We’ve been hacked.
Those words can trigger the proverbial life flashing before your eyes.
You know there are things that you have to do, many of them some combination of painful, expensive, and embarrassing.
And they need to be done quickly and, more importantly, correctly. You need the right kind of person to get it done. You need the right Cyber Incident Response Manager…
You need a lawyer.
At this point, I’d be willing to bet that, regardless of the size of your company or the nature of your business, among the very last things you want to do right now is call your lawyer.
Who Is Your Cyber Incident Response Manager?
An effective response to a cybersecurity incident of any type relies on the skills and conduct of your Cyber Incident Response Manager. They have a laundry list of responsibilities, and they need the authority necessary to perform them all.
They’re not James Bond. They’re M.
They’re not Batman. They’re the one who decides when to even turn the Bat Signal on (Commissioner Gordon, FYI).
They define the mission and set the goals at the outset. But they also closely monitor the progress, adjusting the strategy accordingly.
They should be a lawyer.
How Is Your Cyber Incident Response Plan Structured?
In my experience, there are three generally-accepted models for the way a Cyber Incident Response team can be structured:
- Internal – Your entire Cyber Incident Response Team, including your Cyber Incident Response Manager, your IT assets, and your communications staff, are all employees (or contractors whose employment is unrelated to a specific cyber incident) who receive no guidance or intervention from outside parties.
- Vendor-Assisted – Some part of your Cyber Incident Response Team’s responsibilities (or some aspect of your Cyber Incident Response Plan) is outsourced to one or more third party vendors.
- External – Your entire Cyber Incident Response Team, and the execution of your Cyber Incident Response Plan (other than executive decision making), are outsourced to one or more third-party vendors. (This includes models that use on-site contractors, but only contractors engaged exclusively to execute the Cyber Incident Response Plan.)
I’ve seen all three used well and poorly – and even effective models vary widely from one company to the next. Regardless of the model used, in the small- and medium-sized businesses I’ve worked with, the selection of Cyber Incident Response Manager has almost always been either a company employee or a third-party IT Vendor.
Relying on an employee or an existing vendor may seem like a good idea when you’re putting your Cyber Incident Response Plan together. They seem like less expensive options, and they already know your systems. However, both have significant, if not immediately obvious, drawbacks and hazards. In my experience, there is a vastly superior option:
Your Cyber Incident Response Manager should be a practicing lawyer.
5 Reasons Why Your Cyber Incident Response Manager Should Be a Lawyer
Full disclosure: I am a Cybersecurity Lawyer. And no, I’m not saying any lawyer. I’m talking about a lawyer who has experience with cybersecurity.
In my career thus far, I have served both as a Cyber Incident Response Manager and (much more commonly) as the Cybersecurity Lawyer who cleans up after the original Cyber Incident Response Manager.
Through that experience, I’ve learned some simple truths about managing the response to a cyber attack. Those truths have led me to the conclusion that a cyber incident response needs to be directed by someone who is not part of your company’s ordinary operating structure, and who has experience managing responses to cyber attacks.
1. Your Cyber Incident Response Manager Should Never Be Investigating Themselves
Most small business owners I talk to about cybersecurity rely on either their internal systems administrator or their IT vendor with whom they have a managed services agreement for any Cyber Incident Response. My first question after I hear that is always the same:
So the people you hire to secure your data systems are the same people you hire to determine why that security failed?
To say that I enjoy the response would be an overstatement, but it’s clear that none of them have given much thought to the idea that their response plan may be trusting the proverbial arsonist to investigate the fire.
Remember, 28% of data breaches reported in 2018 were the result of an internal actor (either an employee or a vendor who relied on legitimate access to the breached system). Moreover, even ordinarily good people will steal from their employers given the right circumstances.
Hiring an attorney from outside of your company essentially eliminates the chance that you’re hiring the thief to investigate his own robbery.
2. Your Cyber Incident Response Manager Needs the Freedom to be Honest
Your Cyber Incident Response Manager has a lot of important things to do. Among the most important will be to provide you and any other decision makers with important information about the response.
That information must be clear, understandable, and brutally honest.
When you rely on an internal employee, I’m reasonably certain that you can count on their loyalty in a general sense. However, that loyalty exists in – and possibly because of – a relationship with an uneven power dynamic. They may actually have reason not to be direct and honest with you (or not direct and honest with other stakeholders, at your direction) if doing so could impact their future employment.
The situation is similar with your IT vendor. Their interest in maintaining a continuing business relationship could directly impact their management of a cyber incident. They have built-in incentive to downplay or omit information that may suggest their cybersecurity setup was inadequate. Additionally, you’re putting the mechanic in charge of telling you what he needs to fix, for which you’ll be charged. Would you do that at a car dealership?
Hiring a practicing, licensed attorney means that the attorney will be subject to your state’s Rules of Professional Conduct. These rules require that an attorney’s first loyalty is to their client. That loyalty includes providing complete, candid information to the client. Failure to do so is grounds for an ethics complaint, with consequences as significant as disbarment.
That’s what I call incentive. Speaking of the advantages of hiring a lawyer…
3. Everything You & Your Employees Say About the Incident WILL Be Used Against You
In the event of a cyber attack, particularly one resulting in an actual data breach and loss of confidential information, you’re not going to be able to keep the whole thing a secret. In fact, there is a bunch of information that you’re legally obligated to share.
But that doesn’t mean you want people to know everything that was said or done in the chaos of recovering from a cyber attack.
If the cyber attack results in a criminal proceeding, regulatory investigation, or civil litigation, everything in your possession related to the cyber attack will be discoverable.
Until you hire an attorney, which triggers protections such as the attorney-client privilege and the work product doctrine.
While the privilege won’t let you simply withhold everything, provided you follow your lawyer’s instructions, the privilege allows you considerably more control over the information in your possession, especially the discussions and processes related to your business decisions following the cyber attack.
Wouldn’t you like a little control of that information?
4. Your Cyber Incident Response Manager Will Need A Lawyer Anyway
Guess what? Being the victim of a data breach, particularly one in which the data that was accessed contains information about your customers, makes your life VERY complicated for a while.
Among the most significant sources of that complication is your “Duty to Notify.”
So, depending on what information was accessed, you now have a series of things you have to do, in a very specific way, in a limited amount of time. Failure to do those things could result in you being sued just for failing to do those things, in that very specific way, in that limited amount of time. Seem crazy?
Well, if you do business online, and have customers living in another state, you have another list of things, this one slightly different, to do in a slightly different-but-still-specific way, in a limited, but also slightly different, amount of time.
Take note – although most types of contractual relationships allow the parties to identify a forum for disputes and which state’s laws will apply (choices that courts only rarely ignore), the same is NOT the case for data breach notification laws. Those laws are, for the most part, written so that the parties cannot waive them by agreeing on a forum or governing law. In other words, the Data Breach Notification law that applies is the one of the state where your customer lives.
Don’t believe me? From the North Carolina data breach statute:
Any business that [holds the personal information of North Carolina residents] shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement… and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
The notice shall include all of the following:
(1) A description of the incident in general terms.
(2) A description of the type of personal information…
(3) A description of the general acts of the business to protect the personal information from further unauthorized access.
(4) A telephone number for the business that the person may call for further information and assistance, if one exists.
(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
(6) The toll-free numbers and addresses for the major consumer reporting agencies.
(7) The toll-free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.
Notice… may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, for those persons for whom it has a valid e-mail address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. § 7001.
(3) Telephonic notice provided that contact is made directly with the affected persons.
(4) Substitute notice, if the business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000) or that the affected class of subject persons to be notified exceeds 500,000, or if the business does not have sufficient contact information or consent to satisfy subdivisions (1), (2), or (3) of this subsection… or if the business is unable to identify particular affected persons… Substitute notice shall consist of all the following:
1. E-mail notice when the business has an electronic mail address for the subject persons.
2. Conspicuous posting of the notice on the Web site page of the business, if one is maintained.
3. Notification to major statewide media.
That’s North Carolina’s Data Breach Notification Law. And yes, that was shortened for the sake of clarity.
Failure to comply specifically as written means that a customer who was injured by the attack can sue you for any damages they suffered, then have that number multiplied by three, and then force you to pay their attorney’s fees!
Or, since interpreting and providing specific, actionable advice on how to follow the law is a lawyer’s job, you could just hire the lawyer to begin with.
5. When Your Cyber Incident Response Manager is a Hammer…
… don’t be surprised when they treat everything as though it were a nail.
Because to a hammer, everything is a nail.
In any cyber incident response, there are two competing – and oftentimes opposing – forces at play: 1) the need to restore order and get back to business, and 2) the need to preserve sufficient breach-related data for analysis and investigation.
Any Cyber Incident Response Manager is going to approach their job with a unique perspective and a set of natural biases. You can try to limit these idiosyncrasies, but you can never eliminate them entirely.
If you put a systems administrator or IT vendor in charge of managing your response, you’re going to get a response that prioritizes the technical aspect of the response. Their focus will be on identifying the intrusion, isolating it, removing it, and restoring the system as quickly and completely as possible.
Sounds great, right?
The “Bull-in-a-China-Shop” or “Slash-and-Burn” Approach to Cybersecurity
It may sound like a good idea, but while the traditional IT approach to breach remediation isn’t necessarily wrong, it can cause a lot of problems. Stopping at nothing to remove a threat causes a lot of collateral damage. Unfortunately, much of the data necessary to fully investigate the circumstances of the cyber incident ends up being corrupted or destroyed.
Your Cyber Incident Response Manager will need to ensure that IT’s response is measured and performed in steps, moving on only when backups have been made and the logs are complete. Your IT specialists should find working on your breach a little frustrating, because retaining all of the data that may be important in later analysis or investigation is not the fastest way to restore your system.
But unless you want to explain to federal regulators, a judge, your insurance company, your employees, and your customers why all the data necessary to understand the nature and impact of the cyber attack was destroyed, accept that going just a little slower will be a LOT better in the long run.
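One way to put that “backups made and logs complete before moving on” rule into practice, as an added example that is not part of the original post: a small Python gate that copies the logs a remediation step is about to destroy into an evidence directory, hashes originals and copies, writes a manifest, and only then lets the remediation run. The file names, log lines and the remediation action are constructed for the demonstration.

```python
# Added example (not from the original post): preserve and hash logs before a
# remediation step may run. File names, log lines and the remediation are constructed.
import hashlib, json, shutil, tempfile, time
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def preserve(sources, evidence_dir: Path) -> dict:
    """Copy each source into evidence_dir and record its size and SHA-256 in a manifest."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "items": []}
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)  # copy2 keeps the original's mtime on the copy
        digest = sha256_file(dst)
        if digest != sha256_file(src):  # the copy must match what was on disk
            raise RuntimeError(f"preserved copy of {src} does not match the original")
        manifest["items"].append({"source": str(src), "copy": str(dst),
                                  "bytes": src.stat().st_size, "sha256": digest})
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(evidence_dir: Path) -> bool:
    """Re-hash the preserved copies against the manifest."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return all(sha256_file(Path(i["copy"])) == i["sha256"] for i in manifest["items"])

def remediate_with_gate(sources, evidence_dir: Path, remediation) -> bool:
    """Run the remediation step only after the evidence is preserved and verified."""
    preserve(sources, evidence_dir)
    if not verify(evidence_dir):
        return False
    remediation()
    return True

def demo() -> dict:
    """Constructed sample: two log files and a remediation that wipes them."""
    work = Path(tempfile.mkdtemp())
    auth, web = work / "auth.log", work / "access.log"
    auth.write_text("Jan 01 03:14:07 host sshd[811]: Accepted publickey for svc from 203.0.113.5\n")
    web.write_text('203.0.113.5 - - [01/Jan/2024:03:15:02 +0000] "GET /admin HTTP/1.1" 200 512\n')
    ok = remediate_with_gate([auth, web], work / "evidence",
                             lambda: [p.write_text("") for p in (auth, web)])
    # Originals are now empty, but the preserved copies still verify against the manifest.
    return {"gate_ok": ok, "copies_intact": verify(work / "evidence"),
            "originals_wiped": auth.stat().st_size + web.stat().st_size == 0}
```

The manifest’s hashes are what lets a later investigator (or a court) confirm that the preserved logs are the ones that were on disk before IT started cleaning up.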
In The End…
You may trust your company’s systems administrator or your local IT company, the owner of which comes in and helps you fix the email on your phone once a month, and that’s great.
But trust them to do those things you hired them to do. Coordinating the response to a cyber attack requires a specific knowledge and skill set, and the ability to keep the business’s executives informed and up-to-date with clear, complete, accurate, and brutally honest assessments of the situation.
Hiring outside counsel with experience in Cyber Incident Response Management is the best way for small- to mid-sized businesses to keep the recovery from a cyber attack from causing more damage than the attack itself.
About the Author
Brian Focht is a cybersecurity and civil litigation attorney based in Charlotte, North Carolina at the Law Offices of Brian C. Focht. In addition to being the author of Resilience Cybersecurity & Data Privacy, he is also the author of The Cyber Advocate, a blog on tools and technology for lawyers, the producer and host of the Legal Technology Review podcast, and co-founder of B&R Concepts, a small business technology consulting company.