”The Sony cyber attack should teach companies an entirely different lesson. Target, Sony and myriad other attacks over the last two years highlight that every company is vulnerable to cyber attacks, regardless of their size, industry or the information they hold.
As just one example, at Skadden, we have seen clients attacked by politically motivated hackers not because of the company’s business agenda but through “ransomware” attacks, where the hackers sought money to finance their politically focused operations. Other companies have suffered the theft of valuable business information, ranging from intellectual property to confidential business plans. While each company’s exposure to risk varies, no company should consider their risk exposure so low that cyber-attack preparedness is not front and center on their agenda for 2015.
In many ways, cyber-attack preparedness is a technology issue, but the companies that are best prepared for these attacks take a holistic approach, with heavy involvement from the legal department and business units. Every company’s legal department should be spearheading regular privacy and cybersecurity audits in order to identify weak spots within their organization that could expose them to costly litigation or regulatory charges should an attack occur. The legal department should also coordinate the creation of a Cyberattack Response Plan (also called a Severe Incident Response Plan) that identifies (1) the roles and responsibilities of a rapid response team, (2) the response logistics and (3) key decisions to consider. Companies that develop and train staff on such plans are far better at responding quickly and effectively to cyber attacks, and in a way that minimizes their risk exposure.
As has happened in nearly every cybersecurity attack, the recent attack on Sony has already generated class action litigation.1 In this case, a lawsuit was filed on December 15, 2014, purportedly on behalf of all current and former Sony employees whose personally identifiable information (PII) was compromised in the attack. Since it is difficult to sue a company simply for being hacked, the plaintiffs, as in other cybersecurity class action lawsuits, are attempting to establish a set of steps that Sony failed to take, and that allegedly would have prevented the attack. Inthat respect, the complaint provides a roadmap of the types of issues plaintiffs’ counsel raise when a company suffers a cyber attack….”
Full article –