Is Your Business Ready to Respond to a Cyber Attack?

With hacking into business websites and security breaches in confidential corporate data on the rise, businesses have developed preventative measures against cyber attacks and become more proactive in recognizing, responding, and prosecuting cybercrimes. This article provides an overview of some practical considerations and tactical strategies in responding to a cyber attack on your business.

Congress has long recognized the devastating impact of computer crimes. The Computer Fraud and Abuse Act (CFAA) and its predecessor statute, is now twenty-seven years old.1 (The California statutory equivalent is California Comprehensive Computer Data Access and Fraud Act, Penal Code section 502, enacted in 1987.) While the CFAA is primarily a criminal law originally intended to address computer hacking and to address federal computer-related offenses involving computers of the federal government or certain financial institutions, the 1994 amendment enabled civil actions to brought under the statute as well2, if the violation causes loss or damage as defined in the CFAA (18 USC § 1030(G))3. The CFAA, in its current iteration, provides that, whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer shall be punished under the Act. The CFAA applies not only to persons who commit or attempt to commit an offense under the Act, but also to those who conspire to do so.

In civil actions, the CFAA can provide grounds for recovery of significant damages. Persons found to be civilly liable for a CFAA violation can be responsible for compensatory damages and injunctive or other equitable relief. Under the CFAA, “loss” includes response costs; damage assessments; restoration of data or programs; wages of employees for these tasks; lost sales from website; lost advertising revenue from website and other reasonable costs. However, loss does not include lost revenue resulting from the theft of proprietary information.4 In the early days of the CFAA, “exceeding authorization” could be shown by demonstrating that the user violated the “Terms of Use” found on most commercial websites. The law is in flux with respect to what a victim of a cyber attack needs to show in conjunction with a violation of the “Terms of Use” to seek criminal penalties.5

Practical Considerations and Tactical Strategies

Businesses that do not already have a cyber attack response plan, should consider the following:

  • Develop a Response Plan. Businesses should create internal systems that first, recognize a breach, isolate and contain a cyber attack problem; and second, investigate, preserve evidence, and develop internal controls for preventing similar attacks in the future);
  • Educate your employees. Best practices for businesses include coordination with employees, management, Chief Compliance Officer, IT, human resources, legal and business units. This coordination involves educating your employees about what constitutes a computer crime, and who to contact in the event they believe that a computer crime has occurred;
  • Evaluate your enforcement options. Not every case is appropriate for criminal referral. Where appropriate, make criminal referrals, seek restitution, and pursue civil remedies under the CFAA when criminal enforcement is not warranted. There is also an Internet Crime Complaint Center (IC3) (formerly known as the Internet Fraud Complaint Center) which has an online form that you can fill out, and IC3 will refer the complaint to the appropriate law enforcement agency for investigation (; and,
  • Develop relationships with law enforcement agencies.6 The Department of Justice and law enforcement agencies devote significant resources to building collaborative relationships with private industry representatives.7 Learn what steps a company or business should take to present the case information to the appropriate law enforcement agencies. In most cases, the law enforcement agency will be the local FBI office8 or the U.S. Secret Service.

Constance Yu is a partner of Sideman & Bancroft LLP in San Francisco, California. Ms. Yu concentrates her practice on business tort issues including disputes over complex commercial transactions, banking practices, intellectual property rights, unfair competition, false advertising, and employment matters. She has handled a wide variety of other commercial disputes such trade secret litigation, disputes arising out of e-commerce businesses, defamation, professional liability, and RICO litigation. Ms. Yu also advises clients in criminal investigations involving corporations, former government officials and private individuals in financial and other business disputes.
Her experience includes representation of individuals, institutions,
and their officers and directors in white collar criminal matters in the
United States and abroad.; 415-392-1960


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s