When we think about cyber incident response, we think about
detection, analysis, containment, eradication, remediation and reporting. These
stages are not just about technical and forensic response, however. Throughout
each, legal risks and considerations must also be addressed. It is imperative
to focus on gaining technical understanding of what the threat actor did, when
they did it, and how to overcome their interference and resulting business
interruptions. At the same time, equal focus must be given to examining
applicable state and/or federal laws, contractual obligations, and any other
potential legal exposures or rights. This can be accomplished while
simultaneously managing other aspects of incident response, including cyber
insurance carrier updates, public relations, internal communications and, of
course, technical response. Working with legal counsel and the organization’s
incident response team to answer material legal questions through the phases of
incident response often dictates how and when the next phase is handled.
The cyber insurance carrier, incident response team and
legal counsel generally collect information during the detection phase that may
be vital to later determinations about legal obligations such as whether
individuals or regulatory bodies require notice of the incident. At the point
of detection, legal counsel and the incident response team begin to learn about
the incident’s scope, the threat actor’s priority, and the nature of the
vulnerabilities they potentially exploited. Time is a critical factor. Upon
detection, legal may start multiple clocks, each tracking how much time the
company has until reporting deadlines under law or contract.
Questions that relate to legal considerations may include:
Where is the evidence that the threat actor accessed or acquired personal
information? Where was the threat actor’s activity located—in a space populated
with sensitive and confidential information, in an email account, across the
network, or on a web server containing no personally identifiable information?
These and many other context-specific questions help inform the understanding
of legal risks and requirements for responding to a cyber incident. Another
early legal risk stems from the duty to preserve relevant information and
artifacts of an incident, instead of overwriting or deleting them.
Analysis, Containment and Eradication
The next phase is analysis and containment. While the
incident response team works to secure the environment, legal considerations
are refined as more details and forensic analysis becomes available. For
instance, once logs are collected to study the threat actor’s movement and to
review the categories of personal information at risk, legal can identify any
state-specific data breach notification laws that may apply. Legal will then
relay information to the insurance carrier and may involve law enforcement,
depending on the nature of the incident.
New legal risks may arise as more information comes to
light. For instance, the team may confirm that ransomware impacted the
company’s primary systems and back-ups, increasing the pressure to pay threat
actors to receive a decryption key to continue business operations. Paying a
ransom requires consulting with the insurance carrier, appropriate forensic
vendors and, importantly, the Treasury Department’s Office of Foreign Assets
Control (OFAC) and Specially Designated Nationals and Blocked Persons List to
avoid making payment to prohibited entities.
At the same time, the incident response and legal teams
should be reviewing all relevant contracts to identify what responsibilities
may exist to notify clients, or to recognize the impact of any subsequent
business interruptions under the terms of a service-level agreement.
It may also become apparent that the source of the incident
was a vendor or other third party. In such cases, the incident response and
legal teams should review relevant contracts to understand the enterprise’s
contractual rights and remedies, prepare a plan for preserving those rights,
and communicate to the third party about the incident, including instituting a
legal hold of relevant materials and notice of claim.
Remediation and Reporting
With the remediation and reporting phase, the next set of
legal issues to address includes the specific steps to notify the affected
parties and/or regulators, as necessary. Whether by law or contract, there are
usually specific requirements for giving such notice, including the method by
which it is delivered and its content. Depending on the industry and type of
incident, mitigating the risk of regulatory penalty may involve implementing
additional safeguards, building on existing policies, and formalizing specific
protocols. Ignoring these requirements could result in an oversimplified
response that creates unnecessary risk of an enforcement action by regulators.
Similarly, applicable laws may require documenting the process by which you
determined whether to notify individuals, requiring legal to memorialize the
specific factors involved. Reporting also includes honoring contractual
obligations and updating your cyber insurance carrier.
Because different risks can appear throughout the cyber
incident response process and can be highly dependent on context and specifics,
legal considerations are a constant. Cooperation among legal counsel, insurers
and the incident response team is essential to identify and answer key legal
questions, prepare an incident response plan, train incident response team
members, and assist during an actual incident or suspected data breach. A
systematic and well-defined approach to cyberattack mitigation should not only
encompass proactive risk identification, risk assessment and technical
recommendations to reduce risk, but also take legal considerations into
account. Developing and implementing such an approach will best position
organizations to weather any cyber incidents to come.