The Department of Justice Cybersecurity Unit recently issued its “best practices” for cybersecurity incidents, while the SEC recently circulated a cybersecurity “guidance update.”  These publications recommend that companies institute certain policies and procedures for cybersecurity based on each agency’s experience in the area.

The agencies’ suggestions are good ones.  More importantly, like NIST’s Cybersecurity Framework, such recommendations may become de facto standards that regulators, courts, and juries look to when they assess whether your company’s conduct in securing data and responding to a data security incident is reasonable or not, negligent or not, or a violation of securities laws or not.  So it’s worth paying attention.

Here’s what you need to know:

Department of Justice Cybersecurity Unit’s “Best Practices”

DOJ advises that you should:

  1. figure out what your most critical data is;
  2. have a plan for containing intrusions, mitigating the harm, and collecting and preserving information necessary to assess the nature and scope of the damage and source of the threat;
  3. have technology in place for off-site data back-up, intrusion detection, data loss prevention, traffic  filtering or scrubbing, and real-time network monitoring; and
  4. engage qualified legal counsel before an incident occurs because “[a]n organization  faced  with  decisions about  how  it  interacts  with  government  agents, the  types  of  preventative  technologies  it  can lawfully  use, its obligation to report the loss of customer information, and its potential liability  for  taking  specific  remedial  measures (or  failing  to do  so ) will benefit  from obtaining  legal guidance from attorneys who are conversant with technology and knowledgeable about relevant laws.”

Securities and Exchange Commission’s “Cybersecurity Guidance”

SEC advises that you should:

  1. conduct periodic assessments of your data, threats and vulnerabilities, security controls and processes, the impact of incidents, and the effectiveness of management structures;
  2. create a strategy that is designed to prevent, detect and respond to cybersecurity threats; and
  3. implement the strategy through written policies and procedures and training.

Together, the DOJ and SEC guidance shows an increased legal and regulatory focus on cybersecurity.  If you have not analyzed your data, assessed your risks, and instituted policies, procedures, training, and plans to secure that data and mitigate your risk, you should be doing so as soon as possible.