We’ve been hacked.
Those words send a chill the first time you hear them, trigger flashbacks any time after that.
You know there are things that you need to do. Many of those things are some combination of painful, expensive, and embarrassing.
And they need to be done quickly and correctly. You need the right kind of person to get it done. You need the right Cyber Incident Response Manager…
You need a lawyer.
At this point, I’d be willing to bet that, regardless of the size of your company or the nature of your business, among the very last things you want to do right now is call your lawyer.
Who Is Your Cyber Incident Response Manager?
An effective response to a cybersecurity incident of any type, from the proverbial (and paradoxical) “near miss” to a full-on data breach, rests largely on the actions taken by your Cyber Incident Response Manager. This person has a laundry list of responsibilities, and they need the authority necessary to perform them all.
They’re not James Bond. They’re M.
They define the mission and set the goals at the outset. They closely monitor the progress, and adjust the strategy as needed.
Your Cyber Incident Response Manager should be a lawyer.
How Is Your Cyber Incident Response Plan Structured?
In my experience, there are three generally accepted models for the way a Cyber Incident Response Team can be structured:
- Internal – Your entire Team – including your Cyber Incident Response Manager, your IT assets, and your communications staff – are all employees (or contractors whose employment is unrelated to a specific cyber incident) who receive no guidance or intervention from outside parties.
- Vendor-Assisted – Some of your Team’s responsibilities in the event of an Incident (or some aspect of your Cyber Incident Response Plan) are outsourced to one or more third party vendors.
- External – Your entire Team, and in fact the entire execution of your Cyber Incident Response Plan (other than executive decision making), is outsourced to one or more third party vendors. (This includes models that use on-site contractors whose engagement is limited to executing the Cyber Incident Response Plan.)
I’ve seen all three structures in action. Some were used well. Some were used poorly.
Regardless of the model used, in the small- and medium-sized businesses I’ve worked with, the selection of Cyber Incident Response Manager has almost always been either a company employee or a third-party IT Vendor.
Meaning it wasn’t a lawyer.
Relying on an employee or an existing vendor may seem like a good idea when you’re putting your Cyber Incident Response Plan together. They seem like less expensive options, and they already know your systems. However, both have significant, if not immediately obvious, drawbacks and hazards. In my experience, there is a vastly superior option:
Your Cyber Incident Response Manager should be a practicing lawyer.
5 Reasons Why Your Cyber Incident Response Manager Should Be a Lawyer
And no, I’m not saying any lawyer. I’m talking about a lawyer who has experience with cybersecurity.
Full disclosure: I am a Cybersecurity Lawyer.
In my career thus far, I have served both as a Cyber Incident Response Manager and (much more commonly) as the Cybersecurity Lawyer who cleans up after the original Cyber Incident Response Manager.
Through that experience, I’ve learned some simple truths about managing the response to a cyberattack. Those truths have led me to the conclusion that a cyber incident response needs to be directed by someone who is not part of your company’s ordinary operating structure, and who has experience managing responses to cyberattacks.
But what are those “truths” you mentioned? Glad you asked.
1. Your Cyber Incident Response Manager Should Never Be Investigating Themselves
Most small business owners I talk to about cybersecurity rely on either their internal systems administrator or their IT vendor with whom they have a managed services agreement for any Cyber Incident Response. My first question is always the same:
The people you hire to secure your data systems are the same people you hire to tell you why that security failed?
To say that I enjoy the response would be an overstatement. But it’s not wrong either.
It’s clear that not much thought has been given to the idea that their response plan may be the equivalent of hiring an arsonist to investigate a fire. Yet it’s also an understandable response.
However, “understandable” and “acceptable” are entirely different things. Over the past five years, between 20 and 30 percent of reported data breaches (meaning not only was there an attack, but data was actually stolen) were the result of an internal actor, either an employee or a vendor who used legitimate access to the breached system. Moreover, even ordinarily good people will steal from their employers given the right circumstances.
Your IT personnel may be great at their job, and in all likelihood they’re not responsible for the cyberattack. But because IT is highly specialized, they’re also likely to be among the very few people in your organization who understand your company’s systems at a technical level, and who, by necessity, have near-unrestricted access to them. That is exactly the combination that separation of duties is meant to guard against: the people who run a system should not be the only ones able to say what happened to it.
What if they are the hacker? What if their mistake resulted in the breach? How would you ever know?
Hiring an attorney from outside your company essentially eliminates the chance that you’re hiring a thief to investigate his own robbery. The attorney directs the investigation; the hands-on forensic work should still be done by an examiner who is independent of the team that built and runs the affected systems.
2. Your Cyber Incident Response Manager Needs the Freedom to be Honest
Among the most important things a Cyber Incident Response Manager does is provide you and any other decision makers with accurate information about the response.
That information must be clear, understandable, and brutally honest.
When you rely on an internal employee, you are trusting their loyalty in a general sense. However, that loyalty exists within – and likely because of – a relationship with an uneven power dynamic.
You’re their boss.
This imbalance may give them reasons not to be direct and honest with you (or not direct and honest with other stakeholders, potentially at your direction) if doing so could impact their employment.
Your IT vendor is in a similar situation – being honest with you might get them fired. They have built-in incentive to downplay or omit information that may suggest their cybersecurity setup was inadequate. If that’s not enough, they may be able to cover up their weak security by charging you for fixing their errors and responding to the breach. Your worst day works out well for them.
On the other hand, hiring a practicing, licensed attorney means that the attorney will be subject to your state’s Rules of Professional Conduct. These rules require that an attorney’s first loyalty is to their client. That loyalty includes providing complete, candid information. Failure to do so is grounds for an ethics complaint, with consequences as significant as disbarment.
In addition to your ability to fire them.
That’s what I call incentive. Speaking of the advantages of hiring a lawyer…
3. Everything You & Your Employees Say About the Incident WILL Be Used Against You
In the event of a cyberattack, particularly one resulting in an actual data breach and loss of confidential information, you’re not going to be able to keep the whole thing a secret. In fact, there is a bunch of information that you’re legally obligated to share.
But that doesn’t mean you want people to know everything that was said or done in the chaos of recovering from a cyberattack.
If the cyberattack results in a criminal proceeding, regulatory investigation, or civil litigation, everything in your possession related to the cyberattack is potentially discoverable.
That changes when you hire an attorney and the attorney directs the response. Communications with counsel made to obtain legal advice, and work performed at counsel’s direction in anticipation of litigation, can be protected by the attorney-client privilege and the work product doctrine.
Privilege won’t let you simply withhold everything, but it gives you considerably more control over the information in your possession, especially the discussions and processes behind your business decisions following the cyberattack.
Wouldn’t you like a little control of that information?
Having an attorney who specializes in cybersecurity is critical here, because courts have been narrowing what the privilege protects: a forensic report prepared mainly to get the business running again, rather than to help counsel give legal advice, may not be protected at all. Attorneys who have experience dealing with cyberattacks know how to structure the engagement (counsel retains the forensic firm, and the report goes to counsel) so that the protection holds. Experience matters.
4. Your Cyber Incident Response Manager Will Need A Lawyer Anyway
Being the victim of a data breach, particularly one in which the data that was accessed contains information about your customers, makes your life VERY complicated for a while.
Among the most significant sources of that complication is your “Duty to Notify.”
Depending on what information was accessed, you now have a series of things you have to do, in a very specific way, in a limited amount of time. Failure to do those things could result in you being sued just for failing to do those things, in that very specific way, in that limited amount of time.
Seem crazy? There’s more…
If your business has customers or clients in a different state, you have another list of things you have to do, but this one is slightly different, and must be done in a slightly different-but-still-specific way, in a limited, but also slightly different, amount of time.
I’m talking about your duty to notify individuals if their personal information has been compromised. That duty arises out of what are known as Data Breach Notification Laws, and they are (mostly) state law-based. And they are virtually all different.
Take note: although most types of contractual relationships allow the parties to choose a forum for disputes and which state’s law will apply (and courts only rarely ignore that choice), the same is NOT the case for data breach notification laws. Those laws are written, for the most part, so that the parties cannot contract around them. In other words, the Data Breach Notification law that applies is the one of the state where your customer lives.
Don’t believe me? From the North Carolina data breach statute (N.C. Gen. Stat. § 75-65):
Any business that [holds the personal information of North Carolina residents] shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement… and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
The notice shall include all of the following:
(1) A description of the incident in general terms.
(2) A description of the type of personal information…
(3) A description of the general acts of the business to protect the personal information from further unauthorized access.
(4) A telephone number for the business that the person may call for further information and assistance, if one exists.
(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
(6) The toll-free numbers and addresses for the major consumer reporting agencies.
(7) The toll-free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.
Notice… may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, for those persons for whom it has a valid e-mail address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. § 7001.
(3) Telephonic notice provided that contact is made directly with the affected persons.
(4) Substitute notice, if the business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000) or that the affected class of subject persons to be notified exceeds 500,000, or if the business does not have sufficient contact information or consent to satisfy subdivisions (1), (2), or (3) of this subsection… or if the business is unable to identify particular affected persons… Substitute notice shall consist of all the following:
1. E-mail notice when the business has an electronic mail address for the subject persons.
2. Conspicuous posting of the notice on the Web site page of the business, if one is maintained.
3. Notification to major statewide media.
That’s North Carolina’s Data Breach Notification Law. And yes, that was shortened for the sake of clarity.
Failure to comply, as written, means that a customer who was injured by the attack can sue you for the damages they suffered, have that amount multiplied by three, and then force you to pay their attorney’s fees!
Virginia’s is different. So is South Carolina’s. So is Tennessee’s. Mistakes are easy to make, even if you’re being careful.
Or, since interpreting and providing specific, actionable advice on how to follow the law is a lawyer’s job, you could just hire the lawyer to begin with.
5. When Your Cyber Incident Response Manager is a Hammer…
… don’t be surprised when they treat everything as though it were a nail.
Because to a hammer, everything is a nail.
In any cyber incident response, there are two competing – and oftentimes opposing – forces at play: 1) the need to restore order and get back to business, and 2) the need to preserve sufficient breach-related data for analysis and investigation.
Any Cyber Incident Response Manager is going to approach their job with a unique perspective and a set of natural biases. You can try to limit these idiosyncrasies, but you can never eliminate them entirely.
If you put a systems administrator or IT vendor in charge of managing your response, you’re going to get a response that prioritizes the technical aspect of the response. Their focus will be on identifying the intrusion, isolating it, removing it, and restoring the system as quickly and completely as possible.
Sounds great, right?
The “Bull-in-a-China-Shop” or “Slash-and-Burn” Approach to Cybersecurity
It may sound like a good idea, and the traditional IT approach to breach remediation isn’t necessarily wrong, but it can cause a lot of problems. Stopping at nothing to remove a threat causes collateral damage: reimaging a server wipes the attacker’s files and the disk artifacts that show what they did; rebooting it discards everything in memory (running processes, open network connections, decrypted keys); and log rotation quietly overwrites the records of how the intruder got in. Much of the data necessary to fully investigate the circumstances of the cyber incident ends up corrupted or destroyed.
Your Cyber Incident Response Manager will need to ensure that IT’s response is measured and performed in steps, moving on only after the evidence has been preserved: volatile data (memory, process lists, network connections) captured first, forensic images of affected disks taken, logs copied off the affected hosts, and every item hashed and recorded with who collected it and when. Your IT specialists should find working on your breach a little frustrating, because retaining all the data that may be important in later analysis or investigation is not the fastest way to restore your system.
But unless you want to explain to federal regulators, a judge, your insurance company, your employees, and your customers why all the data necessary to understand the nature and impact of the cyberattack was destroyed, accept that going just a little slower will be a LOT better in the long run.
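As an added example (this is not the author’s code, and it is not a substitute for a forensic examiner), the following Python script shows the “preserve before you remediate” step for file-based artifacts: it copies each artifact into an evidence directory, records a SHA-256 hash, size, original modification time, collection time and collector for each one in a manifest, and can later re-check the copies against that manifest so that any alteration after collection is caught. The log lines, file names and collector identity in `demo()` are constructed for the illustration.

```python
"""Preserve file artifacts before remediation, with a hashed manifest
that supports a chain-of-custody record. Added example, not from the
original article."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB pieces so large logs don't load into memory


def sha256_file(path):
    """Return the hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources, evidence_dir, collector):
    """Copy each source into evidence_dir, hash source and copy, write manifest.json.

    Raises if a copy's hash differs from its source (bad media, tampering in flight).
    Returns the SHA-256 of the manifest itself, to be written in the custody log.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        digest = sha256_file(src)
        dest = evidence_dir / f"{src.name}.{digest[:12]}"  # same name, different host: no clash
        shutil.copy2(src, dest)  # copy2 keeps the original mtime, which is itself evidence
        if sha256_file(dest) != digest:
            raise RuntimeError(f"copy of {src} does not match source hash")
        stat = src.stat()
        entries.append({
            "source": str(src),
            "stored_as": dest.name,
            "sha256": digest,
            "size": stat.st_size,
            "source_mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest_path = evidence_dir / "manifest.json"
    manifest_path.write_text(json.dumps({"items": entries}, indent=2, sort_keys=True))
    return sha256_file(manifest_path)


def verify(evidence_dir):
    """Re-hash every preserved copy against the manifest; return the names that no longer match."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    bad = []
    for item in manifest["items"]:
        p = evidence_dir / item["stored_as"]
        if not p.exists() or sha256_file(p) != item["sha256"]:
            bad.append(item["stored_as"])
    return bad


def demo(root=None):
    """Constructed sample (hypothetical host, log lines and collector): preserve two
    files, verify them, then alter one copy to show the manifest catching it."""
    root = Path(root or tempfile.mkdtemp(prefix="ir-evidence-"))
    src_dir = root / "web1"
    src_dir.mkdir(parents=True, exist_ok=True)
    auth = src_dir / "auth.log"
    auth.write_text(
        "Mar  3 02:14:07 web1 sshd[4411]: Accepted password for admin from 203.0.113.5 port 52214\n"
        "Mar  3 02:14:09 web1 sudo:    admin : TTY=pts/0 ; COMMAND=/bin/bash\n"
    )
    empty = src_dir / "empty.log"  # an empty file has a well-known SHA-256, handy as a check
    empty.write_bytes(b"")
    ev = root / "evidence"
    manifest_digest = preserve([auth, empty], ev, collector="ir-lead@example.com")
    clean = verify(ev)
    items = json.loads((ev / "manifest.json").read_text())["items"]
    stored_auth = next(i["stored_as"] for i in items if i["source"].endswith("auth.log"))
    empty_digest = next(i["sha256"] for i in items if i["source"].endswith("empty.log"))
    (ev / stored_auth).write_text("edited after collection\n")  # simulated post-collection change
    return {
        "manifest_sha256": manifest_digest,
        "empty_file_sha256": empty_digest,
        "verify_clean": clean,
        "verify_after_tamper": verify(ev),
        "tampered_name": stored_auth,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points of design: the manifest’s own hash is what gets written into the paper or ticketed custody log, so the manifest cannot be quietly edited either; and the script deliberately covers only files. Memory, running processes and live network connections vanish on reboot and must be captured first, by someone who knows how, before any of the file collection above starts.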
In The End…
You may trust your company’s systems administrator or your local IT company, the owner of which comes in and helps you fix the email on your phone once a month, and that’s great.
But trust them to do those things you hired them to do. Coordinating the response to a cyberattack requires a specific knowledge and skill set, and the ability to keep the business’s executives informed and up-to-date with clear, complete, accurate, and brutally honest assessments of the situation.
Hiring outside counsel with experience in Cyber Incident Response Management is the best way for small- to mid-sized businesses to keep the recovery from causing more damage than the attack itself.
About the Author
Brian Focht is a cybersecurity and civil litigation attorney based in Charlotte, North Carolina at the Law Offices of Brian C. Focht. In addition to being the author of Resilience Cybersecurity & Data Privacy, he is also the author of The Cyber Advocate, a blog on tools and technology for lawyers, the producer and host of the Legal Technology Review podcast, and co-founder of B&R Concepts, a small business technology consulting company.