Five ways outside counsel can help you respond to a cyber incident
By and on Posted in Cybersecurity

Incident response is a high-pressure, fast-moving process where technical, operational, and legal decisions occur simultaneously. While teams work to contain the threat and restore systems, the organization is making choices about how to document findings, engage vendors, communicate internally and externally, comply with legal requirements, and prevent future incidents.

Any misstep can increase regulatory scrutiny of the organization and expand its litigation exposure after the incident has been contained. Consulting with outside counsel as early as possible can help your organization respond efficiently while protecting it from legal exposure.

No. 1: Creating or preserving attorney-client privilege

In the event of a cybersecurity incident, outside counsel can help define the scope and objectives of the investigation, direct the fact-gathering process, and retain reputable third-party vendors . Conferring with counsel can also provide attorney-client privilege protection to much of the documentation or discussions.

Counsel can help to clarify who should document what, with whom the documentation should be shared, and when it should be escalated. Organizations dealing with an incident should route their engagement letters or statements of work through counsel, include counsel in communications with forensics teams, and summarize their investigative findings in a way that protects the information from discovery in the event of regulatory or legal challenges.

No. 2: Coordinating the Incident Response Team

An incident response effort is similar to a symphony orchestra, with outside counsel as the “conductor.” On the side of the organization, the role of counsel typically includes leadership, IT/security, privacy and compliance, Human Resources (especially if employee data is involved), finance, and communications/public relations. On the vendor side, it may include forensic investigators, restoration or incident response providers, a call center, or a notification vendor.

If the organization has cybersecurity insurance, counsel also coordinates with the insurer and related partners.

In addition, counsel can help to set a schedule of routine reports and create escalation paths. These can help to clarify roles and decision-making authority.

No. 3: Complying with regulatory and legal requirements

Outside counsel’s analysis starts with determining which states or countries may be implicated based on residency, data types, and where the organization operates.

Counsel then evaluates whether applicable laws define the event as a “breach” requiring notice. Counsel also assesses the risk of harm to the organization, any encryption safe harbors, and any other statutory provisions relating to coverage of the organization.

Assuming the event was a breach, counsel advises on the content, recipients, and timing of any required notices. Counsel also helps to address whether there are any requirements specific to particular industries (for example, health care, financial services, education, critical infrastructure), or contractual obligations.

No. 4: Managing communications and risk exposure

Communications can be evidence. In most breach incidents, communications may involve employees, customers or consumers, vendors or partners, regulators, the media or the public, and internal leadership and the board. Outside counsel can help to ensure that any messaging is accurate, and appropriate for the circumstances. Counsel can coordinate and ensure consistency of communications, including notice letters, frequently asked questions, call center scripts, website postings, press statements, and partner or client notifications. Counsel can also help to maintain decision logs and create a process to follow when approving internal communications for outbound messaging.

No. 5: Preparing for post-incident litigation and recovery

Unfortunately, incident response does not end when the above steps have been taken. Outside counsel can also help organizations prepare for regulatory actions and litigation. The organization may need to preserve evidence and documents relating to the incident. In addition, there may be required responses to regulatory investigations, or to discovery requests in litigation.

Counsel can also advise on remediation plans, vendor management and contract issues, and (where applicable) coordination with the organization’s insurance carriers. Many organizations also use the post-incident period to take appropriate preventive action (for example, running tabletop exercises) to help ensure that a similar incident does not occur in the future. In some cases, counsel may also help the organization anticipate class action trends in the relevant jurisdictions and make recommendations regarding future privilege protections.

Conclusion

Outside counsel helps organizations respond faster and more defensibly by integrating legal strategy into the technical response. The earlier counsel is engaged, the more effectively the organization can protect itself.

The Constangy Cybersecurity & Data Privacy Team helps businesses of all sizes and industries develop a comprehensive incident response plan or support with a breach. We are here to help! The Constangy Cyber Team is available 24/7. Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.

TAGS: Cyber Incident Response, CyberMonday, Cybersecurity, Data Breach
Facebook Twitter/X Linkedin Email

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 

Search

Get Updates By Email

Subscribe

Archives

Jump to Page

Constangy, Brooks, Smith & Prophete, LLP Cookie Preference Center

Your Privacy

When using this website, Constangy and certain third parties may collect and use cookies or similar technologies to enhance your experience. These technologies may collect information about your device, activity on our website, and preferences. Some cookies are essential to site functionality, while others help us analyze performance and usage trends to improve our content and features.

Please note that if you return to this website from a different browser or device, you may need to reselect your cookie preferences.

For more information about our privacy practices, including your rights and choices, please see our Privacy Policy. 

Strictly Necessary Cookies

Always Active

Strictly Necessary Cookies are essential for the website to function, and cannot be turned off. We use this type of cookie for purposes such as security, network management, and accessibility. You can set your browser to block or alert you about these cookies, but if you do so, some parts of the site will not work. 

Functionality Cookies

Always Active

Functionality Cookies are used to enhance the functionality and personalization of this website. These cookies support features like embedded content (such as video or audio), keyword search highlighting, and remembering your preferences across pages—for example, your cookie choices or form inputs during submission.

Some of these cookies are managed by third-party service providers whose features are embedded on our site. These cookies do not store personal information and are necessary for certain site features to work properly.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek