Page 30 - Cyber Warnings
Preparing for Potential Litigation or Claims. DDoS attacks may lead to litigation or regulatory
scrutiny in a variety of contexts. For example, civil liability could potentially arise where financial
services customers are prevented from accessing financial accounts or buying and selling stock
during an attack, leading to potential lawsuits alleging consequential damages and lost profits
against the website operator or service provider. DDoS attacks could also give rise to claims
against service providers for failing to provide contractually-guaranteed service levels. The theft
of customer information, trade secrets, intellectual property, or other confidential or protected
information could also give rise to multiple sources of liability—both contractual and under state
and federal laws. A failure of any type of service provided through or bolstered by the
Internet could result in a variety of lawsuits based on a company’s own failure to adequately
protect against a DDoS attack or appropriately limit liability in its agreements with customers.
Clearly documenting the start and duration of any outages as well as identifying actions the
organization has taken in response will better position it for defending against these claims.
Relatedly, organizations have an obligation to preserve potentially relevant information and
documents once they reasonably anticipate litigation. Organizations should consult with legal
counsel to determine when it is appropriate to put litigation holds in place to ensure that they
avoid potential spoliation issues and sanctions. Note that the timing of the litigation hold may
need to take into account assertion of privilege protections under the work-product doctrine. To
the extent that a company argues that materials prepared by and with legal counsel are being
prepared “in anticipation of litigation” and are therefore protected, it should consider whether this
assertion triggers an obligation to preserve evidence at the same juncture.
About The Authors
David Navetta is a US co-chair of Norton Rose Fulbright's Data Protection, Privacy and
Cybersecurity practice group. David focuses on technology, privacy, information security and
intellectual property law.
His work ranges from compliance and transactional work to breach notification, regulatory
response and litigation. David has helped hundreds of companies across multiple industries
prepare for and respond to data security breaches.
Kris Kleiner and Erin Locker are associates in Norton Rose Fulbright’s Data Protection, Privacy
and Cybersecurity practice group. Kris and Erin regularly advise clients on best practices as well
as compliance with state and federal privacy and cybersecurity regulations and have experience
assisting various clients operating in multiple industries in identifying, remediating, and
responding to data privacy incidents.
David, Kris, and Erin can be reached at [email protected],
[email protected], and [email protected] or at our
company website http://www.nortonrosefulbright.com.
30 Cyber Warnings E-Magazine December 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide