Cyber Espionage: Legal Considerations for the Private Sector

To help get organizations thinking about the potential legal issues that could arise from newly identified threat actors, FireEye, in conjunction with full-service law firm Pillsbury Winthrop Shaw Pittman, has come up with some questions that organizations should be asking:

• Does the threat actor’s host country now constitute a known “cyber hostile environment,” requiring companies to take additional security measures to protect any information systems they have in the country or that their employees may bring along on travel?
• Will the newly identified cyber espionage group become subject to possible sanctions put in place by the U.S. government, thereby limiting the ability of private sector companies to do business with that state?
• Should threat assessments, including the collection and analysis of shared threat information, be modified to take into consideration the threat posed by the newly identified cyber espionage group (and thereby limit possible legal exposures)?
• Should private sector companies reassess the terms and conditions used with companies involved in their global supply chain, particularly those components that are either located in or impacted by the newly identified cyber espionage group?
• How involved should executive leadership be in deciding if additional security measures need to be implemented surrounding business ventures that may be affected by this threat intelligence?

Although this list is not exhaustive, it illustrates the types of legal issues that a private sector company should consider when a new cyber espionage group is identified. We recommend organizations have procedures in place to identify the risks posed by any new cyber threat and that they implement appropriate legal and technical management measures.