The stakes involved in cybersecurity have never been higher, and there is no reason for them to discontinue increasing in scope and size. More and more, business value is tied to information such as intellectual property and market data. Damages to reputation and consumer trust may be hard to quantify but are potentially fatal. Moreover, the data that is vulnerable to attack is increasingly voluminous, dispersed, mobile and constantly changing. These realities dictate that executives must make cybersecurity a top priority and take their seat at the table along with the technology personnel and others steering the organization’s defense of its digital assets. Given the regulatory implications of cybersecurity breaches and the possibility or even likelihood of ensuing litigation, lawyers also need to reserve a seat at that table.
While a generalized need for cybersecurity measures is broadly acknowledged, the importance of being well prepared to detect and respond to a security breach is often overlooked. This includes executing the necessary steps, including forensically sound preservation and collection, to implement the duty to preserve and collect the electronically stored information (ESI) implicated in the breach. Ad hoc reaction is not a responsible or effective strategy.
Many experts agree that given enough time and resources, any system can and will be breached, and therefore a pre-planned electronic discovery process directed at cyber breaches is essential. Technology that facilitates cyber breaches is developing at least as rapidly as technology that defends against such breaches. Moreover, breaches often have their source in “social engineering” or other human security failures that cannot be fully prevented technically. For these and other reasons, e-discovery should be accompanied by a parallel effort to detect additional breaches. Attackers may use a conspicuous breach as a distraction to draw focus from other less obvious breaches.
Another factor indicating the importance of detection and response is that many jurisdictions impose a legal obligation to disclose cyber breaches. In many cases, a disclosure that is inaccurate or incomplete can have even worse consequences than the breach itself. A failure to quickly, comprehensively and precisely ascertain the specifics of a cyber breach can invite regulatory scrutiny and investigation, as well as public suspicion. It is also a signal to other potential attackers that the victimized organization is ill-prepared to respond to a breach.
Lawyers need to work closely with other business and technical executives to identify and prioritize data sources vulnerable to attack. Without doing so, it is impossible to develop a sound plan for an effective response. These sources may include, for example, financial data in database systems, design drawings on personal computers, work papers in collaborative electronic workspaces, as well as email and social media. Each source and system will present different challenges for detection, investigation and electronic discovery, in terms of policy, procedure and technology. These challenges could involve, for example, access control, methods of collecting data and software for searching particular types of systems or data.
Different industries will place emphasis on different categories of data. Life sciences businesses may focus on intellectual property, while consumer-oriented businesses may be most concerned with items like credit card data. Other sources of data, such as email, are likely to contain highly sensitive information regardless of industry. However, even in the case of common systems like email, sophisticated tools can apply industry-specific search and analytics technology to identify the highest value or most sensitive information. To assess the right way to detect and respond to cybersecurity breaches, lawyers should be aware of these capabilities to get answers from data.
Geography is another factor that will impact the appropriate manner of detection and response. Different countries have different laws and regulatory regimes that intersect with cyber security, separate and apart from laws covering disclosure of cybercrime. For example, data privacy laws, typically much more stringent outside the United States, require close attention to methods of searching and retrieving data. Violations of such laws can result in criminal penalties. In addition, cultural sensitivities on issues like data privacy should also be considered before a business goes forward with an investigation that is well-intentioned but ends up alienating employees and customers.
Cybersecurity presents issues that go to the heart of the overall health of the modern business enterprise. Therefore, lawyers representing such clients should be familiar with these issues. While many businesses focus on preventing access to their data, very few recognize that detecting and responding to an incident of unauthorized access is equally as important. A “defense-in-depth” strategy requires recognizing the reality of the security situation and acknowledging that breaches are possible and even likely. The ability to detect breaches and to respond with lightning speed in a way that is both comprehensive and precise, including electronic discovery and breach detection, is fundamental to cybersecurity.
The views expressed are those of the author and do not necessarily represent the views of Ernst & Young LLP.