The Department of Justice Cybersecurity Unit recently issued its “best practices” for cybersecurity incidents, while the SEC recently circulated a cybersecurity “guidance update.” These publications recommend that companies institute certain policies and procedures for cybersecurity based on each agency’s experience in the area.
The agencies’ suggestions are good ones. More importantly, like NIST’s Cybersecurity Framework, such recommendations may become de facto standards that regulators, courts, and juries look to when they assess whether your company’s conduct in securing data and responding to a data security incident was reasonable, whether it was negligent, and whether it violated the securities laws. So it’s worth paying attention.
Here’s what you need to know:
Department of Justice Cybersecurity Unit’s “Best Practices”
DOJ advises that you should:
- figure out what your most critical data is;
- have a plan for containing intrusions, mitigating the harm, and collecting and preserving information necessary to assess the nature and scope of the damage and source of the threat;
- have technology in place for off-site data backup, intrusion detection, data loss prevention, traffic filtering or scrubbing, and real-time network monitoring; and
- engage qualified legal counsel before an incident occurs because “[a]n organization faced with decisions about how it interacts with government agents, the types of preventative technologies it can lawfully use, its obligation to report the loss of customer information, and its potential liability for taking specific remedial measures (or failing to do so) will benefit from obtaining legal guidance from attorneys who are conversant with technology and knowledgeable about relevant laws.”
Securities and Exchange Commission’s “Cybersecurity Guidance”
SEC advises that you should:
- conduct periodic assessments of your data, threats and vulnerabilities, security controls and processes, the impact of incidents, and the effectiveness of management structures;
- create a strategy that is designed to prevent, detect and respond to cybersecurity threats; and
- implement the strategy through written policies and procedures and training.
Together, the DOJ and SEC guidance documents show an increased legal and regulatory focus on cybersecurity. If you have not yet identified and classified your data, assessed your risks, and instituted the policies, procedures, training, and incident response plans needed to secure that data and mitigate your risk, you should be doing so as soon as possible.