Cybersecurity risk management is a key component in avoiding cybersecurity incidents. Our law firm assists clients with breach response plans pursuant to the applicable rules and regulations. An Incident Response Plan (“IRP”) should be carefully created to address cybersecurity incidents. Implementing an effective IRP within an organization poses strategic challenges, and it may also raise legal ones. Hence, we encourage clients to implement a cybersecurity framework that can effectively prevent breaches. This can be done by working with qualified legal and computer experts.
We encourage clients to coordinate communications with their employees and representatives. The company’s partners and affiliates should also be aware of the breach notification and prevention protocols. This is especially important if the company has various locations and satellite offices. The company must act quickly when it learns of a breach so that it can comply with the applicable rules and regulations. In fact, the European Union’s General Data Protection Regulation (a/k/a “GDPR”) mandates breach notification to the proper authorities within three days. In addition, California imposes a 72-hour breach notification obligation under the California Consumer Privacy Act (“CCPA”), which became effective on January 1, 2020.
We encourage clients to develop different types of response plans for various cybersecurity incidents. There are different types of breaches that can take place on a computer network. In general, bad actors compromise the computer network to steal personal information. However, availability attacks, which in essence deny access to the system, have also increased. For example, installing ransomware on the computers or launching a Distributed Denial of Service (“DDoS”) attack against the computer network can accomplish this. There could be serious legal consequences if the company cannot properly protect a network that holds private and confidential information, such as intellectual property and trade secrets. There are various state, federal, and international laws in this context. For example, the Philippines Data Privacy Act defines a “security incident” as an event or occurrence that affects or tends to affect data protection or may compromise availability, integrity, or confidentiality.
We encourage clients to obtain and regularly review their cyber-insurance policies. A cyber-insurance policy is a type of insurance policy that is designed to protect the insured party against cybersecurity incidents. It is important to review and understand the cyber-insurance policy’s limitations and exclusions at the outset. This way, the company can be properly insured against cybersecurity incidents. For example, a cyber-insurance policy may have a “war exclusion clause” that excludes coverage if there is any kind of war as a result of an invasion, revolution, or terrorist act. Therefore, the insurance company must prove that the cybersecurity incident constitutes an act of war in order to avoid disbursement. As such, we recommend carefully reviewing the cyber-insurance policy to ensure proper protection and, if necessary, obtaining coverage under business interruption or theft and fraud policies.
We recommend implementing preventive and reactive defensive measures on the computer network. For example, we encourage clients to install and properly configure an intrusion detection and prevention system to monitor and control traffic on the network. This kind of system should be installed and managed by a qualified computer expert or information technology consultant. The relevant and applicable laws in this context include, but may not be limited to, the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act and its subtitles, and the Cybersecurity Information Sharing Act.
We also recommend conducting due diligence on cybersecurity programs to ensure compliance with the statutory guidelines. A company that is subject to a security breach must notify its users, members, or customers. It must also notify investors so they can make informed decisions. Therefore, it is important to regularly assess network systems to determine whether there has been a cybersecurity incident.