State Taxation | Tax Stringer

Does Cybersecurity Apply to Me?

Have you heard of cybersecurity? In this digital age, a malicious actor does not need to walk through your doors to steal from you. They can simply click a button. These malicious actors are educated, intelligent, and motivated. While companies strive for a perfect defense that is impossible to achieve, a hacker needs to get into their systems only once.

These hackers are not your average criminal—they have advanced tools and can sell the assets they steal on online marketplaces without ever having to be physically present (or even in that country). While their tactics could have been viewed as laughable in the past, hackers have polished them over many years. Emails that used to be from a “Nigerian prince” have been replaced with well-drafted, sophisticated pieces of subterfuge that are highly effective at getting readers to click on a link.

With computers now constantly connected to the Internet, your sensitive data is always at risk. Protecting your data is not just a customer relationship issue—it is now required by various laws and regulations. These laws exist to compel businesses to implement the legal and technical measures needed to reduce the adverse consequences of an attack. Failure to adequately comply with these laws can subject a business to enforcement actions by agencies, lawsuits from affected consumers, and fines from various state regulators.

Complying with the myriad federal and state cybersecurity laws and regulations is no easy task. Many laws now require that companies develop a Written Information Security Policy ("WISP") and establish relationships with experts to contact in the event of a suspected breach. A WISP is an internal company document that establishes a company's procedures for identifying, protecting against, detecting, and responding to cybersecurity incidents. A WISP incorporates both the legal principles that mitigate damages in the event of an incident and the methods necessary to identify and address potential compliance issues. It also assists company departments in developing their own methods for handling information by providing a central resource that gives guidance and outlines the company's standard cybersecurity procedures.

As the law develops, many regulations, including the New York Department of Financial Services’ regulations and Europe’s General Data Protection Regulation, now require that companies maintain a WISP. These regulations require a company to document its incident response plan as part of its WISP. Companies, however, should also ensure that any response plan includes procedures to protect whatever information they can under the confines of attorney-client privilege and in accordance with the applicable evidentiary rules. Before having to respond to an incident, a company must know what information to preserve as well as how to maintain that information in an admissible format. Moreover, if legal counsel was consulted in the WISP’s creation, the attorney-client privilege or attorney work product doctrine might shield at least some aspects of the WISP from disclosure in the event of litigation. Note that creating a WISP might entail communicating with a company's outside vendors and conversations with staff at many different levels of the hierarchy. Without legal counsel involved, these communications and any information provided to the company by a computer security professional would most likely be unprotected.

As cybersecurity concerns continue to grow and the law struggles to keep up, most businesses are now required to have at least some form of cybersecurity in place. Businesses can bring real value to their clients and themselves by proactively addressing these concerns and reducing their companies' risks. Companies that fail to take steps now to implement even basic safeguards might find themselves floundering at the last minute to address these concerns at much greater cost.


Steven S. Rubin, JD, is a partner at Moritt Hock & Hamroff where he serves as chair of its patent practice group and co-chair of its Cybersecurity Practice Group. In the cybersecurity space, Steve relies on his technology background in counseling clients and creating WISPs. The WISP may be used by companies to mitigate the risk of, and potentially limit exposure from, a data breach. In generating a WISP, Steve may serve the role of an external Chief Information Security Officer ("CISO") as is required under 23 NYCRR § 500 et seq.  He also serves as part of a multi-disciplinary team that can be utilized when a company is sued for actions associated with a data breach. As a recognized leader in his field, Steve speaks and publishes extensively on various issues and topics pertaining to cybersecurity law.  He has been quoted in IP Law & Business, Forbes Magazine, Information Week, macnewsworld.com, ecommercetimes.com, TechNewsWorld, Linuxinsider, EE Times, IPLaw360.com, Information Display Magazine, Newsday and Long Island Business News. He serves on the technical advisory board for NYIT and is a member, senior grade, of the Institute of Electrical and Electronics Engineers (IEEE).  Steve earned his J.D. from Hofstra University School of Law and his B.S, magna cum laude, in electrical engineering from NYIT.