Cybersecurity, Cybercrime, & Incident Response

    Our recent significant engagements include representation and counsel for:
  • a financial services entity in responding to a data breach and potential loss of client PII (personally identifiable information) by utilizing our StraDIM (Strategic Discovery Information Management) team to identify potentially compromised information in client files, thereby permitting the client to notify its clients and state regulators, as necessary, of the potential data breach.
  • a middle office employee of a financial services firm charged by the US Attorney’s Office with hacking into his former employer’s email to steal company secrets; ultimately resolved via a misdemeanor plea and probation.
  • advising a financial software company about the application of, and compliance with, the new cybersecurity rules issued by the New York Department of Financial Services.
  • advising broker-dealers and investment advisers regarding the application of and compliance with cybersecurity rules to their businesses.
  • successfully defended an IT professional for a financial institution in a federal grand jury investigation in which the professional was suspected of “hacking back” in attempting to defend the financial institution from a cyber attack; no charges were brought.
  • defended a foreign payment card processor in extradition proceedings and in connection with his prosecution in the U.S. for his alleged role in a major cybercrime ring; negotiated plea and obtained a significantly reduced sentence for client, who was able to serve most of the sentence in his home country.
  • successfully brought an action on behalf of a small business under the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act to identify an individual who was illegally intercepting the business’s emails; upon identifying the violator, obtained a speedy and favorable resolution for the client.
  • an international dating website that was victimized by a DDoS (distributed denial of service) attack and extortion scheme, by working with in-house counsel and forensic experts to locate the perpetrators of the scheme, then presenting the matter to US law enforcement for prosecution.
  • various victims of cyber stalking and cyber extortion by teaming with computer forensics experts to seek to identify the locations and identities of the perpetrators, and by preparing “prosecution memos” for presentation to law enforcement personnel.

Looking Forward

The past two years have seen a series of mega-breaches that exposed the highly sensitive personal data of hundreds of millions of Americans. Already, the EU, New York, California, and several other jurisdictions have implemented strict new data protection and data privacy laws. We expect 2019 will continue this trend and, further, that regulators will start to take a more aggressive posture in dealing with companies that fail to take sufficient steps to protect their systems and data. In particular, the SEC has signaled that its regulatory priorities will be cybersecurity risk disclosures, timely disclosure of cybersecurity incidents, insider trading controls, effectiveness of data security policies, and internal accounting controls. Accordingly, companies need to take concrete action to avoid becoming the next victim — or the government’s next “example.”