• How many systems were affected?

• What data, if any, was compromised (in other words, viewed, downloaded, or copied)?

• Was any personally identifiable information compromised?

• What countermeasures are we taking?

• What are the chances that our countermeasures will succeed?

• Who else knows about the security breach?

• Is the incident ongoing? Preventable?

• Is there a risk of insider involvement?

Technicians are much more effective from a legal and compliance perspective if they understand your concerns ahead of time. Armed with this information, technicians are more inclined to investigate the incident in a manner that helps meet legal counsel’s objectives, and legal counsel will be better positioned to advise senior management on the best response strategy.


In my years managing the expectations of corporate legal advisers after a computer security incident occurs at their company, I’ve developed the following list to ensure that legal counsel understands the landscape:
• You will likely underestimate the time and cost of a thorough investigation into a security breach, and you may be underwhelmed with the results.

• At large companies, it is possible that the security breach is not easily mitigated. The incident may last for months or even years, depending on the depth and breadth of the compromise.

• The majority of investigations into computer security breaches yield inconclusive results concerning which, if any, files and data were compromised by the hackers.

• The sophistication of attacks is advancing rapidly, and untrained or inexperienced personnel may provide inaccurate conclusions and ineffective countermeasures.

• If the technical-resource workers responding to the security breach at your business are the same workers responsible for defending the information infrastructure, a conflict of interest exists. Whether intentional or not, because these workers are responsible for securing the network, they may not be forthcoming with incident details after a security breach. When you suspect that this is occurring, you may want to engage external incident-response experts to manage or review the ongoing efforts to resolve the incident.


Legal counsel’s role in incident-response management is practically limitless, though it depends in part on the industry, the nature of the security breach, and the assets or information involved. There are, however, several common questions facing legal counsel during most incidents. In my experience with hundreds of incidents, these questions most frequently confront legal counsel and often cause undue delay when counsel has not anticipated the issue:
• What are the applicable regulations or statutes that relate to our company’s response to the security breach?
