Of course the best way to avoid damages is to prevent a hack. Unfortunately, that’s mostly an IT function beyond the control of a general counsel. The most effective role a lawyer can play is in coordinating response to an attack.
Jill Rhodes, part of the American Bar Association’s Cybersecurity Task Force as well as its standing committee on law and national security, recommends consulting the National Institute of Standards and Technology cybersecurity framework for guidance. She notes that any incident-response plan should focus on five areas: identify, protect, detect, respond and recover.
“Identify where your risk is. Determine how you are going to detect anomalies. What are you doing to protect the data? How are you responding when an incident may hit? And how are you recovering from that incident?” she said.
Experts generally agree on key components an incident-response plan should include:
Get the lay of the land
The general counsel needs to know and understand the risks and the procedures of the organization. “They should be asking questions regularly about how we are protecting data, who is protecting data, who has access to this data, how data comes into our organization, and how does it go out and what happens to it along the way,” Rhodes said. “If they can answer those questions effectively, then they know that yes, indeed, we are finding ways to protect customer information.”
Find out what you have
Figure out what kinds of personally identifiable information your company collects. “We call this data-mapping,” said Lucie F. Huger, a shareholder at Greensfelder, Hemker & Gale’s data privacy and security group in St. Louis. “It is basically trying to take an inventory of the types of protected information that the company might have, whether relating to company employees for payroll purposes, clients of the company for business or marketing purposes, or some kind of trade-secret information.”
Gather the troops
Identify specific representatives from each department who will meet in case of a breach and define what tasks they should perform. Said Jena Valdetero, a partner in the Chicago office of Bryan Cave Leighton Paisner: “Where I’ve seen clients stumble is when they have no idea who is supposed to be doing what or everyone thinks they need to have a say in each and every decision. Then you end up sometimes getting that analysis-paralysis problem.”
Run some drills
James Shreve, a partner in Thompson Coburn’s Chicago office and head of its cybersecurity practice, recommends “tabletop exercises” to vet your plan. “Even if you don’t have an incident, you can test your plan to see how it works,” he said. “That’s something where the counsel’s office absolutely needs to be involved because you want to keep the findings of that process under privilege.”
Have a spokesperson
The company should present a united front after a data breach, and the plan should reflect that. “It will include how you handle communications about an incident,” said Shreve. “Who speaks for the organization? How do statements get vetted before they go out?”
Be prepared to respond quickly
Discovering a breach triggers a whole array of notification requirements, and if state regulators aren’t informed within days, you may be stumbling into a thicket of legal violations without knowing it. “You are going to have legal compliance issues that may arise within the first 24 hours,” said Daniel C. Nelson, a partner and co-chair of Armstrong Teasdale’s privacy and data security group in St. Louis. “It is not something where you can put out the fire and do a leisurely investigation and decide to bring in counsel and look at the legal compliance days or weeks or months after the fact.”
Bring in more attorneys
Retaining experienced outside counsel can be an essential early step to recovery from a hack. The biggest legal threat to a company isn’t from affected individuals but rather from state laws and the attorneys general who enforce them. Legal experts in the field will usually know both — and the process can remain under privilege. “Oftentimes, outside counsel is one of the first responders because they are sophisticated in breach response and they can coordinate a lot of that initial first-hour, first-day kind of response,” Nelson said.
Get technical help
The IT department that fell victim to the breach may not be the best resource for mitigating it. An external forensics firm can help to stop the bleeding, preserve valuable evidence and investigate the mess left behind. “Having external forensics come in and take over gracefully and politely is also in the company’s best interest because in human nature sometimes, if you accidentally created the problem, that may skew your response to the problem,” Nelson said.