
Cybersecurity Legal Strategies

By J.T. Westermeier
September 02, 2004

For good reason, cybersecurity has become a vital risk-management concern, and legal-based strategies, procedures and controls are essential parts of today's all-encompassing cybersecurity risk-management programs.

It seems a given.

Unfortunately, although many companies have written preparedness and cyberattack-defense plans, many have overlooked the shielding armor of a well-constructed legal layer.

And that is a big mistake waiting to happen, again and again.

So, with that in mind, e-commerce operators should design and implement (or have designed and implemented for them) cybersecurity programs with multiple defense layers, including a well-planned legal layer that takes full advantage of legal-based strategies, legal battle plans and legal controls to prevent or deter cyberthreats, and that keeps losses, liabilities and other adverse legal consequences of cyberthreats to a minimum.

Objectives Of The Legal Layer

Security risks of various types are increasing, making cybersecurity risk management a boardroom issue. Company management and boards of directors need to implement a comprehensive risk-management strategy to avoid (the best scenario) or mitigate the potential liabilities and enormous exposure resulting from serious cyberthreats. But don't fall into this common trap: most cybersecurity programs fail to take full advantage of appropriate legal-based strategies, which should be used to:

  • Reduce or deter the chances that some cyberthreats will occur;
  • Mitigate disruptions, other losses and legal consequences if cyberthreats occur;
  • Make sure that legal remedies are available and can be rapidly deployed to deter some cyberthreats, improve survivability, and enforce legal rights and remedies against responsible parties;
  • Reduce the risk that liability will be asserted against the company directly or indirectly on a negligence theory; and
  • Otherwise strengthen and facilitate implementation and rapid deployment of security, business-resumption, contingency, and disaster-recovery plans and programs.

Keep in mind that the legal stratum of a multilayered information-security program should complement, supplement and reinforce other security plans, policies and programs. What follows is an outline for implementing a legal layer for cybersecurity plans.

Legal Layer Rationale

Many different cyberthreats exist, including this short list of obvious possible attacks by:

  • Hackers;
  • Corporate-espionage thieves;
  • Internal spies; and
  • Disgruntled employees.

A longer list of threats includes:

  • Computer viruses and worms;
  • Denial-of-service attacks;
  • Electric-power, equipment-system and telecommunications-network failures;
  • Snooping;
  • Sabotage;
  • Surveillance;
  • Fraud;
  • Theft;
  • Terrorist attacks;
  • Phishing;
  • Malicious acts;
  • Unauthorized access and use of system resources and data; and
  • Insertion of harmful code in software (such as a computer virus).

And that's not a complete menu of possibilities.

The openness of the Internet has amplified the need for security plans and policies to deal with these threats.

The risk posed by a cyberthreat can be viewed as the product of the probability that the threat will occur and the likely loss if it does. Many cyberthreats may be controlled, reduced or managed with particular software and hardware, services and procedures. Some can be reduced to a minimum by adopting better security plans, policies and procedures, and by training employees about the threats and how to respond to them. And, of course, legal strategies can be implemented to reduce the probability that many of these threats will occur and, if they do occur, to lessen losses and legal exposure.

Legal Battle Plans

A big part of a company's security plan is the planned response to a cyberthreat. Companies must develop incident-response plans and be prepared to launch counterattacks. Legal battle plans should be viewed as a critical component of these incident-response plans, and as necessary so that alternative courses of action and related resources can be deployed rapidly against cyberattacks. (Technical counterattacks against an attacker's systems can create legal exposure of their own, so any such step belongs in the legal battle plan and should be taken only on counsel's advice.)

In today's cyberthreat environment, companies need to react quickly. In many situations, companies have no time to study options after a cyberattack. They need off-the-shelf plans that can be quickly adapted and executed to combat cyberincidents. Legal battle plans are part of the legal layer of a complete, multilayer cybersecurity defense. They are a component of a well-organized business process, and are designed to supplement and complement a company's disaster-recovery, business-resumption, contingency and other security plans so that incident-response plans take full advantage of legal rights and remedies to control, manage, avoid and mitigate losses and disruptions.

Legal battle plans will address the threats and vulnerabilities having the greatest adverse effect on the company. They should spell out in advance the defenses and counterattacks the company can deploy rapidly, such as the legal notices that must be given under affected contracts, and actions on other matters including insurance coverage, the civil and criminal claims that may apply, the evidence that should be collected, and contact points. Battle plans for incident responses will include:

  • Incident reporting;
  • Investigation resources and assistance;
  • Responsibilities of response teams;
  • Legal options; and
  • Strategies and other information that the expert planners decide would be helpful to executing the battle plan.

These legal battle plans are meant to increase a company's ability to respond to a cybercrisis. Counted among the capabilities are successfully identifying and prosecuting a perpetrator, including an anonymous perpetrator, limiting damages, recouping losses, and limiting legal, regulatory and contractual exposures. The battle plans must also be flexible enough to be readily adapted to the circumstances of specific incidents, and must be coordinated with the company's public-relations response and other incident-response plans. One major reason for coordinating legal battle plans with public-relations response plans is to ensure that the company is prepared to respond to public inquiries about cyberattacks and to act to limit damage to its reputation. A key objective of incident-response plans should be to maintain public confidence and trust in the company.

Legal battle plans, then, will detail responses to a cyberincident, but not all incidents will be amenable to cyber counterattacks. In most situations, however, legal strategies may be deployed to keep damages to a minimum. The battle plans should, for instance, provide contingencies for escalating the response rapidly where that is deemed appropriate. And battle plans should be tested periodically so that the company's ability to execute them stays current. Employee training on cyberincident responses should include training on the company's cybersecurity legal battle plans.

Legal Strategies

Employee risks

Employees are a source of continuing, fundamental and serious cyberrisks. They also represent the category of risk most amenable to legal-based strategies. Employment agreements, employment policies and practices, and employee training need to reflect security risks, and must be included in a cybersecurity plan's legal layer. An effective cybersecurity risk-management program should therefore provide the legal framework for the company to identify, measure, monitor and control employee cyberrisks.

Along these lines, officials planning and implementing the plans should be sure that all employees are subject to policies on use of company information systems, proprietary information, the Internet and e-mail. The company should have the right to monitor employee use of its information systems and to establish penalties for misuse, and company policies should make clear that employees have no expectation of privacy in their use of those systems. The policies should also prohibit actions by employees that could give hackers easy entry to the company's information systems, including importing computer viruses or worms, infringing content, unapproved open-source software and other undesirable content.

Generally, employees should be subject to written confidentiality agreements. Today's employment agreements must be drafted with full recognition that they are an integral part of the company's cybersecurity risk-management program. Employees should agree to comply in full with company security policies and procedures, should not access any computer system, file or record they are not specifically authorized to access, and should not use a computer system beyond the extent specifically authorized.

Employment practices also need to be adopted with cybersecurity risk-management programs in mind. Hiring practices should include pre-employment background checks to screen out applicants who have previously been penalized, warned or terminated for misuse of corporate information systems. Disciplinary action against employees who violate the company's policies on use of computer information systems, the Internet or e-mail should extend to termination. Employee risks should also be addressed in employee handbooks, employment agreements, employee training and employment practices relating to cybersecurity.

Hackers and corporate espionage

Another major cybersecurity risk concerns unauthorized access to a company network. People who attempt to gain network access without permission range from isolated hackers to individuals involved in organized efforts to steal valuable trade secrets. Because of these possible breaches, cybersecurity risk-management programs must address unauthorized network access from an information-systems and a legal perspective.

Along with other fundamental information-systems security procedures, information-systems controls include:

  • Firewalls;
  • Authentication systems;
  • Policies regarding passwords;
  • Restrictions on physical access;
  • Deployment of an intrusion-detection system;
  • Management of modem lines; and
  • Auditing of login and logout activity.

Also, there are many legal defenses that should be adopted as part of a cybersecurity program.

For instance, Web site terms of use and acceptable-use policies are designed to strengthen legal remedies against hackers and corporate espionage. They should be drafted and updated to reflect current cybersecurity risks, and must clearly state what constitutes authorized and unauthorized use of the company's information systems. Warnings, legal notices and proprietary legends should be used in a manner that is consistent with, and strengthens, the available legal remedies.

It's also crucial that access controls, password management, and program and digital-rights-management controls be implemented so that Digital Millennium Copyright Act (DMCA) anticircumvention remedies and other available legal remedies can be used to full advantage in a cybersecurity legal defense. A cybersecurity legal defense should anticipate legal counterattacks to hacker attacks and corporate espionage. For that reason, record-keeping practices must be adopted to preserve the evidentiary support needed to establish available legal claims, criminal and civil, as appropriate. Logs and other records are only useful as evidence if they are retained and handled in a way that lets the company show they have not been altered since they were collected.

Critical IT contracts

The purposeful use of contracts is an essential part of any cybersecurity risk-management program. For this reason, security risks also must be considered in all critical information-technology contracts, which need to be consistent with and allow execution of a company's overall business-resumption, contingency, security and disaster-recovery plans.

Corporate officers, directors, counsel and others on the team designing a cyber legal battle plan mustn't lose sight of the fact that contract protection is a very important part of cybersecurity risk-management programs. Contracts may be used to limit risks by knowingly allocating security dangers to others, by means of indemnification, limitation-of-liability and insurance provisions. Contracts allow companies to create specific prohibitions and obligations and, in some circumstances, to allocate risk and loss to another party.

Consider, too, that service-level agreements (SLAs) are being used to deal with availability and timeliness of services, confidentiality and integrity of data, security-standards compliance (including vulnerability and penetration management) and business-continuity compliance. SLAs addressing business-continuity compliance should be designed to measure the vendor's contractual responsibility for backup, record retention, data protection, maintenance of disaster-recovery contingency plans, and security-patch software-maintenance programs.

But security clauses aren't confined to special e-commerce activities or other perhaps esoteric Internet or systems contracts. Indeed, security provisions should be included in most information-technology contracts because of the critical importance of information security today. The provisions can address unauthorized access, security controls, secure communications, backup and recovery, and audit rights. These security-audit rights are becoming more common. The audit seeks to assess the adequacy of the security provided on behalf of the company, and otherwise to review the service provider's compliance with the company's security and confidentiality policies.

The importance of written contracts to cybersecurity risk-management programs is often overlooked, but don't be shortsighted: written contracts serve to allocate risk, protect against varying contingencies and limit damages.

Legal Remedies

Many other aspects of the legal layer could be addressed if space permitted. For example, a strong trade-secret program is a very important part of the legal layer of a cybersecurity risk-management program. But for each risk identified in a risk-management program, the company should determine what legal remedies, if any, it could pursue to prevent further damage from the event expected from that risk and, if possible, to recover the losses incurred.

J.T. Westermeier, Piper Rudnick LLP, e-Commerce Law & Strategy, [email protected]