What Should a Company Do to Prevent Cyberattacks?

Advice from Georgia legal professionals

When it comes to cybercrime, Atlanta has been a veritable Gotham City—with nary a Batman in sight. Atlanta has seen:

  • A Home Depot data breach in 2014 that affected more than 50 million cardholders
  • Repeated cyber-attacks on defense contractor Lockheed Martin (foreign espionage is suspected)
  • A data breach at credit-reporting giant Equifax that affected almost 150 million
  • A 2015 apology from then-Secretary of State Brian Kemp after his office released the personal information of 6 million voters
  • Then in spring 2018, Atlanta’s government was hit by the largest municipal cyberattack in U.S. history.

What’s going on?

The current regulatory landscape is scattered, with few federal cybersecurity laws. Instead, there are 50 sets of state regulations, as well as international laws such as the European Union General Data Protection Regulation, which, says Peter Quittmeyer, a partner specializing in computer law at Eversheds Sutherland, “has some overlap for U.S. companies doing business or collecting data in the European Union. U.S. [regulations] tend to be industry-specific.”

Current U.S. laws direct health care organizations, financial institutions and federal agencies to protect their systems and information. As Congress considers more expansive legislation, it’s a good idea for organizations to keep abreast of the evolving technology and threat, and to have both pre-emptive and response plans in place, says Joe Whitley, who was the first general counsel for the Department of Homeland Security and now heads Baker Donelson’s government enforcement and investigation group.

“When you’re driving down the highway, it’s what you don’t see that can harm you,” says Whitley.

Whitley and his colleagues work directly with their clients’ IT officers, linking them routinely with outside consultants specializing in cybersecurity, as well as his contacts in Homeland Security, the FBI, and the U.S. Attorney’s Office in Atlanta, “which has been very proactive in working with the business community, offering to assist if they have a breach.”

Significant financial and political consequences can result from a cyberattack or data breach, and organizations don’t do themselves any favors by delaying customer notification. But the fallout has been about as inconsistent as the regulatory environment. Home Depot spent $19.5 million to compensate consumers following its data breach, while Kemp was elected governor by the same voters whose personal information his office leaked.

While IT, law enforcement and legal experts try to keep up with evolving technology and regulations, some things are beyond their control.

“You can’t guarantee against human error,” says Quittmeyer. “Mistakes and breaches occur. When you have entire countries focused on finding and exploiting vulnerabilities, it’s really a race to the edge of current knowledge in technology.”

Whitley adds, “Some of the biggest problems are right in front of us—employees who bring their computers that might not be very secure to work, and you have individuals who walk away without turning their computers off. Also, the effects of social engineering have risen steadily.”

Phishing—the use of bogus emails to trick recipients into revealing confidential information—is a prime example. This is a typical means of delivering ransomware: malicious software that can publish a victim’s data or lock down a system unless a ransom is paid.

However, when the city of Atlanta was infected by a ransomware virus last spring, the attackers used a brute-force attack—guessing passwords until they broke in. It’s a strategy geared toward weak IT infrastructures. The attack created havoc. City employees had to keep their computers turned off for five days, the municipal court had no way to accept traffic fines, and years of police footage was lost. Some city systems did not recover. In December 2018, two Iranian nationals were indicted by a federal grand jury on charges of creating and deploying the ransomware.

“This was a situation where we could only respond after the fact,” says David Gevertz of Baker Donelson, who handles work for the city of Atlanta. “I’ve drawn a few important lessons from the experience. First and foremost, if you have the opportunity, definitely work with law enforcement—in this case, the FBI—and take advantage of their sophisticated resources. Also, engage top-notch cybersecurity partners, because having the right vendor allowed us to unlock many systems and plug our holes. They also helped us proactively prepare in case there is a next time.”

And given the ever-evolving tech landscape, there will be.

Other Featured Articles

Business Litigation Business Litigation

How Much Cybersecurity Does My Business Need?

Protecting data is an ongoing process for businesses

Business Litigation Business Litigation

What Laws Govern Charitable Solicitation in Massachusetts?

The state and federal regulations a nonprofit must follow when seeking funds

View More Business Litigation Articles »

Page Generated: 0.05985689163208 sec