WASHINGTON, D.C. — As cyber-crime and incidents of hacking grow in severity and sophistication, lawyers need to become keenly aware of the best practices for protecting clients, because seeming victims of cyber-hacking can increasingly find themselves the targets of regulators’ enforcement actions.
In fact, big data and the threat of breaches or misuse of that data were discussed in almost every panel at the recent Defending Corporations and Individuals in Government Investigations forum. The day-long seminar, sponsored by Thomson Reuters’ Legal Executive Institute, was hosted and moderated by Daniel Fetterman, a partner at Kasowitz Benson Torres & Friedman, and Mark Goodman, a partner at Debevoise & Plimpton. (The forum was inspired by a book of the same name, written by the co-presenters.)
In a panel dedicated to hacking and cybersecurity issues, Debevoise partner Luke Dembosky traced the arc cybercrimes have taken and their growing sophistication: hacking and data breaches were committed early on by individual actors, who then started forming loose-knit groups before organized crime decided to get involved. “Organized crime saw data breaches and hackings and thought why break kneecaps down the street and risk yourself when you can set up folks around the world to do this and be far more profitable,” Dembosky said.
Now, some of the biggest and most public cyber-hacking incidents in the United States involve nation-state actors, such as the Sony email hacking by North Korea and the alleged Russian hacking of the Democratic National Committee’s emails. Former FBI director and Wilmer Hale partner Robert Mueller — who gave the luncheon keynote speech at the forum — noted how rogue nations can use cyber-hacking to take out an area’s resources prior to an attack or invasion. So far, at least, ISIS hasn’t specifically organized its 40,000-plus members worldwide to take advantage of cyber-hacking or data breaches, Mueller noted.
But terrorists have started targeting businesses or institutions used personally by key military personnel, obtaining information about those individuals, then posting it publicly for any rogue group or individual to attack that person, Dembosky added.
James Silver, Computer Crime Deputy Chief at the U.S. Department of Justice, said that at this point, hackers don’t even need to take your information — all they need is a way into your network. Once they’ve gotten in, they can monetize their access — by encrypting the server to lock you and all other employees out, and then hold your server and information hostage until they are paid a ransom.
Indeed, Capsicum Group CEO Samuel “Sandy” Goldstein noted that we’ve gotten to the point where there is no way to stop or prevent these attacks; companies can only plan better for them to minimize the interruption and mitigate the damage. Goldstein outlined four steps a company can take ahead of time to prepare for any kind of breach: i) create an intrusion response plan, subjected to tabletop testing and training; ii) regularly have outsiders conduct security testing (including a penetration test conducted by “white hats” — ethical hackers you invite to attempt to break into your networks); iii) conduct a code review (because, as Goldstein explained, custom code is rife with vulnerabilities, as “programmers are great artisans but not security experts”); and iv) finally, make certain the company has good backups located outside the facilities to ensure the organization can quickly get back up and running.
Turning to the defense of clients who may be victims in these incidents, several white collar attorneys in attendance repeatedly cited the tension of following some of the commonly suggested advice, such as inviting law enforcement in as soon as attacks happen, while protecting clients from subsequent prosecution for negligence in securing such information. Fetterman himself noted that when dealing with the U.S. Attorney’s Office, defense lawyers often will be told early on if their client is being considered a witness, subject or target, but that the Securities and Exchange Commission (SEC) or the Commodity Futures Trading Commission (CFTC) are not as forthcoming with this information. This leaves attorneys wondering if they should cooperate or whether their clients need to plead the Fifth Amendment, just in case they may be in harm’s way.
DOJ Deputy Chief Silver acknowledged that many corporations may feel a bit whipsawed when the DOJ sees them as a victim in one of these attacks while another entity like the FTC may later view them as a culpable party, especially if the company previously made statements about security to their consumers. To combat this catch-22 for companies, Silver noted that the federal government is trying to do a better job about speaking in one voice.
Indeed, the CFTC recently stated in a blog post that if companies initially cooperate with the DOJ or other law enforcement agencies, the CFTC would view that favorably if it subsequently considers action against the company. Silver noted that the CFTC is encouraging other regulatory and enforcement agencies to publicly take a similar stance to reassure and encourage early corporate cooperation in cybersecurity investigations. Early cooperation is important because many law enforcement agencies have people who have handled many similar matters and are specifically trained in how to quickly marshal the specific information needed. Dembosky and Mueller both noted that law enforcement investigators have a lot of information that can help a company respond more quickly, and most of the time they do not need to see a corporation’s private emails, just the metadata.
Further, attorneys play a vitally important role in any investigation, extending privilege over the investigative process. However, privilege gets very complicated in multi-jurisdictional situations, when countries have conflicting privacy and privilege rules; some countries have no privilege or data privacy regulations whatsoever. Additionally, disclosure to one agency for purposes of investigating the crime could constitute waiver of privilege as to other agencies or insurers, and lawyers also must navigate 47 different states’ laws on disclosures.