Nick Akerman on Cybersecurity and Legal Challenges

LIFARS question and answers session with cyber security experts, Where,who,when,how,why,what

akerman_nick_0119_head_bA partner in Dorsey’s New York Office, Nick Akerman is a trial lawyer specializing in both complex civil and criminal cases.  He has a well-established expertise on data compliance, the Computer Fraud and Abuse Act, and the Economic Espionage Act. Prior to private practice Nick served as a federal prosecutor.  He was an Assistant United States Attorney in the Southern District of New York, where he prosecuted a wide array of white collar criminal matters, including bank frauds, bankruptcy frauds, stock frauds, complex financial frauds, environmental and tax crimes. He is a nationally recognized expert on computer crime and the protection of competitively sensitive information and computer data.   Nick regularly obtains injunctions for his clients under the federal Computer Fraud and Abuse Act in various federal courts around the country requiring computer thieves to return stolen computer data and prohibiting the dissemination of the data to competitors.  He also consults with clients in developing systems, policies and protocols to protect computer data.
Nick spoke about cybersecurity related cases he has dealt with and legal challenges we can face at an interview conducted by LIFARS.

LIFARS: As a lawyer dealing with complex civil and criminal issues relating to cybersecurity, what would you say are some of the toughest challenges you face in today’s environment?

Nick: The biggest challenge that I face in dealing with clients and prospective clients is having companies understand the breadth of the problem.  Cybersecurity is not just an IT issue; it involves other stake holders in the company who have to collaborate if you’re really going to have a comprehensive cybersecurity program. Some of these players include:

  • HR and Legal, which are responsible for company rules, employee agreements and training and traditionally assist in responding to company data breaches
  • Risk Management, which along with legal, reviews the adequacy of the company’s cyber insurance and compliance, which is often the logical focus of the company’s data protection efforts

Once you deal with involving the appropriate stakeholders, the question becomes: How do you deal with cybersecurity in a comprehensive manner? The current trend, encouraged by federal and state regulators, is to establish an effective data compliance program. Smart companies are adopting the dictates of the federal sentencing guidelines, what has been recognized as the compliance gold standard. This means following 7 steps set forth in those guidelines and adopting them to the protection of data:

  1. Promulgating standards and procedures
  2. Establishing a high level oversight of the program that includes the board of directors
  3. Not placing responsibility with individuals who pose a risk for unethical behavior
  4. Communicating the program to the entire workforce
  5. Conducting periodic audits of the effectiveness of the program
  6. Consistently enforcing the promulgated standards and procedures
  7. Establishing mechanisms for employees to report violations

My biggest challenge when coming into a client is actually looking at certain areas of risk or flashpoints to determine whether a company has in place the elements that will make for a good data compliance program.   These include:

  • Hiring Process; that’s where the company has the opportunity to first explain to employees what the rules are with respect to data. It is also a danger point where people who are being hired from a competitor might bring into the company data belonging to their former employer, creating potential criminal and civil liability for the company.
  • Company Rules; how do they address the protection of data and the new laws that keep changing and evolving, whether it is judicial opinions or statutes?
  • Agreements clients have with their workforce as well as third parties (cloud providers or contractors). Do these agreements take into account the new technologies and adequately protect the data?
  • Technology; is it achieving the company’s legal goals? Do employees only have access to information on a need to know basis? Does the technology capture information in such a way that you can provide an evidentiary basis to prove a case in court? Does the technology create an audit trail so that if someone hacks in from the outside, or an insider steals data, you have the best possible proof to show what was taken and when?
  • Response Protocols; do they exist if in fact there is a breach, whether it be an insider or outsider attack?
  • Insurance; does the company’s general liability cover cybersecurity risks or is it appropriate to have a special cyber policy?

So those are all of the challenges I deal with, particularly when dealing with a new client in this area.

LIFARS: What are the first steps you recommend when a client calls you with a cybersecurity breach?

Nick: The first thing you need to know are the facts. You need to get a forensic investigator in as fast as possible, to determine what actually happened, if anything! To give you an example, I had a client who called me, and said that they had heard from three customers who were complaining that they thought that their information from the company database had been compromised because they were mysteriously contacted by a third party who appeared knowledgeable about the information that was contained on the client’s database. That doesn’t necessarily mean there was a breach, but it certainly gives you a basis to do further investigation.

If you’re dealing with personal information and you are required to respond to one of the 47 state laws that mandate notification of the breach to affected consumers, you need to have a reasonable basis to believe there was an unauthorized breach to the personal information. So the first question becomes: Was there an unauthorized access and if so, was personal information compromised in the course of that breach? Most companies obviously would not like to have to notify their customers that the personal information entrust to them has been stolen – Not a positive development in terms of a business relationship.

If you also have evidence that would in some way identify the perpetrator, you then have legal remedies under 2 federal statutes:

  • The Computer Fraud and Abuse Act – it allows victims of computer crime to sue in federal court
  • Economic Espionage Act – As of May, this statute also allows you to go into federal court to sue for damages and injunctive relief for the theft of trade secret data, and in those circumstances where you can show imminent danger of the data being disseminated in the marketplace, a court can issue a seizure order directing an immediate to retrieval of  the data

In certain circumstances, you may find that the best option is to provide whatever evidence you have to the authorities, the Secret Service or the FBI.

A lot of companies who contact me though have not given advanced thought to their Incident Response plan and waste a lot of precious time in identifying the appropriate forensic examiner to perform the investigation. Also problematic are companies who use their own internal IT people, thinking that they have the expertise to perform forensic investigations. What they do not realize is that by simply opening a file or a program without the proper forensic software, they are destroying thousands of date/time stamps that are potentially valuable evidence in determining the facts of the incident.

A cybersecurity savvy company will have a breach response plan set up in advance to that they have someone they can call immediately to conduct the investigation.

LIFARS: How do the information security laws here in the United States compare to the legal framework you might find abroad?

Nick: Let’s start with the EU: they have essentially a unified system that is based on the privacy of personal information. In the United States, in contrast, there are 47 states that have separate breach notification laws relating to personal information. They are all similar to some extent, but they also all have different requirements.  There have been a number of efforts to pass a national breach notification law in Congress – and none of them have passed. The closest we have come is in the Health Care industry with the HITECH Act, a national breach law that relates to personal health information. The biggest problem in the US is that Congress has yet to pass a comprehensive cybersecurity law, and just like I advocate that companies should look at cybersecurity from a comprehensive viewpoint, the U.S. government should obviously be doing the same. The Obama Administration has tried to put in place certain policies but without   congressional legislation and a political agreement on an overall program, we will continue to lag behind. Even China is now proposing a national cybersecurity law that will establish national standards for dealing with this problem.

LIFARS: With the growing prominence of cybersecurity, what do you think the biggest legal challenges will be in the future?

Nick: By far and by none, the biggest challenge is going to be cooperation among various foreign governments. This has become an international cross-border problem, and it is magnified because you have people in other parts of the world taking advantage of the limited law enforcement jurisdiction of nations and what they can do when someone hacks into a system from another country and data is dispersed all over the world. We need to come up with a way for countries to cooperate and attack this problem comprehensively.

The other big challenge is keeping up with the technology and the changing regulations and laws that relate to cybersecurity. It is a moving target.  Unfortunately, most companies are not equipped to keep apace of this fast moving and changing environment.

Finally, the United States itself needs to come up with a comprehensive approach to cybersecurity, which to date has been a failure of its political institutions.

Nick speaks and writes regularly on protecting computer data, including in his regular column for the National Law Journal.  He was a contributor and a quoted expert in the first global study highlighting the vulnerability of the world’s intellectual property and sensitive information that was released by McAfee on January 29, 2009, at the World Economic Forum in Davos, Switzerland. He has been a featured quoted expert on computer fraud and computer security issues in the New York Times, USA Today, the San Jose Mercury and the Weekly Homeland Security Newsletter. His blog can be found at http://www.computerfraud.us.

Connect with Nick on LinkedIn.