Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...
By Yin Wilczek
May 20 — The Justice Department's Cybersecurity Unit is considering whether to issue guidance on “effective and truly defensive countermeasures” for companies that have been hacked, a senior official said May 20.
The unit also is assessing whether it can help in the implementation of those countermeasures by issuing guidance to clarify related legal issues, said Assistant Attorney General Leslie Caldwell, who heads the DOJ's Criminal Division.
However, Caldwell warned that one countermeasure companies shouldn't attempt is hacking back at those whom they think breached their systems.
Caldwell also noted that the Cybersecurity Unit has begun working with other federal agencies on cyber issues. As an example, she cited the Federal Trade Commission's statement—posted on its website May 20—that it will view companies “more favorably” if they cooperate with authorities on data breaches.
The FTC's statement was coordinated with the unit and the DOJ, Caldwell said. She spoke at a cybersecurity conference hosted by Georgetown University Law Center and sponsored by Bloomberg BNA.
One study estimates that business losses from cybercrime could total $2 trillion by 2019. In the past two years, companies such as Target Corp., JPMorgan Chase & Co., Anthem Inc. and Home Depot Inc. have suffered high-profile breaches.
The DOJ's Criminal Division announced its Cybersecurity Unit in December to serve as a central hub for expert advice and legal guidance on cyber issues. The unit recently issued guidance on best practices for companies that experience cyber incidents.
In her address, Caldwell noted that at a recent discussion with leading cybersecurity experts, the unit learned more about the challenges faced by in-house counsel when dealing with unfamiliar legal issues arising from their companies' cyber defenses and breach incidents. The unit has scheduled an initial legal training session with in-house attorneys from a “vital sector” on the matter, she said.
As to hacking back, Caldwell said the DOJ considers the retaliatory activity generally unlawful based on a simple reading of the Computer Fraud and Abuse Act. Even if it were lawful, “we would still recommend against it” because sound policy, including the possibility of interfering with an ongoing government investigation, “militates against the use of hackback tactics,” she said.
Caldwell cited other reasons for why companies shouldn't hack back, including that it:
• poses a significant threat to innocent third parties whose infrastructures may have been hijacked by cybercriminals;
• is illegal in some countries and may jeopardize international relations; and
• has a low likelihood of being beneficial.
A recent poll of Bloomberg subscribers found that most think companies should defer to law enforcement agencies to take retaliatory action for cyber breaches.
In other comments, Caldwell urged companies to read the Cybersecurity Unit's best practices guidance. Even though the recommendations may seem pure common sense, the 2014 Sony hacking incident showed that many companies are unprepared, she said.
The recommendations provide step-by-step advice on what to do before, during and after a cyberattack, and “are the product of experience,” she said.
To contact the reporter on this story: Yin Wilczek in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Ryan Tuck at email@example.com
The text of Caldwell's speech is available at http://www.justice.gov/opa/speech/assistant-attorney-general-leslie-r-caldwell-delivers-remarks-georgetown-cybersecurity.
The FTC statement is available at https://www.ftc.gov/news-events/blogs/business-blog/2015/05/if-ftc-comes-call.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)