Partner Jessica Lee and associate Menelaos Karampetsos co-wrote an article on navigating cyber-attacks for Corporate LiveWire’s Litigation and Dispute Resolution 2023 Expert Guide.
The article, entitled “Don’t Byte: Key Points for Navigating Cyber-Attacks,” explores the legal and regulatory issues associated with data breaches, as well as the impact on businesses’ public trust and credibility in the eyes of their stakeholders.
“Understanding vulnerabilities and likely target areas for attack is therefore key to any business in seeking to establish preventative and risk mitigation measures against cyber-attacks. This includes robust controls and reporting capabilities across the business to ensure that any vulnerabilities are identified and addressed rapidly; investment in appropriate software and security for both detection and prevention; regular cyber-risk awareness training for employees; maintaining regular back-ups of critical data and systems; and/or obtaining appropriate cyber insurance,” they wrote.
When an attack happens, it’s important to take a two-prong approach: strategic and legal.
The strategic response relies on having a properly developed incident response plan that outlines the internal points of contact and immediate IT and security response to contain and mitigate the damage, they wrote. That plan should also outline the notification obligations for the company, including the legal and regulatory obligations.
A business will also have to consider the legal issues that can arise from a cyber-attack, including preventing the use of confidential information, potential criminal action and ransom payments, they wrote.
“Paying a ransom is often a complex issue,” they wrote. “In some jurisdictions, it may be illegal and could give rise to potential sanctions and anti-terrorist financing issues. Where an attack involves a request for ransom, this will almost exclusively be in the form of a request for cryptocurrency, according to the Financial Action Task Force’s March 2023 report on ransomware.”
In today’s landscape, it is likely a matter of when a business will experience a cyber-attack, not if. Businesses can and should take proactive steps to protect themselves, mitigate the impact of those attacks, and allow for the recovery of data and/or funds through the appropriate legal action, they advised.