In October, the Ponemon Institute estimated the average annual cost of cybercrime for large U.S. companies to be $15.4 million. That figure is up 19 percent from last year and up 82 percent from the institute’s first study six years ago. The study examined the total cost of responding to cybercrime incidents, including detection, recovery, investigation and incident-response management. Researchers also examined expenses after events designed to prevent additional costs stemming from the potential loss of business or customers, such as those seen in widely reported breaches at Target, Home Depot and Sony Pictures.
 
Earlier this year, the Department of Justice Computer Crime & Intellectual Property Section (CCIPS) Cybersecurity Unit issued guidance on best practices for responding to data breaches when companies find themselves victims to these cybercrimes. The document, assembled with the insight of federal prosecutors and investigators, as well as with input from private organizations which have experienced and managed cyber threats and cybercrimes, offers valuable information for companies to consider in crafting their data protection policies.
 
The DOJ’s “best practice” guidance is divided into four parts:

1. Steps to Take Before a Cyber Intrusion or Attack Occurs;
    
2. Responding to a Computer Intrusion: Executing Your Incident Response Plan;
    
3. What Not to Do Following a Cyber Incident; and
    
4. After a Computer Incident.

The recommendations include conducting risk assessments to identify and prioritize critical assets, data and services. Organizations should develop response plans with specific, concrete procedures to follow in the event of a cyber-attack. Organizations should test the plan with exercises and update it to reflect changes in personnel, as well as maintain and upgrade necessary technology to respond.
 
The Department of Justice (DOJ) recommends organizations engage counsel familiar with legal issues associated with cyber incidents, including outside counsel who specialize in data breach-related legal services. As the DOJ notes, having outside counsel in place before an information security incident can speed an organization’s response and ensure it complies with the organization’s legal obligations.
 
For a full analysis and recommendations for steps to be taken during an attack, the DOJ’s guide is available here.
 
Patrick Mincey is a trial lawyer in Wilmington, where he founded the Criminal Defense Group at Cranfill Sumner & Hartzog LLP. His criminal practice ranges from representing individuals and corporate clients who are targets, subjects or witnesses in federal and state white collar proceedings to “blue collar” defendants charged with murder, drug conspiracies and assaults. To contact Patrick Mincey, call (910) 777-6017 or email him at [email protected].