As companies report more frequent instances of unauthorized and unwanted conduct being committed over or through their computer networks, corporate lawyers and civil litigators are increasingly being called upon to provide thoughtful legal advice on how to prevent and respond to these cyberattacks. In “Understanding Cyber Attacks: Hands-On,” the Continuing Legal Education program that I teach with Foundstone Inc., a leading provider of network computer security, we prepare lawyers to address these issues. One of the most important lessons we teach is quite simple: Every organization with an Internet presence must adopt policies (i) governing the acceptable use of computer networks, (ii) describing how the organization monitors computer use, and (iii) setting forth a comprehensive incident response plan.

There are a few things that every company with an Internet presence can count on. First, it will suffer a breach of computer security, if not a full-blown computer penetration, at some point. Second, the appropriate response to a hostile cyber incident will be neither obvious nor intuitive at the outset; within the first few hours after an incident, it can be extremely difficult — even for people who have spent years responding to cyberattacks — to distinguish between the actions of a teenage hacker who has social-engineered his way to insider access and a more nefarious cyberintruder acting on behalf of a corporate espionage agent, with or without insider assistance. Third, how an organization responds to a cyber incident can be even more important than the incident itself; stolen information can be far less damaging than an accompanying press report that causes a multimillion-dollar drop in the company’s market value. For these reasons, adopting comprehensive policies governing computer use, including an incident response plan, is essential.