Terror, cyber and insider attacks must be defended against as much as their accompanying liabilities.
As if facing down escalating terror, cyber and insider threats is not enough, private businesses are hamstrung by limited budgets that make choosing how and when to defend themselves more and more difficult. This rising cluster of threats demands intense security and substantial financial resources to protect people and assets.
The struggle is most pronounced in the homeland, where private parties own the majority of assets and critical infrastructure. Relying exclusively on the U.S. government for support is no longer an option—they must engage just as vigorously after an attack.
But how much security is required to meet the minimum legal standard of care for terror, cyber and insider threats? In what situations must certain security measures be enacted to comply with a statute or to avoid a contractual breach? How much more security is needed to protect a brand?
To answer these questions, businesses must take the lead in addressing threats to their specific core missions and assets, leveraging existing countermeasures and implementing new ones. A three-pronged approach that separates the threats, prioritizes them and then customizes countermeasures can help organizations make the most of their resources and avoid falling victim to overlooked legal ramifications.
The first prong calls for companies to consider attackers' primary targets, motivations and potential weapons to determine the most appropriate response. The type of threat will define legal or contractual obligations. Companies must differentiate between terror threats that typically target civilians and are politically or religiously motivated; cyberthreats that attempt to expose or steal intangible assets such as finances, intellectual property or trade secrets; and insider threats from maligned employees.
The second prong involves prioritizing threats based on their likelihood of success and possible damage. This step is important because liabilities can arise when private companies neglect to take what could be determined as reasonably prudent measures to prevent an attack. Trying to define reasonably prudent legal measures is tricky. It could be said that because the number of terror and cyber attacks appears to be on the rise, corporate security measures should be enhanced. Any such requirements, however, demand careful scrutiny and professional support because they fall in murky territory. It is vital to know, for example, whether a contract spells out a company's requirement to have in place proven measures to prevent unauthorized access to key assets. Sports centers might be required contractually to prevent unauthorized physical access, while a bank has to guard against theft of financial information. Failure to meet these requirements could lead to claims of contract breach. Luckily, many liabilities can be attenuated with well-negotiated statements of work, inspections, service credits, caps, force majeure and other mitigation terms.
The third prong to mitigating legal liabilities is to prioritize corporate assets. For some companies, particularly those accessed by the public, protecting people from terrorism might be the top priority, requiring appropriate focus and resource allocation. For other businesses, protecting a brand, classified information, financial systems, intellectual property, privacy and other intangible assets from cyberthreats might rank first. Safeguards could include implementing best practices, hiring effective security managers, buying and updating technical products and using modern services to secure information technology. Still others might prioritize physical property and focus on monitoring, detecting and investigating suspicious activities inside and sometimes outside of places of business.
This threat framework and comparative analysis make a solid start to allocating resources and mitigation efforts for threat deterrence. But this is only a start. Threats evolve and even merge. Terrorists are just as apt to shoot up a business meeting as they are to pull off a cyber attack to disrupt government functions or delivery of critical infrastructure and basic services.
These rapidly morphing threats demand innovative solutions. They also demand that companies negotiate proper service and equipment contacts; analyze organizational risks; address and develop corresponding regulatory compliance programs; create and implement internal policies; require internal training; and enforce rights. Perhaps it is time for the private sector to finally adopt the mantra government agencies have long recited: Prepare, react, recover, learn and repeat.
Originally published in Signal Magazine
Mark J. Maier is a lawyer and partner in Arnold & Porter Kaye Scholer's national security practice, a colonel in the U.S. Army Reserve and the Army's emergency preparedness officer for Maryland. The views expressed are his own.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
