Black Hat: How cybersecurity incidents can become legal minefields

Facing a cyberattack? Pick up the phone and talk to legal help as well as incident response.
Written by Charlie Osborne, Contributing Writer

BLACK HAT USA: When a company becomes the victim of a cyberattack, executives are faced with a tsunami of challenges: containing a breach, remediation, informing customers and stakeholders, identifying those responsible, and conducting a forensic analysis of the incident -- to name but a few.

However, it is not only these immediate, practical issues that businesses have to tackle: the legal ramifications of a security incident have become more important than ever to consider.

Speaking to attendees at Black Hat USA in Las Vegas, Nick Merker, partner at Indianapolis-based legal firm Ice Miller LLP, said that before becoming a lawyer, he worked as an information security professional -- and this experience allowed him to transition into the legal field through a cybersecurity lens.

After being involved in the legal side of over 500 security incidents, including everything from the theft of a laptop to major ransomware incidents, Merker said that many of the pitfalls he experienced could have been "easily avoided with a simple conversation."

When attorneys are brought into a cybersecurity incident, they need to consider areas including data protection standards (such as HIPAA or GDPR), insurance coverage, liability, the preservation of evidence, and the potential for lawsuits and class-action claims. 

Robust IT systems are no longer enough to protect against the financial and reputational harm of cyberattacks, and it is up to legal teams to assist victims in making the right decisions in the aftermath. 

According to Merker, during a cybersecurity incident, "IT professionals and security folks, people who are not lawyers, [often] find themselves in a weird solution where they need to think like a lawyer or at least have one there."

One of the main issues that enterprise players need to consider is attorney-client privilege. The purpose of this is to make sure a client who wants to seek advice from an attorney can say what they want and retain confidentiality -- and the attorney cannot be compelled to testify against them. 

However, there are misconceptions surrounding this concept -- not everything you say is privileged. A communication with an attorney might be privileged, but that does not make its subject matter privileged, such as the facts surrounding a data breach or cyberattack.

"This does not mean that the underlying factors of a security incident are privileged," the lawyer said. "This is an important thing to think about."

If you want to retain privilege, then you need to "paper up" and make sure there are defined lines between investigations, reports, and forensic activity. Specifically, if you want investigations to be privileged, they should be done separately and apart from ordinary business investigations.

A "100 percent, separate team should be in place" and any reports on an incident should be "only used for litigation preparedness rather than as a business-outcome report," Merker commented. 

In addition, it should be noted that corporations can waive privilege, but they cannot necessarily cherry-pick which areas to waive. It may be an "all or nothing" approach in some jurisdictions, and rather than "having your cake and eating it too," attempts to do so can create further legal challenges. 

An example given was a document submitted in court with redactions while the full, unredacted document was provided to regulators. An attempt to apply privilege only partially in this way may fail.

In addition, privileged information should stay within protected walls. The lawyer says that if information is shared, such as through an email or by the watercooler, it could surface in a deposition and could be considered a waiver of privilege.

Another area of legal concern relates to OFAC's recent warning on potential sanctions when ransomware payments are approved -- especially if a payment ends up flowing through a criminal chain to a jurisdiction under economic restrictions, such as Iran or Cuba. This can create individual or corporate liability and prompt heavy penalties -- or even jail time.

If you're in a ransomware event and you need to pay the ransom in order to get back online, Merker says you should have a risk-based compliance program: a robust structure and risk assessments for whether or not you will pay a threat actor. You should also engage law enforcement immediately. This could be a significant factor in determining the eventual outcome, the legal expert noted.

"[Also] getting in touch with us quickly is what you want to do," Merker added. 

Merker emphasised that companies more often "need to actually use an incident response plan in an incident situation," and said that documentation should be a key focus. Timelines, logs, major decisions, and status summaries should be kept, as regulators -- or plaintiffs -- will be asking questions, and you need to know "what you did, and why you did it."

"You need to build up a story of what you actually did as a company," Merker says. "This will also protect the chain of custody [and] you want to make sure you don't accidentally waive privilege."
