Why companies and their security teams need to engage with a lawyer before an incident occurs

Presentations at Black Hat often involve slides full of data or code. Rarely, or maybe never, have I seen a slide that details parts of a policy, contract or general legal text. Nick Merker, a partner at ICE Miller LLP, attracted a sizeable crowd of attendees for his presentation titled ‘Legal Pitfalls to Avoid in Security Incidents’. The eagerness of attendees to listen to a lawyer demonstrates how critical cybersecurity is to a business and how legislation and legal action are a reality that cybersecurity professionals deal with on a far-too-frequent basis.

‘Privileged and confidential’ – those magical words in the subject line of an email are an indication that the content will, or should, remain confidential from regulators or lawyers bringing action against the company. I am sure that you, like me, you have seen one of these emails land in your inbox without the company lawyer on copy or discussing something that is never likely to need legal defense. The company lawyer is mandatory if the heading needs to be meaningful. The explanation that during a security incident there need to be two distinct tracks: the first being operational on what the attacker did and how do we get things running again, and the second controlled by the lawyer on building the defense needed should someone to start legal action based on the incident.

A cyber-forensics team brought in to detail an incident is likely to uncover processes or gaps that are not favorable to the company and provide ammunition if handed to the other side of a legal complaint. Nick provided examples of incidents where courts have decided that all the details be handed over regardless of the ‘privileged and confidential’ heading. The expert lawyer brought in to gather information on the incident needs to have their own forensics team and the information uncovered by this team should not be shared within the company. This avoids discovery by another party while providing the company retained lawyer all the information on the incident needed to defend as necessary – ‘litigation preparedness’.

Another topic of discussion was the importance of logging all the decisions made during an incident, as these may be needed to demonstrate the company had process and policy in place to deal with the incident and minimize risk. This follows the guidance of cybersecurity frameworks and standards such as NIST on Incident Response.

If the incident is likely to lead to the payment of funds to a cybercriminal, then proper investigation and legal advice is highly recommended to ensure the company does not transact with a person, entity or country that is on the OFAC’s sanctions list. While there are very few cyber-related entries on the sanctions list, it’s important to be able to show that the company made every effort possible to avoid this. The bank, cyber-risk insurer and cryptocurrency exchange being used are likely to seek this same due diligence and confirmation as they, too, can be held accountable. For the purposes of research, it was recommended that the cryptocurrency wallet address for payment be sought early on, so a thorough check can be carried out.

If someone had told me 20 years ago that a cybersecurity team would work closely with the company legal team in this way, I would likely to have muttered something about utter nonsense. In today’s litigious world and with regulators around each corner it has become an essential relationship in a business. My takeaway and advice having attended this valuable presentation is that companies and cybersecurity teams should engage with a lawyer ahead of any incident so that they are clear on what to do should an incident occur.