Any organization may be the target of a cyberattack, and such attacks may occur anytime. Common cyber threats such as malware, information leakage, ransomware or phishing could have serious – if not existential - consequences for organizations. Hence, Cyber is among the most substantial risks facing companies today and going forward. To safeguard the confidentiality, integrity and availability of information should therefore be treated, and not only regarded, as a top priority in a company's risk management. This leads to the urgent need for general counsel and legal departments to deepen their focus on cybersecurity. Because the potential implications of cyber threats are manifold, a coordinated approach is needed to prepare for and respond to cyber threats. Based on experiences made in our cybersecurity and privacy practice, it is recommended to follow a five step plan. This article offers a perspective on the practical steps to be taken in order to ensure that cybersecurity programs are properly aligned with evolving laws and regulations, industry practice, and regulator expectations. 

Additionally, this article outlines why the professional legal privilege could play an important role in court, proceedings or regulatory enforcement actions occurring in the context of cyber incidents. 

[Key Words: Cyber Threats, Data Breach, Incident Response, Data Breach Notification, GDPR, Legal Privilege].

Full article

Cyber threats and the need for a coordinated approach

Cyber is among the most substantial risks facing companies in 2020 and going forward. Any organization can be the target of a cyberattack, regardless of industry, size, or geographic footprint. No industry or organization is untouched. Recent developments reinforce the urgent need for general counsel and legal departments to deepen their focus on cybersecurity. As a result, many senior executives have come to the realization that cybersecurity is perhaps the most serious—and existential—risk facing their companies. But some organizations are well behind the curve. This article is drafted to help getting in-house counsel on a coordinated approach in preparing for and responding to cyber challenges.

Cybersecurity risks lurk everywhere and anytime. Cybercriminals have already exploited feelings of insecurity and panic, and they will continue to do so, particularly in times of COVID-19. It is important to be aware of the different types of Cyber Threats in order to be able to safeguard the confidentiality, integrity and availability of information. According to the European Union Agency for Cybersecurity (ENISA) the top fifteen Cyber Threats  is as follows:

The potential implications of cyber threats are manifold. Hence, a coordinated approach is needed to cope with cyber challenges. Based on experiences made in our cybersecurity and privacy practice, we generally recommend companies to follow a five step plan. This overview summarizes these steps, and offers a perspective on the practical steps in-house counsel can take to ensure that their organizations’ cybersecurity programs are properly aligned with evolving laws and regulations, industry practice, and regulator expectations.

Assess

Every company is a potential victim. However, every company is unique and exhibits its own specific threat profile. Such a threat profile may be influenced by several factors such as:

• Industry;

• Data (e.g. personal data, trade secrets, financial information, IP, sensitive business data);

• Obligations from a civil, regulatory, operational and technical perspective; and

• Risks from a business continuity perspective.

It is recommended for each company to perform a tailored assessment that creates a specific threat profile, which subsequently allows preparing for possible cyber threats on a risk-based approach. In this respect companies should also consider their dataflow, including how the data flows in and out of the organization. Due to the central importance of cybersecurity, conducting due diligence on a company's cybersecurity program for incoming and outgoing data is increasingly common.

Prepare

Regardless from the industry and threat profile, every company is bound to face a cyber incident at some point. In order to be prepared for such incidents, companies should create and update data governance strategies and incident response plans. In today's environment, international coordination and speed are two of the most important elements to build into an organization's cybersecurity incident response plan. Incident response plans typically outline the structure, responsibilities and members of the incident response team and define decision making, escalation and other necessary procedures.  The latter may include standard operating procedures (SOP's) that minimize errors which could occur during incident handling under tempo and stress.  Preferably, the incident response plan also entails a definition of the term "incident", which allows the incident response team to distinguish between events and cyber incidents. Usually, there is a daily occurrence of events within IT infrastructures, but not all events qualify as cyber incident.  It is of utmost importance that these measures mentioned before are not only in place, but also tested and adjusted accordingly (if needed). This may be done by means of testing specific scenarios that involve real-time decision making and cooperation with stakeholders associated with critical cyber incidents. To do this effectively, the company’s full threat profile should be considered. For instance, for global companies, an incident response plan with an established and tested process to identify, analyze, and mitigate cyber threats will have limited efficacy if those capabilities exist in only one region, or do not properly reflect operational, compliance, regulatory expectations. This is challenging, amongst others due to the rapidly evolving regulatory landscape. 

Respond

Once a cyber incident has been detected, the incident response team is in charge to i) analyze the incident (e.g. source, motivation, threat actor, etc.), ii) assess the extent and damage caused by the incident and iii) to plan potential solutions and measures. Followed by this analysis, the incident response team usually responds to mitigate the incident by containing and eradicating the incident followed by recovery.  Containment requires decision-making such as disconnecting a network, shutting down systems or disabling certain functions. Since containment strategies depend on the type of incident, it is recommended to define separate strategies for each type of incident, which contributes to quick and sound decision-making. Eradication refers to the activity to remove the cause of the incident from the system, such as eliminating malicious programs, apply patches or correct improper settings in the system. The purpose of the recovery phase is to restore the system to its original state.  Additionally, it may be necessary to perform a forensic investigation in order to gain valuable insights regarding the incident (e.g. how and why an incident took place). In all of this, speed is an increasingly important consideration. Cyber incidents may trigger timely regulatory notifications. For example, the  EU General Data Protection Regulation requires data controllers to notify the appropriate authority of personal data breaches within 72 hours after having become aware of it.  Similar requirements apply under the California Consumer Privacy Act, in financial laws, in network and information security laws, etc., to contractual obligations (e.g. in licenses, vendor agreements, data sharing agreements, and insurance agreements) and obligations within the company (e.g. shareholder, stakeholder etc.). As such in order to be able to respond properly and timely, companies should establish a process to keep track of these and should facilitate coordination across various business functions and corporate group if an incident occurs. As a best practice, many companies find it useful to include pre-approved “starter” templates for the variety of potential notifications and communications that may have to be made, in their incident response plan.

Engage

As stated above, various obligations could be triggered by a cyber incident, and these obligations must be considered accordingly. These vary by jurisdiction, and the relevant laws and regulations, and expectations, are evolving at a rapid pace. To determine whether or not to notify a supervisory authority, business partner, stakeholder, insurer or other party is not a straightforward affair. It requires amongst others a careful analysis of the scope and nature of the incident as well as a good understanding of the potential impact the incident may have on the company, the data and the parties involved. For instance, the GDPR requires notification on personal data breaches to the relevant supervisory authority without undue delay (not later than 72 hours after becoming aware of it), unless it is unlikely to result in a risk to the rights and freedoms of natural persons. This means, first of all, the GDPR must apply to the incident at hand. Second, the incident must constitute a personal data breach as defined in the GDPR under the responsibility of the company acting as a data controller.  Third, it should be determined when the company became "aware", and hence, when the clock started ticking (i.e. the timeframe of 72 hours). Fourth, not all personal data breaches must be notified, so there is need for an analysis of the impact of the incident.  Fifth, the competent supervisory authority must be identified.  However, these steps are only the beginning as the GDPR requires notification to affected individuals if the incident is likely to result in a high risk to their rights and freedoms, and companies should also consider their own interests in the context of a cyber incident. For instance, companies should furthermore assess if it could be helpful or required to cooperate with law enforcement (e.g. working with intelligence services) forensic investigators or cyber insurance companies, business partners, investors or media. Lastly, companies should also analyze whether the incident (also) affects the company's trade secrets or IP rights, and which parties to engage in this respect.

Defend

The purpose of the last step is to represent and vigorously defend cases in court or in proceedings. Enforcement actions initiated by regulators following a cyber incident and civil litigation, including class actions and liability claims from business partners, have become increasingly more common in recent years. The threat of enforcement actions and litigations should be part of the assessment on how to prepare for and respond to incidents, as well as on the engagement with all parties involved.  

Engaging external legal counsels in the context of cyber incidents might be beneficial for companies from various perspectives. An important aspect in this context is the professional legal privilege. Confidential communications (including documents and investigation reports) between companies and their attorneys which relate to the provision of legal advice are protected and must not be disclosed to external parties. External parties may include data protection supervisory authorities, other enforcement authorities or counterparties in litigations. An example of a matter wherein the importance of legal privilege is shown, is the US Experian Data Breach Litigation case.  In this case, Experian (the defendant) has hired an outside litigation counsel for legal advice regarding a data breach. Subsequently, the outside counsel hired a third party forensics consultant in order to conduct an expert report analysis of the attack. The plaintiffs filed a motion seeking access to that report and related documents. However, the court ruled that the report is protected under the work product doctrine. Under this doctrine, there is a qualified privilege "for certain materials prepared by an attorney acting for his client in anticipation of litigation". Jurisdictions in the EU generally do not recognize a separate work product doctrine but often protect information and documentation prepared by outside counsel as privileged materials, such as legal advice, litigation documents and attorney/client communications. Hence, it may be helpful for companies to define a legal privilege strategy, which considers the rules applying to legal privilege and relevant court decisions in a certain jurisdiction. 

Conclusion

Cyber threats lurk everywhere and anytime, and their potential implications are manifold. Hence, it seems to be crucial to follow a coordinated approach when coping with cyber challenges. Companies and certainly also law firms should assess their own threat profile. They must be prepared for cyber threats and ensure to be able to respond to cyber threats at any time. After having become aware of a cyber incident, various obligations and aspects must be considered that go beyond personal data breach notification obligations, but also involve contractual obligations and a company's own interests (such as to keep trade secrets confidential). Furthermore, it may be required to vigorously represent and defend cases in court or proceedings, where also aspects concerning the legal privilege come into play.