Skip to Content (custom) - bh


Counsel and the Breach Response Lifecycle: Best Practices at Every Stage

  • Cyber Breach
  • 3 Mins

The shift to automated business processes and digital data management has definitely been a key enabler for organizations across industries. This fosters more efficient transactions, saves on costs, reduces time spent on projects, and helps organizations maintain competitive. With digitization also come increased cybersecurity risks. Data becomes more vulnerable to interception, potentially leading to legal, regulatory, or other compliance violations. It is important for organizations to have a dedicated incident response team that can detect breaches earlier and quickly jump into action if one materializes. A breach creates a chaotic time for any organization, so having a tested plan that delineates key actors can help limit the fallout and streamline remediation.

Involving counsel during strategy talks and tabletop exercises will limit risk by considering important legal implications from a breach in advance. Collaboration between legal and cybersecurity teams prior to a breach has been lacking historically. Some areas counsel can weigh in on include what data will be more vulnerable or targeted, breach notification obligations, regulatory and legal compliance, anticipated deadlines, communication phrasing, reporting, privacy considerations, and applicable contract clauses. Best practice is to proactively outline counsel’s role at each stage in a breach response plan.

Taking a closer look, here are some ways to do so:

  1. Identification: After detecting a breach comes the investigatory phase where the response team needs to identify and analyze scope, attack location, threat actor information, type of data that was stolen or compromised, affected operations, and any other crucial information. At this point, the team should already know who to notify from legal and have relevant contact information. Make those calls immediately so counsel can advise on applicable laws, regulations, and contractual obligations. This will dictate what needs to be preserved, where legal holds apply, reporting requirements, and who to notify. This also supplies protection from spoliation claims in the event of future litigation stemming from the breach and a realistic timeline for the team to follow. The team can then work with a partner using trusted technology to cull the data set down to include only what is needed for notification and remediation purposes.

  1. Containment and Eradication: Next, the response team must act quickly to contain the breach in order to limit exposure. This includes technical measures such as isolating servers and changing passwords. Shortened containment cycles will significantly reduce overall breach response expenses, so tools that streamline this process add significant value. Eradication is necessary before restoring affected operations. Hardening security, removing any artifacts associated with the breach, and making necessary updates is what occurs during the technical side of the eradication stage.

    While it may be difficult to envision counsel’s role during this highly technical stage of breach response, this cannot be discounted. During containment and eradication, more information will likely come to light regarding compromised data that contains sensitive information. This, along with the already culled data set, should be sent to legal and escalated to the review team. It is crucial for counsel to collaborate with the review team on which information to extract and any relevant deadlines.

  1. Notification and Reporting: After creating a final notification list, time is of the essence. Reaching those affected by the breach needs to be done quickly, thoroughly, precisely, and reliably. The internal team or outside provider will perform final contact verification, send out appropriate notices, set up a call center, and establish credit-monitoring services if needed. Collaboration between counsel and any provider assisting with remediation is necessary to align notification with compliance obligations.

    Incident response teams need to consult with legal regarding any unique notification or reporting requirements. This can require action earlier in the process than when consumer notification occurs. For example, the GDPR requires an organization to notify the appropriate supervisory authority without undue delay and within 72 hours after discovery, when feasible. Counsel should help facilitate this process to reach appropriate regulators and meet any additional content requisites. Legal can also help with cyber insurance reporting obligations, which will come into play throughout the entire breach response lifecycle. Lastly, counsel can opine on whether press releases or image rebrand are necessary, and what that should entail.

Factoring the above into breach response strategy will help anticipate response needs and workflows, allowing teams to create or alter plans so they are thorough and legally defensible. After an incident occurs, the aftermath can be a long process. Having an established plan, involving counsel at every stage, and collaborating with vetted provider partners all helps streamline the process. Remember to document efforts and legal advice to maintain compliance and defensibility. In the event future litigation ensues stemming from the breach, there will already be attorney-client privilege established regarding breach response efforts and greater defensibility on process.

The contents of this article are intended to convey general information only and not to provide legal advice or opinions.

Subscribe to Future Blog Posts