Most companies recognize that a cyber attack will require the company to engage outside counsel. But do you know what that engagement should encompass, what role outside counsel should play, or what benefits can be gained by managing the relationship effectively? Trust me – you do not want to discover the answers to these questions in the throes of a crisis. Preparedness is key to successfully managing a cyber security incident.
Here are four considerations for your cyber security plan.
1. Keep the roles of legal counsel and technical or forensic consultants separate.
This sounds obvious, but highlights an important point: There should be a clear division of responsibility between professional forensic consultants and cyber security counsel. Some companies cross these lines and ask counsel to answer questions best directed to forensic consultants, or ask forensic consultants to provide legal advice. Your company will be best served by establishing clear roles for each.
2. Consider the benefits of having counsel engage and direct your forensic consultant.
Any time there is a cyber incident, a company needs to find out the facts – what was compromised, what broke down, and what was the impact. That said, you may not want that information available to an adverse party in litigation, and you do not want your consultants to be afraid to be frank with you. The best way to achieve this is to engage counsel about the potential for litigation, and to retain the forensic consultant to work at counsel’s direction to assist counsel in rendering legal advice. Under federal rules and most state rules, you will have a strong argument that the forensic consultant’s work product is privileged, and that the consultant is a non-testifying expert who cannot be examined by an adverse party in litigation.
3. Have counsel advise management.
Given the financial and public relations impact of recent breaches, top executives and board members will need to be engaged and fully informed about cyber incidents. Good outside counsel will work to translate the technical findings and considerations into business and legal concerns and make it easier for top management to understand issues and make decisions.
4. Engage counsel to help with going-forward strategies.
Once you understand what happened and have “stopped the bleeding,” your company will need to decide how (if at all) your policies and procedures will change. Those decisions have legal ramifications, and your counsel can provide advice that should be taken into consideration along with the advice of your IT group, PR department or other administrative entities.
This list is not exhaustive. You will likely need counsel to evaluate insurance coverage issues, review contracts that might have been impacted by the incident, and monitor document retention issues related to possible litigation, among other things. But if you keep these considerations in mind, and discuss the scope of representation up front, you will be better situated to use counsel more effectively during a time of crisis.