As companies report more frequent instances of unauthorized and unwanted conduct being committed over or through their computer networks, corporate lawyers and civil litigators are increasingly being called upon to provide thoughtful legal advice on how to prevent and respond to these cyberattacks. In “Understanding Cyber Attacks: Hands-On,” the Continuing Legal Education program that I teach with Foundstone Inc., a leading provider of network computer security, we prepare lawyers to address these issues. One of the most important lessons we teach is quite simple: Every organization with an Internet presence must adopt policies (i) governing the acceptable use of computer networks, (ii) describing how the organization monitors computer use, and (iii) setting forth a comprehensive incident response plan.

There are a few things that every company with an Internet presence can count on. First, it will suffer a breach of computer security, if not a full-blown computer penetration, at some point. Second, the appropriate response to a hostile cyber incident will be neither obvious nor intuitive at the outset; within the first few hours after an incident, it can be extremely difficult — even for people who have spent years responding to cyberattacks — to distinguish between the actions of a teenage hacker who has social-engineered his way to insider access and a more nefarious cyberintruder acting on behalf of a corporate espionage agent with or without insider assistance. Third, how an organization responds to a cyber incident can be even more important than the incident itself; stolen information can be far less damaging than an accompanying press report that causes a multimillion dollar drop in the company’s market value. For these reasons, adopting comprehensive policies governing computer use, including an incident response plan, is essential.

In the eight months since the Cyberlaw & Information Security Practice Group was formed at Kirkland & Ellis, we have worked on issues including computer penetration and network abuse; unwanted and harassing e-mails; disclosure of confidential information; piracy committed through Internet Web sites and peer-to-peer networking; and potential violations of the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and the Economic Espionage Act.

Two goals invariably emerge when companies react to any of these issues. When immediate response is necessary, the first goal usually is to identify Internet wrongdoers in a cost-efficient manner. The second and related goal is to acquire sufficient proof of the wrongdoer’s identity and misconduct to build a case for civil litigation or criminal referral. Sound corporate policies will greatly enhance a corporation’s ability to accomplish both of these goals.

To preserve their ability to achieve a nimble response to cyber crime, we advise companies to develop a policy framework that prevents and deters employee misconduct and provides enough flexibility to investigate potential computer misconduct without having a deleterious effect on employee morale. This generally involves adopting clear acceptable use policies that prohibit the uses of certain technologies easily susceptible to misuse, such as steganography (hiding messages in picture files), peer-to-peer file-sharing programs, PGP encryption and specific monitoring policies that permit employers to monitor all Internet communications sent through their computer systems and disclose the content of such communications as the employer deems necessary to protect its interests.

Due to the increasing number of employees that telecommute, corporate lawyers have to be especially careful to ensure that corporate information stored on home computers is safe from outside penetration, and can be inspected and examined by the corporation immediately and/or remotely if it suspects the telecommuter of wrongdoing.

Once a company has positioned itself to respond, it is also critical to plan for the response itself. Although each organization’s framework will vary, incident response plans always should include the following elements:

• The identity of the incident response team. Because incident response is a multi-disciplinary process, the team should consist of representatives from the counsel’s office, the IT security staff, the chief information officer or the chief information services officer, and people skilled in media and investor relations.

• The technical and physical environment. The incident response team should be familiar with the organization’s computer infrastructure before an incident occurs. At a minimum, they must understand who has access to the network (including affiliates, strategic alliance partners, subcontractors and clients), where the information systems are physically located and what investigative activity the organizational policies governing computer use permit.

• Events or actions requiring notification or disclosure. To enable the team to get experience in understanding and analyzing computer incidents, the incident response policy should identify those events that require notification to the incident response team. To understand the magnitude of an event, the team should have a basic familiarity with the normal frequency of potentially hostile Internet traffic (also known as “background noise”) on the network.

• External reporting procedures and criteria. The incident response policy should prescribe the manner and method of reporting an incident to local or federal law enforcement in the event that the response team chooses to do so. Although the mechanisms for reporting will vary considerably (depending on whether the company wants to encourage local personnel to develop strong personal relationships with local law enforcement entities or to control all reporting tightly in an effort to avoid any miscommunications), companies should establish the criteria for reportable incidents in advance. Such criteria must conform to industry-specific regulations and the requirements of the corporation’s cyber-risk and business-interruption insurance carriers.

• Forensic response and outside counsel and consultants. Incidents involving the theft of proprietary information or resulting in significant damage to computer systems are more likely than others to result in civil or criminal litigation. In such cases, proper forensic responses are essential to preserve the evidentiary value of the computer evidence. If possible, companies should select and retain incident response providers in advance so that they can respond on short notice. When organizations don’t do this, they are forced to rely on their existing counsel and security staff, who may not be trained in forensic procedures or have experience responding to computer intrusions. If members of an organization’s IT staff (especially disgruntled former ones) are the subjects or targets of the investigation, this creates additional concerns.

Every organization needs to shield its networks and information infrastructure from hostile cyber events and to maintain the organizational capability to investigate potentially hostile cyber events properly. Adopting a coherent policy framework of the type described in this article is essential to achieving these goals.

Marc J. Zwillinger is a partner at Kirkland & Ellis in Washington, D.C., where he serves as the head of the firm’s Cyberlaw and Information Security practice and helps companies to prevent, minimize and recoup losses resulting from cyber-incidents by drafting preventive policies and conducting internal investigations into electronic attacks and thefts of proprietary information. E-mail: Marc J. Zwillinger. He is also the legal instructor for Foundstone’s one-day continuing legal education course for in-house counsel, titled Understanding Cyber Attacks: Hands-On. For more information on the class, please visit www.foundstone.com.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.