After a cyber incident occurs, response needs to be swift and thorough to limit the fallout and ensure compliance. Some key factors that will dictate how a response should be handled include breach size, type of compromised data, applicable laws or regulations, and time constraints. To be prepared, organizations need to have a designated team to manage an incident response and create comprehensive plans that account for all potential variables. While incident response heavily relies on technical and forensic actions, legal implications are just as important and will come into play at every phase of the response. Breach notification, impact assessment, privacy law compliance, and regulatory reporting are a few areas where the legal team will have an integral role in response efforts.

Bringing Legal to the Tabletop

Despite the several legal issues that are invoked after a breach occurs, legal teams are rarely involved with incident response planning. Proactive incident response is crucial as it lays the groundwork for what needs to happen immediately following the discovery of an incident. Without having legal involved in important planning events like tabletop exercises that simulate a cyber attack, there is more room for future error and delays. Bridging this gap between legal and cyber security teams will make a world’s difference if, and when, an incident actually takes place. Here are four reasons why incident response teams should highly consider bringing legal to the table:

1. If the key actors collaborate beforehand, incident management will be more organized and effective. Preparation dictates how a response will unfold, so keeping legal in the dark during the planning stage may create confusion and unnecessary roadblocks down the road. Best practices say that tabletop exercises occur quarterly or bi-annual, so legal should at minimum be involved in one session.

“Your tabletop exercises validate your existing processes are sufficient and give you an opportunity in a safe space to find and address areas for improvement.” – Jerich Beason

2. Legal can provide input as to the sufficiency of existing processes and determine if any alterations are necessary. Without the ability to review incident response plans prior to implementation, issues will not become clear until it is too late. Maybe a timeline needs to be tightened to comply with a regulation or a client contract invokes unique notification procedures. If these things are missed, consequences will follow. By simply bringing legal into a tabletop exercise can help mitigate those risks. 

3. Legal can ensure that all incident response documents comply with applicable regulations, laws, and client obligations. The big things to consider are timelines, reporting, and contract clauses. This will look different for each incident, depending on what type of data is compromised. For example, breaches involving personal information could be subject to privacy laws or confidential client data that will require more steps and safeguards.

4. Legal can advise on proper consumer and client communication in the event of a cyber incident. Key considerations include when notification is necessary or suggested, mandated or preferred communication mechanisms, and suggested verbiage for notification correspondence. A best practice is to create notification templates beforehand to streamline this process post-incident. Legal should absolutely help create and review these documents to maintain compliance. This also helps with monitoring efforts after a breach since legal will know exactly what was sent out and be confident that all vital grounds were covered.

What Legal Can Do in the Meantime

The trend of legal being invited to tabletop exercises might take a while to materialize, but that does not mean that there are not other opportunities for collaboration until this becomes a more common practice. There are small steps the legal team can proactively take to make incident response smoother in the event of a cyber attack. One way is for legal to independently create the communication templates mentioned above. Besides breach notification, this is also helpful in the event a legal hold needs to be placed or data is subject to attorney-client privilege. That way, parties can be notified quickly to preserve information and the incident response team can focus efforts on tasks like gathering documents for reporting and adding extra encryption or redaction where necessary.

Another way that legal can better prepare for incidents is to create a communication escalation path for the cyber security team. Providing criteria outlining when legal personnel should be contacted in the event of an incident is necessary and the order of contact attempts should be clear. Provide name, title, phone number, and email addresses. Also, designate someone as the “after-hours” contact person in the event of an emergency or time-sensitive matter. To ensure protection, there should be instructions on what actions to take if the incident response team can not reach the legal team quickly enough. Some examples are sending out the notices with tight deadlines or making sure internal employees preserve all documentation until legal can advise otherwise.

“That last thing you want is for legal to figure things out on the fly when tensions and stress levels are heightened. That’s when things are missed.” – Jerich Beason

Conclusion

Cyber incidents are on the rise and can affect organizations both internally and externally. These breaches can result in revenue loss, damaged reputation, client dissatisfaction, employee turnover, regulatory fines, and interrupted business operations. Since legal involvement is greatly needed during the response phases, the cyber security team should ask legal to the table top to better prepare for the growing number of incidents. There are so many variables and potential legal issues to consider and being proactive about anticipating these issues will pay off in the event of an incident. Legal teams should start advocating to be included more in the incident response planning exercises and document drafting to help bridge the current gaps in these processes. Eventually, proactive collaboration between legal and cyber should become a best practice for incident response planning and management.

If you enjoyed this blog, consider listening to the podcast on which it was based called Episode 5: Why legal needs a seat at the next cyber security table top (with Meg Hargrove)

By: Jerich Beason who is the Senior Vice President and Chief Information Security Officer responsible for Epiq’s enterprise and product security functions.