How can your organization reduce its legal exposure immediately following a data breach?
Cybersecurity events like data breaches make headlines regularly and cost businesses millions in fines and lawsuits. Breach announcements topple executives, destroy shareholder confidence, push customers away, invite regulatory scrutiny, and inflict lasting damage to organizations. Right after a cybersecurity incident, everyone is in reactive mode trying to respond quickly and effectively. While most organizations have a plan for incident response, few consider how their actions during a response affect their legal exposure.
Doug Meal, one of the most sought-after cyber law attorneys in the US, has handled the legal proceedings from several of the world’s largest breaches, including Sony and The Home Depot. During last month’s Symposium on Cyber Culture and Team Building hosted by the Cyber Education Foundation, Doug Meal addressed the legal exposure that affects companies when they incur a significant cybersecurity event, and he provided practical tips on how to address the event before and after the fact. We highly recommend reading the first installment of this series in which Mr. Meal discusses 5 Most Common Pre-Breach Cybersecurity Mistakes and How to Avoid Them.
Here are 5 mistakes companies make following a cybersecurity event that significantly increase their legal exposure.
1. Denial Increases Legal Exposure
When an organization first has reason to believe that it was breached, many react with denial. They say, “That’s impossible. There’s no way that our data could have been stolen. There’s no way that attack vector could ever work on our organization.”
Every major cybersecurity event occurs in a way that an Information Security team has not predicted. If InfoSec had thought that it could happen that way, they would have blocked the vulnerability and it wouldn’t have happened. It’s always the case that the impossible has seemingly occurred in the event of a major security event.
The reason why that’s important not to go into denial is that every day that you are in denial about an event, the event continues for another day and more data leaks out. Achieving fast containment of an event is crucial to minimize the legal exposure that’s inevitably going to follow. If you act quickly, what could have resulted in a million-record event may turn out to only be a hundred thousand-record event because you reacted quickly.
2. Not Supporting Your InfoSec Team
When a company suffers a major data security event, the information security team is most likely going to be psychologically destroyed. InfoSec’s mission is to prevent a major cybersecurity event from happening. They’ve probably given assurances throughout the company and to leadership that they’ve done everything possible to prevent an event from occurring. Now the worst has happened, and the entire InfoSec team feels that they’ve let the company down. The truth is that a breach can happen to any company, regardless of how professional or robust its information security.
What is really important, from a company perspective, is to have a mindset that you’re going to rally around the information security function in the wake of a significant event. The absolute worst thing that a company can do is fire the head of information security the day after an event occurs. In order to move forward and address the situation, you’re going to need a functioning IS team. You can’t have them feeling defeated.
3. Thinking like a Victim
This is a costly mistake that causes an unnecessary amount of legal exposure. While many companies believe that they are the victim, everybody else — whether it’s the press, the regulators, the class action plaintiffs’ bar — thinks that the company is the criminal. Your organization will be considered the problem and will be looked at as if it’s under investigation. You are under investigation, and you have to judge everything you do and everything you say through that prism. Don’t make the mistake of thinking, “I’m a victim of a crime here. I want to help catch the criminal. I’ll gladly work with the government and give them everything and anything they ask for.”
When organizations think like a victim, they make the mistake of saying the wrong thing about what happened. This comes up in the breach scenario, especially when it’s early on in the breach. Everything you think you know one week after you discover the event, 50 percent of that is going to be proven false over the next two weeks. And then 50 percent of what you thought was proven false will actually be proven true two weeks after that. It’s an incredible moving target.
“The famous phrase about the fog of war applies so much to the early days after a data security event.” ~Doug Meal
Communication is key immediately following a cybersecurity event. If you’re not attentive to circumstances, it could lead to somebody saying the wrong thing. Data security breach scenarios are risky and the key thing is to understand both risks: the risk if you stay quiet and complete your investigation versus disclosing premature information that turns out to be wrong.
Companies will say, “Well, at this point in the investigation, it’s possible that ten million records were involved so we will go out with a disclosure that says we think that as many as ten million records were involved just to be on the safe side.” The reality is that you are not on the safe side! You just put yourselves in the crosshairs of the investigators, the regulators, the class action plaintiffs who are now drooling over a ten million record breach. When you complete your investigation months later, there may be only a few thousand records, and you can try to walk it back at that point. The problem is that you have already drawn the regulatory investigation. You’ve already drawn class action litigations. You’ve already drawn enormous publicity around that event all because the organization rushed out a statement.
Too often companies take the early disclosure risk when they should have waited until they had something that was backed up by independent third party forensics. The key thing is to make a disclosure that’s accurate.
5. “Creating a Bad Record”
In a cyber-attack scenario, there is a lot of information generated by the systems on the network that can be incredibly valuable from a forensic point of view in terms of recreating what occurred in the event. When the cybersecurity event occurs, somebody has to look at changing the company’s normal log retention policies to protect the logs from rolling off or being deleted. The organization’s ability to determine what happened and reach the right conclusions depends immensely on that data. Organizations are “creating a bad record” by having information disappear from the logs that is vital to the investigation.
Final Thoughts on Reducing Legal Exposure
A key takeaway is that when a company investigates an event, it is important to be aware of the legal exposure that may result from any action the company takes. Organizations have an Incident Response Plan and run tabletop exercises to practice what they will do in the event of a breach. Likewise, they should also have a playbook for how to mitigate their legal exposure. There is an opportunity to define how your organization will improve incident response to protect itself from unnecessary legal exposure from discoveries of documents and information that could be very, very problematic if they were discovered.
Michael Daugherty, founder of The Cyber Education Foundation and Idenhaus Board Member, invited Cyber Law attorney Doug Meal to speak at the the Symposium on Cyber Culture and Team Building in Atlanta. This full-day workshop helped prepare executives for what is already viewed as the inevitable: a significant cybersecurity event. Doug Meal, who recently joined Orrick Herrington & Sutcliffe LLP, is an established leader in the field of Cyber Law.
An IAM Assessment is a quick, expert evaluation of your environment that identifies and addresses the most common issues organizations face when implementing a solution.
This is ideal for organizations that:
- Are struggling to get their IAM solutions deployed
- Have a misalignment between their processes and technology
- Have an immature IAM solution with too many workarounds
- Companies that want to accelerate their IAM programs
By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us