DOJ’s Cybersecurity Guide Opens Door to Liability Risks

May 4, 2015 – In The News

Scott L. Vernick was quoted in the Law360 article, “DOJ's Cybersecurity Guide Opens Door to Liability Risks.” Full text can be found in the May 4, 2015, issue, but a synopsis is below.

Last week, the U.S. Department of Justice released guidance on cybersecurity preparation and response plans, becoming the latest federal agency to define what constitutes a strong plan.

While all of the guidance may not fit every company perfectly, attorneys caution that organizations need to ensure they have at least reviewed the best practices and determined whether the recommendations fit their business models.

According to attorneys, small and midsize businesses will likely have a harder time adhering to the guidance due to the lack of resources compared to their larger counterparts, which could leave them unable to takes steps such as retaining experienced outside counsel and having proper technology in place to identify a breach.

“Large companies have a hard time assessing the nature and scope of an incident and having the best forensics in place, let alone small companies,” said Scott Vernick, a noted privacy attorney. “So to the extent that the guidance creates a floor, a company will likely be accused of being negligent regardless of their size or risk profile if their standard of conduct falls below that floor.”

As with other state- and industry-specific guidance released by agencies, plaintiffs are likely to seize the opportunity on the step-by-step approach the DOJ advocates.

“While the DOJ guidance is useful, the concern is that it becomes the standard and basically creates a recipe for plaintiffs to be able to say, 'Well, here are some standards, and you're not abiding by them, so you're acting negligently and have some type of liability,'” Vernick said.

Click here to view the full article.