
The hidden benefits of legal counsel, with Atmos Group's Reece Corbett-Wilkins

When a hacked company hires third-party assistance, they do so with the goal of getting back on their feet as quickly as possible. This means having experts determine the cause, containing the breach, determining the data impacted, reporting to relevant authorities, dealing with media and notifying those impacted.

However, the value of legal counsel goes far beyond directly containing and reporting a cyber incident. As involved as these teams become, businesses still need to operate and make their own decisions.

Speaking with Cyber Daily, Reece Corbett-Wilkins, Partner and Head of First Response at Atmos Australia, outlined some of the lesser-known advantages of legal counsel.

Corbett-Wilkins says that while legal counsel can lead the investigation and response following a cyber attack, they can be tailored to the needs of the business.

“Part of the answer also depends on the role you want legal to play. Some organisations have small legal teams with generalist experience where legal may not play a leading role in the crisis response. Others have large and very specialised teams with deep subject matter experience in regulation / crisis management / privacy etc and lead the incident response process and crisis management team meetings,” he said.

“A lot of the time the organisational culture determines whether legal is seen as a blocker or enabler and this plays into the psyche of ‘why would I bring legal in’ straight away. But early involvement of a good cyber lawyer who specialises in incident response is critical to ensuring you can set yourself up for success in the first 24 hours for the days, weeks and sometimes months that follow.

“My ultimate rationale for having a good trusted legal advisor in the room is that they can help create a safe space for hypothesising what has occurred and also devising a strategy for your response in circumstances where very little is known about the incident. Being independent of the business, legal can also look at things objectively, help make quick decisions based on little information and help guide the various workstreams from that point towards an outcome.

“They also typically report to the C-Suite if they aren’t themselves on the executive leadership team (ELT) and are able to help socialise critical decisions that need to be made by core decision makers.”

Many businesses won’t understand their obligations. Where needed, legal counsel can shape the response with those obligations in mind.

“Ideally an organisation has pre-mapped their ‘ready reckoner’ playbook setting out their legal, contractual, and regulatory notification obligations. Depending on the industry and size of the organisation impacted, the ‘stopwatches’ could span multiple obligations with varying timeframes, tests and triggers,” Corbett-Wilkins added.

“For example, a global ASX listed technology company will typically have reporting obligations under their contracts with their clients (which may differ depending whether their clients are private or public sector, domestic or international), the Privacy Act within Australia, continuous disclosure obligations with the ASX and potentially also under SOCI and other industry regulations.

“If legal counsel is helping run the breach, they can be alive to these obligations but also help shape the response to ensure that the incident lands exactly where you want it to. This may involve strategic considerations such as early, proactive and voluntary engagement with regulators and other stakeholders, even if the legal requirement to notify hasn’t been met.

“Alternatively, it could be a very tightly controlled strategy where notifications and engagement will only occur where legally and strictly required. This might be say where there is a minor incident which is being investigated but where notifications aren’t likely at all, subject to an adverse investigative finding at which point the position would change. We see this a lot with US breaches – where the long tail risk associated with class action litigation far outweighs any ‘voluntary or proactive’ approach that goes beyond what is strictly legally required.

“Ultimately, legal obligations are only one lens but crucially are an important lens particularly in multi-party data breach scenarios, where multiple parties share the risk of the incident and the incident response. The role of legal is to help navigate that strategy ensuring that everyone (including individuals who are caught up in the incident) is supported.

At Cyber Daily, we have seen all too many mismanaged public responses to cyber attacks, having even been asked to assist in writing the statements we ask to publish. Some media publications will use this to get as much of a scoop as possible, causing reputational and even legal damages for the business.

A business still needs to operate. Even if client-facing operations are down, leaders still need to be making decisions to ensure the future of the business. Corbett-Wilkins says that having legal counsel craft a credible and thorough media response creates an environment where that can be done.

“Preserving privilege and managing sensitive communications is critical for creating a safe space for decision making and ensuring that long tail regulatory and litigation risk is properly managed from minute one. Legal counsel should be taking steps to do this from the time that an incident is discovered.

“It involves structuring the incident response and relevant workstreams so they are framed for the dominant purpose of obtaining legal advice and managing the distribution of information about the incident. This typically includes:

  • structuring the engagement of forensic IT providers and threat intel specialists and negotiators (where applicable) to ensure their work is properly tied to the dominant purpose test of obtaining legal advice;

  • establishing a privilege protocol so that the distribution of information by the ELT / CMT related to the incident is properly controlled and handled, and the risk of waiver of privilege through forwarding or summarising information about the incident is minimised;

  • managing communications with third party stakeholders by ensuring that privileged information is excluded from those communications or, to the extent possible, determining whether common interest privilege between the parties applies (which enables a more seamless exchange of information between the parties without risk of waiver of privilege);

  • ensuring that regulatory notifications and/or communications contain information only to the extent necessary and there is no inadvertent sharing of privileged information.

“These steps are critical for ensuring that a strong privilege claim can be maintained if challenged and a defensible framework was established at the outset of the incident. We do flag however that not everything is privileged and simply copying lawyers into correspondence or marking documents ‘confidential and subject to legal professional privilege’ doesn’t automatically achieve this.

“It’s not a magic wand you can just wave over the response. Also, having a workable framework that governs the incident response is more important than one that places privilege above all else.

“We’ve seen investigations where clients were told by other law firms not to put anything in writing which might sound like a good idea at the time but makes the process of responding to the breach impossible. Not to mention there is no record of what occurred, what decisions were made, what actions were taken, and what information underpinned these activities.

“Lastly – on the point of privilege – if you think the value of the legal team in incident response is limited to establishing a claim for legal professional privilege, then you’re completely underutilising the skill set (rather than simply the function) of the legal team.”

The core goal of any incident response is to protect the business and its clients, ensure the organisation can return to normal operations as soon as possible, and minimise the financial, reputational and other impacts on the business. As Corbett-Wilkins outlines, this is a key responsibility of legal counsel.

“An experienced cyber lawyer performing the role of incident response manager or breach coach knows how to shape the incident response so that overall risk is reduced.

“Ultimately, their role is to control exposure when the impacted organisation is under intense pressure to respond to various stakeholders including government agencies, regulators, third party customers / clients and media about the incident, often within 72 hours of discovery of the incident.

“This includes:

  • Legal risk – managing mandatory reporting and notification requirements to avoid ‘over’ or ‘under’ notification, and early regulatory engagement as well as minimising the risk of third party claims and class action risk by adopting a ‘defensive’ incident response strategy;

  • Financial risk – focussing on containment efforts to minimise business interruption losses, pursuing recovery efforts in respect of lost funds (including with the assistance of law enforcement where applicable) and managing threat actor engagement with respect to ransom demands;

  • Reputational risk – ensuring that transparency in external communications is managed and does not rely on assumptions or evolving facts that may later change, ensuring correct sequencing in communications including with regulators where the client is ASX listed and has continuous disclosure obligations, and ensuring consistency in communications with all parties including clients / customers, regulators and media.

“Ultimately, the role of a cyber lawyer in this capacity is focussed on managing and minimising risk exposure in a crisis environment. The cyber lawyer should also have deep experience over many years acting for companies in various industries with all kinds of incidents. They should also have relationships with industry and credibility to help clients shape the response favourably.”

So what happens post incident? Regulatory obligations still require attention as the business recovers and returns to normal operations. These can stunt growth and recovery, and demand resources that could limit a return to normal.

Corbett-Wilkins says that as the regulatory landscape evolves and becomes more intense, legal counsel can more or less take on the job of dealing with those obligations.

“The cyber incident litigation and regulatory landscape in Australia is intensifying. It’s easy to see how. In an incident involving a high number of affected individuals, it only requires a small claim for compensation from each to amount to an extinction level threat for many businesses,” he said.

“Regulators also continue to sharpen their focus on who is responsible for cyber security and cyber resilience and cyber incidents continue to create regulatory risks for both organisations and their directors and officers.

“It’s therefore critical that experienced cyber lawyers with deep disputes and investigations experience are involved at every step of the incident response process including:

  • shaping the narrative in responses to regulatory requests for information in a way that minimises the risk of an investigation being launched;

  • effective management of enquiries and complaints by affected individuals to minimise the risk of formal claims or class actions;

  • timely review of contractual notification and associated obligations to minimise the risk of warranties and indemnity claims across the supply chain;

  • when claims do arise, swiftly getting to the cutting edge of liability and quantification issues and developing a comprehensive claim management plan to minimise exposures while mitigating associated reputational risk; and

  • where appropriate, assisting to mitigate exposure by looking to recover losses from responsible third parties and across the contractual chain.

“Deep technology, privacy and incident response expertise is required to form the fine judgments necessary to properly assess and manage the litigation and regulatory risks.”

Tue, 27 Jan 2026
Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.