When we think about cyber incident response, we think about detection, analysis, containment, eradication, remediation and reporting. These stages are not just about technical and forensic response, however. Throughout each, legal risks and considerations must also be addressed. It is imperative to focus on gaining technical understanding of what the threat actor did, when they did it, and how to overcome their interference and resulting business interruptions. At the same time, equal focus must be given to examining applicable state and/or federal laws, contractual obligations, and any other potential legal exposures or rights. This can be accomplished while simultaneously managing other aspects of incident response, including cyber insurance carrier updates, public relations, internal communications and, of course, technical response. Working with legal counsel and the organization’s incident response team to answer material legal questions through the phases of incident response often dictates how and when the next phase is handled.
The cyber insurance carrier, incident response team and legal counsel generally collect information during the detection phase that may be vital to later determinations about legal obligations such as whether individuals or regulatory bodies require notice of the incident. At the point of detection, legal counsel and the incident response team begin to learn about the incident’s scope, the threat actor’s priority, and the nature of the vulnerabilities they potentially exploited. Time is a critical factor. Upon detection, legal may start multiple clocks, each tracking how much time the company has until reporting deadlines under law or contract.
Questions that relate to legal considerations may include: Where is the evidence that the threat actor accessed or acquired personal information? Where was the threat actor’s activity located—in a space populated with sensitive and confidential information, in an email account, across the network, or on a web server containing no personally identifiable information? These and many other context-specific questions help inform the understanding of legal risks and requirements for responding to a cyber incident. Another early legal risk stems from the duty to preserve relevant information and artifacts of an incident, instead of overwriting or deleting them.
Analysis, Containment and Eradication
The next phase is analysis and containment. While the incident response team works to secure the environment, legal considerations are refined as more details and forensic analysis become available. For instance, once logs are collected to study the threat actor’s movement and to review the categories of personal information at risk, legal can identify any state-specific data breach notification laws that may apply. Legal will then relay information to the insurance carrier and may involve law enforcement, depending on the nature of the incident.
New legal risks may arise as more information comes to light. For instance, the team may confirm that ransomware impacted the company’s primary systems and back-ups, increasing the pressure to pay threat actors to receive a decryption key to continue business operations. Paying a ransom requires consulting with the insurance carrier, appropriate forensic vendors and, importantly, the Treasury Department’s Office of Foreign Assets Control (OFAC) and Specially Designated Nationals and Blocked Persons List to avoid making payment to prohibited entities.
At the same time, the incident response and legal teams should be reviewing all relevant contracts to identify what responsibilities may exist to notify clients, or to recognize the impact of any subsequent business interruptions under the terms of a service-level agreement.
It may also become apparent that the source of the incident was a vendor or other third party. In such cases, the incident response and legal teams should review relevant contracts to understand the enterprise’s contractual rights and remedies, prepare a plan for preserving those rights, and communicate to the third party about the incident, including instituting a legal hold of relevant materials and notice of claim.
Remediation and Reporting
With the remediation and reporting phase, the next set of legal issues to address includes the specific steps to notify the affected parties and/or regulators, as necessary. Whether by law or contract, there are usually specific requirements for giving such notice, including the method by which it is delivered and its content. Depending on the industry and type of incident, mitigating the risk of regulatory penalty may involve implementing additional safeguards, building on existing policies, and formalizing specific protocols. Ignoring these requirements could result in an oversimplified response that creates unnecessary risk of an enforcement action by regulators. Similarly, applicable laws may require documenting the process by which you determined whether to notify individuals, requiring legal to memorialize the specific factors involved. Reporting also includes honoring contractual obligations and updating your cyber insurance carrier.
Because different risks can appear throughout the cyber incident response process and can be highly dependent on context and specifics, legal considerations are a constant. Cooperation among legal counsel, insurers and the incident response team is essential to identify and answer key legal questions, prepare an incident response plan, train incident response team members, and assist during an actual incident or suspected data breach. A systematic and well-defined approach to cyberattack mitigation should not only encompass proactive risk identification, risk assessment and technical recommendations to reduce risk, but also take legal considerations into account. Developing and implementing such an approach will best position organizations to weather any cyber incidents to come.