certain to raise and adequately address these issues during the contract negotiation process to
ensure that the risks associated with these incidents are properly allocated between or among
the parties involved. Specifically, the repercussions of a DDoS attack may need to be
addressed in various terms, including: (i) revising force majeure provisions or other exceptions
to contractual service guarantees to exclude downtime attributable to these types of incidents
from uptime or reliability calculations; (ii) creating disclaimer or limitation of liability language in
agreements that expressly limits or eliminates potential liability associated with the inability to
perform transactions during a system or website outage; (iii) carefully drafting security incident
notification clauses to avoid contractual liability where notice might be required under a contract,
but would not be required under any other law or regulation; and (iv) allocating risk and liability
for potential outages in terms governing limitations on liability and indemnity.

DDoS Mitigation. We recommend that organizations consider retaining third parties to provide
the types of DDoS mitigation services described above. For companies that are already using
these services, we recommend reviewing the level of services provided to ensure that they have
an adequate amount of protection in light of the volume of the recent IoT-based attacks.
Historical levels of protection may be insufficient in light of the increasing numbers of IoT
devices that are becoming more easily exploitable.

Documenting Security and Preventative Measures. Organizations should be certain to
document the various security measures taken, including those designed to prevent and
mitigate the effects of DDoS attacks. As outlined further below, these incidents have the
potential to generate litigation against the victim organizations. Because of this, companies
should evaluate their litigation and regulatory action risk from various sources and which actions
are likely to be seen as reasonable under the circumstances when viewed in hindsight by a
court, jury, or regulator. Organizations must remain cognizant of the fact that documenting their
security decisions and practices can significantly bolster defenses against claims of negligence
or breach of contract by litigants or non-compliance by regulators. Companies should seek a
“reasonable” level of security and mitigation with respect to DDoS attacks to help defend against
litigation.


During an Attack

Establishing and Preserving Attorney-Client Privilege. A key step in the investigation of and
response to any cyber incident is working with internal or outside legal counsel to ensure that
the investigative findings and documents are protected under the attorney-client privilege and/or
work-product doctrine. As we have previously outlined, important steps in preserving privilege
include: (i) retaining or involving legal counsel early in the process, (ii) focusing the investigation
on providing legal advice to the organization, including providing legal advice in anticipation of
litigation and regulatory inquiries, and (iii) retaining forensic or security experts through legal
counsel.

Balancing Remediation and Investigation Objectives. The primary objective for most businesses
following a DDoS attack is to ensure that websites are back online and critical business
functions are protected. However, steps to remediate the attack are often taken at the expense

28 Cyber Warnings E-Magazine December 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide