What law firms should know about cyberattacks and the FBI
The steady rise of cyberattacks against U.S. companies—with damages that include tens of millions of dollars, lost trade secrets and threats to critical infrastructures—has prompted the FBI to place even greater stress on the importance of information-sharing on cyber intrusions.
However, the decision to share sensitive data about a company or law firm’s network comes with major legal considerations and should include discussions with legal department heads and outside counsel, Corporate Counsel reports.
“You have to really figure out what exactly you’re going to be willing to do,” said DeVore & DeMarco partner Joseph DeMarco at a New York Bar Association event this week covered by Corporate Counsel. DeMarco specialized in cybercrime as an assistant U.S. Attorney. “These are voluntary requests for information. They don’t come with immunity.”
Attackers could be state-sponsored actors, organized criminal groups, individual hackers or “hacktivists,” company insiders, or terrorists, according to FBI “cyber cop” Mary Galligan. Many law firms first learn they’ve been attacked not from internal sources but from the government, she said at the New York City Bar Association event.
“What happens with the FBI is right now, approximately 60 percent of the time, we are going out and telling a company that they have been intruded upon,” Galligan said. Although the FBI hasn’t always notified companies of an attack, that policy has changed in the past three years in light of several serious attacks against U.S. banks and an executive order mandating information-sharing, she said. “The government is—and especially after the executive order—sharing information as fast as we can get it,” Galligan told attendees, according to Corporate Counsel.
Despite these efforts, unless general counsel and outside law firms are involved in these security issues from the start and have instituted a recovery plan in the event of a breach, it can be very difficult for the government to help, Galligan noted. “The law has not kept up with the issue,” she said, according to Corporate Counsel. “So I’ve had companies and banks say, ‘OK, come on in and help us,’ but they can’t give us consent for that.” Many firms don’t even know what their networks look like or what’s on their servers, she added.
Hogan Lovells partner and former IBM security counsel Harriet Pearson emphasized the complicated legal issues lawyers must be prepared for in the event of a cyberattack and subsequent government involvement.
“There’s a fair amount of legal uncertainty that comes with this relationship, or this dance that business does with law enforcement,” Pearson said at the event.