Last week’s news reports that hackers had breached the New York Times was the latest reminder of the existential threat that all private-sector businesses face from cyber attacks. In the legal community, cyber incidents have taken place at nearly all major U.S. law firms and cybersecurity challenges are increasingly affecting small and midsized law firms as well.
Earlier this month, the Obama Administration’s National Cyber Investigative Joint Task Force released a new cybersecurity alert that “establishes a unified federal government response to potential cyber incidents,” according to the ABA Cybersecurity Legal Task Force.
“This alert provides an excellent fact sheet for when, what and how to report to federal agencies in the event of a cyber incident,” said Jeff Norris, CISSP, senior director of data security for LexisNexis Managed Technology Services. “If law firms are obligated by law or contract to report an incident, they should comply with that obligation as noted in the federal directive. If voluntarily reporting, the alert provides a useful list of relevant federal agencies and their specific points of contact.”
The “Presidential Policy Directive on U.S. Cyber Incident Coordination” provides clarity on the cross-agency federal response posture to private-sector cyber attacks. Excerpts from the directive include the following:
When to Report: “victims are encouraged to report all cyber incidents that may result in a significant loss of data, system availability, or control of systems; impact a large number of victims; indicate unauthorized access to, or malicious software present on, critical information technology systems; affect critical infrastructure or core government functions; or impact national security, economic security, or public health and safety.”
What to Report: “A cyber incident may be reported at various stages, even when complete information may not be available. Helpful information could include who you are, who experienced the incident, what sort of incident occurred, how and when the incident was initially detected, what response actions have already been taken, and who has been notified.”
How to Report: “Private sector entities experiencing cyber incidents are encouraged to report a cyber incident to the local field offices of federal law enforcement agencies . . . The federal agency receiving the initial report will coordinate with other relevant federal stakeholders in responding to the incident. If the affected entity is obligated by law or contract to report a cyber incident, the entity should comply with that obligation, in addition to voluntarily reporting the incident to an appropriate federal point of contact.”
“This alert serves as an important reminder to law firms that they should have an Incident Response plan that addresses how they will respond to a cyber incident,” said Norris. “This should be done in conjunction with the partners, the communications team and the business leaders to understand specific reporting steps you will take and any communications you will generate, both internally and externally. Law firms are good at serving as external counsel to companies on how they should handle data breaches, so it’s important to take their own advice when it comes to their incident response planning.”
* * *