The threat of a cyber attack is among the most potentially costly and harmful risks facing businesses and individuals today. Even an unsuccessful attack can raise a host of significant and complex issues for any business, such as regulatory investigations and enforcement actions, civil lawsuits, adverse media attention, and duties to notify customers, regulators, and investors. And as the nature of the cyber threat is constantly changing, so too is the legal and regulatory landscape, as lawmakers across multiple jurisdictions scramble to enact new rules to address cyber threats and civil litigants explore new theories of liability against businesses that have suffered a data breach.
Our team of cybersecurity attorneys – which includes former federal cybercrime prosecutors, regulatory and enforcement attorneys, and litigators – counsel companies and individuals in addressing today’s emerging cybersecurity threats and in best practices for complying with new rules and requirements.
We work with companies to prepare for the reality of persistent cyber attacks and to comply with cybersecurity rules and regulations. To that end, we assist companies in developing data security policies and procedures, as well as incident response plans. Further, we team with cybersecurity and forensic experts to facilitate data and network mapping exercises, assess risks posed by third-party service providers, and test a company’s cyber preparedness.
In the event of a cyber attack, we assist companies with cyber crisis management. This encompasses efforts to identify the threat, determine its scope and severity, consider whether and how to work with law enforcement, obtain forensic analysis and support, determine whether customers or government agencies should or must be notified, draft appropriate disclosures, and defend companies in regulatory investigations and civil litigation arising from cyber incidents.
We also defend individuals in cyber-related investigations and prosecutions, and work with victims of cyber stalking and extortion to obtain justice.
The past two years have seen a series of mega-breaches that exposed the highly-sensitive personal data of hundreds of millions of Americans. Already, the EU, New York, California, and several other jurisdictions have implemented strict new data protection and data privacy laws. We expect 2019 will continue this trend and, further, that regulators will start to take a more aggressive posture in dealing with companies that fail to take sufficient steps to protect their systems and data. In particular, the SEC has signaled that its regulatory priorities will be cybersecurity risk disclosures, timely disclosure of cybersecurity incidents, insider trading controls, effectiveness of data security policies, and internal accounting controls. Accordingly, companies need to take concrete action to avoid becoming the next victim — or the government’s next “example.”