility through which an electronic communication service is provided. Offenses are punishable by fine and/or imprisonment. Civil and criminal actions may be available for copyright infringement under the federal Copyright Act and trademark infringement under the federal Lanham Act or state trademark law. The Digital Millennium Copyright Act prohibits the circumvention of technological anti-piracy measures built into most commercial software that control access to copyrighted works. Further, the Racketeer Influenced and Corrupt Organizations Act (RICO) provides criminal penalties, including up to 20 years of imprisonment, for acts performed as part of an ongoing criminal organization.
Where trade secret theft is involved, a civil action may be commenced under the relevant state trade secret act or common law. Under the California Penal Code, it is illegal to knowingly and without permission access and damage any computer system in order to defraud or extort.
In today’s environment, companies should be proactive in preparing for and resolving cyberattacks, and in addressing any resulting crisis management, legal or insurance issues. One step that companies can take is to engage an outside consultant to conduct risk assessments for business lines or an entire enterprise. Working closely with senior management and a company’s IT, compliance and legal departments, an outside cybersecurity consultant can assist a company in critically analyzing cybersecurity and privacy organization and governance, policies and procedures, as well as technology and controls that are within the company’s desired scope and tailored to the company’s needs. The end result provides for actionable recommendations that can be immediately deployed by the company.
In selecting a cybersecurity consultant, companies should consider whether they want to also engage outside legal counsel to assist in overseeing the testing of their cybersecurity infrastructure so that at least some aspects of the process can potentially remain confidential.
There is no avoiding the fact that breaches are inevitable and part of doing business in today’s data-driven marketplace. Well-rounded preparedness and testing are crucial to responding properly and mitigating liability.
VINCE L. FARHAT, PARTNER – HOLLAND & KNIGHT [email protected].
JOHN A. CANALE, ASSOCIATE – HOLLAND & KNIGHT [email protected]