Developing an Incident Response Plan for a Cyber Attack
By Procopio Partner and General Counsel Carole J. Buckner
Every attorney’s ethical duty of competence requires a lawyer to provide competent representation to a client, applying the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation. This in turn requires that a lawyer keep abreast of technology, including associated risks and benefits, including continuing study and education. As a matter of best practice and preparation, lawyers should proactively develop an incident response plan with the objectives of both stopping the breach and restoring systems, with “specific plans and procedures for responding to a data breach.”
Because a data breach requires a rapid response, the plan should be developed prior to the time the lawyer is swept up in an actual breach. Developing a thorough and thoughtful incident response plan creates the ability to respond to data breach incidents systematically, employing the appropriate personnel with appropriate experience, with a careful methodology, in a coordinated manner.
Once an incident occurs, mitigating damage and minimizing legal exposure requires a quick response on multiple levels. Undertaking the process of creating an incident response plan before it is needed allows for the development of strategy by a diverse team with the appropriate range of expertise and knowledge. A strong and comprehensive incident response plan will consider a range of issues including communications, legal rights and remedies, mitigation of loss and business disruption and preservation of evidence in an appropriate manner. Approval of the incident response plan should be obtained from senior management.
In anticipation of litigation, structure the incident response plan so that the response is covered by the attorney client privilege and work product doctrine to the maximum extent possible. Everyone involved should be trained to communicate in a manner that preserves the application of both privilege and work product to the maximum extent possible. Once the plan is prepared, team members should practice running through a mock incident response. Training should be repeated periodically through a variety of simulated data breach situations. Tabletop exercises, in which members of the incident response team address a hypothetical incident and explain proposed responses, may reveal gaps in the plan and can be used to improve the incident response plan.
An incident response plan should be designed to address any type of security incident, including both internal incidents and external incidents such as exfiltration that may involve theft of information or ransomware attacks that block use of systems.
There are many formulations for incident response plans. Such plans share several common key components:
- Identification of all team members and their backups.
- Definition of the role of each team member in the event of an incident.
- 24/7 contact information for each team member and backup.
- An outline of all steps to be taken at each stage of the incident response process.
- Guidelines for external and internal information sharing in handling an incident response.
- Designation of each team member responsible for each step in the process.
Planning for communications without use of compromised systems should be addressed in the incident response plan. Ideally, the compromised system should not be used for communications. If the compromised system must be used to address the incident response, encryption should be implemented. Proper notification of the team regarding the incident should be detailed in the incident response plan. Hard copies of the plan should be distributed to assure availability during an incident when systems are blocked.
Incident Response Team
Viewing a cyber response plan as an “IT plan” fails to give appropriate significance to the legal issues involved and risks ignoring the significance of the attorney client privilege. The goal should be to integrate all stakeholders. Composition of the response team will depend on individual business operations and available resources. Given the necessity of rapid response, coordination of members in distinct roles is essential. Planners can decide whether an incident response will follow a dual track design in order to preserve attorney client privilege.
In a dual track design, one team is managing legal issues and the other is handling business issues. An incident response team typically includes both internal and external members. Internally, two team members from each department should be selected, allowing for a backup in case the primary person is unavailable. Members of the response team should have such responsibilities included in their job descriptions. Legal counsel (in-house and outside counsel), corporate management, information technology, human resources, and public relations/marketing representatives, customer relations and investor relations, should be included.
Identification of outside forensic consultants should be done in advance. Ideally, forensic consultants should be identified to determine what happened and how to mitigate the incident through data recovery or other measures. Again, two well-qualified forensic vendors should be identified in order to assure maximum responsiveness. Additional outside public relations personnel can also be designated depending on internal capabilities and expertise in crisis communications. Law enforcement contacts should also be identified in the incident response plan, and it best to make contact with them in advance. Contacts with cyber insurance carriers should also be included.
Incident Response Process
There are numerous formulations for an incident response process. The following elements are typical:
- Confirm that the incident is not a false alarm.
- Notify the insurance carrier for cyber insurance coverage.
- Contact cyber counsel to establish attorney client privilege and work product.
- Decide how urgent and how serious the incident is.
- Identify the source of the incident – external/internal.
- Identify the data threatened, and whether it is encrypted.
- Determine whether the breach is ongoing.
- Identify, evaluate and assess the nature and scope of any potential network anomaly or intrusion.
- Establish whether data was accessed and/or compromised.
- Quarantine the threat and/or eradicate the malware.
- Prevent exfiltration of data.
- Restore the integrity of the network system.
The incident response plan should include summaries of insurance coverage and the requirements for notification to insurance carriers, to include any cyber insurance and any excess or umbrella policies. Timely notice is essential as expenses incurred prior to notice may not be covered. General counsel or outside counsel should promptly report the incident to the insurance carrier. The notification to the cyber insurance carrier should reference the relevant policy, the date of the incident, and type of incident. After giving notification keep the carrier apprised in order to satisfy the duty of cooperation under the policy.
A cyber insurance policy may require that the insured obtain consent from the carrier prior to engaging outside vendors. As part of the preparation of the incident response plan, preferred vendors can be identified. These vendors can be submitted to the insurer for pre-approval in order to maximize expense reimbursement. Basic terms of engagement of vendors can be negotiated in advance of an incident in order to minimize delays in seeking approval in the event of an incident.
The incident response plan should take into consideration the scope of policy coverage, including whether the policy provides for assistance with the breach. While some social engineering scams may not fall within the scope of coverage, insurance may cover extortion by ransomware. Many policies cover expenses incurred after a data breach incident for legal, forensics, public relations and regulatory compliance.
Cyber insurance is not uniform. Policy wording significantly varies. First-party insurance coverage typically will cover direct losses and out-of-pocket expenses incurred in connection with incident response. Mitigation coverage may include legal expenses, forensic investigation, remediation, business interruption, notification, crisis management and cyber extortion, when triggered by an occurrence under the policy. Such expenses should be tracked for submission to the carrier. Cyber policies may also cover reputational injury and disclosure injury.
Third-party coverage insures against liability of the company for harm to third parties arising from a claim for monetary damages or injunctive or declaratory relief. Third-party coverage may extend to regulatory proceedings including fines and penalties in some jurisdictions where such coverage is permitted. Third-party coverage will also extend to compensatory damages, as well as coverage for defense and damages suffered by third parties caused by disclosure or theft of confidential information or a computer virus, as well as privacy violations.
Internal IT personnel staff or untrained third parties should not be called in to “fix” the problems arising from a cyber incident. Efforts to “clean” servers, even if well-intentioned, may destroy important evidence of the source of an intrusion. Two outside forensic consultants should be identified in the incident response plan in case one is not available in a timely manner to respond to an urgent incident. Forensic consultants should be identified in the incident response plan and pre-approved with the cyber insurance carrier, with basic terms of the engagement agreements pre-negotiated. Such consultants should be engaged through counsel to preserve attorney client privilege. The forensic consultant can interview internal IT personnel and others with knowledge of the incident, confirming the scope of the incident through an inventory and evaluation of devices connected to the network.
Preservation of Evidence
Litigation, prosecution and regulatory actions can follow a cyber incident. This can include class action claims regarding the data breach, regulatory investigations and criminal investigations. In anticipation of this, information about the data breach incident should be preserved in a forensically appropriate manner. Ideally, the FBI recommends immediately making forensic images of the affected computers. Imaging computers will likely require involvement of forensic consultants or law enforcement. In addition, preservation of logs from servers, routers and firewalls is appropriate.
Steps taken from the inception of the incident should be documented including dates and times, identification of systems, accounts, networks, and databases impacted by the incident. All evidence should be safeguarded to prevent alteration and maintain a chain of custody. An evidence retention policy should be established to allow for potential prosecution. A single employee can be designated in the incident response plan as the custodian of such records. A critical goal of the incident response plan should be to preserve forensic evidence during the entire course of the investigation, including any remediation, in order to respond to any claims that evidence was destroyed or tampered with during the investigation.
A sound incident response plan should also address how to handle media inquiries in order to maintain public confidence in the company. Whether to use internal or external communications specialists should be determined. An external communications specialist can be approved in advance by the insurance carrier. A single point of contact for external communications and a backup is preferable. A data breach may require multiple communications. The plan should anticipate press inquiries regarding who attacked, how the attack occurred, the scope of the attack, impact of the attack and remediation.
All proposed communications must be drafted with the assistance of legal counsel. Public disclosures regarding a data breach may be used against the company in subsequent litigation as admissions of liability. Communications should anticipate consumer questions, avoid misleading statements and avoid withholding key details that are relevant to consumers. Companies offering credit monitoring should explain the reasons for doing so in a manner that will reduce the risk that such an offer will be deemed an admission of liability in subsequent litigation.
The incident response plan should also include statutory reporting obligations and any required notifications. The forensic consultant, inside and outside legal counsel and incident team members must assess and evaluate notification requirements. This will be driven by state and federal law, ethics requirements, and by contractual obligations. Breach notification statutes are not uniform, and vary on the definitions of breach, who must be notified, when notice is required, as well as the form of notice required. California and many other states have specific statutes dictating the information that must be included. Some state requirements may conflict with the requirements of other states. Notification obligations in each jurisdiction must be analyzed.
The content of the notification will depend upon the incident as well as the applicable state law. The FTC recommends that a notification describe how the breach occurred, what information was taken, and what actions were taken to remedy the situation, as well as contact information for your organization. Notification should also explain to the recipient what response is appropriate. Public companies must disclose information security breaches that are individually, or in the aggregate, material. Such disclosure should include the costs and consequences, as well as relevant insurance coverage.
Contacting Law Enforcement
The incident response plan should include procedures for determining whether and under what circumstances notification of law enforcement is appropriate. Prior to such contact, a determination of the nature of the incident will need to be made. Management along with inside and outside counsel and internal and external public relations personnel will need to determine whether contacting law enforcement is advisable depending on the circumstances of the incident.
Understanding the responsibilities of various law enforcement agencies can help with development of an incident response plan. The DOJ and FBI investigate and prosecute cyber-crimes. The Department of Homeland Security focuses on national protection including prevention and mitigation of cyber incidents, including phishing and malware. The National Cybersecurity and Communications Integration Center (NCCIC) is available 24/7 to receive and share information concerning an ongoing incident, and provide assistance to victims. The Department of Defense focuses on foreign cyber threats, national security and military systems. Data breach incidents can be reported to the Department of Justice computer fraud unit, U. S. Attorneys, or to the Secret Service, and can also be reported to state and local law enforcement. Each FBI field office has cyber capability. Contact information for relevant agencies and individual specific personnel should be included in the incident response plan. Companies should designate a point of contact and a backup for interaction with law enforcement.
There are several advantages of reporting an incident to law enforcement. Trained criminal investigators have experience handling and preserving forensic evidence. Forensic investigations by the government may save the company money as the government does not charge for forensic analysis. Criminal investigations may be a basis for delay of notifications. Criminal investigators can obtain search warrants, which can preserve evidence. At the same time, there are several downsides of contacting law enforcement. The company may lose control as the government takes charge of the investigation. Once law enforcement is involved, information may not reflect well on the company, and the company cannot terminate the inquiry.
Once the incident response plan is in place, it should be updated periodically to address new types of potential breaches and changes in the operations of the business, including responsible personnel. After an incident, a post-mortem is recommended to allow the incident response team to evaluate overall performance, including vendors and consultants and plan for needed security improvements.
Carole J. Buckner is a Partner and General Counsel at Procopio and a member of its Privacy and Cybersecurity practice group. Her practice focuses on legal ethics, professional responsibility and the law of lawyering, including advising lawyers and law firms, and rendering expert opinions. She also serves as an expert consultant on issues involving legal ethics including legal fees, billing, fee arrangements, conflicts of interest, fee sharing, referral fees, unauthorized practice of law, withdrawal from representation, modification of fee arrangements, client trust accounting, and other issues. Prior to joining Procopio, Carole was a sole practitioner in the field of legal ethics, issues involving professional responsibility, and the law of lawyering.
Jill D. Rhodes and Robert S. Litt, THE ABA CYBERSECURITY HANDBOOK: A RESOURCE FOR ATTORNEYS, LAW FIRMS AND BUSINESS PROFESSIONALS (2d ed. 2018)
George B. Huff, Jr., John A. DiMaria, and Claudia Ruse, Best Practices for Incident Response – Achieving Preparedness through Alignment with Voluntary Consensus Standards, THE ABA CYBERSECURITY HANDBOOK: A RESOURCE FOR ATTORNEYS, LAW FIRMS AND BUSINESS PROFESSIONALS (2d ed. 2018).
ABA Formal Op. 483 (2018).
Steven M. Puiszis, Prevention and Response: A Two-Pronged Approach to Cyber Security and Incident Response Planning, 24 The Professional Lawyer 3 (2017).
Mindy Rattan, Lawyers Need Plan of Attack After a Cyber Attack, 34 Law. Man. Prof. Conduct 339 (2018).
Jay T. Westermeier, Duty to Disclose Breaches, 6 Computer Law VI (2018).
William R. Covino, Data Security Assessments: Are You Prepared for a Breach? 33 Law. Man. Prof. Conduct 257 (2017).
Jay T. Westermeier, Legal Battle Plans, 6 Computer Law VI (2018).
David Bender, 5 Computer Law – A Guide to Cyberlaw and Data Privacy Law, § 42.08 (2018).
Federal Trade Commission, DATA BREACH RESPONSE: A GUIDE FOR BUSINESS (Sept. 2016).
National Institute of Standards and Technology, COMPUTER SECURITY INCIDENT HANDLING GUIDE (2012).
U.S. Department of Justice, COMPUTER CRIME & INTELLECTUAL PROPERTY DIV., BEST PRACTICES FOR VICTIM RESPONSE AND REPORTING OF CYBER INCIDENTS (April 2015).
ABA Standing Committee on Law and National Security, A PLAYBOOK FOR CYBER EVENTS (2d ed. July 2014).