Computer intrusions by hackers used to be a problem handled primarily by system administrators in the information-technology department. Bad guys sipping Mountain Dews in bedrooms dimly lit by computer screens would hack into an organization, and good guys sipping Mountain Dews in the server room dimly lit by computer screens would respond to the security breach. Both sides hurled their digital kung fu at one another, sometimes for months, without the organization’s legal counsel knowing — or caring — about the electronic combat. Computer security breaches were perceived solely as an IT problem, and legal counsel was usually notified about the incident as an afterthought — not as a part of the “incident-response” process. Then computer security breaches evolved into a component of more nefarious acts, such as software piracy, theft of intellectual property, economic espionage, identity theft, wire fraud, and more conventional crimes. I have been involved in responding to these breaches for more than 15 years, starting as a computer security officer at the Pentagon. In the past 11 years, I have assisted financial-services organizations, government agencies, and e-commerce sites in responding to international computer intrusions, theft of customer information, and widespread compromises of sensitive data. Nearly all of these attacks were conducted for economic gain; intruders sought information, trade secrets, credit cards, or some other means to make money. In other words, computer security breaches evolved into an IT and business problem, with legal counsel affecting decisions in an advisory role. The handling of computer security breaches is now changing into an IT, business, and compliance problem. 
As the impact of unlawful or unauthorized cyberattacks is felt by consumers, this area is increasingly regulated, with baseline information-security requirements as well as legislation protecting consumers’ “right to know” when a security breach affects the confidentiality of their private information. The full impact of these notification laws and other new statutes and regulations is still unfolding. One thing is clear, however: In today’s networked business environment, knowledgeable and prepared legal counsel is required to appropriately manage and resolve computer security incidents in all businesses.

I have responded to hundreds of computer security breaches in my work in the past 11 years. During this time, I have seen that the incident-response management role of corporate legal advisers, whether internal or external, has grown considerably. I have also seen that firms that handled incidents effectively and efficiently had knowledgeable legal counsel involved as an active participant. These firms worked quickly to handle the incidents and avoided being slowed down by the need to analyze the problem or worry about the legal implications. They avoided these pitfalls because their legal counsel was involved and prepared to assist. As the response strategies adopted by compromised companies depend more on emerging regulations and legislation, the need for legal counsel’s involvement will increase. Because it is likely that every company or law firm will experience a computer security breach at some point, many attorneys will find themselves involved in a company’s incident-response efforts. The following paragraphs outline essential items to consider, especially for those on the incident-response team.

REVIEW YOUR PLAN

Many companies have an incident-response plan in place. The incident-response plan documents what your company intends to do should any cyberattacks occur.
You should familiarize yourself with the process outlined in these documents before an incident occurs and provide input where appropriate. When you review the document, examine whether your incident-response plan fails to account for any applicable regulations (such as industry regulations for the treatment of sensitive information), legislation (for example, “breach notification” or privacy laws), or corporate policies (such as privacy policies or disaster-recovery policies). Most of all, ensure that the internal legal department or external counsel has a place on the incident-response team and is involved in all aspects of the incident-response process. If possible, champion a dry-run exercise of the plan. Dry runs are usually inexpensive and relatively simple to execute while providing you with the opportunity to meet the technical staff involved in your company’s incident-response efforts. The dry run also allows an operational assessment of the plan’s effectiveness so you can provide enhancements to the plan based on firsthand observations. Firms that perform dry runs are much more efficient and effective when a real incident occurs. Of course, most attorneys are not going to sit at a computer terminal and wage hand-to-hand combat with computer hackers. You may not understand the intricacies of the attacks or the technical details required to understand the scope of compromise, appropriate countermeasures, and the likelihood that the countermeasures will succeed. You will therefore have to rely on the technical responders for much of the information required to provide proper corporate guidance. The technicians responding to a computer security breach are normally consumed with determining how the attacker compromised the network and how to remove the attacker from the network. During the initial phases of their response, the operational tempo and demands placed on the IT staff are exceptionally high. 
Technicians are not as concerned or focused on the information compromised by the intrusion or any applicable legal requirements that affect the handling of the incident. So in addition to asking how the attacker compromised the network and how to get the attacker out, legal counsel should ask the technical responders to answer the following questions:

• How long were we exposed?
• How many systems were affected?
• What data, if any, was compromised (in other words, viewed, downloaded, or copied)?
• Was any personally identifiable information compromised?
• What countermeasures are we taking?
• What are the chances that our countermeasures will succeed?
• Who else knows about the security breach?
• Is the incident ongoing? Preventable?
• Is there a risk of insider involvement?

Technicians are much more effective from a legal and compliance perspective if they understand your concerns ahead of time. Armed with this information, technicians are more inclined to investigate the incident in a manner that helps meet legal counsel’s objectives, and legal counsel will be better positioned to advise senior management with the best response strategy.

AFTER THE SECURITY BREACH

In my years managing the expectations of corporate legal advisers after a computer security incident occurs at their company, I’ve developed the following list to ensure that legal counsel understands the landscape:

• You will likely underestimate the time and cost of a thorough investigation into a security breach, and you may be underwhelmed with the results.
• At large companies, it is possible that the security breach is not easily mitigated. The incident may last for months or even years, depending on the depth and breadth of the compromise.
• The majority of investigations into computer security breaches yield inconclusive results concerning which, if any, files and data were compromised by the hackers.
• The sophistication of attacks is advancing rapidly, and untrained or inexperienced personnel may provide inaccurate conclusions and ineffective countermeasures.
• If the technical-resource workers responding to the security breach at your business are the same workers responsible for defending the information infrastructure, a conflict of interest exists. Whether intentional or not, because these workers are responsible for securing the network, they may not be forthcoming with incident details after a security breach. When you suspect that this is occurring, you may want to engage external incident-response experts to manage or review the ongoing efforts to resolve the incident.

ANTICIPATE YOUR ROLE

Legal counsel’s role in incident-response management is practically limitless, though it depends in part on the industry, the nature of the security breach, and the assets or information involved. There are, however, several common questions facing legal counsel during most incidents. During my experience with hundreds of incidents, these questions most frequently confront legal counsel and often cause undue delay when counsel did not anticipate the issue:

• What are the applicable regulations or statutes that relate to our company’s response to the security breach?
• Are there any contractual obligations that affect our incident-response strategy?
• Are we required to notify our clients, consumers, or employees about the security breach?
• What constitutes a “reasonable belief” — the standard used in many states to determine whether notification is required — that protected information was compromised?
• How might public knowledge of the compromise affect the company?
• What is our liability if the compromised network hosted pirated software, music, or videos?
• Does notifying our customers increase the likelihood of a lawsuit?
• Is it permissible to monitor or intercept the intruder’s activities?
• How far can or should we go to identify the intruder?
• Should the company notify its regulators? Law enforcement?

These questions are sometimes difficult to answer, but successful incident-response management means that legal counsel must identify and address these issues before an incident occurs. Luckily, many of these issues can be solved before your company has to mobilize and respond to a security breach. Due to emerging standards, legislation, and regulations as well as the increased risk of computer intrusions and the types of attacks that are occurring, legal counsel’s role and influence in the management of computer security issues will continue to grow. This evolution will require legal counsel to become an integral member of a company’s incident-response team.
Kevin Mandia is president and CEO of Mandiant, an information-security company that provides professional services, education, and incident-response management software to corporations, law firms, financial institutions, and government agencies. Mandiant has offices in the Washington, D.C., area and New York City.
