Attorneys counsel at-ready stance on cyber-attacks

08 November 2016

Michael Fitzhugh / BioWorld

The rising tide of digital attacks touching politics, finance and retail also poses significant threats for the pharmaceutical and medical device industries. During a Thursday webinar, attorneys at King & Spalding LLP counseled that internal identification of "crown jewel" trade secrets, rigorous protection plans and an at-ready stance for incident response to thefts should form the core of corporate game plans.

With trade secret thefts costing American businesses billions of dollars annually, according to estimates by PricewaterhouseCoopers LLP and others, the question is not if an organization will incur costs from cybersecurity breaches, but rather when and at what magnitude, said presenters Chris Burris, a partner in King & Spalding's special matters and government investigations group, and Nick Oldham, an attorney in the firm who assists clients with cybersecurity and risk management issues.

The theft and occasional malicious encryption of medical records has justifiably become a top concern for health care businesses. Five of the eight largest health care security breaches since the beginning of 2010 – those with more than 1 million records reportedly compromised – took place during the first six months of 2015, according to IBM Corp.'s 2016 Cyber Security Intelligence Index. As recently as last week, a pointed orchestration of hijacked internet-connected devices laid waste to access to popular internet sites for hours.

However, for life sciences companies, the threats are more often internal, Burris and Oldham said. Citing three client examples from the past four years, they said that key trade secrets, including research data and manufacturing processes for drugs, were spirited into competitors' hands in China via simple personal emails, thumb drives or storage devices, generally with insiders to blame.

"Life sciences companies often rely on trade secret protection to protect research and methodology that's not yet market-ready," said Burris. Because of that, they're particularly vulnerable to thefts. To counter that vulnerability, he suggested, companies need to put in place internal processes and controls intended to make sure that insiders are neither in a position to access materials they do not need nor in a position to easily exfiltrate such data.

Recurring issues King & Spalding attorneys see include companies failing to mandate the escalated cybersecurity precautions needed to preserve trade secrets; the mixing of trade secrets with general corporate data on the same network; an overreliance on nondisclosure agreements, which don't help if the signatories get hacked; and shortcomings in employee education.

Because courts making determinations in trade secret theft cases often focus on whether reasonable steps have been taken to protect those secrets, Oldham pointed to the importance of taking concrete steps, including the segregation of secrets from general corporate information, electronic tagging of trade secret information, encryption, complex password policies and employee trainings. Nonetheless, he said, "a policy is only as good as people's application of that policy."

For companies looking to establish or improve their own cybersecurity programs, Oldham and Burris suggested building on the National Institute of Standards and Technology's (NIST) Cybersecurity Framework, the first version of which was established in 2014. "The core presents five functions – identify, protect, detect, respond and recover – that taken together allow any organization to understand and shape its cybersecurity program," according to NIST.

With a written policy in place, the next and ongoing steps need to be practice, practice and more practice, the attorneys said. "If it's 3 or 4 in the morning and you get the call that you've had some kind of security breach, that's not the time when you want to start thinking to yourself, 'Which security vendor do we need to bring in to augment our I.T. security resources inside the company?' or 'Which one of the law firms on the Rolodex do we need to go to?'" said Burris. "It's too late to start doing interviews. You're going to have to move and you're going to have to move quickly. You should be thinking about that response well in advance of the incident occurring."
