In today’s business and legal environment, corporate counsel plays a critical role when their company experiences a data security incident. General Counsels (GC) can no longer profess ignorance on “tech stuff” and pass the buck to Information Technology (IT). The frequency, sophistication, and severity of cybercrimes continues to increase. Every enterprise possesses sensitive information. When that information is compromised the door opens to a range of liability issues.
“There are only two types of companies: those that have been hacked and those that will be.” Yet many in- house counsel remain unprepared.
Note I wrote “when” and not “if.” Former FBI Director Mueller famously said that, “there are only two types of companies: those that have been hacked and those that will be.” Yet many in-house counsel remain unprepared. Like a Little Leaguer stuck deep in right field, counsel knows they must catch the next data security incident that comes their way, but hope nothing happens.
The best advice?
Don’t fret about having to make the big play; prepare and plan your response ahead of time for when the ball comes your way. No one expects a GC to take over the IT department, collect forensic images, extract malware samples from memory, or solve the cyber crime. You will, however, be expected to know the proper steps to take in the event of a compromise, how to find the best help possible, and what pitfalls to avoid.
This blog series offers practical strategies to better prepare in-house counsel for a data security incident.
Know When You Need Outside Help
To achieve readiness to respond to a data security incident, take stock of your organization’s internal capabilities. Under what circumstances can your internal IT team adequately respond and at what point will they be in over their heads?
One tech company I worked with has its own dedicated information security team staffed with seasoned digital forensic experts who can respond to nation-state threat actors with confidence. On the other hand, I also worked with a publicly traded company that relied on a two-person outsourced IT team and a “datacenter” that consisted of two desktop computers in a broom closet. Your organization falls between these extremes. Assess whether you are more like company A or company B.
To find out, talk to your IT team.
- Ask who in the organization is responsible for information security. Speak to those people about the types of incidents they have handled in the past — how they investigated, how they contained the incident, and how they remediated any security gaps.
- Seek out IT or security-based process around incident handling — including policies, procedures, and guidelines. Ask how the team might handle a hypothetical incident that involves access to and exposure of your sensitive data. Is data preservation, collection, and investigation part of the answer? Your discoveries will shape your sense of how long you should wait before calling for outside help.
An important part of this process is establishing an incident escalation protocol. This protocol should be a component of a broader incident response plan and should define escalation and internal notification procedures in the event of a data security incident. A well-developed protocol shared by IT, security, and legal teams ensures that stakeholders have a process for assessing an incident’s potential impact. The protocol should identify an explicit point at which to alert counsel and senior management and at which to call in outside help. Find the sweet spot between keeping false alarms to a minimum and ensuring that genuine risks receive immediate attention and the appropriate response.
How to Find the Incident Response Consultant?
If you already have a relationship with an incident response (IR) consultant, that’s great. If not, start looking now — not in the midst of a crisis. Begin with your current set of trusted advisors. Your outside counsel’s firm may offer a referral. Many national law firms have a privacy and/or data security practice that works regularly with cybersecurity consulting entities. Your insurance broker or agent can be a helpful resource too.
Talk to these recommended providers to understand how they operate, how much they typically charge, and their relative areas of strength and weakness in terms of service delivery. As with any top-notch professional services firm, seek demonstrated subject matter expertise, responsiveness, and an organization that listens to and understands your needs. The firm you select should have direct experience in your industry and in responding to the types of cyber risks you face.
Many national law firms have a privacy and/or data security practice that works regularly with cybersecurity consulting entities. Your insurance broker or agent can be a helpful resource too.
Consider entering into a contract with the IR consultant now, in advance of need or crisis. Many firms offer “IR Retainers” that run from a low up-front cost to hundreds of thousands of dollars. Typically, higher-dollar retainers include lower per-hour fees, pre-incident assessment services, and contractual service-level agreements guaranteeing response times. Find the mix that’s right for you.
Visit company representatives in booth 124 at the ACC Annual Meeting 2019
Assessing the Scope of the Incident
When an incident occurs, your IR consultants will first need to assess its scope. Through one or more initial meetings or calls, they will take time to understand your network infrastructure. If you’ve planned ahead and already have your IR team on retainer, the consultants may have already gained this requisite understanding during an initial assessment. Either way, they will determine what is known about the extent of the incident, identify technical competencies required for the investigation, decide how many consultants should be assigned, and create an overall project budget. The more transparency you provide — the more efficient the knowledge transfer — the better the prospects for a positive outcome.
These initial scoping calls are a two-way street. The consultant assesses your needs and the level of effort required. At the same time, you and your IT and security team assess the consultant’s competence and fit for your needs.
For example, did the consultants take the time to listen and fully understand the problem? Were they responsive? Do they seem resourceful and sufficiently flexible to fit their services or delivery methods to your needs and environment? Do they demonstrate expertise in and knowledge of the type of incident you face? Do they have the capacity to support you at this time? If the answers to any of these questions give you pause, don’t hesitate to reach out to another firm.
Structuring the Engagement
Be mindful of these important strategic considerations in how you structure your company’s engagement with your IR consultant.
Given the sensitive nature of the investigation and potential downstream legal and regulatory risks, consider a three-party engagement letter. In this structure, your outside counsel retains the IR consultant on your behalf. This is the preferred method of protecting privilege in an investigation — the IR consultant works at the direction of outside counsel.
Prepare for the eventuality that while the investigation itself may remain privileged, the facts uncovered may require disclosure.
This arrangement is not bulletproof, however. Prepare for the eventuality that while the investigation itself may remain privileged, the facts uncovered may require disclosure. Make sure you are comfortable with the confidentiality provisions in your engagement letter. IR consultants are often incented to share “war stories” about their more compelling engagements.
These make for potent marketing materials or for presentations at industry conferences. Your contracts must prohibit this behavior.
Consider the budget. Incident response investigations can be expensive. But you needn’t fork over a blank check. Your consultant’s contracts should provide transparency about investigation pricing. These documents should clarify expectations on duration, hours, and deliverables. If you sign an engagement letter providing only a rate schedule, your next month’s invoice will likely deliver a healthy dose of sticker shock.
The next part of this two-part blog series: Corporate Counsel’s Cybersecurity Guide: Managing Incident Response Effectively, will address the key steps general counsel, IT teams, and your IR consultant will take to contain and incident, preserve evidence, prepare a forensic report and advanced business operations to safeguard against future cybersecurity threats.