Cyber espionage adds a unique element to the relationship between a business and its legal counsel. If your business possesses privileged information that would be useful for a competitor or an industry, then it is crucial that you obtain the best advice possible on what factors pose a threat to your business. There are now specific times when a business needs to consult with legal counsel about cybersecurity precautions. Clearly, one of those times is when the business experiences a cyber-incident and vital information is compromised. However, at this point, the damage is already done. Instead, the business has many opportunities to take proactive precautions to avoid having such information compromised.
Unfortunately, there is no single law that determines a business’s duty to provide security for its data. Instead, depending on the situation, there can be common law obligations, contractual obligations, or statutes and regulations that determine a business’s obligation to protect certain information. Your business may be required to maintain a certain standard of security concerning the data that it possesses. For example, a covered financial institution, in accordance with the Gramm-Leach-Bliley Act, has one standard while other businesses subject to the Health Insurance Portability and Accountability Act have a different standard.
Additionally, your business must understand the scope of the covered data, which can range from financial information to e-mails. When a security breach does occur, different laws, at both the State and Federal levels, may impose a duty to warn of the compromised data and prescribe the ways in which to do so. Further, depending on the circumstances, a business may need to follow certain procedures if a data breach has occurred, such as who receives notice and in what time frame notice is given.
Unlike in previous decades, technology now allows business employees to conduct business from portable devices, such as smart phones and tablets. As a result, sensitive data is now being obtained and maintained outside of the traditional office environment, and new processes and security measures must be in place. Although the convenience of a portable device adds to enhanced communication and productivity, this method of doing business also creates increased risk for cyber espionage. Hackers insert malware onto mobile devices, making it imperative that your business maintain proper mobile device management. For example, if a device is lost or stolen, does your business have safeguards in place to protect the data accessible on that specific device? Also, those using a portable device need to know about the dangers of using public Wi-Fi systems and the danger that confidential communications can be intercepted and redirected elsewhere.
The bad actor is going to look for the weakest link in your business computer network, and that is where the attack most likely will be focused. If you outsource work to an outside business that has access to your computer network, then that outside business may be your weakest link. Exploitation can occur, for example, through either a phishing attack or malware involving a virus program. The potential negative consequences of a data breach can range from unauthorized withdrawals from financial accounts to stolen personally identifiable information. They can also include loss of nonpublic internal data, intellectual property, and internal operational details. Additionally, the business may be subject to fines or other penalties. If you have been a victim of intellectual property theft, you have rights during the different stages of a criminal prosecution. This is where legal counsel can further protect your interests.