“No,” says U.S. Assistant Attorney General Leslie R. Caldwell. At the most recent Cybersecurity Law Institute held at Georgetown University Law Center in late May, the head of the U.S. Department of Justice’s (DOJ) Criminal Division offered guidance to attendees on how to prevent and combat cybercrime. She also spoke about significant victories that the Criminal Division had achieved with the help of private sector and foreign collaboration. In the last year or so alone, the U.S. government extradited about a dozen high-level cybercriminals from around the world.
In her speech, Caldwell urged the private sector to work more closely with the government, explaining that “the Criminal Division is better positioned than ever before” to help organizations bring intruders to justice, defend networks and prevent cybercrimes from happening in the first place. Among other things, she reported that the new DOJ Cybersecurity Unit has broken new ground, including recently releasing well-received guidance called “Best Practices for Victim Response and Reporting of Cyber Incidents,” which we discussed on this blog earlier this month – and made the case for why businesses should not take defensive measures such as “hacking back” against attackers in an effort to punish the attacker or to retrieve or delete stolen data.
Caldwell summed up the Division’s legal position on hacking back: “based on a simple, plain-text reading of the Computer Fraud and Abuse Act, such conduct is generally unlawful.” If that were not reason enough, she explained, businesses should still avoid hacking back for these legal, policy and practical reasons:
- Hacking back tactics pose a significant threat to innocent third parties whose infrastructure may be hijacked by cybercriminals, in order to more easily commit crimes and to mask the hacker’s identity during subsequent investigations;
- Hacking back can interfere with and irreparably harm ongoing government investigations;
- Hacking back carries the danger of dramatic escalation against unknown and potentially sophisticated adversaries who may have powerful and destructive technical capabilities;
- Such activities may be illegal in foreign jurisdictions;
- Hacking back may have serious effects on international relations and could have foreign policy consequences; and
- There is a low likelihood that such activities would be beneficial and yield anything other than the momentary pleasure that comes with taking action.
Caldwell’s points are well taken. From our perspective, one of the best ways for a company to prevent, detect, respond to, remediate, survive and even thrive following a cyberattack is to have in place an effective Incident Response Plan that has been tested, adapted and improved over time to reflect changing technology, business circumstances and emerging threats to the organization. Companies that want to incorporate strategies for hacking back into their plans should carefully consider the legal and practical risks and consult with legal counsel prior to taking any action.