• How many systems were affected?

• What data, if any, was compromised (in other words, viewed, downloaded, or copied)?

• Was any personally identifiable information compromised?

• What countermeasures are we taking?

• What are the chances that our countermeasures will succeed?

• Who else knows about the security breach?

• Is the incident ongoing? Preventable?

• Is there a risk of insider involvement?


Technicians are much more effective from a legal and compliance perspective if they understand your concerns ahead of time. Armed with this information, technicians are more inclined to investigate the incident in a manner that helps meet legal counsel’s objectives, and legal counsel will be better positioned to advise senior management on the best response strategy.

AFTER THE SECURITY BREACH

In my years managing the expectations of corporate legal advisers after a computer security incident occurs at their company, I’ve developed the following list to ensure that legal counsel understands the landscape:

• You will likely underestimate the time and cost of a thorough investigation into a security breach, and you may be underwhelmed with the results.

• At large companies, it is possible that the security breach is not easily mitigated. The incident may last for months or even years, depending on the depth and breadth of the compromise.

• The majority of investigations into computer security breaches yield inconclusive results concerning which, if any, files and data were compromised by the hackers.

• The sophistication of attacks is advancing rapidly, and untrained or inexperienced personnel may provide inaccurate conclusions and ineffective countermeasures.

• If the technical-resource workers responding to the security breach at your business are the same workers responsible for defending the information infrastructure, a conflict of interest exists. Whether intentional or not, because these workers are responsible for securing the network, they may not be forthcoming with incident details after a security breach. When you suspect that this is occurring, you may want to engage external incident-response experts to manage or review the ongoing efforts to resolve the incident.


ANTICIPATE YOUR ROLE

Legal counsel’s role in incident-response management is practically limitless, though it depends in part on the industry, the nature of the security breach, and the assets or information involved. There are, however, several common questions facing legal counsel during most incidents. In my experience with hundreds of incidents, these questions most frequently confront legal counsel and often cause undue delay when counsel has not anticipated the issue:

• What are the applicable regulations or statutes that relate to our company’s response to the security breach?