Portfolio Media. Inc. | 860 Broadway, 6th Floor | New York, NY 10003 | www.law360.com Phone: +1 646 783 7100 | Fax: +1 646 783 7161 | [email protected]

3 Questions GCs Should Be Ready To Answer After A Breach

By Melissa Maleske

Law360, New Orleans (April 29, 2015, 5:56 PM ET) -- It's an increasingly common scenario for general counsel: A phone call in the middle of the night brings news that someone unauthorized has accessed company data. The decisions that come next raise a host of delicate considerations that need to be carefully assessed and balanced, according to compliance experts and an FBI cyberintrusion investigator who spoke at a conference Tuesday.

How do we balance mitigation and preservation?

When general counsel get the call, they first need to try to stem the bleeding by working with information technology and security managers to regain control of their data, perhaps by disconnecting machines from the network, said panelists who ran a cyberattack response simulation Tuesday at the Association of Corporate Counsel's 2015 Advanced Compliance Education Seminar.

At the same time, general counsel need to launch what will likely become an extensive information-gathering process and preserve all evidence related to the breach. But sometimes seemingly innocuous measures aimed at containing an attack can destroy metadata that is valuable for investigative purposes.

“Isolate and control, but then don't manipulate it after that,” said Cyndi Baily, chief compliance officer at Alere Toxicology. “[We want] to save the data but stop the data breach. Given the choice, I'm going to go with stopping the damage and hopefully having enough to preserve to get the bad guys later.”

Whatever steps are taken to mitigate the breach should be carefully documented, said Corey Harris, a cyberintrusion investigator with the Federal Bureau of Investigation. It's critical that general counsel are later able to tell law enforcement what the company did, Harris said.
The FBI will ask about what server was affected, whether it was taken offline, and whether the breach response team accessed any files on it before it went offline.

“If you start playing around with files, you're erasing critical evidence,” Harris said. “[For example], every time you access a file, the time stamp changes, so you need to be very careful about what you access, and when you do, make sure you document everything you access. You can record the time stamps before you access a particular file. It gives us an idea of when this occurred and how long they may have been accessing these files.”

When should we begin notifying key parties?

A general counsel trying to assess the impact of a breach needs to determine when or if to begin informing the company's CEO, law enforcement and their cybersecurity insurance carrier about the breach.

Looping in the CEO should come before reaching outside the organization, but general counsel may not necessarily want to call top executives immediately. First, they should collect all the facts they can in the earliest stages of their investigation and formulate a suggested plan of action.

“It's a delicate balance,” Baily said, “but you have to have enough to have some substantive discussion, or at least to be able to say, 'This is what we know now, and here's what we do.' Because your job in many of these situations is to keep calm and to keep working.”

General counsel also may want to develop a clearer view of the breach before contacting law enforcement. They'll want to determine how sensitive the data is and how severe the incident is before going to authorities such as the FBI. The FBI doesn't need to know every time a company's antivirus software flags a potential virus, said Mark Thibodeaux, a privacy and data security deputy practice leader at Sutherland Asbill & Brennan LLP.

And general counsel need to make the call about when to notify their cyber insurance carriers.
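Harris's advice earlier in this section, to record time stamps before anyone on the response team touches a file and to document what was accessed, is the kind of step that is easy to script. The following is an added example, not code from the article or from any of the organizations it quotes: it snapshots each file's timestamps, size and inode with lstat (which does not itself update the access time), and later reports which recorded fields have changed. The file names and contents it creates are constructed sample input.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Added example, not from the article: record a file's metadata BEFORE the
# response team opens it, so the original timestamps are on record and any
# later change (by a responder or by the intruder) can be shown.

def record_metadata(paths: List[str]) -> Dict[str, dict]:
    """Capture timestamps, size and inode of each file without opening it.
    os.lstat reads only the inode, so it does not update the access time;
    reading the contents (e.g. to hash them) can. Symlinks are not followed."""
    manifest = {}
    for path in paths:
        st = os.lstat(path)
        manifest[path] = {
            "atime_ns": st.st_atime_ns,  # last access
            "mtime_ns": st.st_mtime_ns,  # last content modification
            "ctime_ns": st.st_ctime_ns,  # last inode/metadata change
            "size": st.st_size,
            "inode": st.st_ino,
            "mode": stat.filemode(st.st_mode),
        }
    return manifest

def find_changes(manifest: Dict[str, dict], paths: List[str]) -> Dict[str, List[str]]:
    """Re-read metadata and list, per file, the recorded fields that changed.
    An empty dict means nothing was disturbed since the manifest was taken."""
    current = record_metadata(paths)
    changed = {}
    for path in paths:
        diff = [k for k, v in manifest[path].items() if current[path][k] != v]
        if diff:
            changed[path] = diff
    return changed

def make_sample_files() -> List[str]:
    """Constructed sample input for a demo: two small files in a temp dir."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("a.txt", "b.txt")]
    for p, data in zip(paths, ("hello", "world")):
        with open(p, "w") as fh:
            fh.write(data)
    return paths
```

Take the manifest first and hash or copy files only afterwards (ideally from a read-only image), since reading contents is exactly the access that can alter the recorded times.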
A standard policy will offer a window of a few days after discovering a breach to notify them — and those days are good wiggle room. It's often a question of control. Some general counsel want to take charge; others may wish to use their carrier's counsel and vendors, which may be free under their policy.

“I'm reluctant to get them involved too early, as they have the rights in the policy to take over, and you lose some control,” Baily said. “Hopefully you'll benefit from the coverage, but again you have to find the sweet spot. Bring them in too early, and you may be Chicken Little.”

Some general counsel may decide to delay notifying outside parties to avoid a leak to the press about a data breach before they even know many of the details. Nevertheless, Harris encouraged companies to contact law enforcement early in the investigation, even if just to give them a heads-up that an issue could be coming down the pike, but the company needs to do its due diligence before providing more information.

"I've had companies do that, and I have no problem with it," Harris said. "As for exposure, the last thing I want is for the media to find out that I'm conducting a particular investigation. If I divulge that information to the media, I'm subject to losing my job. So it's a myth that as soon as the FBI finds out, they want to let everyone know there was an incident."

How do we preserve privilege during the investigation?

Notifying and looping in various parties also raises questions of privilege. If general counsel want to keep their investigation cloaked under the attorney-client privilege, they need to make an early call to bring in outside counsel and minimize the circle of individuals privy to incident details.

“My recommendation is that at least in the early days when you don't know anything, you want to have the privilege,” Thibodeaux said.
If more information becomes available, general counsel may determine it's not necessary to bring in pricey outside counsel to investigate.

“Obviously if we think the risk is really high ... you may decide to have external counsel conduct the investigation so it's all privileged,” said Sarah Sederstrom, contracts counsel at KPM Group. “If it looks like it's going to be a little less bet-the-company, we may decide we're fine with doing it internally.”

Keeping IT staff, engineers and other data security experts on the case could expose companies to discovery down the road, Thibodeaux said. They will likely document in emails and reports their early findings and first impressions — and even if they are proved to be wrong after a factual investigation, they're now on the record.

“Once it's in writing, it's not cloaked under the privilege, and it's potentially discoverable,” Thibodeaux said. “It will at least be something you have to explain in a deposition later on.”

As investigations progress, in-house counsel should be present in any conversation or questioning they hope to keep privileged, he said. Even if it's information the company later decides to divulge, it's best to preserve the option to invoke privilege.

In other jurisdictions, extra steps may be necessary to preserve privilege. In much of the European Union, for example, bringing in outside counsel will be an easier decision since most EU nations do not consider in-house counsel attorneys for privilege purposes.

--Editing by Kat Laskowski and Mark Lebetkin.

All Content © 2003-2015, Portfolio Media, Inc.