What Should Companies Do to Prevent Cyberattacks?
Insights from Atlanta-based attorneys on addressing cyber risks
By Jerry Grillo | Reviewed by Canaan Suitt, J.D. | Last updated on August 21, 2023
Featuring practical insights from contributing attorneys Peter C. Quittmeyer, Joe D. Whitley and David E. Gevertz
When it comes to cybercrime, Atlanta has been a veritable Gotham City—with nary a Batman in sight. Atlanta has seen:
- A Home Depot data breach in 2014 that affected more than 50 million cardholders;
- Repeated cyber-attacks on defense contractor Lockheed Martin (foreign espionage is suspected);
- A data breach at credit-reporting giant Equifax that affected almost 150 million;
- A 2015 apology from then-Secretary of State Brian Kemp after his office released the personal information of 6 million voters; and
- In the spring of 2018, Atlanta’s government was hit by the largest municipal cyberattack in U.S. history.
What’s going on?
The Laws Protecting Business Information from Cyber Threats
The current regulatory landscape is scattered, with few federal cybersecurity laws.
Instead, there are 50 sets of state regulations, as well as international laws such as the European Union General Data Protection Regulation (GDPR), which, says Peter Quittmeyer, a partner specializing in computer law at Eversheds Sutherland, “has some overlap for U.S. companies doing business or collecting personal data in the European Union. U.S. [regulations] tend to be industry-specific.”
Current U.S. laws direct healthcare organizations, financial institutions, and federal agencies to protect their systems and information from cybercriminals.
As Congress considers more expansive legislation, it’s a good idea for organizations to keep abreast of evolving technology and threats, and to have both pre-emptive and response plans in place, says Joe Whitley, who was the first general counsel for the Department of Homeland Security and now heads Baker Donelson’s government enforcement and investigation group.
“When you’re driving down the highway, it’s what you don’t see that can harm you,” says Whitley.
How to Protect Your Company’s Sensitive Information
Whitley and his colleagues work directly with their clients’ IT officers, linking them routinely with outside consultants specializing in cybersecurity, as well as his contacts in Homeland Security, the FBI, and the U.S. Attorney’s Office in Atlanta, “which has been very proactive in working with the business community, offering to assist if they have a breach.”
Significant financial and political consequences can result from a cyberattack or data breach, and organizations don’t do themselves any favors by delaying customer notification. But the fallout has been about as inconsistent as the regulatory environment. Home Depot spent $19.5 million to compensate consumers following its data breach, while Kemp was elected governor by the same voters whose personal information his office leaked.
Some Cyber Threats are Extremely Difficult to Control
While IT, law enforcement, and legal experts try to keep up with evolving technology and regulations, some things are beyond their control.
“You can’t guarantee against human error,” says Quittmeyer. “Mistakes and breaches occur. When you have entire countries focused on finding and exploiting vulnerabilities, it’s really a race to the edge of current knowledge in technology.”
Whitley adds, “Some of the biggest problems are right in front of us—employees who bring their computers that might not be very secure to work, and you have individuals who walk away without turning their computers off. Also, the effects of social engineering have risen steadily.”
Phishing, the use of scam emails to trick recipients into revealing confidential information, is a prime example. It is a typical means of delivering ransomware (malicious software that can publish a victim’s data or lock down a system unless a ransom is paid) to an operating system.
When the Government is the Victim of a Cyber Attack
However, when the city of Atlanta was infected by a ransomware virus last spring, the attackers used a brute-force attack—guessing passwords until they broke in. It’s a strategy geared toward weak IT infrastructures.
The attack created havoc. City employees had to keep their computers turned off for five days, the municipal court had no way to accept traffic fines, and years of police footage were lost. Some city systems did not recover. In December 2018, two Iranian nationals were indicted by a federal grand jury on charges of creating and deploying the ransomware.
“This was a situation where we could only respond after the fact,” says David Gevertz of Baker Donelson, who handles work for the city of Atlanta. “I’ve drawn a few important lessons from the experience:
- First and foremost, if you have the opportunity, definitely work with law enforcement—in this case, the FBI—and take advantage of their sophisticated resources.
- Also, engage top-notch cybersecurity partners, because having the right vendor allowed us to unlock many systems and plug our holes. They also helped us proactively prepare in case there is a next time.”
And given the ever-evolving tech landscape, there will be.
Find an Experienced Cybersecurity Lawyer
Whether you’re the leader of a large or small business, you need to be prepared for the cyber threats posed by hackers. It’s imperative that your company is following best practices—things like having antivirus software on company laptops, strong passwords, and multi-factor authentication—and that you have strategies in place for potential data breaches, such as data backups and data encryption.
For help crafting your company’s cybersecurity policies or to assess your preparedness against cybersecurity threats (including security breaches and ransomware attacks that aim to steal customer information, business data, or other sensitive data), consult with a data privacy lawyer in your area.