We have released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014.

Tens of thousands of cyber attackers employed by the Chinese People’s Liberation Army, along with other employees and contractors of the Chinese Ministry of State Security, work diligently every day to steal information from U.S. businesses. Attackers from Russian and Eastern European organized crime groups also extract valuable personal and commercial data from U.S. corporate networks. Together these groups steal terabytes of valuable data from U.S. businesses each year, including hundreds of millions of records about U.S. residents.

If Chinese soldiers and spies, and Russian and European organized crime gangs, were physically breaking into U.S. corporate offices and stealing valuable physical property, corporate boards and managers would make sure that enough barriers and guards were deployed to defend the company’s property. Many business leaders fail, however, to ensure that their cyber defenses are adequate to defend against cyber thieves.

One of the first steps a company should take to improve its chances of defeating cyber attackers is to conduct a risk-based security assessment. If the risk assessment firm is engaged as a contractor to the company’s outside lawyers, so that the lawyers can advise company managers on how to address the company’s data security obligations, and if communications about the assessment are kept confidential, there is a strong argument that those communications, including the risk assessment report and remediation roadmap, should be shielded from discovery by the attorney-client privilege.

A thorough assessment should include:

  • a compromise assessment to determine if attackers are already in the company’s network;
  • a data inventory and network mapping to identify where valuable data are stored and processed;
  • internal and external vulnerability scans and penetration tests;
  • web application tests to find coding errors, such as those that allow SQL injection and cross-site scripting attacks;
  • a wireless network security assessment;
  • social engineering tests, such as phishing tests and spoofed phone calls;
  • an assessment of the company’s security governance structure, staffing levels, and security policies and procedures;
  • an assessment of the company’s incident response program; and
  • a security control assessment to determine whether or not the company has the technical tools it needs to defend against likely cyber attacks.

The deliverables from such assessments should include a roadmap listing the prioritized steps the company should take to improve its cyber defenses. Capable risk assessment contractors will work with counsel and the company’s information technology staff to identify best-in-class technical tools to meet the company’s security goals.