In the middle of a cyber attack, it can be hard to know what the first step should be. Cyber criminals are knocking on the digital door demanding money and journalists are hounding your phones for information, all before you know what has actually happened or what your legal obligations are.
Taking the wrong step is easy, and it can cause further reputational and legal damage.
The solution? Engaging third-party assistance. Lawyers play a major role in your incident response plan, from guiding businesses on compliance to preparing statements and keeping media at bay, ensuring that the response is as smooth as it can possibly be.
Speaking with Cyber Daily, lawyers Brigitte Gasson and Eden Winokur from Hall & Wilcox outlined the role of lawyers in the incident response process and said that when it comes to a cyber attack, legal counsel can never be deployed too soon.
“Legal counsel should be involved as early as possible after discovery of an incident. Early involvement ensures any notification and reporting obligations are identified and responded to within time frames, communications are managed carefully, and the overall impact of an incident is minimised,” said Gasson.
“Early involvement also increases the likelihood that forensic findings and any reports produced are protected by privilege.”
Following a cyber incident, an organisation faces a web of compliance requirements, a key part of which is notifying the people affected and the relevant agencies.
Under the Notifiable Data Breaches (NDB) scheme in the Privacy Act 1988, organisations must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of an eligible data breach: unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any individual, where remedial action has not removed that risk. Where an organisation only suspects such a breach, it must complete a reasonable and expeditious assessment within 30 days.
Winokur said that having a relationship with legal counsel in place before a breach accelerates the incident response process, because the regulatory and contractual notification obligations are already understood.
“If not, that’s a critical part of the initial discussions,” he said.
Gasson emphasised again that early engagement of legal counsel is critical to determining obligations and ensuring compliance.
“When lawyers are engaged early after a cyber incident is identified, we are able to quickly get across the regulatory environment in which our clients operate and assist with determining any notification obligations,” she said.
“This is done through early engagement and clear communications with an organisation’s key people.”
Legal counsel can guide a business through most of the incident response process, helping it tailor the response to the attack vector, the data and people affected, and the other circumstances of the incident.
“Depending on the incident, cyber lawyers are often responsible for coordination and management of the entire incident response process,” Gasson said.
“Being across all workstreams, we can quickly identify the most significant risks and issues, and adapt the response as required, including by engaging additional vendors or utilising extra resources.”
Gasson added that once IT teams and cyber experts have discovered and begun managing an incident, lawyers become the key coordinators of the response, directing technical teams and investigations so that the most significant vulnerabilities and risks are identified and dealt with as soon as possible. Running the forensic engagement through counsel in this way is also what supports the claim of privilege over forensic findings and reports mentioned above.
“Playing the role of key coordinator also gives cyber lawyers sufficient detail to advise and obtain instructions from leadership, and effectively manage communications relating to the incident, both internal and external,” she said.
A key role of legal counsel is managing ongoing risk and preventing further damage: guiding the business through the web of regulation and legislation, managing its statements and communications, and limiting the harm to victims and stakeholders.
“Experienced cyber lawyers play a huge role in reducing the potential impacts of a cyber incident,” Gasson said.
“We advise on legal and regulatory obligations, minimising the risk of enforcement or fines for non-compliance. We also carefully manage stakeholders and communications following an incident, reducing the chances of reputational risk for poor incident management.”
Winokur added that when a business holds cyber insurance, lawyers can improve its claim experience by advising on the business decisions made during the response.
“When a client holds cyber insurance, cyber lawyers with an understanding of the policy can help clients make informed business decisions about the response, which often results in a better claim experience,” he said.
Once an incident is contained and the business has returned to normal operations, it is important to rethink its cyber security strategy to reduce the likelihood and impact of further incidents.
Lawyers can help a business identify what else could have gone wrong and ensure that, if another cyber attack occurs, it is better prepared.
“After an incident occurs, we find our clients are increasingly focused on what else could have occurred to their organisation or the ‘worst-case’ scenario,” Gasson said.
“Along with technical enhancements, we are often engaged to assist clients to further develop incident response plans and supporting materials, to prepare for potential future incidents.”
They can also help manage any regulatory investigation that follows an incident, shaping the business’s response to limit the financial or reputational damage that could result.
“Regulatory investigations and litigation are becoming a bigger part of cyber law. Handling the incident well usually reduces some of this risk. If a regulatory investigation or litigation is commenced, cyber lawyers play an integral part in assisting a client to respond,” Winokur said.