When it comes to conversations around handling cybersecurity incidents, our first impulse as technology experts is often to dive into the technical aspects of security controls and data protection. While these essential systems should never be overlooked, there’s a huge hole in any organization’s incident response plan when it has not taken considerable time to proactively collaborate with its corporate counsel to address the legal implications of a security-related event.
Beyond the technical, internal, and regulatory requirements your business needs to meet, there are also legal ramifications to how your business defines and responds to an incident. In a recent LinkedIn Live session hosted by myself, Jason Rader, and Doug Martin, we tackle this topic in depth, offering advice for how to develop a comprehensive plan for responding to a security incident, which includes involving your legal team in the conversation as early as possible.
In this blog post, I want to summarize the three key takeaways, which cover some of the essential aspects of a comprehensive incident response plan that is also legally accountable.
1. Words matter — definitions surrounding an incident
First, it’s important to understand that there are or may be legal definitions underpinning the words you use, and there may be legal implications if these terms are applied incorrectly or with the improper audience while responding to a security event. Definitions vary from organization to organization and sometimes even between business units or teams within the same organization, so it’s important that your company is aware of the legal definitions of certain words and has alignment on how they should be used. For example, you may choose to define an incident as any unexpected, undesired, or unauthorized handling of data and to define a breach as any time you lose control of impactful data. But be aware that your various regulatory authorities will provide different definitions of “breach” and other relevant terms related to protected data and security concerns, and these will be the legally binding definitions that determine your liability and ensuing response should the incident escalate to include involvement of law enforcement agencies.
Second, as Doug Martin mentioned in our live discussion, it’s important to have legal counsel involved when drawing up a statement of work agreement or purchase order with an outside response partner. Reasons for this include the legality of any determinations made, the preservation of privileged information, and the veracity of the statement as a legal work product.
Third, it’s important to understand which words to use when communicating with different audiences. For example, post-incident, you may need to inform a broad set of impacted individuals — usually referred to as notification. Notification should make relevant parties aware but steer clear of details that could muddy the waters of responsibility and liability. The next level of communication is disclosure and typically includes governing agencies such as state and local regulators, etc. And lastly, if the conditions of the incident are criminal in nature, we have reporting, which implies the inclusion and cooperation with law enforcement. Clearly, care needs to be taken to ensure you are using legally
2. Timing is key — managing preparation and communication
It may seem obvious, but from a legal perspective, the time to prepare for an incident is well beforehand. There is no one individual who can reasonably own every facet of a comprehensive cybersecurity response plan. You have security best practices, regulatory compliance across state, federal, and industry-specific agencies, client-facing contractual obligations, and more to consider. It takes an organization-wide effort characterized by clear communication to outline the data you have, the data that’s at risk, the legal ramifications of various types of breaches, and how and who to contact when all of the above factors are at play.
Another great point from Doug Martin is that one of the foundational aspects of your incident response plan should be determining with your legal team who to notify and when to notify them in the case of an incident well before one occurs. If you wait to identify the relevant notification parties until you’re in the middle of or after an incident, you may run into certain regulations and contractual obligations with strict timeframes that you find are virtually impossible to meet — which could result in your issues snowballing.
Timing your communication around an incident can do a lot to help mitigate the impacts. The better you understand definitions and the more prepared you are for timing your communications, the better equipped you will be to communicate the right amount of information to the right audiences at the right time, without running into further liability issues. If you are able to maintain autonomy over the narrative of an incident before an outside agency comes in and breaks the news for you, the better your organization will be positioned to maintain credibility, both in court and in the court of public opinion.
3. Do your due diligence — beyond technical cybersecurity
One of the strongest reasons for incident response planning from a legal perspective is to create a defensible position for your company. Then, if there’s any kind of litigation, etc., your attorneys are better equipped to manage the fallout.
Doug recommends, during preplanning, that you sit down with your legal counsel and figure out what kind of data you have that malicious actors are most likely to target, or what kind of access certain parties may have to sensitive data. Is it encrypted? At what level is it encrypted? When you’ve asked yourself all these questions, determine what that means for an incident. While all of these factors will vary based on your individual business operations and regulations, there are a lot of things you can do beforehand to build a strong technology defense, as well as a defensible legal position. Your preparation will afford your organization credibility and prove that you performed a level of due diligence in protecting the critical data assets entrusted to your care. As Jason noted in our discussion, the worst thing you can say in a liability situation is, “Well, we were figuring it out as we went along.” The ultimate goal is to reduce your liability as much as possible before it’s tested.
As the number of compliancy standards like NIST, HIPAA, and PCI grow and evolve, so do the legal concerns that are inextricably tied to incident response. Dealing with the legal impacts of a security event is not something that can be handled effectively in the moment. It takes a significant amount of time and effort across the entire organization, including legal counsel, to define, educate, and rehearse a carefully defined response plan well before an event occurs. Just like everything within the technology arena, the legal and regulatory requirements that govern your business are changing and evolving at an ever-increasing rate, making it imperative that your incident response plan doesn’t become a “set it and forget it” exercise, but is something that is revisited and revised often.
To learn more about the extent to which legal should be involved in your incident response planning, watch the full LinkedIn Live session, and to learn more about how to strengthen your organization from a technical standpoint, watch Is a Plan Enough? Creating Resilience in Response to Cyberattacks.