There’s no doubt that e-commerce has made businesses vulnerable to Internet security threats. Front-page headlines — like the denial-of-service attacks that brought down Yahoo!, the “I Love You” e-mail attack, and others — have caught the attention of even the most casual Internet observer. And for every high-profile case that goes public, there are hundreds more that don’t make the news. In fact, Pinkerton’s recent survey of Fortune 1000 corporate security professionals confirms that the potential threat to Internet sites and computer networks is their second-biggest security concern after workplace violence. And a recent survey by the Computer Security Institute and the San Francisco FBI’s Computer Intrusion Squad found that 90 percent of respondents — primarily large corporations and government agencies — detected computer security breaches within the last 12 months.

What can a company do to be prepared for a cyber-attack? The answer is surprisingly simple. Design a data security response plan now. Every company that operates on the Internet should establish a procedure for handling Internet security incidents — before they happen. Unprepared companies whose data system is victimized can lose more than time and data — they are open to liability issues, loss of intellectual property, damage to reputation, and erosion of customer trust.

Here are 10 steps your client companies should take to combat Internet security threats:

1. Start now! No matter how good a company’s tech team is, it could be a victim. If intruders can’t get into a company’s system, they can still spoof, spam, set up a lemon site, or hit the company internally. Nobody is invincible. Every company should make the time to protect itself now, no matter how busy a firm might be with those critical startup business issues. It shouldn’t wait until everything is up and running smoothly. It never runs smoothly.

2. Develop an incident response plan.
An incident response team should be established with designated employees from the following areas: technical, legal, administrative and public relations. Designate a boss or team leader — the incident response coordinator — and a lead department. Establish a formal line of communication within the team. Once the team is identified, put it to work immediately to design a comprehensive incident response plan. At a minimum, the plan should include immediate incident reporting procedures, follow-up reporting procedures, the coordinator’s contact information, and a list of the team members. The plan should be put on paper and made freely available. Employees on the front lines of a potential attack — such as the information systems department, online help desks, and phone and online customer service representatives — should be briefed on the plan and know whom to contact and what steps to take in the event of an incident.

3. Develop an immediate technical response. An incident has occurred, and everyone is lined up to react. Now what? The technical response team needs to jump in immediately with an action plan that focuses on ending the offensive conduct as quickly as possible. The specific response is contingent on the incident. Perhaps the company needs to communicate with third-party hosts or servers who may wittingly or unwittingly be facilitating the breach. Or, for an infringing or counterfeit Web site, contact the Web site server (if known) and request a site shutdown. Then steps should be taken to analyze saved programs (such as viruses) involved in the incident. A comprehensive written report should be prepared — be sure to assign this responsibility early on to ensure that all of the available facts, including information on the initial notification, technical response, accumulation of evidence, and public relations response, are incorporated.
If the damage to the company’s system was severe, or revealed a potentially severe weakness, it should consider moving beyond its in-house Internet security resources to engage a third-party security consultant. Independent consultants are also effective at detecting internal or employee-related security breaches.

4. Preserve the evidence. Evidence is critically important, for legal and technical reasons. Evidence helps diagnose the security breach and determine the best technical response. Evidence also supports a legal response. So a company should obtain and preserve all available evidence of the incident. In each case, this includes the initial correspondence notifying the firm of the incident and all electronic communication related to the incident. From there, the type of evidence depends on the situation. If the breach infringes or counterfeits the Web site, the technical team should collect color “screen prints” of the Web site and all related pages, an electronic and hard copy of the Web site’s HTML code, and a copy of any interactive program (such as a virus) related to the site, along with screen prints of the downloading and execution of the virus. If the company has been spammed or spoofed, collect copies of the message(s) and catalogue the identities of the targeted recipients. This could reveal patterns that help identify the sender.

5. What did it cost? Next step — the company should assign the administrative team to crunch some numbers. What impact will the incident have on the company financially? Certainly, this will be needed for business reasons; the company will also need this information, with supporting evidence, for its lawyers. The aim is to measure downtime and/or system slowdowns caused by the incident, as well as the amount of time spent and expenses incurred to resolve the attack and restore the Internet infrastructure to full working order, including labor and material costs. More difficult to determine are the lost opportunity costs.
To what degree are lost sales and increased expenses expected due to redirection of customer communications from the Web site to phone lines and other media? Evidence of costs, expenses, and damages should be retained.

6. Staying coordinated — the administrative response. The unsung heroes of the incident response plan will probably be the administrative team — those people responsible for coordinating team member responses and communicating with relevant people inside and outside the company. This is critical. All team members must be promptly informed of developments and their potential impacts for them and the company. This means keeping the lines of communication up and running with all staff, outside contractors (including lawyers), and the operations folks who can wrap the incident in a business perspective.

7. Let the lawyers take a look — the legal response. The legal team needs to be told what’s going on immediately. The lawyers — both in-house and outside counsel — can act right away, contacting appropriate experts and directing the coordinator and the technical team in the collection and organization of evidence. The legal team should then review the evidence, technical information, and business costs, to prepare your options for a legal response.

8. To sue or not to sue — recourse options. There are three options for a legal response to a security breach: politely ask the perpetrators to stop; bring litigation in civil court; or notify the authorities and pursue a criminal prosecution. In less severe cases, it may take as little as a telephone call or a cease-and-desist letter. If the damage has been significant, a civil lawsuit may be in order, allowing the company the power of subpoena and access to the defendant’s evidence. Of course, particularly for Internet security breaches, there is a strong possibility that the defendant will not have the money to satisfy a civil judgment.
When the incident is really serious, the company could involve the FBI Computer Crime Squad — there’s an office in most major cities. If the case is strong, the FBI might pursue criminal prosecution, and the company may be able to recover restitution.

9. Don’t forget customer service. Old business adage — keep the customer happy. Little makes the e-customer more nervous than a security breach. In some cases, customers will experience the breach firsthand; in others, they’ll hear about it in the press or on the Web. The company needs to reassure customers immediately. Alternatives need to be determined so the company can continue to provide services and determine what to tell customers about the incident and the company’s response. Have informed customer service staff on hand, dedicated to handling potentially hostile calls and e-mails. Better yet, the company should not wait to hear from its customers — it should tell them about the problem first.

10. Damage control — the PR response. There are several reasons to execute a public relations response. One is to alleviate investor and consumer concern about a publicized security breach. And when the e-perpetrator is successfully apprehended, publicity on that success may deter other potential hackers or, more likely, encourage the market to get aggressive with other hackers. The company should review any statements or press releases with its lawyers before making them public, which is particularly important in the midst of a legal response.

There’s a lot to think about, and more to do, when starting up a new Internet venture — whether from scratch or from the sanctity of an established brick-and-mortar operation. It’s not easy to pile on more work, especially for something that a company hopes never to use. But with all the risks riding on a potential security breach, the dividends are high for companies that prepare a data security response plan.
The process of developing the plan could expose an underlying weakness in the company’s security system. And if an incident does occur, the company saves money and manpower and is in the best position to respond quickly and positively for its customers and the market.

Richard R. Hays is a partner in the Atlanta office of Alston & Bird.


Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.