If you are responsible for your cyber incident response team and you discover that you may have been breached – like the Trump Hotels this week – who should you call, and how should you contact them?
I will answer the "how" part first because it is easier.
Walking down the hall is best. Failing that, the phone is OK as long as it is not connected to your company network (like a VoIP phone). What you don't want to do is use company email or messaging systems.
There are two reasons for this. The first is that you do not know whether those systems have been compromised and whether, by using them, you are telling the attacker that you are on to him and how much you know.
The second is that you are also leaving bread crumbs that can be discovered as part of the legal process after the breach and used against you.
So now that the "how" part is handled, let's move on to the "who" part.
The answer is not your boss or the CEO. That will just ruin their day and if you tell them 5 minutes later, it won’t make any difference.
That first call should be to your outside cyber incident response law firm. The one you should have on retainer. The one that you have already brought up to speed on your business and processes. The last thing you want to do at this point is be dealing with contracts and explaining to them what you do.
The firm also has to be experienced in cyber incident response – otherwise, they might make mistakes.
The one thing that Target did right during their breach – and it was not to decide to wait until after Christmas to remove the malware – was to contact their cyber incident response outside attorney.
That firm directed the response in order to provide the company legal advice and prepare for lawsuits. That cover allowed them to protect what they did under attorney-client privilege. It turns out that the fact that they were outside counsel instead of corporate legal makes a difference in the story. After all, you were preparing for litigation – you don't pay outside law firms hundreds of dollars an hour unless you are expecting something bad to happen – more cover.
And it worked. When the banks who were suing Target attempted to get Target to produce documents during discovery, Target’s law firm said that those documents belonged to the law firm (since the law firm engaged all the consultants and experts, not Target) and were protected by privilege.
Except for a few business emails between the CEO and the Board which were considered business records and not protectable, the judge struck down requests for every other document.
So at the top of your incident response plan should be a note to self: CALL ATTORNEY FIRST. Then call your boss.
If you have questions, remember that I am not a lawyer and do not play one on the Internet – contact that cyber incident response attorney that you already have a relationship with.
Information for this post came from the National Law Review.