Portfolio Media. Inc. | 860 Broadway, 6th Floor | New York, NY 10003 | www.law360.com
Phone: +1 646 783 7100 | Fax: +1 646 783 7161 | [email protected]
3 Questions GCs Should Be Ready To Answer After A Breach
By Melissa Maleske
Law360, New Orleans (April 29, 2015, 5:56 PM ET) -- It's an increasingly common scenario for general
counsel: A phone call in the middle of the night brings news that someone unauthorized has accessed
company data. The decisions that come next raise a host of delicate considerations that need to be
carefully assessed and balanced, according to compliance experts and an FBI cyberintrusion investigator
who spoke at a conference Tuesday.
How do we balance mitigation and preservation?
When general counsel get the call, they first need to try to stem the bleeding by working with
information technology and security managers to regain control of their data, perhaps by disconnecting
machines from the network, said panelists who ran a cyberattack response simulation Tuesday at
the Association of Corporate Counsel's 2015 Advanced Compliance Education Seminar.
At the same time, general counsel need to launch what will likely become an extensive information-gathering process and preserve all evidence related to the breach. But sometimes seemingly innocuous measures aimed at containing an attack, such as opening files on the affected server, can destroy metadata, such as file timestamps, that is valuable for investigative purposes.
“Isolate and control, but then don't manipulate it after that,” said Cyndi Baily, chief compliance officer at
Alere Toxicology. “[We want] to save the data but stop the data breach. Given the choice, I'm going to
go with stopping the damage and hopefully having enough to preserve to get the bad guys later.”
Whatever steps are taken to mitigate the breach should be carefully documented, said Corey Harris, a
cyberintrusion investigator with the Federal Bureau of Investigation. It's critical that general counsel are
later able to tell law enforcement what the company did, Harris said. The FBI will ask about what server
was affected, whether it was taken offline, and whether the breach response team accessed any files on
it before it went offline.
“If you start playing around with files, you're erasing critical evidence,” Harris said. “[For example], every
time you access a file, the time stamp changes, so you need to be very careful about what you access,
and when you do, make sure you document everything you access. You can record the time stamps
before you access a particular file. It gives us an idea of when this occurred and how long they may have
been accessing these files.”
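The advice in this section (isolate the machine, record timestamps before touching a file, document every access) can be turned into a small tool. The Python script below is an added example, not code from the article or from any organization quoted in it; the examiner label, file names and file contents are constructed for illustration. It records lstat() metadata and a SHA-256 hash for every file under a directory, taking the metadata snapshot before the file is opened for hashing, keeps an access log for the response team, and diffs two manifests so the team can later show exactly what changed between the time the machine was isolated and the time the investigators arrived.

```python
"""Pre-access evidence manifest (added example, not the article's code).
Records file metadata and hashes before anything is opened, logs each access,
and diffs two manifests.  Examiner name, paths and contents are constructed."""
import hashlib
import json
import os
import stat
import tempfile
from datetime import datetime, timezone

# Fields compared between two manifests.
TRACKED = ("size", "mode", "uid", "gid", "atime_ns", "mtime_ns", "ctime_ns", "sha256")


def snapshot_metadata(path):
    """Capture timestamps and ownership via lstat(), which does not open the file
    and therefore cannot itself update the access time."""
    st = os.lstat(path)
    return {"path": path, "size": st.st_size, "mode": stat.filemode(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "is_regular": stat.S_ISREG(st.st_mode),
            "atime_ns": st.st_atime_ns, "mtime_ns": st.st_mtime_ns,
            "ctime_ns": st.st_ctime_ns}  # inode change time on POSIX, creation time on Windows


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, examiner):
    """Walk root and record every file.  Metadata is snapshotted BEFORE the file is
    opened for hashing: hashing is a read, and whether a read moves atime depends on
    mount options (noatime/relatime on Linux, NTFS last-access settings on Windows)."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            meta = snapshot_metadata(path)  # taken before open()
            if meta["is_regular"]:
                meta["sha256"] = sha256_of(path)
            entries.append(meta)
    return {"examiner": examiner, "root": root,
            "recorded_at": datetime.now(timezone.utc).isoformat(), "entries": entries}


def diff_manifests(before, after):
    """Return {path: [changed fields]} plus files added or removed between manifests."""
    old = {e["path"]: e for e in before["entries"]}
    new = {e["path"]: e for e in after["entries"]}
    changes = {}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            changes[path] = ["added"]
        elif path not in new:
            changes[path] = ["removed"]
        else:
            fields = [k for k in TRACKED if old[path].get(k) != new[path].get(k)]
            if fields:
                changes[path] = fields
    return changes


def record_access(log, path, action, examiner):
    """Append who touched what, when, and the metadata as it stood just before."""
    entry = {"when": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "action": action, "before": snapshot_metadata(path)}
    log.append(entry)
    return entry


def demo():
    """Constructed scenario: manifest a two-file tree, append to one file during
    triage (logging the access first), then manifest again and diff."""
    with tempfile.TemporaryDirectory(prefix="evidence_") as root:
        target = os.path.join(root, "web.log")
        with open(target, "w") as f:
            f.write("constructed sample log line\n")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("[constructed]\nkey=value\n")
        before = build_manifest(root, "responder-1")
        access_log = []
        record_access(access_log, target, "appended a triage note", "responder-1")
        with open(target, "a") as f:
            f.write("triage note\n")
        after = build_manifest(root, "responder-1")
        return diff_manifests(before, after), access_log


if __name__ == "__main__":
    changed, log = demo()
    # web.log shows size/mtime/sha256 changes; config.ini, which nobody modified, may
    # still appear with only atime_ns changed because the first manifest read it.
    print(json.dumps({"changed": changed, "access_log": log}, indent=2))
```

Two caveats a responder should keep in mind. Whether a plain read moves the access time depends on the mount (noatime or relatime on Linux, the NTFS last-access setting on Windows), which is why the snapshot is taken before the open and why the unmodified file in the demo may show only an atime_ns change; do not assume the absence of an atime update means nobody read the file. And a manifest built on the live system is a record of what the response team saw and touched; for evidence that may end up in front of law enforcement, image the disk and hash the image rather than relying on hashes taken in place.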
When should we begin notifying key parties?
A general counsel trying to assess the impact of a breach needs to determine when or if to begin
informing the company's CEO, law enforcement and their cybersecurity insurance carrier about the
breach.
Looping in the CEO should come before reaching outside the organization, but general counsel may not
necessarily want to call top executives immediately. First, they should collect all the facts they can in the
earliest stages of their investigation and formulate a suggested plan of action.
“It's a delicate balance,” Baily said, “but you have to have enough to have some substantive discussion,
or at least to be able to say, 'This is what we know now, and here's what we do.' Because your job in
many of these situations is to keep calm and to keep working.”
General counsel also may want to develop a clearer view of the breach before contacting law
enforcement. They'll want to determine how sensitive the data is and how severe the incident is before
going to authorities such as the FBI. The FBI doesn't need to know every time a company's antivirus
software flags a potential virus, said Mark Thibodeaux, a privacy and data security deputy practice
leader at Sutherland Asbill & Brennan LLP.
And general counsel need to make the call about when to notify their cyber insurance carriers. A
standard policy will offer a window of a few days after discovering a breach to notify them — and those
days are good wiggle room. It's often a question of control. Some general counsel want to take charge;
others may wish to use their carrier's counsel and vendors, which may be free under their policy.
“I'm reluctant to get them involved too early, as they have the rights in the policy to take over, and you
lose some control,” Baily said. “Hopefully you'll benefit from the coverage, but again you have to find
the sweet spot. Bring them in too early, and you may be Chicken Little.”
Some general counsel may decide to delay notifying outside parties to avoid a leak to the press about a
data breach before they even know many of the details.
Nevertheless, Harris encouraged companies to contact law enforcement early in the investigation, even if only to give agents a heads-up that an issue could be coming down the pike, while still doing their due diligence before providing more detail.
“I've had companies do that, and I have no problem with it,” Harris said. “As for exposure, the last thing I
want is for the media to find out that I'm conducting a particular investigation. If I divulge that
information to the media, I'm subject to losing my job. So it's a myth that as soon as the FBI finds out,
they want to let everyone know there was an incident.”
How do we preserve privilege during the investigation?
Notifying and looping in various parties also raises questions of privilege. If general counsel want to keep
their investigation cloaked under the attorney-client privilege, they need to make an early call to bring in
outside counsel and minimize the circle of individuals privy to incident details.
“My recommendation is that at least in the early days when you don't know anything, you want to have
the privilege,” Thibodeaux said.
If more information becomes available, general counsel may determine it's not necessary to bring in
pricey outside counsel to investigate.
“Obviously if we think the risk is really high ... you may decide to have external counsel conduct the
investigation so it's all privileged,” said Sarah Sederstrom, contracts counsel at KPM Group. “If it looks
like it's going to be a little less bet-the-company, we may decide we're fine with doing it internally.”
Keeping IT staff, engineers and other data security experts on the case could expose companies to
discovery down the road, Thibodeaux said. They will likely document in emails and reports their early
findings and first impressions — and even if they are proved to be wrong after a factual investigation,
they're now on the record.
“Once it's in writing, it's not cloaked under the privilege, and it's potentially discoverable,” Thibodeaux
said. “It will at least be something you have to explain in a deposition later on.”
As investigations progress, in-house counsel should be present in any conversation or questioning they
hope to keep privileged, he said. Even if it's information the company later decides to divulge, it's best to
preserve the option to invoke privilege.
In other jurisdictions, extra steps may be necessary to preserve privilege. In much of the European
Union, for example, bringing in outside counsel will be an easier decision since most EU nations do not
consider in-house counsel attorneys for privilege purposes.
--Editing by Kat Laskowski and Mark Lebetkin.
All Content © 2003-2015, Portfolio Media, Inc.